{
"stig": {
"date": "2014-03-18",
"description": "This STIG contains the technical security controls for the operation of Bluetooth/Zigbee devices in the DoD environment.",
"findings": {
"V-18619": {
"checkid": "C-22301r1_chk",
"checktext": "Ask the IAO for documentation verifying Bluetooth peripherals (e.g., headsets) used by personnel at the site conform to the DoD Bluetooth Peripheral Device Security Requirements Specification (i.e., verification from NSA, DISA, or a DoD test agency). The specification is found at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html and http://www.nsa.gov/ia/_files/wireless/BlueToothDoc.pdf.",
"description": "Sensitive unclassified voice and data communications could be intercepted and exposed if required security controls are not used.",
"fixid": "F-34125r1_fix",
"fixtext": "Procure Bluetooth headsets that conform to the DoD Bluetooth Peripheral Device Security Requirements Specification.\n",
"iacontrols": [
"ECCT-1"
],
"id": "V-18619",
"ruleID": "SV-20177r1_rule",
"severity": "medium",
"title": "Bluetooth peripherals must conform to the DoD Bluetooth Peripheral Device Security Requirements Specification.\n",
"version": "WIR0405"
},
"V-30360": {
"checkid": "C-39030r1_chk",
"checktext": "NOTE: this check only applies to sites using Bluetooth or Zigbee radios.\n\nInterview the IAO and verify a written policy or training materials exists stating that Bluetooth (or Zigbee) will be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data-in-transit.\nMark as a finding if policy does not exist or if it does not adequately cover the requirement. \n",
"description": "Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches.",
"fixid": "F-34126r1_fix",
"fixtext": "The IAO will ensure there is a policy or training materials prohibiting use of Bluetooth data transmission without FIPS 140-2 validated cryptographic modules.",
"iacontrols": [
"ECCT-1"
],
"id": "V-30360",
"ruleID": "SV-40017r1_rule",
"severity": "low",
"title": "The site must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data-in-transit.",
"version": "WIR0401"
},
"V-3499": {
"checkid": "C-39029r4_chk",
"checktext": "NOTE: This check also applies to Bluetooth voice and wireless USB (WUSB) devices. This check does not apply to Zigbee telemetry sensor data or other Zigbee data where the IAO has determined the data is not sensitive. \n\n- If the site uses Bluetooth (or Zigbee) for data or voice communications, check a sample (3-4) of Bluetooth (or Zigbee) enabled devices and note their make and model. Examine the associated product documentation to determine if the device employs FIPS 140-2 validated cryptographic modules for data-in-transit, to include digital voice communications. This should be accomplished by reviewing the relevant FIPS certificate in the product documentation or the NIST web site.\n\nMark as a finding if any Bluetooth (or Zigbee) device does have a FIPS 140-2 validated cryptographic module supporting encryption of data in transit.\n\nNote: This requirement only applies to mobile devices that are expected to leave a DoD facility. It does not apply to voice headsets for fixed location assets such as IP-based desk telephones. No encryption or identification requirements are required for this use.",
"description": "FIPS validation provides assurance that the cryptographic modules are implemented correctly and resistant to compromise. Failure to use FIPS 140-2 validated cryptographic modules makes it more likely that sensitive DoD data will be exposed to unauthorized people.",
"fixid": "F-3430r1_fix",
"fixtext": "Disable Bluetooth or procure Bluetooth devices that employ FIPS 140-2 validated cryptographic modules for data-in-transit.",
"iacontrols": [
"ECCT-1"
],
"id": "V-3499",
"ruleID": "SV-3499r2_rule",
"severity": "medium",
"title": "If Bluetooth (or Zigbee) devices transmit unclassified DoD data communications, then they must use FIPS 140-2 validated cryptographic modules for data in transit, including digital voice communications.",
"version": "WIR0400"
},
"V-4634": {
"checkid": "C-11516r1_chk",
"checktext": "NOTE: The check also applies to Wireless USB (WUSB) devices. This check does not apply to wireless email devices (Blackberry, Windows Mobile, etc.). See the appropriate wireless email device checklist for Bluetooth requirements for these devices.\n\nVerify compliance by reviewing the user agreement or security briefing to see if personnel have been properly instructed in the policy that devices with Bluetooth radios cannot be used for or around classified. Mark as a finding if the user agreement or security briefing does not exist or does not adequately cover the requirement.",
"description": "Classified data could be compromised since Bluetooth (and Zigbee) devices do not meet DoD encryption requirements for classified data.",
"fixid": "F-34124r1_fix",
"fixtext": "Ensure the users are trained on need to comply with this requirement and/or site procedures document the policy.",
"iacontrols": [
"ECWN-1"
],
"id": "V-4634",
"ruleID": "SV-4634r1_rule",
"severity": "high",
"title": "Bluetooth (and Zigbee) devices must not be used to send, receive, store, or process classified information.",
"version": "WIR0410"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critial Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critial Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critial Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-18619": "true",
"V-30360": "true",
"V-3499": "true",
"V-4634": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "bluetoothzigbee",
"title": "Bluetooth/Zigbee Security Technical Implementation Guide (STIG)",
"version": "6"
}
}