
Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)

Version 2 Release 5
2016-10-28
U_CMD_Policy_STIG_V2R5_Manual-xccdf.xml
This STIG contains the policy, training, and operating procedure security controls for the use of CMDs in the DoD environment. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (12)

Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.

Finding ID
WIR-SPP-001
Rule ID
SV-30690r4_rule
Severity
Cat III
CCE
(None)
Group Title
Site CMD camera policy
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat.

Fix Text

Update the security documentation to include a statement outlining whether CMDs with digital cameras (still and video) are allowed in the facility.

Check Content

This requirement applies to mobile operating system (OS) CMDs. Work with the traditional reviewer to review the site’s physical security policy. Verify the site addresses CMDs with embedded cameras. If there is no written physical security policy outlining whether CMDs with cameras are permitted or prohibited on or in this DoD facility, this is a finding.

Responsibility

Security Manager

IA Controls

ECWN-1

A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.

Finding ID
WIR-SPP-003-01
Rule ID
SV-30692r6_rule
Severity
Cat II
CCE
(None)
Group Title
Publish data spill procedures for CMDs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.

Fix Text

Publish a Classified Message Incident (CMI) procedure or policy for the site.

Check Content

Detailed Policy Requirements:

This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user, since the CMD system only downloads an attachment to the CMD if the user views or opens the attachment.

The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures:

Interview the ISSO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. If classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies, this is a finding.

This requirement applies both at sites where CMDs are issued and managed and at sites where the CMD management server is located.
- At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).
- At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.

The following actions will be followed for all CMDs involved in a data spill:

If Incident Handling and Response procedures do not include required information, this is a finding.

Responsibility

Other

If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.

Finding ID
WIR-SPP-003-02
Rule ID
SV-30694r5_rule
Severity
Cat I
CCE
(None)
Group Title
Site must follow required data spill procedures
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.

Fix Text

Follow required procedures after a data spill occurs.

Check Content

Detailed Policy Requirements:

This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

If a data spill occurs on a CMD, the following actions must be completed:
- The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures:

Interview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.

Responsibility

System Administrator

Required procedures must be followed for the disposal of CMDs.

Finding ID
WIR-SPP-004
Rule ID
SV-30695r6_rule
Severity
Cat III
CCE
(None)
Group Title
Follow procedures for disposal of CMDs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.

Fix Text

Follow required procedures prior to disposing of a CMD or transitioning it to another user.

Check Content

This requirement applies to mobile operating system (OS) CMDs. Prior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the mobile operating system STIG Supplemental document. Interview the ISSO. Verify proper procedures are being followed and the procedures are documented. Check to see how retired, discarded, or transitioned CMDs were disposed of during the previous 6 – 12 months and verify compliance with requirements. If procedures are not documented or if documented, they were not followed, this is a finding.

Responsibility

System Administrator

Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.

Finding ID
WIR-SPP-005
Rule ID
SV-30697r5_rule
Severity
Cat I
CCE
(None)
Group Title
Classified data on CMDs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel.

Fix Text

Publish written policy or training material stating if and when CMDs can be used to process, send, or receive classified information.

Check Content

Interview the ISSO. Verify written policy and training material exists (or the requirement is listed on a signed user agreement) stating if and when CMDs can be used to transmit classified information. If written policy or training material stating if and when CMDs can be used to receive, transmit, or process classified information does not exist, this is a finding.

Responsibility

System Administrator

Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.

Finding ID
WIR-SPP-006-01
Rule ID
SV-30698r6_rule
Severity
Cat III
CCE
(None)
Group Title
Mobile device users receive training on required content
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack.

Fix Text

Have all mobile device users complete training on required content.

Check Content

Detailed Policy Requirements:

This requirement applies to mobile operating system (OS) CMDs. All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device. Training is divided into two groups: Group A (general topics) and Group B (device specific topics). DISA’s Smartphones and Tablets security course satisfies the requirement for Group A training topics. The course is located at: http://iase.disa.mil/eta/smartphone_tablet_v1/launchpage.htm.

a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the AO and the owner signs a forfeiture agreement in case of a security incident.
b. Procedures for wireless device usage in and around classified processing areas.
c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
d. Procedures for a data spill.
e. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD-approved sources.
f. When CMD Wi-Fi Service is used, the following training will be completed:
   - Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.
   - Approved connection options (i.e., enterprise, home, etc.).
   - Requirements for home Wi-Fi connections.
   - The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.
   - The Wi-Fi radio must never be enabled while the CMD is connected via a cable to a PC.
g. Do not discuss FOUO or classified information on non-secure cellular phones, cordless phones, and two-way radios used for voice communications (non-secure meaning devices whose cryptographic modules protecting data in transit are not FIPS 140-2 certified or NSA Type-1 certified for voice).
h. Do not connect PDAs, smartphones, and tablets to any workstation that stores, processes, or transmits classified data.
i. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command’s Mobile Device Personal Use Policy.
j. The use of the mobile OS device to view and/or download personal email will be based on the Command’s Mobile Device Personal Use Policy.
k. The download of user owned data (music files, picture files, etc.) on the mobile device will be based on the Command’s Mobile Device Personal Use Policy.
l. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. This does not apply to radios supporting voice and data communication over a wireless carrier’s cellular network, in which case continuous connectivity is permissible.
m. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the AO for location based services.
n. Connecting PDAs, smartphones, and tablets to any DoD workstation via a USB connection is prohibited.

Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site CMD training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user.
- Verify site training records show that CMD users received required training and that training occurred before the user was issued a CMD. Check training records for approximately five users, picked at random.

If training material does not contain required content, this is a finding.

Responsibility

System Administrator

The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.

Finding ID
WIR-SPP-007-01
Rule ID
SV-30699r6_rule
Severity
Cat III
CCE
(None)
Group Title
Publish lost/stolen CMD procedures
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based CMD devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.

Fix Text

Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.

Check Content

Detailed Policy Requirements:

The site (the location where CMDs are issued and managed and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):
- The mobile device user notifies the ISSO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The ISSO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.
- The site will contact the carrier to have the device deactivated on the carrier’s network.

Check Procedures:

Interview the ISSO. Review the site’s Incident Response Plan or other policies to determine if the site has a written plan of action. If the site does not have a written plan of action following a lost or stolen CMD, this is a finding.

Responsibility

System Administrator

The mobile device system administrator must perform a wipe command on all new or reissued CMDs and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.

Finding ID
WIR-SPP-008-01
Rule ID
SV-30700r5_rule
Severity
Cat III
CCE
(None)
Group Title
CMD provisioning-01
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.

Fix Text

Perform a wipe command on all new or reissued mobile devices.

Check Content

Detailed Policy Requirements:

The CMD system administrator must perform a wipe command on all new or reissued CMDs, reload system software, and load a STIG-compliant security policy on the CMD before issuing it to DoD personnel and placing the device on a DoD network. The intent is to return the device to the factory state before the DoD software baseline is installed. When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., the activation password is encrypted and emailed to an individual).

Check Procedures:

Interview the ISSO. Verify required procedures are followed. If required procedures were not followed, this is a finding.

Responsibility

System Administrator

Mobile device software updates must only originate from approved DoD sources.

Finding ID
WIR-SPP-008-02
Rule ID
SV-30701r4_rule
Severity
Cat III
CCE
(None)
Group Title
CMD provisioning-02
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the CMD and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the CMD management server, when this feature is available.

Fix Text

Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

Check Content

Detailed Policy Requirements:

Software updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management.

Check Procedures:

Interview the ISSO and CMD management server system administrator.
- Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements.
- Determine what procedures are used at the site for installing software updates on site-managed CMDs.

If the site does not have procedures in place so that users download software updates only from a DoD source or DoD-approved source, this is a finding.

Responsibility

System Administrator

IA Controls

ECWN-1

Required actions must be followed at the site when a CMD has been lost or stolen.

Finding ID
WIR-SPP-007-02
Rule ID
SV-30706r5_rule
Severity
Cat III
CCE
(None)
Group Title
Follow lost/stolen CMD procedures
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.

Fix Text

Follow required actions when a CMD is reported lost or stolen.

Check Content

Interview the ISSO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed, this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Mobile users must complete required training annually.

Finding ID
WIR-SPP-006-02
Rule ID
SV-36045r5_rule
Severity
Cat III
CCE
(None)
Group Title
Annual training required
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.

Fix Text

Complete required training annually for all CMD users.

Check Content

This requirement applies to mobile operating system (OS) CMDs. All CMD users must receive required training annually. If training records do not show users receiving required training at least annually, this is a finding.

Responsibility

System Administrator

IA Controls

PETN-1

A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.

Finding ID
WIR-SPP-021
Rule ID
SV-43023r4_rule
Severity
Cat I
CCE
(None)
Group Title
Mobile application security review
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Non-approved applications can contain malware. Approved applications should be reviewed and tested by the AO to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).

Fix Text

Have AO or Command IT CCB use the required procedures to review mobile applications prior to approving them.

Check Content

Detailed Requirements:

Core applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the AO or AO-approved approval authority prior to a mobile OS application being approved for use.
- The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications.
- The review process must also ensure approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.

Check Procedures:

Ask the site for documentation showing what security risk analysis procedures are used by the AO prior to approving non-core applications for use. Determine if the procedures include an evaluation of the following:
- What OS level permissions are required by the application?
- The application does not contain malware.
- The application does not share data stored on the CMDs with non-DoD servers.
- If the application stores sensitive data, the application data storage container uses a FIPS 140-2 validated cryptographic module.

If a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.
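The permission and data-sharing evaluation above is usually started by reading the application's manifest. The following is an added example, not part of the STIG or any DISA tooling: it parses a constructed AndroidManifest.xml sample (the package name, the HIGH_RISK permission list, and the review_manifest/requested_permissions function names are all assumptions for illustration) and lists the OS-level permissions the app requests, flags the ones a reviewer would want justified, and, going slightly beyond the check text, also flags components exported to other apps, which is one concrete way an app shares data with other applications.

```python
"""Added example (not DISA code): enumerate OS-level permissions and exported
components from an Android manifest as input to a WIR-SPP-021 style review.
The manifest below is constructed for illustration and is not a real app."""
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes (android:name etc.).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed review list: permissions the reviewer must see justified.
# Illustrative only; not a DISA-published list.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}

# Constructed sample manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="false"/>
    <provider android:name=".NotesProvider" android:exported="true"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Return the sorted list of permissions declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = [_attr(p, "name") for p in root.iter("uses-permission")]
    return sorted(n for n in names if n)


def review_manifest(manifest_xml):
    """Produce review findings: high-risk permissions, debug/backup flags,
    and components exported to other applications."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    findings = []

    for perm in perms:
        if perm in HIGH_RISK:
            findings.append("requests high-risk permission %s" % perm)

    app = root.find("application")
    if app is not None:
        if _attr(app, "debuggable") == "true":
            findings.append("application is debuggable")
        if _attr(app, "allowBackup") == "true":
            findings.append("application allows backup of its data")
        # Exported components are reachable by other apps on the device,
        # i.e. a data-sharing path the reviewer must evaluate.
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.iter(tag):
                if _attr(comp, "exported") == "true":
                    findings.append("%s %s is exported to other apps"
                                    % (tag, _attr(comp, "name")))

    return {"package": root.get("package"),
            "permissions": perms,
            "findings": findings}


if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    for perm in result["permissions"]:
        print("  permission:", perm)
    for finding in result["findings"]:
        print("  finding:", finding)
```

The output is a starting point for the reviewer's written risk analysis, not a substitute for it: the check also requires evidence that the app is free of malware, does not send device data to non-DoD servers, and protects stored sensitive data with a FIPS 140-2 validated module, none of which a manifest alone can establish.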

Responsibility

System Administrator