V-25007 | High | The PDA/smartphone must be configured to require a passcode for device unlock. | Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD PDA/smartphone. These devices are particularly vulnerable because they are exposed to many potential... |
V-18856 | Medium | Removable memory cards (e.g., MicroSD) must use a FIPS 140-2 validated encryption module to bind the card to a particular device such that the data on the card is not readable on any other device. | Memory cards used to transfer files between PCs and PDAs are a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed... |
V-14202 | Medium | FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). | If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws... |
V-19897 | Medium | All wireless PDA clients used for remote access to DoD networks must have a VPN capability that supports AES encryption. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. |
V-25016 | Medium | The device minimum password/passcode length must be set as required. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts... |
V-25022 | Medium | PDAs/smartphones must display the required banner during device unlock/logon. | DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. ... |
V-25011 | Medium | Password/passcode maximum failed attempts must be set to the required value. | A hacker with unlimited attempts can determine the passcode of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the PDA/smartphone and... |
V-14275 | Medium | DoD-licensed anti-malware software will be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs. | Security risks inherent to wireless technology usage can be minimized with security measures such as current anti-virus updates. |
V-19899 | Medium | Wireless PDA VPNs must operate with split tunneling disabled. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. |
V-19898 | Medium | All wireless PDA clients used for remote access to a DoD network must have a VPN capability that supports CAC authentication. | If an adversary can bypass a VPN’s authentication controls, then the adversary can compromise DoD data transmitted over the VPN and conduct further attacks on DoD networks. CAC authentication... |
V-18627 | Medium | The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented. |
V-18625 | Medium | PDAs and smartphones that are connected to DoD Windows computers via a USB connection must be compliant with requirements. | PDAs with flash memory can introduce malware to a PC when they are connected for provisioning of the PDA or to transfer data between the PC and PDA, particularly if the PDA is seen by the PC as a... |