UCF STIG Viewer Logo

A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site smartphones and tablets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-24955 WIR-SPP-003-01 SV-30692r2_rule VIIR-1 VIIR-2 Medium
Description
When a data spill occurs on a smartphone/tablet, classified or sensitive data must be protected to prevent disclosure. After a data spill, the smartphone/tablet must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.
STIG Date
Smartphone Policy Security Technical Implementation Guide 2012-10-09

Details

Check Text ( C-31114r2_chk )
Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets.

This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. Smartphones are not authorized for processing classified data.

A data spill also occurs if a classified document is attached to an otherwise unclassified email. For this case, on a smartphone, a data spill will only occur if the classified attached document is viewed or opened by the smartphone user since the smartphone system only downloads an attachment on the smartphone if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures:
Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site smartphone procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site smartphone procedures or security policies.

This requirement applies at both sites where smartphones are issued and managed and at sites where the smartphone management server is located.

---At the smartphone management server site, verify Incident Handling and Response procedures include actions to sanitize the smartphone management server and email servers (e.g., Exchange, Oracle mail).

---At smartphone sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. The following actions will be followed for all smartphones involved in a data spill:

-BlackBerry smartphones: follow procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.

-Windows Mobile, Android, and iOS smartphones: the smartphone will be destroyed.

Mark as a finding if Incident Handling and Response procedures do not include required information.
Fix Text (F-27582r1_fix)
A Classified Message Incident (CMI) procedure or policy must be published for the site.