UCF STIG Viewer Logo

Smartphone Policy Security Technical Implementation Guide

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-24960 High Smartphone devices and systems must not be used to send, receive, store, or process classified messages.
V-24957 High If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
V-24954 High The site physical security policy must state digital cameras (still and video) must not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
V-24965 Medium Smartphone Instant Messaging (IM) client application must connect only to a DoD controlled IM server compliant with the Instant Messaging STIG.
V-24955 Medium A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site smartphones.
V-24966 Low The site wireless policy or wireless remote access policy must include information on required smartphone Wi-Fi security controls.
V-24964 Low Smartphone software updates must only originate from DoD sources.
V-24963 Low Smartphone SA must perform a Wipe command on all new or reissued smartphones and a STIG or ISCG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
V-24961 Low Smartphone users must complete required training.
V-24958 Low Required procedures must be followed for the disposal of smartphones.
V-24953 Low Site physical security policy must include a statement if PDAs and smartphones with digital cameras (still and video) are allowed in the facility.
V-24969 Low Required actions must be followed at the site when a smartphone has been lost or stolen.
V-24968 Low Smartphones must be provisioned DoD PKI digital certificates so users can digitally sign and encrypt e-mail notifications or other email messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on smartphones.
V-25036 Low If wireless remote access is approved for use, the site's SSP must include wireless remote access equipment and locations (site network Wi-Fi, home, hotel, public hotspots, etc.) approved for site personnel.
V-25034 Low Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device.
V-25035 Low The site must have a Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority.
V-24962 Low The site Incident Response Plan or other procedure must include procedures to follow when a smartphone is reported lost or stolen.
V-28317 Low Smartphone users must complete required training annually.