A data spill (Classified Message Incident (CMI)) procedure or policy will be published for site smartphones.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24955	WIR-SPP-003-01	SV-30692r2_rule	VIIR-1 VIIR-2	Medium

Description
When a data spill occurs on a smartphone, classified data must be protected to prevent disclosure.

STIG	Date
Wireless Management Server Policy Security Technical Implementation Guide	2011-01-06

Details

Check Text ( C-31114r2_chk )
Detailed Policy Requirements: In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Smartphones are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For this case, on a smartphone, a data spill will only occur if the classified attached document is viewed or opened by the smartphone user since the smartphone system only downloads an attachment on the smartphone if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures. Check Procedures: Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site smartphone procedures or security policies. This requirement applies at both sites where smartphones are issued and managed and at sites where the smartphone management server is located. ---At the smartphone management server site, verify Incident Handling and Response procedures include actions to sanitize the smartphone management server and email servers (e.g., Exchange, Oracle mail, etc.). ---At smartphone sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. All smartphones (BlackBerrys, Windows Mobile phones, iPhones, iPads, etc.) where classified information has been downloaded on the device must be destroyed.

Check Text ( C-31114r2_chk )

Detailed Policy Requirements:
In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Smartphones are not authorized for processing classified data.

A data spill also occurs if a classified document is attached to an otherwise unclassified email. For this case, on a smartphone, a data spill will only occur if the classified attached document is viewed or opened by the smartphone user since the smartphone system only downloads an attachment on the smartphone if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures:
Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site smartphone procedures or security policies.

This requirement applies at both sites where smartphones are issued and managed and at sites where the smartphone management server is located.

---At the smartphone management server site, verify Incident Handling and Response procedures include actions to sanitize the smartphone management server and email servers (e.g., Exchange, Oracle mail, etc.).

---At smartphone sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. All smartphones (BlackBerrys, Windows Mobile phones, iPhones, iPads, etc.) where classified information has been downloaded on the device must be destroyed.

Fix Text (F-27582r1_fix)
A Classified Message Incident (CMI) procedure or policy must be published for the site.