The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25035	WIR-WRA-002	SV-30837r6_rule	ECWN-1	Low

Description
Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.

STIG	Date
Remote Access Policy STIG	2015-09-16

Details

Check Text ( C-31259r7_chk )
Detailed Policy Requirements: A site's Remote Access Policy will be written and signed by the site AO, Commander, Director, or other appropriate manager. Recommend the policy includes required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet): - Device unlock password requirements. - Client software patches kept up to date - Internet browsing through enterprise Internet gateway. - Device security policy managed by centrally-managed policy manager. - Procedures after client is lost, stolen, or other security incident occurs. - Configuration requirements of wireless client - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for home WLAN. - 8+-character authentication password required for home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of health check of client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use organization's WLANs? --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment? - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. --Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client’s device may be used, such as specific locations. --Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft. Check Procedures: Interview the ISSO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site AO, Commander, Director, or other appropriate managers. If a wireless remote access policy does not exist or is not signed, this is a finding.

Check Text ( C-31259r7_chk )

Detailed Policy Requirements:

A site's Remote Access Policy will be written and signed by the site AO, Commander, Director, or other appropriate manager. Recommend the policy includes required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet):

- Device unlock password requirements.

- Client software patches kept up to date - Internet browsing through enterprise Internet gateway.
- Device security policy managed by centrally-managed policy manager.

- Procedures after client is lost, stolen, or other security incident occurs.

- Configuration requirements of wireless client - Home WLAN authentication requirements.
- Home WLAN SSID requirements.
- Separate WLAN access point required for home WLAN.
- 8+-character authentication password required for home WLAN.
- Use of third-party Internet portals (kiosks) (approved or not approved).
- Use of personally-owned or contractor-owned client devices (approved or not approved).
- Implementation of health check of client device before connection is allowed.
- Places where remote access is approved (home, hotels, airport, etc.).

- Roles and responsibilities:
--Which users or groups of users are and are not authorized to use organization's WLANs?
--Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment?

- WLAN infrastructure security:
--Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs.
--Types of information that may and may not be sent over WLANs, including acceptable use guidelines.

- WLAN client device security:
--The conditions under which WLAN client devices are and are not allowed to be used and operated.
--Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security.
--Limitations on how and when WLAN client’s device may be used, such as specific locations.
--Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol.

- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents.
- Guidelines for the protection of WLAN client devices to reduce theft.

Check Procedures:

Interview the ISSO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site AO, Commander, Director, or other appropriate managers. If a wireless remote access policy does not exist or is not signed, this is a finding.

Fix Text (F-27725r4_fix)
Publish Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.