Smartphone SA will perform a “Wipe” command on all new or reissued smartphones and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24963	WIR-SPP-008-01	SV-30700r1_rule	ECWN-1	Low

Description
Malware can be installed on the device at some point between shipping from the factory and delivery to DoD.

STIG	Date
Smartphone Policy Security Technical Implementation Guide	2011-04-08

Details

Check Text ( C-31126r1_chk )
Detailed Policy Requirements: The smartphone system administrator must perform a Wipe command on all new or reissued smartphones and reload system software and load a STIG-compliant security policy on the smartphone before issuing it to DoD personnel and placing the device on a DoD network. When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual). Check Procedures: Interview the IAO. Verify required procedures are followed.

Check Text ( C-31126r1_chk )

Detailed Policy Requirements:
The smartphone system administrator must perform a Wipe command on all new or reissued smartphones and reload system software and load a STIG-compliant security policy on the smartphone before issuing it to DoD personnel and placing the device on a DoD network.

When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual).

Check Procedures:
Interview the IAO. Verify required procedures are followed.

Fix Text (F-27597r1_fix)
Smartphone system administrator must perform a “Wipe” command on all new or reissued smartphones.