accepted
PDA Security Technical Implementation Guide (STIG)
This STIG contains technical security controls for the operation of a PDA in the DoD environment. In this case, PDA refers to any handheld computing device with or without wireless, except for Commercial Mobile Devices (CMDs) (smartphones or tablet computers).
DISA, Field Security Operations
STIG.DOD.MIL
Release: 8 Benchmark Date: 25 Apr 2014
Version: 6
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
FIPS validated encryption for data at rest<GroupDescription></GroupDescription>
WIR0190
FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
<VulnDiscussion>If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not from flaws in the cryptographic algorithms themselves.
FIPS 140-2 validation provides assurance that cryptography is implemented correctly and is required for Federal Government uses of cryptography in non-classified applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.
Detailed Policy Requirements:
FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.
This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data.
Check Procedures:
Interview IAO and review documentation.
1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check.
2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type).
3. Obtain the product’s FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site. A certificate covers only the module name and version it lists and only when the module is operated in its FIPS-approved mode; confirm that the version deployed on the device matches the certificate and that FIPS mode is enabled.
4. Work with the IAO to determine whether encryption is enabled on the wireless client device and whether it uses AES or 3DES.
5. Verify temp files with sensitive information are also protected with encryption.
6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.
Use anti-virus software<GroupDescription></GroupDescription>
WIR-MOS-PDA-039
DoD-licensed anti-malware software will be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs.
<VulnDiscussion>Security risks inherent to wireless technology usage can be minimized with security measures such as current anti-virus updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
The IAO will ensure DoD-licensed anti-virus software is installed on all wireless clients (e.g., laptops, PDAs, and cellular telephones), that the software is configured in accordance with the Desktop Application STIG, and that it is kept up to date with the most recent virus signatures every 14 days or less.
Detailed Policy Requirements:
DoD-licensed anti-malware software must be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs and must be kept up to date with the most recent virus signatures every 14 days or less.
Note: This requirement does not apply to any handheld PDA that is never used to connect to the Internet or to a DoD computer or network. It does not apply to handheld bar-code or RFID scanners that are connected to DoD computers only to download scanned data (the handheld is used solely as a bar-code/RFID scanner). It also does not apply to voice-only phones, including wireless VoIP and Unlicensed Mobile Access (UMA) handsets, that have no data or Internet connectivity beyond what is needed to carry voice calls over wireless VoIP or UMA.
Check Procedures:
Verify laptop computers, PDAs, and smartphones are protected by anti-virus software.
For PDAs and cell phones, inspect a sample of the devices (3 – 4 devices). Verify the software is:
o Configured to scan at startup (once daily) or at least once every week, or the user is trained to scan at least once per week.
o Configured to update automatically at least every 14 days, or the user is trained to update manually at least once every two weeks.
o Enabled for Web browser download protection.
o If DoD-approved antivirus products (e.g., those downloaded from the JTF-GNO antivirus portal) are not available for the wireless device, the site must select commercial products from major vendors, with preference given to products tested or already used by other DoD organizations.
o The DAA must give written approval of the selected product.
Mark as a finding if any of the following are true:
o No antivirus software is installed; update procedures are not configured or used; or the software is not configured IAW the Wireless STIG policy.
PDA and smartphone connection to PC via USB<GroupDescription></GroupDescription>
WIR-MOS-PDA-032
PDAs and smartphones that are connected to DoD Windows computers via a USB connection must be compliant with requirements.
<VulnDiscussion>PDAs with flash memory can introduce malware to a PC when they are connected for provisioning of the PDA or to transfer data between the PC and PDA, particularly if the PDA is seen by the PC as a mass storage device and autorun is enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Windows PCs used to connect to smartphones will be configured so they are compliant with requirements.
NOTE: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, iPod, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate STIG for the device.
These requirements do not apply to:
-PDAs that are never connected to Windows PCs.
-PDAs connected to stand-alone DoD Windows computers that are not connected to a DoD network.
-PCMCIA cards with flash memory used to store user data. For example, many new broadband wireless modems have this capability. (NOTE: encryption of data stored on the flash memory may be required by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.)
-PCMCIA cards with non-user addressable ROM flash memory.
Detailed Policy Requirements:
PDAs and smartphones will not be connected to DoD Windows computers via a USB connection unless the following conditions are met:
- The DoD Windows computer utilizes the DoD Host Based Security System (HBSS) with the Device Control Module (DCM). Configuration requirements are found in CTO 10-004A.
-Autorun is disabled on the Windows PC.
Check Procedures:
Interview the IAO and smartphone administrator.
Check the following on sample (use 3-4 devices as a random sample) PCs and smartphones:
- Verify the site has implemented HBSS with DCM on computers used to connect PDAs and smartphones. Have the Windows reviewer assist in determining that HBSS with DCM is installed (usually verified during a Windows Workstation review).
- Verify Autorun is disabled (usually verified during a Windows Workstation review).
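On Windows the Autorun setting behind this check is the REG_DWORD NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (and the HKCU counterpart); each set bit disables AutoRun for one drive type, so only 0xFF disables it for every type including the removable and CD-ROM classes a PDA in mass-storage mode can present. The following Python is an added example, not part of this STIG or any DISA tool: it decodes the value from `reg query ... /v NoDriveTypeAutoRun` output and reports which drive types still have AutoRun enabled. The two `reg query` transcripts are constructed, and treating an absent value as 0x91 reflects the commonly documented Windows default rather than anything stated on this page.

```python
"""Decode the Windows NoDriveTypeAutoRun policy value (added example)."""
import re
from typing import List, Optional

# Bit positions in NoDriveTypeAutoRun follow the Win32 GetDriveType() codes.
# A SET bit disables AutoRun for that drive type; 0xFF disables all of them.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, PDAs exposed as mass storage
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",       # also virtual CD-ROMs some devices present
    0x40: "DRIVE_RAMDISK",
    0x80: "(reserved)",
}

# Constructed 'reg query' output for two machines; not captured from a real host.
REG_QUERY_COMPLIANT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""
REG_QUERY_PARTIAL = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""


def parse_reg_dword(reg_output: str, value_name: str) -> Optional[int]:
    """Return the REG_DWORD named value_name from 'reg query' text, or None if absent."""
    pattern = re.compile(
        r"^\s*" + re.escape(value_name) + r"\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
        re.MULTILINE,
    )
    m = pattern.search(reg_output)
    return int(m.group(1), 0) if m else None


def autorun_still_enabled(value: Optional[int]) -> List[str]:
    """Drive types for which AutoRun remains enabled under the given policy value.
    None (value not set) is treated as the documented Windows default of 0x91,
    which leaves removable, fixed and CD-ROM drives with AutoRun enabled."""
    effective = 0x91 if value is None else value
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not effective & bit]


def autorun_finding(reg_output: str) -> Optional[str]:
    """STIG-style verdict: None when compliant, otherwise a one-line finding."""
    value = parse_reg_dword(reg_output, "NoDriveTypeAutoRun")
    enabled = autorun_still_enabled(value)
    if not enabled:
        return None
    shown = "not set" if value is None else f"0x{value:02x}"
    return f"NoDriveTypeAutoRun is {shown}; AutoRun still enabled for: {', '.join(enabled)}"


if __name__ == "__main__":
    for label, text in (("compliant", REG_QUERY_COMPLIANT), ("partial", REG_QUERY_PARTIAL)):
        print(label, autorun_finding(text) or "no finding")
```

Run the same function over both the HKLM and HKCU policy keys; a machine where only the user key is hardened is still a finding, because a different user profile on the PC connecting the PDA would not inherit it.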
Remote access VPN - FIPS 140-2<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-01
The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated.
<VulnDiscussion>DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption on the device has been securely implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Comply with requirement.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and the FIPS 140-2 certificate. Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Mark as a finding if the VPN is not FIPS 140-2 validated.
Removable flash media and FIPS 140-2 encryption<GroupDescription></GroupDescription>
WIR-MOS-PDA-033
Removable memory cards (e.g., MicroSD) must use a FIPS 140-2 validated encryption module to bind the card to a particular device such that the data on the card is not readable on any other device.
<VulnDiscussion>Memory cards used to transfer files between PCs and PDAs are a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed in this check.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Comply with requirement.
Note: Removable flash media is defined as media that is readily accessible by the user and does not require additional tools to disassemble the device or remove screws to gain access.
Note: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate Checklist for the device.
Check Procedures:
Interview the IAO to determine if the site uses removable memory cards in site managed handheld PDAs.
If Yes,
-Determine if FIPS 140-2 data encryption has been implemented on the memory cards. Ask the IAO for FIPS certificate or search for it on the NIST web site.
-Determine if the removable data storage media card is bound to the PED such that it may not be read by any other PED or computer. Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure.
-Determine if the security policy on the PDA is configured to deny the use of removable data storage media on site managed PEDs (if this capability is available). Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure it.
-Determine if the site uses a removable data storage memory card to load files on site PDAs for the purpose of provisioning the PDA. If yes, verify the memory card used for provisioning has either been provided by the PDA vendor or loaded with provisioning files from a non-NIPRNet computer.
Mark as a finding if the requirements for compliance are not met.
Remote access VPN - AES encryption<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-02
All wireless PDA clients used for remote access to DoD networks must have a VPN capability that supports AES encryption.
<VulnDiscussion>DoD data could be compromised if transmitted data is not secured with a compliant VPN.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Comply with requirement.
This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client supports AES encryption. Mark as a finding if AES is not supported. Also mark as a finding if no VPN capability is present.
Remote access VPN - CAC authentication<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-03
All wireless PDA clients used for remote access to a DoD network must have a VPN capability that supports CAC authentication.
<VulnDiscussion>If an adversary can bypass a VPN’s authentication controls, then the adversary can compromise DoD data transmitted over the VPN and conduct further attacks on DoD networks. CAC authentication greatly mitigates this risk by providing strong two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Comply with requirement.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability).
Mark as a finding if CAC authentication is not supported.
Remote access VPN - split tunneling<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-04
Wireless PDA VPNs must operate with split tunneling disabled.
<VulnDiscussion>DoD data could be compromised if transmitted data is not secured with a compliant VPN. With split tunneling enabled, the device is connected to an untrusted network and the DoD network at the same time and can relay traffic between them, bypassing the perimeter protections of the DoD network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Comply with requirement.
This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Check to see if the VPN has a setting to disable split tunneling. The following test can also be done:
1. Connect to the Internet using the PDA browser.
2. Launch the VPN client and connect to the DoD network.
3. Check to see if the browser is still connected to the Internet. If yes, and the DoD network does not itself provide Internet access through the tunnel, split tunneling is not disabled. Because many VPN concentrators do provide Internet egress through the tunnel, a browser that still loads pages is not conclusive on its own; confirm against the VPN client's routing configuration, which must send all traffic, not just DoD address ranges, into the tunnel.
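The browser test above is only indicative; the definitive evidence is the device's routing table once the VPN is up. The following Python is an added example, not part of this STIG: it parses an `ip route show`-style table and reports every path that bypasses the tunnel, accepting either a tunnel default route that outranks the physical one by metric or the 0.0.0.0/1 + 128.0.0.0/1 override pair some clients push. The table text, the interface names tun0 and wlan0, and the concentrator address 203.0.113.10 are constructed for illustration; the same logic applies to any stack whose table can be dumped, but only the Linux format is parsed here.

```python
"""Classify a routing table as full-tunnel or split-tunnel (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    scope_link: bool
    metric: int = 0  # Linux treats an absent metric as 0


def parse_ip_route(text: str) -> List[Route]:
    """Parse 'ip route show'-style lines. Only the destination, 'via', 'dev',
    'metric' and the 'scope link' flag are used; other tokens are ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        via = dev = None
        metric = 0
        for i, tok in enumerate(parts[:-1]):
            if tok == "via":
                via = parts[i + 1]
            elif tok == "dev":
                dev = parts[i + 1]
            elif tok == "metric":
                metric = int(parts[i + 1])
        routes.append(Route(prefix, dev or "", via, "scope link" in line, metric))
    return routes


def split_tunnel_findings(routes: List[Route], tun_dev: str, vpn_gateway: str) -> List[str]:
    """Return findings (empty list == full tunnel) for a connected VPN whose
    tunnel interface is tun_dev and whose concentrator address is vpn_gateway."""
    gw = ipaddress.ip_address(vpn_gateway)
    findings = []

    # 1. Internet-bound traffic must default into the tunnel. Either the client
    #    installed 0.0.0.0/1 + 128.0.0.0/1 on tun_dev (longest-prefix match beats
    #    the physical default whatever its metric), or its own 0.0.0.0/0 on
    #    tun_dev has a strictly lower metric than every other default route.
    tun_halves = {str(r.prefix) for r in routes if r.dev == tun_dev and r.prefix.prefixlen == 1}
    tun_defaults = [r for r in routes if r.dev == tun_dev and r.prefix.prefixlen == 0]
    other_defaults = [r for r in routes if r.dev != tun_dev and r.prefix.prefixlen == 0]
    if {"0.0.0.0/1", "128.0.0.0/1"} <= tun_halves:
        full_default = True
    elif tun_defaults:
        best_tun = min(r.metric for r in tun_defaults)
        full_default = all(best_tun < r.metric for r in other_defaults)
    else:
        full_default = False
    if not full_default:
        findings.append(f"no effective default route via {tun_dev}: Internet traffic bypasses the VPN")

    # 2. Any other prefix routed outside the tunnel is a split-tunnel path, except
    #    the host route to the VPN gateway (it carries the tunnel itself) and the
    #    physical interface's on-link subnet (present on every stack; whether the
    #    client blocks local-LAN access is a separate client setting).
    for r in routes:
        if r.dev == tun_dev or r.prefix.prefixlen == 0:
            continue  # default routes were judged above
        if r.prefix.prefixlen == 32 and r.prefix.network_address == gw:
            continue
        if r.scope_link:
            continue
        findings.append(f"{r.prefix} routed via {r.dev} outside the tunnel")
    return findings


# Constructed tables (not captured from a real device). tun0 is the VPN
# interface, wlan0 the Wi-Fi uplink, 203.0.113.10 the VPN concentrator.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def check(table: str) -> List[str]:
    return split_tunnel_findings(parse_ip_route(table), "tun0", "203.0.113.10")


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, check(table) or ["no finding: full tunnel"])
```

The split-tunnel table is the shape a client produces when it is configured to route only DoD address space (here 10.0.0.0/8) through the VPN; everything else, including the browser traffic from the test above, leaves over wlan0.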
Mark as a finding if split tunneling is not disabled on all PDA VPN clients as the default configuration setting.
Require device unlock password/passcode<GroupDescription></GroupDescription>
WIR-MOS-PDA-010
The PDA/smartphone must be configured to require a passcode for device unlock.
<VulnDiscussion>Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD PDA/smartphone. These devices are particularly vulnerable because they are exposed to many potential adversaries when they are taken outside the physical security perimeter of DoD facilities, and because they are easily concealed if stolen.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Configure the MDM server to require a passcode for device unlock.
Detailed Policy Requirements:
PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required.
Check Procedures:
Interview the IAO and system administrator.
- Verify that CAC authentication or password authentication is used on site managed PDAs. Verify authentication is required to unlock the PDA on a sample of devices at the site. Inspect 3-4 devices.
Password/passcode maximum failed attempts<GroupDescription></GroupDescription>
WIR-MOS-PDA-017
Password/passcode maximum failed attempts must be set to the required value.
<VulnDiscussion>An attacker with unlimited attempts can determine the passcode of a smartphone within a few minutes using password-guessing tools, which could lead to unauthorized access to the PDA/smartphone and disclosure of sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Set password/passcode maximum failed attempts to 10 or less.
Check a sample (3-4 devices) of site PDAs and verify the PDA has been configured to wipe after 10 (or fewer) incorrect passwords have been entered.
Minimum password/passcode length<GroupDescription></GroupDescription>
WIR-MOS-PDA-011
The device minimum password/passcode length must be set as required.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can make each attempt, and the size of the password space.
The longer the minimum length of the password, the larger the password space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Configure the mobile operating system to enforce a minimum length for the device unlock password. Where a security container application is used in lieu of mobile operating system protections, configure the security container application to enforce a minimum length password for entry into the application.
Review the mobile operating system configuration to determine if the device enforces a minimum length for the device unlock password. For device unlock on mobile operating systems with no access to sensitive or classified information, the requirement is a minimum of 4 numbers. For mobile devices with access to sensitive information, the minimum length is 6. If the mobile device places sensitive information or security functions in “security container” applications only, then a compliant configuration is to require a 6-character or longer password to enter the container application, and a 4-digit or longer password to unlock the device. If the device does not enforce a minimum length for the device unlock password or, where applicable, the security container, this is a finding.
Required logon banner<GroupDescription></GroupDescription>
WIR-MOS-PDA-007
PDAs/smartphones must display the required banner during device unlock/logon.
<VulnDiscussion>DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data.
When users understand their responsibilities, they are less likely to engage in behaviors that could compromise DoD information systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWM-1</IAControls>
DPMS Target PDA/PED, DISA FSO, DPMS Target, PDA/PED, 546
Display the required banner during device unlock/logon.
Detailed Policy Requirements:
All PDAs and smartphones must display the following banner during device unlock/logon:
A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
B. For Blackberries and other PDAs/PEDs with severe character limitations:
I've read & consent to terms in IS user agreem't.
Check Procedures:
Work with the SA to review the configuration of the PDA security management server or security policy configured on the PDA/smartphone. Review a sample of devices to check that the required banner is being used. Mark as a finding if the required banner is not used.
Note: Depending on the system, this setting could be set on the management server or on the handheld device.