V-24960 | High | Smartphone devices and systems will not be used to send, receive, store, or process classified messages, unless approved. | DoDD 8100.2 states that wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel. |
V-24957 | High | If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site will follow required procedures. | If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
V-24954 | High | PDAs/smartphones with digital cameras (still and video) will not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed. | PDAs and cell phones with embedded cameras can be used to photograph classified material and can be easily concealed. Classified information could be compromised. |
V-24965 | Medium | Smartphone Instant Messaging (IM) client application will connect to a DoD controlled IM server that is compliant with the Instant Messaging STIG. | Non-DoD IM servers can be located anywhere in the world and can expose the DoD smartphone system and enclave to malware and hacker attacks. |
V-24955 | Medium | A data spill (Classified Message Incident (CMI)) procedure or policy will be published for site smartphones. | When a data spill occurs on a smartphone, classified data must be protected to prevent disclosure. |
V-24966 | Low | The site wireless policy or wireless remote access policy will include information on required smartphone Wi-Fi security controls. | Unauthorized and improperly configured smartphone Wi-Fi can lead to the exposure of DoD data. |
V-24964 | Low | Smartphone software updates will only originate from DoD sources. | Users must not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO.... |
V-24963 | Low | Smartphone SA will perform a “Wipe” command on all new or reissued smartphones and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel. | Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. |
V-24961 | Low | Smartphone users will complete required training. | Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack. |
V-24958 | Low | Required procedures will be followed for the disposal of smartphones. | Procedures must be used to remove DoD information on the wireless email device prior to disposal. |
V-24953 | Low | Site physical security policy will include a statement if PDAs and smartphones with digital cameras (still and video) are allowed in the facility. | Wireless phones with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. This is an... |
V-24969 | Low | Required actions will be followed at the site when a smartphone has been lost or stolen. | DoD data could be compromised if required actions are not followed. |
V-24968 | Low | Smartphones will be provisioned so that users can digitally sign and encrypt e-mail notifications or other email messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on smartphones. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is... |
V-25036 | Low | If wireless remote access is approved for use, the site's SSP will include wireless remote access equipment and locations (site network Wi-Fi, home, hotel, public hotspots, etc.) approved for site personnel. | Wireless clients, networks, and data could be compromised if unapproved wireless remote access is used. |
V-25034 | Low | Users will receive training on required topics before they are authorized to access a DoD network via a wireless remote access device. | Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network and expose DoD data to unauthorized people. |
V-25035 | Low | The site will have a Wireless Remote Access Policy that has been signed by the site DAA, Commander, Director, or other appropriate managers. | Wireless clients, the DoD network, and DoD data could be compromised if operational policies for the use of wireless remote access are not documented by the site. |
V-24962 | Low | The site Incident Response Plan or other procedure will include procedures to follow when a smartphone is reported lost or stolen. | DoD data could be compromised if required actions are not followed. |