
Smartphone users must complete required training.


Overview

Finding ID: V-24961
Version: WIR-SPP-006-01
Rule ID: SV-30698r4_rule
IA Controls: PETN-1
Severity: Low
Description
Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack.
STIG: Smartphone Policy Security Technical Implementation Guide
Date: 2011-06-20

Details

Check Text ( C-31120r4_chk )
Detailed Policy Requirements:
All smartphone users must receive required training on the following topics before they are issued a smartphone.

a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the DAA and the owner signs a forfeiture agreement in case of a security incident.

b. Procedures for wireless device usage in and around classified processing areas.

c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.

d. Procedures for a data spill.

e. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages.

f. Requirement that smartphone devices and systems will not be connected to classified DoD networks or information systems.

g. Requirement that a user immediately notify appropriate site contacts (e.g., IAO, smartphone management server administrator, supervisor, etc.) when his/her smartphone has been lost or stolen.

h. Secure Bluetooth Smart Card Reader (SCR) usage:
--Secure pairing procedures.
--Perform secure pairing immediately after the SCR is reset.
--Accept only Bluetooth connection requests from devices they control.
--Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity.

i. Procedures on how to sign and encrypt email.

j. If Short Message Service (SMS) and/or Multi-media Messaging Service (MMS) are used, IA awareness training material should include SMS/MMS security issues.

k. Requirement that over-the-air (OTA) wireless software updates should only come from DoD sources. Software updates from the wireless carrier or other non-DoD sources will not be used until the download has been tested and approved by the IAO.

l. When smartphone Wi-Fi Service is authorized for use, the following training will be completed:
--Procedures for setting up a secure Wi-Fi connection.
--Approved connection options (e.g., enterprise, home, etc.).
--Requirements for home Wi-Fi connections.
--The Wi-Fi radio must never be enabled while the smartphone is connected to a PC.

m. Do not discuss sensitive or classified information on non-secure (devices are not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios that are used for voice communications.

n. Do not connect PDAs and smartphones to any workstation that stores, processes, or transmits classified data. (Exception: SME PED)

o. Manually download updates to antivirus and personal firewall applications at least every 14 days if automatic updating is not available. (Applies only if the specific PDA / smartphone device has an antivirus / personal firewall application.)

Additional BlackBerry requirements:
a. Procedures for conducting an Autoberry scan, requirements for reporting the results of the scan to the site IAO or BlackBerry Administrator, and completion of the mitigation actions recommended by the tool after the scan.

b. If the use of the BlackBerry Keeper is approved by the DAA, users are trained on password configuration and change requirements.
--Passwords must be changed at least every 90 days.

c. When SCR is used with a PC, users with PC administrative rights will not disable the RIM Bluetooth Lockdown tool on the PC.

d. Procedures on how to verify and/or set the Bluetooth SCR device property, Trusted field, to "Prompt." This is the default value. This property is set on the BlackBerry device in the Bluetooth Device Properties immediately after the Bluetooth pairing connection alert.

e. When using an approved Bluetooth headset or handsfree device, the following procedures will be followed:
--The user will pair only an approved device to the BlackBerry handheld.
--If the user receives a request for Bluetooth pairing on their BlackBerry handheld from a Bluetooth device other than their smart card reader (CAC reader) or headset, the request will not be accepted by the user.
--Pairing of a Bluetooth headset with the BlackBerry handheld will be completed in a non-public area whenever possible.


Additional iPhone/iPad/iPod Touch requirements:
a. Procedure on how to disable the device Bluetooth radio. The Bluetooth radio must be disabled at all times. (Some iPhone security systems will alert the system administrator and IAO if the user has turned on the Bluetooth radio.)

b. Procedure on how to disable the device WiFi radio. The WiFi radio will only be used when authorized. (Some iPhone security systems will alert the system administrator and IAO if the user has turned on the WiFi radio.)

c. If a user connects their device to a PC with iTunes, the user may receive a prompt asking if they want to install an available update of Apple iOS. The user should always refuse the update. iOS updates will always be completed by the site system administrator.

d. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location based services.

e. Procedure to disable "Ask to Join Networks" Wi-Fi feature. This feature must be disabled at all times.

f. Procedure to disable "AutoFill" in the Safari web browser. This feature must be disabled at all times.

g. The iOS device should sync to a minimum number of approved machines; it should not sync to laptops that travel with the device, and it should always use encrypted backups. The act of connecting an iOS device to a PC can put it at risk of attack if the PC is compromised.

h. Procedure on how to enable/disable the device Personal Hotspot service and connect only via USB connections. Personal Hotspot or Tethered Modem services will only be used with IAO approval. Wi-Fi or Bluetooth connections to the personal Hotspot are not authorized.


Additional Android requirements:
a. Procedure on how to disable the device Bluetooth radio. The Bluetooth radio will only be used when a connection to the Bluetooth CAC reader is required. When not using the CAC reader, the radio will be disabled.

b. Procedure on how to disable the device WiFi radio. The WiFi radio will only be used when authorized.

c. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location based services.

d. Procedure on how to enable/disable the device Personal Hotspot service. Wi-Fi or Bluetooth connections to the personal Hotspot are not authorized.

Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site smartphone training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user.

- Verify that site training records show that smartphone users received required training and training occurred before the user was issued a smartphone. Check training records for approximately five users, picked at random.

Mark as a finding if training material does not contain required content.

Fix Text (F-27591r1_fix)
All smartphone users will complete required training.