accepted
PDA/Smartphone Security Technical Implementation Guide
This STIG contains the technical security controls for the operation of a PDA or Smartphone in the DoD environment.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 5 Benchmark Date: 28 Oct 2011
Version: 6
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
FIPS validated encryption for data at rest<GroupDescription></GroupDescription>
WIR0190
FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
<VulnDiscussion>If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.
Detailed Policy Requirements:
FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.
This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA, except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data. In that case, check WIR0860 applies.
Check Procedures:
Interview IAO and review documentation.
1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check.
2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type).
3. Obtain the product’s FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site.
4. Work with the IAO to determine whether encryption is enabled on the wireless client device and whether it uses AES or 3DES.
5. Verify temp files with sensitive information are also protected with encryption.
6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.
Use anti-virus software<GroupDescription></GroupDescription>
WIR-MOS-PDA-039
DoD-licensed anti-malware software will be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs.
<VulnDiscussion>Security risks inherent to wireless technology usage can be minimized with security measures such as current anti-virus updates.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
The IAO will ensure DoD-licensed anti-virus software is installed on all wireless clients (e.g., laptops, PDAs, and cellular telephones), that the software is configured in accordance with the Desktop Application STIG, and that it is kept up to date with the most recent virus signatures every 14 days or less.
Detailed Policy Requirements:
DoD-licensed anti-malware software must be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs and must be kept up to date with the most recent virus signatures every 14 days or less.
Note: This requirement does not apply to any handheld PDA that is not used to connect to the Internet or a DoD computer or network. It does not apply to handheld bar-code or RFID scanners that are connected to DoD computers to download scanned data (the handheld is used only as a bar-code / RFID scanner). In addition, this requirement does not apply to phones that have the capability for voice calls only, including wireless VoIP and Unlicensed Mobile Access (UMA) (no data or Internet connections other than for voice calls over wireless VoIP and UMA).
Check Procedures:
Verify laptop computers, PDAs, and smartphones are protected by anti-virus software.
For PDAs and cell phones, inspect a sample of the devices (3-4 devices). Verify the software is:
o Configured to scan upon startup (once daily), or at least once every week, or the user is trained to scan at least once per week.
o Configured to automatically update at least every 14 days or the user is trained to manually update once every two weeks.
o Enabled for Web browser download protection.
o If DoD-approved antivirus products (e.g., downloaded from the JTF GNO antivirus portal) are not available for the wireless device, sites must select commercial products from major vendors, with preference given to products tested or already used by other DoD organizations.
o The DAA must give written approval of this product.
Mark as a finding if any of the following are true:
o No antivirus software is installed; update procedures are not configured or used; or the software is not configured IAW the Wireless STIG policy.
Use personal firewall on PDA / smartphone<GroupDescription></GroupDescription>
WIR-MOS-PDA-031
A personal firewall must be implemented on each PDA / smartphone that is used to connect to the Internet or DoD network.
<VulnDiscussion>Without a personal firewall, the PDA / Smartphone is susceptible to vulnerability scanning and malware attacks from the Internet and other networks to which it may intentionally or inadvertently connect.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
Comply with DoD policy.
Inspect a sample (3-4) of PDAs used at the site to connect to the Internet or DoD network. Verify the software is:
- Able to block both inbound and outbound ports and services as needed
- Configured for automatic updates from a trusted site every 14 days (if this feature is available) or the user has been trained to manually download updates every 14 days (check user agreement or training records).
- Configured to block known DDoS ports and unneeded services as identified by the local SA.
- NIAP validated. If an NIAP approved personal firewall is not available for the PDA operating system, sites must select commercial products which are from major vendors with preference given to products tested or already used by other DoD organizations.
Mark as a finding if any of these requirements are not met.
Note: Personal firewall features are included in many PDA antivirus products.
Note: This requirement does not apply to any handheld PDA that is not used to connect to the Internet or a DoD computer or network. It does not apply to handheld bar-code or RFID scanners that are connected to DoD computers to download scanned data (the handheld is used only as a bar-code / RFID scanner). Also, this requirement does not apply to phones that have the capability for voice calls only, including wireless VoIP and Unlicensed Mobile Access (UMA) (no data or Internet connections other than for voice calls over wireless VoIP and UMA).
PDA and smartphone connection to PC via USB<GroupDescription></GroupDescription>
WIR-MOS-PDA-032
PDAs and Smartphones that are connected to DoD Windows computers via a USB connection must be compliant with requirements.
<VulnDiscussion>PDAs with flash memory can introduce malware to a PC when they are connected for provisioning of the PDA or to transfer data between the PC and PDA, particularly if the PDA is seen by the PC as a mass storage device and autorun is enabled.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>
Windows PCs used to connect to smartphones will be configured so they are compliant with requirements.
NOTE: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, iPod, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate STIG for the device.
These requirements do not apply to:
- PDAs that are never connected to Windows PCs.
- PDAs connected to stand-alone DoD Windows computers that are not connected to a DoD network.
- PCMCIA cards with flash memory used to store user data. For example, many new broadband wireless modems have this capability. (NOTE: encryption of data stored on the flash memory may be required by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.)
- PCMCIA cards with non-user addressable ROM flash memory.
Detailed Policy Requirements:
PDAs and smartphones will not be connected to DoD Windows computers via a USB connection unless the following conditions are met:
- The DoD Windows computer utilizes the DoD Host Based Security System (HBSS) with the Device Control Module (DCM). Configuration requirements are found in CTO 10-004A.
- Autorun is disabled on the Windows PC.
Check Procedures:
Interview the IAO and smartphone administrator.
Check the following on sample (use 3-4 devices as a random sample) PCs and smartphones:
- Verify the site has implemented HBSS with DCM on computers used to connect BlackBerrys. Have the Windows reviewer assist in determining that HBSS with DCM is installed (usually verified during a Windows Workstation review).
- Verify Autorun is disabled (usually verified during a Windows Workstation review).
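As an added illustration of the Autorun portion of the check procedure above (this script is not part of the STIG), the following PowerShell reads the Explorer Autorun policy values on the PC under review so the reviewer can record a pass/fail rather than relying on memory of the Windows Workstation review. The registry paths, value names and the 0xFF "all drive types" threshold are the standard Windows Group Policy locations and are assumptions of this example, not values taken from this STIG.

```powershell
# Added example (not part of the STIG): read the Windows Autorun policy values so a
# reviewer can confirm the WIR-MOS-PDA-032 "Autorun is disabled" condition on a
# sample PC. Run from an elevated PowerShell prompt on the PC under review.
# Assumption: the standard Explorer policy registry locations are used; the value
# names are the well-known Windows policy values, not anything specific to this STIG.

function Get-AutorunPolicyStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $results = foreach ($p in $paths) {
        # Get-ItemProperty returns $null for a missing key or value; treat that as "not set".
        $noDriveType = (Get-ItemProperty -Path $p -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $noAutorun   = (Get-ItemProperty -Path $p -Name 'NoAutorun' -ErrorAction SilentlyContinue).NoAutorun
        [pscustomobject]@{
            Hive               = $p.Split(':')[0]
            NoDriveTypeAutoRun = $noDriveType
            NoAutorun          = $noAutorun
            # NoDriveTypeAutoRun is a bit mask of drive types; 0xFF disables AutoRun on all of them.
            AllDrivesDisabled  = ($null -ne $noDriveType) -and (($noDriveType -band 0xFF) -eq 0xFF)
            # NoAutorun = 1 makes Windows ignore autorun.inf commands entirely.
            AutorunInfIgnored  = ($noAutorun -eq 1)
        }
    }
    return $results
}

$status = Get-AutorunPolicyStatus
$status | Format-Table -AutoSize

# Finding logic mirrors the check: the condition is satisfied only when the
# machine-wide (HKLM) policy turns AutoRun off for every drive type.
$machine = $status | Where-Object { $_.Hive -eq 'HKLM' }
if ($machine.AllDrivesDisabled) {
    Write-Output 'Autorun: disabled for all drive types by machine policy - not a finding'
} else {
    Write-Output 'Autorun: NOT fully disabled by machine policy - mark as a finding (WIR-MOS-PDA-032)'
}
```

The HKCU row is reported only for context: a per-user setting does not satisfy the check, because a different user logging on to the same PC would not inherit it.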
Remote access VPN - FIPS 140-2<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-01
The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated.
<VulnDiscussion>DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
Comply with policy requirement.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and the FIPS 140-2 certificate. Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Mark as a finding if the VPN is not FIPS 140-2 validated.
Remote access VPN - AES encryption<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-02
All wireless PDA clients used for remote access to DoD networks must have a VPN capability that supports AES encryption.
<VulnDiscussion>DoD data could be compromised if transmitted data is not secured with a compliant VPN.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
Comply with policy requirement.
This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client supports AES encryption. Mark as a finding if AES is not supported. Also mark as a finding if no VPN capability is present.
Remote access VPN - CAC authentication<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-03
All wireless PDA clients used for remote access to a DoD network must have a VPN capability that supports CAC authentication.
<VulnDiscussion>If an adversary can bypass a VPN’s authentication controls, then the adversary can compromise DoD data transmitted over the VPN and conduct further attacks on DoD networks. CAC authentication greatly mitigates this risk by providing strong two-factor authentication.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
Comply with policy requirement.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability).
Mark as a finding if CAC authentication is not supported.
Remote access VPN - split tunneling<GroupDescription></GroupDescription>
WIR-MOS-PDA-034-04
Wireless PDA VPNs must operate with split tunneling disabled.
<VulnDiscussion>DoD data could be compromised if transmitted data is not secured with a compliant VPN.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
Comply with policy requirement.
This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Check to see if the VPN has a setting to disable split tunneling. The following test can also be done:
1. Connect to the Internet using the PDA browser.
2. Launch the VPN client and connect to the DoD network.
3. Check to see if the browser is still connected to the Internet. If yes, split tunneling is not disabled.
Mark as a finding if split tunneling is not disabled on all PDA VPN clients as the default configuration setting.
Require device unlock password/passcode<GroupDescription></GroupDescription>
WIR-MOS-PDA-010
The PDA/smartphone must be configured to require a passcode for device unlock.
<VulnDiscussion>Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD PDA/smartphone. These devices are particularly vulnerable because they are exposed to many potential adversaries when they are taken outside of the physical security perimeter of DoD facilities, and because they are easily concealed if stolen.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Configure the smartphone to require a passcode for device unlock.
Detailed Policy Requirements:
PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required.
Check Procedures:
Interview the IAO and system administrator.
- Verify that CAC authentication or password authentication is used on site managed PDAs. Verify authentication is required to unlock the PDA on a sample of devices at the site. Inspect 3-4 devices.
Maximum password/passcode age<GroupDescription></GroupDescription>
WIR-MOS-PDA-013
Maximum password/passcode age must be set as required.
<VulnDiscussion>If the passcode is not changed periodically, then an adversary with knowledge of the passcode can use it indefinitely without detection, potentially allowing access to sensitive DoD information and enabling subsequent attacks.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Set maximum passcode age as required.
Check a sample (3-4 devices) of site PDAs and verify the password age is set to 90 days or less.
Password/passcode maximum failed attempts<GroupDescription></GroupDescription>
WIR-MOS-PDA-017
Password/passcode maximum failed attempts must be set to the required value.
<VulnDiscussion>A hacker with unlimited attempts can determine the passcode of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the PDA/smartphone and disclosure of sensitive DoD data.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Set password/passcode maximum failed attempts to the required value.
Check a sample (3-4 devices) of site PDAs and verify the PDA has been configured to wipe after 10 (or fewer) incorrect passwords have been entered.
Minimum password/passcode length<GroupDescription></GroupDescription>
WIR-MOS-PDA-011
The device minimum password/passcode length must be set as required.
<VulnDiscussion>If the length of the passcode is less than the required length, brute force password attacks will take less time than they would otherwise. Successful attacks will compromise authentication credentials and potentially compromise other sensitive DoD information.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Set the smartphone minimum password/passcode length as required.
Detailed Policy Requirements:
PDAs and smartphones must be protected by authenticated login procedures to unlock the device. The device password is set to eight or more characters.
Check Procedures:
Check a sample (3-4 devices) of site PDAs and verify the unlock password is set to 8 or more characters.
Required logon banner<GroupDescription></GroupDescription>
WIR-MOS-PDA-007
PDAs/smartphones must display the required banner during device unlock/logon.
<VulnDiscussion>DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. When users understand their responsibilities, they are less likely to engage in behaviors that could compromise DoD information systems.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWM-1, ECWN-1</IAControls>
Display the required banner during device unlock/logon.
Detailed Policy Requirements:
All PDAs and Smartphones must display the following banner during device unlock/ logon:
A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
B. For Blackberries and other PDAs/PEDs with severe character limitations:
I've read & consent to terms in IS user agreem't.
Check Procedures:
Work with the SA to review the configuration of the PDA security management server or security policy configured on the PDA/smartphone. Review a sample of devices to check that the required banner is being used. Mark as a finding if the required banner is not used.
Note: Depending on the system, this setting could be set on the management server or on the handheld device.
Home AP PSK passcode<GroupDescription></GroupDescription>
WIR0931
DoD network users authorized to remotely connect to a DoD network from a residential WLAN must configure the access point with a strong pre-shared key (PSK) passcode.
<VulnDiscussion>If the passcode is weak, then an adversary is more likely to crack it. Once an adversary obtains the passcode, the adversary can use it to gain access to the WLAN and potentially other networks to which it is attached.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
Provide users with appropriate guidance on using strong passcodes to generate the WLAN PSK.
Interview the IAO to determine that the site is providing guidance to users on the selection of an appropriate passcode. Mark as a finding if no such guidance is provided or if the guidance provided does not adequately cover the passcode requirements.