Smartphone SA must perform a “Wipe” command on all new or reissued smartphones and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24963	WIR-SPP-008-01	SV-30700r2_rule	ECWN-1	Low

Description
Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.

STIG	Date
Smartphone Policy Security Technical Implementation Guide	2011-06-20

Details

Check Text ( C-31126r2_chk )
Detailed Policy Requirements: The smartphone system administrator must perform a Wipe command on all new or reissued smartphones and reload system software and load a STIG-compliant security policy on the smartphone before issuing it to DoD personnel and placing the device on a DoD network. When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual). Check Procedures: Interview the IAO. Verify required procedures are followed. Mark as a finding if required procedures were not followed.

Check Text ( C-31126r2_chk )

Detailed Policy Requirements:
The smartphone system administrator must perform a Wipe command on all new or reissued smartphones and reload system software and load a STIG-compliant security policy on the smartphone before issuing it to DoD personnel and placing the device on a DoD network.

When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual).

Check Procedures:
Interview the IAO. Verify required procedures are followed. Mark as a finding if required procedures were not followed.

Fix Text (F-27597r1_fix)
Smartphone system administrator must perform a “Wipe” command on all new or reissued smartphones.