| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-24960 | High | Smartphone devices and systems must not be used to send, receive, store, or process classified messages. | DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel. |
| V-24957 | High | If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures. | If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
| V-24954 | High | The site physical security policy must state digital cameras (still and video) must not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed. | PDAs and cell phones with embedded cameras can be used to photograph classified material and can be easily concealed. Classified information could be compromised. Photos may also be taken of the... |
| V-24965 | Medium | Smartphone Instant Messaging (IM) client application must connect only to a DoD controlled IM server compliant with the Instant Messaging STIG. | Non-DoD IM servers can be located anywhere in the world and may be under an adversary's control. If a DoD smartphone IM client connects to a non-DoD IM server, malware could be installed on the... |
| V-24955 | Medium | A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site smartphones. | When a data spill occurs on a smartphone, classified or sensitive data must be protected to prevent disclosure. After a data spill, the smartphone must either be wiped using approved procedures,... |
| V-24966 | Low | The site wireless policy or wireless remote access policy must include information on required smartphone Wi-Fi security controls. | If the policy does not include information on Wi-Fi security controls, then it is more likely that the security controls will not be implemented properly. Wi-Fi is vulnerable to a number of... |
| V-24964 | Low | Smartphone software updates must only originate from DoD sources. | Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO.... |
| V-24963 | Low | The smartphone SA must perform a Wipe command on all new or reissued smartphones, and a STIG- or ISCG-compliant IT policy will be pushed to the device before issuing it to DoD personnel. | Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in... |
| V-24961 | Low | Smartphone users must complete required training. | Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack. |
| V-24958 | Low | Required procedures must be followed for the disposal of smartphones. | If appropriate procedures are not followed prior to disposal of a smartphone, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that... |
| V-24953 | Low | Site physical security policy must include a statement on whether PDAs and smartphones with digital cameras (still and video) are allowed in the facility. | Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. |
| V-24969 | Low | Required actions must be followed at the site when a smartphone has been lost or stolen. | If procedures for lost or stolen smartphones are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA. |
| V-24968 | Low | Smartphones must be provisioned with DoD PKI digital certificates so users can digitally sign and encrypt e-mail notifications or other email messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on smartphones. | S/MIME provides the user with the ability to digitally sign and encrypt e-mail messages, to verify the digital signatures on received messages, and to decrypt messages received from others if... |
| V-25036 | Low | If wireless remote access is approved for use, the site's SSP must include wireless remote access equipment and locations (site network Wi-Fi, home, hotel, public hotspots, etc.) approved for site personnel. | Wireless clients, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the... |
| V-25034 | Low | Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device. | Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized people. Without adequate training... |
| V-25035 | Low | The site must have a Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority. | Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. |
| V-24962 | Low | The site Incident Response Plan or other procedure must include procedures to follow when a smartphone is reported lost or stolen. | Sensitive DoD data could be stored in memory on a DoD operated smartphone and the data could be compromised if required actions are not followed when a smartphone is lost or stolen. Without... |
| V-28317 | Low | Smartphone users must complete required training annually. | Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack. |