
CSfC Campus WLAN Policy Security Implementation Guide

Version 1 Release 2
2014-04-25
U_Network_CSfC_WLAN_Policy_V1R2_Manual-xccdf.xml
This STIG contains the policy, training, and operating procedure security controls for the use of classified campus WLAN systems based on the Commercial Solutions for Classified (CSfC) Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Vulnerabilities (14)

All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.

Finding ID
WIR0005
Rule ID
SV-8778r6_rule
Severity
Cat I
CCE
(None)
Group Title
Wireless/mobile systems authorized prior to use
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system, including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.

Fix Text

Obtain DAA approval (documented by memo or SSP) prior to wireless systems being installed and used. For CMD systems without a STIG, obtain an IATT prior to wireless systems being installed and used.

Check Content

Detailed Policy Requirements:

For CMDs deployed under an Interim Security Configuration Guide (ISCG) or the DoD CIO’s 6 April 2011 memorandum, Use of Commercial Mobile Devices (CMD) in the Department of Defense (DoD), the approval authority is the Component CIO. The site must have an Interim Authority To Test (IATT) issued by the Component CIO. For all other wireless devices and systems the Designated Approval Authority (DAA) must approve the wireless device or system.

Detailed Check Procedures:

Work with the site POC to verify documentation. Performed with WIR0016 (equipment list).

For CMD systems without a STIG, verify the site has an approved IATT. Mark as a finding if a valid IATT is not available or is not signed by the Component CIO.

For all other wireless devices or systems, complete the following:
1. Request copies of written DAA approval documentation. Any of the following documents meets this requirement as proof of compliance:
- The DIACAP IA Implementation Plan must show the wireless system as part of the network diagram or list the system/equipment as being part of the network.
- DAA approval letter or other document. The document must list the system or equipment and date its use is approved. The DAA approval letter or SSP may be a general statement of approval rather than list each device.
2. Verify DAA approval for type of device used, such as wireless connection services, peripherals, and applications.

Mark as a finding for any of the following reasons:
- Wireless systems, devices, services, or accessories are in use but DAA approval letter(s) do not exist.
- If, in the judgment of the reviewer, configuration differs significantly from that approved by the DAA approval letter.

Note: The DAA approval for the wireless system does not need to be documented separately from other DAA approval documents for the site network, as long as the approval documents list the wireless system. For example, if a site network ATO lists the wireless system, the ATO meets the requirements of this check.

For Secure Mobile Environment Portable Electronic Device (SME PED), the following applies:
- An ATO or an IATO has been signed by the DAA prior to the connection of the unclassified Sensa server to the NIPRNet.
- Classified Connection Approval Office (CCAO) approval has been obtained prior to the connection of the classified Sensa server to the SIPRNet.

Note: The intent of this check is to ensure the DAA has approved the use of the wireless system being reviewed at the site. This approval can be documented in several ways. The most common is that the SSP for the site includes the wireless system and the DAA has signed the SSP. If the command uses an enterprise-wide SSP including the wireless system being reviewed and the SSP applies to the site being reviewed, then the requirement has been met.

Responsibility

Information Assurance Officer

IA Controls

ECWN-1

The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information.

Finding ID
WIR0015
Rule ID
SV-8779r6_rule
Severity
Cat III
CCE
(None)
Group Title
Site list of approved CMDs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data since these devices can be easily lost or stolen leading to possible exposure of DoD data.

Fix Text

Maintain a list of all DAA-approved WLAN devices. The list must be updated periodically and will contain the data elements required by the STIG policy.

Check Content

Detailed Policy Requirements:

This check applies to any wireless end user device (smartphone, tablet, Wi-Fi network interface card, etc.) and wireless network devices (access point, authentication server, etc.). The list of approved wireless devices will be stored in a secure location and will include the following at a minimum:
- Access point Media Access Control (MAC) address (WLAN only),
- Access point IP address (WLAN only),
- Wireless client MAC address,
- Network DHCP range (WLAN & WWAN only),
- Type of encryption enabled,
- Access point SSID (WLAN only),
- Manufacturer, model number, and serial number of wireless equipment,
- Equipment location, and
- Assigned users with telephone numbers.

For CMDs:
- Manufacturer, model number, and serial number of wireless equipment.
- Equipment location or who the device was issued to.
- Assigned users with telephone numbers and email addresses.

For SME PED: Local commands will keep track of devices by assigning a control number or using the serial number for accountability purposes.

Check Procedures:

Work with the site POC:
1. Request copies of the site’s wireless equipment list. A detailed SSAA/SSP or database may be used.
2. Verify all minimum data elements listed above are included in the equipment list.
3. Verify all wireless devices used at the site, including infrared mice/keyboards, are included.
4. Verify procedures are in place for ensuring the list is kept updated.
5. Note the date of last update and if the list has many inaccuracies.

Mark as a finding if the equipment list does not exist, all data elements are not tracked, or the list is outdated.

This check applies to:
- Wireless networking devices, such as access points, bridges, and switches.
- WLAN client devices, such as laptop computers and PDAs if used with WLAN NICs.
- Wireless peripherals, such as Bluetooth and Infrared mice and keyboards; communications devices, such as VoIP, cellular/satellite telephones, and Broadband NICs; and non-wireless CMDs that store, process, or transmit DoD information.

Responsibility

System Administrator

IA Controls

DCHW-1

Wireless devices connecting directly or indirectly to the network must be included in the site security plan.

Finding ID
WIR0020
Rule ID
SV-8792r5_rule
Severity
Cat III
CCE
(None)
Group Title
Site security plan includes wireless system/equipment
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.

Fix Text

Ensure devices connecting directly or indirectly (data synchronization) to the network are added to the site security plan. (For example, it may say wireless devices of various models are permitted but only when configured in accordance with the Wireless STIG or other such specified restriction.)

Check Content

Review the site security plan.
1. Wireless network devices, such as access points, laptops, CMDs, and wireless peripherals (keyboards, pointers, etc.) using a wireless network protocol, such as Bluetooth, 802.11, or proprietary protocols, must be documented in the site security plan.
2. A general statement in the site security plan permitting the various types of wireless network devices used by the site is acceptable rather than a by-model listing, for example, “wireless devices of various models are permitted as long as they are configured in accordance with the Wireless STIG”.

Mark as a finding if a DAA-approved site security plan does not exist or if it has not been updated.

Responsibility

Information Assurance Officer

IA Controls

EBCR-1

Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO).

Finding ID
WIR0035
Rule ID
SV-12625r5_rule
Severity
Cat I
CCE
(None)
Group Title
Wireless devices in SCIFs are DCID/ICD compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.

Fix Text

Ensure users are trained on the need to comply with this requirement and/or site procedures document the policy. Alternately, this requirement can be included in the site User Agreement.

Check Content

For SME PED: This requirement is not applicable.

Work with the traditional reviewer or interview the IAO or SM. Determine if the site SCIF CSA has approved wireless CMDs in the site SCIFs. Determine if the DAA and site SSO have approved wireless CMDs in site SCIFs. Ask for approval documentation, if approval has been granted. All three entities must grant approval (SCIF CSA, DAA, and SSO).

If wireless CMDs in site SCIFs have not been approved, determine if procedures are in place to prevent users from bringing CMDs into SCIFs and if users are trained on this requirement. Posted signs are considered evidence of compliance.

If wireless devices have been approved for use in SCIFs:
- Determine if the site has written procedures that describe what type of CMDs and under what type of conditions (i.e., turned off, SCIF mode enabled, etc.) approval is granted.
- Users must receive proper training on the handling of wireless devices in SCIFs.

Mark this as a finding if:
- Wireless devices are allowed in site SCIFs without required approvals.
- Required procedures are not in place.
- Required user training has not been documented.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, ECWN-1

All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.

Finding ID
WIR0030
Rule ID
SV-14593r5_rule
Severity
Cat III
CCE
(None)
Group Title
Sign User Agreement
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.

Fix Text

Implement User Agreement with required content. Have all users sign a User Agreement.

Check Content

Additional Policy Requirements:

The user agreements must include DAA authorized tasks for the mobile device and relevant security requirements, including, but not limited to, the following:

1. DoD CIO Memorandum, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement,” 9 May 2008 directs the following content will be included in a site User Agreement:

STANDARD MANDATORY NOTICE AND CONSENT PROVISION FOR ALL DOD INFORMATION SYSTEM USER AGREEMENTS

By signing this document, you acknowledge and consent that when you access Department of Defense (DoD) information systems:
- You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only.
- You consent to the following conditions:
  o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personal misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  o At any time, the U.S. Government may inspect and seize data stored on this information system.
  o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose.
  o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests--not for your personal benefit or privacy.
  o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below:
    - Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality.
    - The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personal misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies.
    - Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality.
    - Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy.
    - A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality.
    - These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected.
  o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching, (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information.
  o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement.

2. For SME PED, see the SME PED User Agreement template included with the SME PED STIG for specific requirements.

3. DoD sites are required to add the following to all site User Agreements:
- The agreement should contain the type of access required by the user (privileged, end-user, etc.).
- The agreement should contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the wireless remote access device.
- Incident handling and reporting procedures will be identified along with a designated point of contact.
- The remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act.
- The policy should contain general security requirements and practices, which are acknowledged and signed by the remote user.
- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy in regard to facility clearances, protection, storage, distributing, etc.
- Government owned hardware and software is used for official duties only. The employee is the only individual authorized to use this equipment.
- User agrees to complete required wireless device training annually.

4. For approved smartphone and tablet devices add to all User Agreements:
- Only approved Bluetooth headsets/handsfree devices will be used.

Check Procedures:
1. Inspect a copy of the site’s user agreement.
2. Verify the user agreement has the minimum elements described in the STIG policy.
3. Select 10 names of assigned site personnel and verify they have a signed user agreement on file for assigned wireless equipment (e.g., wireless laptop, smartphone, tablet, etc.).

Mark as a finding if site user agreements do not exist or are not compliant with the minimum requirements.

For SME PED:
- Verify the Terminal Administrator (TA) has users reaffirm their User Agreement at least once every 12 months. Review the dates that site User Agreements were signed.

Responsibility

Information Assurance Officer

IA Controls

ECWN-1, PRTN-1

A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.

Finding ID
WIR-SPP-003-01
Rule ID
SV-30692r4_rule
Severity
Cat II
CCE
(None)
Group Title
Publish data spill procedures for CMDs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.

Fix Text

Publish a Classified Message Incident (CMI) procedure or policy for the site.

Check Content

Detailed Policy Requirements:

This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user since the CMD system only downloads an attachment on the CMD if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures:

Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies.

This requirement applies at both sites where CMDs are issued and managed and at sites where the CMD management server is located.
- At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).
- At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.

The following actions will be followed for all CMDs involved in a data spill:
- BlackBerry CMDs: follow procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
- Windows Mobile, Android, and iOS CMDs: the CMD will be destroyed.

Mark as a finding if Incident Handling and Response procedures do not include required information.

Responsibility

Information Assurance Officer

IA Controls

VIIR-1, VIIR-2

If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.

Finding ID
WIR-SPP-003-02
Rule ID
SV-30694r3_rule
Severity
Cat I
CCE
(None)
Group Title
Site must follow required data spill procedures
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.

Fix Text

Follow required procedures after a data spill occurs.

Check Content

Detailed Policy Requirements:

This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

If a data spill occurs on a CMD, the following actions must be completed:
- The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures:

Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.

Responsibility

System Administrator

IA Controls

VIIR-1, VIIR-2

Required procedures must be followed for the disposal of CMDs.

Finding ID
WIR-SPP-004
Rule ID
SV-30695r4_rule
Severity
Cat III
CCE
(None)
Group Title
Follow procedures for disposal of CMDs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.

Fix Text

Follow required procedures prior to disposing of a CMD or transitioning it to another user.

Check Content

This requirement applies to mobile operating system (OS) CMDs. Prior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the STIG Technology Overview document of the STIG for the CMD of interest. For example, look in the BlackBerry Overview document in the BlackBerry STIG for the disposal procedures for a BlackBerry smartphone.

Interview the IAO. Verify proper procedures are being followed and the procedures are documented. Check to see how retired, discarded, or transitioned CMDs were disposed of during the previous 6 – 12 months and verify compliance with requirements. Mark as a finding if procedures are not documented or, if documented, they were not followed.

Responsibility

System Administrator

IA Controls

ECSC-1, PECS-1

The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.

Finding ID
WIR-SPP-007-01
Rule ID
SV-30699r4_rule
Severity
Cat III
CCE
(None)
Group Title
Publish lost/stolen CMD procedures
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based CMD devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.

Fix Text

Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.

Check Content

Detailed Policy Requirements:

The site (location where CMDs are issued and managed and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):
- Mobile device user notifies IAO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The IAO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.
- The site will contact the carrier to have the device deactivated on the carrier’s network.

Check Procedures:

Interview the IAO. Review the site’s Incident Response Plan or other policies and determine if the site has a written plan of action. Mark as a finding if the site does not have a written plan of action following a lost or stolen CMD.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, VIIR-1, VIIR-2

Required actions must be followed at the site when a CMD has been lost or stolen.

Finding ID
WIR-SPP-007-02
Rule ID
SV-30706r4_rule
Severity
Cat III
CCE
(None)
Group Title
Follow lost/stolen CMD procedures
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.

Fix Text

Follow required actions when a CMD is reported lost or stolen.

Check Content

Interview the IAO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed.

Responsibility

System Administrator

IA Controls

ECSC-1

The site must successfully complete a security assessment of the CSfC based campus WLAN system to confirm compliance with the CSfC Campus WLAN Capability Package prior to IOC and yearly thereafter.

Finding ID
WIR-CWLAN-01
Rule ID
SV-48087r1_rule
Severity
Cat I
CCE
(None)
Group Title
Security assessment of campus WLAN system
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Classified data could be exposed if the campus WLAN system is operated out of compliance with the Commercial Solutions for Classified (CSfC) Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package and any NSA approved deviations to the capability package. The NSA Commercial Solutions for Classified (CSfC) registration process requires CSfC-listed equipment be used in the campus WLAN system. The site should perform a security assessment prior to operating the system to confirm it is compliant, and periodically thereafter to verify the system is still in compliance with the most recent version of the capability package.

Fix Text

Conduct security assessments of the campus WLAN system before IOC and yearly thereafter and immediately close any open findings or shut down the system.

Check Content

The security assessment must validate that the site’s CSfC based campus WLAN system is compliant with all technical and non-technical requirements listed in the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package. The assessment should be successfully completed (no findings) before the system’s Initial Operating Capability (IOC) is achieved and yearly thereafter. It is recommended that the assessment be completed by an organization that is separate from the organization that is setting up and managing the campus WLAN system.
- Review the registration agreement between the site and NSA to determine if any deviations from the Campus WLAN Capability Package have been approved by NSA.
- Review security assessment reports from assessments completed before IOC or yearly thereafter and interview the site IAM/IAO. Determine the date of the last assessment and if there are any open findings from the report.
- If security assessments were not completed prior to IOC or yearly thereafter, or if assessments were completed but there were open findings listed in the last report, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCAR-1, DCII-1

User training must include required topics.

Finding ID
WIR-CWLAN-03
Rule ID
SV-48093r1_rule
Severity
Cat III
CCE
(None)
Group Title
User training for Campus WLAN system
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Classified data could be exposed if users of client devices that are components of a campus WLAN system based on the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package are not aware of the required operating procedures for safeguarding the client device and the data stored on the device.

Fix Text

Have users complete required training.

Check Content

Users should be trained on the following topics prior to being issued a client device that is a component of a campus WLAN system based on the Campus WLAN Capability Package, and annually thereafter.
- Client devices will not be connected to the network via wired connections.
- Client devices will be safeguarded as a piece of classified equipment. Required physical security controls, including classified marking labels, will be components of the training.
- Client device configuration will not be modified by the user. Any exceptions that are required to operate the client device will be explained in user training.
Review site training records to verify required user training has been completed prior to users being issued a client device and at least annually. Review records for a sample of users (at least 3-4 records). If required training has not been completed prior to users being issued a client device and at least annually, this is a finding.

Responsibility

System Administrator

IA Controls

PRTN-1

If Commercial Mobile Devices (CMD) (smartphones or tablets) are used as clients in the campus WLAN system, DoD CIO Memorandum, Use of Commercial Mobile Device (CMD) in the Department of Defense (DoD) must be followed.

Finding ID
WIR-CWLAN-04
Rule ID
SV-48095r1_rule
Severity
Cat II
CCE
(None)
Group Title
Follow DoD CMD policy for campus WLAN clients
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

DoD CIO Memorandum, “Use of Commercial Mobile Device (CMD) in the Department of Defense (DoD)”, 6 Apr 2011, requires specific security controls be implemented in the DoD because these technologies “adds a new element of risk to DoD information”. Classified DoD networks and/or data could be exposed if required controls are not implemented for CMDs that operate as components of a campus WLAN system that is based on the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package.

Fix Text

Implement key requirements of the DoD CIO Memorandum, “Use of Commercial Mobile Device (CMD) in the Department of Defense (DoD)”.

Check Content

Interview the IAM and/or the IAO. Determine if CMDs are used as components of the campus WLAN system that is based on the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package. If yes, verify the following key requirements in the DoD CIO memo have been implemented:
- The CMDs are managed and controlled by an enterprise management system (Mobile Device Management (MDM) server).
- Software and applications must be installed from an approved source (e.g., DoD application store).
If CMDs are used as components of the campus WLAN system that is based on the Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package and requirements of the DoD CIO memo are not implemented, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECWN-1

A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO).

Finding ID
WIR-CWLAN-05
Rule ID
SV-48096r1_rule
Severity
Cat I
CCE
(None)
Group Title
SWLAN CCAO Approval
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.

Fix Text

Disable or remove the non-compliant SWLAN until the site has all required approvals for operation.

Check Content

Review documentation. Verify that the SWLAN system CCAO approval documentation exists and has been approved, and that the system has a SIPRNet Interim Approval to Operate (IATO) or Approval to Operate (ATO) in the GIAP database. If CCAO approval documentation is not available, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECWN-1