acceptedGeneral Wireless Policy Security Technical Implementation GuideThis STIG provides policy, training, and operating procedure security controls for the use of wireless devices and systems in the DoD environment. This STIG applies to any wireless device (such as WLAN Access Points and clients, Bluetooth devices, smartphones and cell phones, wireless keyboards and mice, and wireless remote access devices) used to store, process, transmit or receive DoD information.DISA, Field Security OperationsSTIG.DOD.MILRelease: 9 Benchmark Date: 26 Oct 20121I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>Wireless systems authorized prior to use<GroupDescription></GroupDescription>WIR0005All wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
<VulnDiscussion>Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Manager</Responsibility><Responsibility>Designated Approving Authority</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Obtain DAA approval (documented by memo or SSP) prior to wireless systems being installed and used. For smartphone/tablet systems without a STIG, obtain an IATT prior to wireless systems being installed and used.Detailed Policy Requirements: For mobile smartphones and tablets deployed under an Interim Security Configuration Guide (ISCG) or the DoD CIO’s 6 April 2011 memorandum, Use of Commercial Mobile Devices (CMD) in the Department of Defense (DoD), the approval authority is the Component CIO. The site must have an Interim Authority To Test (IATT) issued by the Component CIO.
For all other wireless devices and systems the Designated Approval Authority (DAA) must approve the wireless device or system.
Detailed Check Procedures:
Work with the site POC to verify documentation. Performed with WIR0016 (equipment list).
For smartphone/tablet systems without a STIG, verify the site has an approved IATT. Mark as a finding if a valid IATT is not available or is not signed by the Component CIO.
For all other wireless devices or systems, complete the following:
1. Request copies of written DAA approval documentation. Any of the following documents meets this requirement as proof of compliance:
- The DIACAP System Security Plan (SSP). The SSP must show the wireless system as part of the network diagram or list the system/equipment as being part of the network.
- DAA approval letter or other document. The document must list the system or equipment and date its use is approved.
The DAA approval letter or SSP may be a general statement of approval rather than list each device.
2. Verify DAA approval for type of device used, such as wireless connection services, peripherals, and applications.
Mark as a finding for any of the following reasons:
- Wireless systems, devices, services, or accessories are in use but DAA approval letter(s) do not exist.
- If, in the judgment of the reviewer, configuration differs significantly from that approved by the DAA approval letter.
Note: The DAA approval for the wireless system does not need to be documented separately from other DAA approval documents for the site network, as long as the approval documents list the wireless system. For example, if a site network ATO lists the wireless system, the ATO meets the requirements of this check.
For Secure Mobile Environment Portable Electronic Device (SME PED), the following applies:
- An ATO or an IATO has been signed by the DAA prior to the connection of the unclassified Sensa server to the NIPRNet.
- Classified Connection Approval Office (CCAO) approval has been obtained prior to the connection of the classified Sensa server to the SIPRNet.
Note: The intent of this check is to ensure the DAA has approved the use of the wireless system being reviewed at the site. This approval can be documented in several ways. The most common is the SSP for the site includes the wireless system and the DAA has signed the SSP. If the command uses an enterprise wide SSP including the wireless system being reviewed and the SSP applies to site being reviewed, then the requirement has been met.Site list of approved PEDs<GroupDescription></GroupDescription>WIR0015The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. <VulnDiscussion>The site must maintain a list of all DAA-approved wireless and non-wireless PEDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data since these devices can be easily lost or stolen leading to possible exposure of DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>System Administrator</Responsibility><IAControls>DCHW-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Maintain a list of all DAA-approved WLAN devices. The list must be updated periodically and will contain the data elements required by the STIG policy.Detailed Policy Requirements:
This check applies to any wireless end user device (smartphone, tablet, Wi-Fi network interface card, etc.) and wireless network devices (access point, authentication server, etc.). The list of approved wireless devices will be stored in a secure location and will include the following at a minimum:
- Access point Media Access Control (MAC) address (WLAN only),
- Access point IP address (WLAN only),
- Wireless client MAC address,
- Network DHCP range (WLAN & WWAN only),
- Type of encryption enabled,
- Access point SSID (WLAN only),
- Manufacturer, model number, and serial number of wireless equipment,
- Equipment location, and
- Assigned users with telephone numbers.
For smartphones and PDAs:
- Manufacturer, model number, and serial number of wireless equipment.
- Equipment location or who the device was issued to.
- Assigned users with telephone numbers and email addresses.
For SME PED:
Local commands will keep track of devices by assigning a control number or using the serial number for accountability purposes.
Check Procedures:
Work with the site POC:
1. Request copies of site’s wireless equipment list.
-Detailed SSAA/SSP or database may be used.
2. Verify all minimum data elements listed above are included in the equipment list.
3. Verify all wireless devices used at the site, including infrared mice/keyboards, are included.
4. Verify procedures are in place for ensuring the list is kept updated.
5. Note the date of last update and if the list has many inaccuracies.
Mark as a finding if the equipment list does not exist, all data elements are not tracked, or the list is outdated.
This check applies to:
- Wireless networking devices, such as access points, bridges, and switches.
- WLAN client devices, such as laptop computers and PDAs if used with WLAN NICs.
- Wireless peripherals, such as Bluetooth, and Infrared mice and keyboards, communications devices, such as VoIP, cellular/satellite telephones, and Broadband NICs, and non-wireless PEDs that store, process, or transmit DoD information.
SSP includes wireless system/equipment<GroupDescription></GroupDescription>WIR0020Wireless devices connecting directly or indirectly (i.e., ActiveSync, wireless, etc.) to the network must be included in the site System Security Plan (SSP).<VulnDiscussion>The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>EBCR-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Ensure devices connecting directly or indirectly (data synchronization) to the network are added to the site's SSP.
(For example, it may say wireless devices of various models are permitted but only when configured in accordance with the Wireless STIG or other such specified restriction.) Review the SSP.
1. Wireless network devices, such as access points, laptops, PEDs, and wireless peripherals (keyboards, pointers, etc.) using a wireless network protocol, such as Bluetooth, 802.11, or proprietary protocols must be documented in the SSP.
2. A general statement in the SSP permitting the various types of wireless network devices used by the site is acceptable rather than a by-model listing, for example, “wireless devices of various models are permitted as long as they are configured in accordance with the Wireless STIG”.
Mark as a finding if a DAA-approved SSP does not exist or if it has not been updated.
Wireless devices in SCIFs are DCID/ICD compliant<GroupDescription></GroupDescription>WIR0035Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO).
<VulnDiscussion>Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Ensure users are trained on the need to comply with this requirement and/or site procedures document the policy. Alternately, this requirement can be included in the site User Agreement.For SME PED: This requirement is not applicable.
Work with the traditional reviewer or interview the IAO or SM.
Determine if the site SCIF CSA has approved wireless PEDs in the site SCIFs. Determine if the DAA and site SSO have approved wireless PEDs in site SCIFs. Ask for approval documentation, if approval has been granted. All three entities must grant approval (SCIF CSA, DAA, and SSO).
If wireless PEDs in site SCIFs have not been approved, determine if procedures are in place to prevent users from bringing PEDs into SCIFs and if users are trained on this requirement. Posted signs are considered evidence of compliance.
If wireless devices have been approved for use in SCIFs:
- Determine if site has written procedures that describe what type of PEDs and under what type of conditions (i.e., turned off, SCIF mode enabled, etc.) approval is granted.
- Users must receive proper training on the handling of wireless devices in SCIFs.
Mark this as a finding if:
- Wireless devices are allowed in site SCIFs without required approvals.
- Required procedures are not in place.
- Required user training has not been documented.
CTTA coordination for classified wireless<GroupDescription></GroupDescription>WIR0040Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. <VulnDiscussion>The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113- CTTA must designate a separation distance in writing.
- DAA must coordinate with the CTTA.
- Train users or get a signed user agreement on procedures for wireless device usage in and around classified processing areas.
Detailed Policy Requirements:
Note: This requirement does not apply to the SME PED.
Note: This requirement does not apply to the SWLAN SecNet 11/54 equipment.
The IAO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless:
- Approved by the DAA in consultation with the Certified TEMPEST Technical Authority (CTTA).
- The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented.
Check Procedures:
Review documentation. Work with the traditional security reviewer to verify the following:
1. If classified information is not processed at this site, mark as not a finding.
2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area.
3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed.
4. Verify proper procedures for wireless device use in classified areas is addressed in training program.
Mark as a finding if any of the following are found:
- CTTA has not designated a separation distance in writing.
- DAA has not coordinated with the CTTA.
- Users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas.Sign User Agreement<GroupDescription></GroupDescription>WIR0030All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. <VulnDiscussion>Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains.
User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>Information Assurance Manager</Responsibility><IAControls>ECWN-1, PRTN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Implement User Agreement with required content. Have all users sign a User Agreement.Additional Policy Requirements:
The user agreements must include DAA authorized tasks for the mobile device and relevant security requirements, including, but not limited to, the following:
1. DoD CIO Memorandum, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement,” 9 May 2008 directs the following content will be included in a site User Agreement:
STANDARD MANDATORY NOTICE AND CONSENT PROVISION FOR ALL DOD INFORMATION SYSTEM USER AGREEMENTS
By signing this document, you acknowledge and consent that when you access
Department of Defense (DoD) information systems:
- You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only.
- You consent to the following conditions:
o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personal misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
o At any time, the U.S. Government may inspect and seize data stored on this information system.
o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose.
o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests--not for your personal benefit or privacy.
o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below:
- Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality.
- The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personal misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies.
- Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality.
- Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy.
- A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality.
- These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected.
o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching, (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information.
o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement.
2. For SME PED, see the SME PED User Agreement template included with the SME PED STIG for specific requirements.
3. DoD sites are required to add the following to all site User Agreements:
- The agreement should contain the type of access required by the user (privileged, end-user, etc.).
- The agreement should contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the wireless remote access device.
- Incident handling and reporting procedures will be identified along with a designated point of contact.
- The remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act.
- The policy should contain general security requirements and practices, which are acknowledged and signed by the remote user.
- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy in regard to facility clearances, protection, storage, distributing, etc.
- Government owned hardware and software is used for official duties only. The employee is the only individual authorized to use this equipment.
- User agrees to complete required wireless device training annually.
4. For approved smartphone and tablet devices add to all User Agreements:
- Only approved Bluetooth headsets/handsfree devices will be used.
Check Procedures:
1. Inspect a copy of the site’s user agreement.
2. Verify the user agreement has the minimum elements described in the STIG policy.
3. Select 10 names of assigned site personnel and verify they have a signed user agreement on file for assigned wireless equipment (e.g., wireless laptop, smartphone, tablet, etc.).
Mark as a finding if site user agreements do not exist or are not compliant with the minimum requirements.
For SME PED:
- Verify the Terminal Administrator (TA) has users reaffirm their User Agreement at least once every 12 months. Review the dates that site User Agreements were signed.
Wireless devices and servers not secured<GroupDescription></GroupDescription>WIR0025All wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft.<VulnDiscussion>DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.), wireless management, and email servers are located in a secure room with limited access or otherwise secured to prevent tampering or theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Place all network devices (i.e., Intrusion Detection System (IDS), routers, Remote Access System (RAS), firewalls, etc.) in a secure room with limited access or otherwise secured to prevent tampering or theft. WIR0225 provides physical security requirements for classified WLAN systems.Detailed Policy Requirements:
For WLAN Access Points:
If the WLAN infrastructure network device (access point, bridge, WLAN switch/gateway/controller, etc.) is used in an unprotected public area, the following security controls are required.
(The site Physical Security Officer should make a determination if a WLAN device installation location should be considered to be an unprotected public area.)
One of the following security controls is required:
- The WLAN device must be physically secured by placing it inside a securely mounted, pick-resistant, and lockable enclosure.
- The encryption keys stored on the device must be encrypted on the device using an encryption module validated as meeting FIPS 140-2 Level 2, at a minimum.
Check Procedures:
The NSO will ensure all network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.) are located in a secure room with limited access or otherwise secured to prevent tampering or theft.
For WLAN Access Points:
Determine if the WLAN network component of the WLAN system (e.g., access point or bridge) is installed in an unprotected public area where unauthorized personnel can get access to the device. The Physical Security Reviewer may be able to assist in this determination. If yes, the following requirements apply.
Note: Access points installed above ceiling tiles in a controlled access area or installed 30 feet above the ground in a controlled access hanger can be considered to be installed in a protected non-public area. The site Physical Security Officer should make a determination if a WLAN device installation location should be considered to be in an unprotected public area.
Determine if the WLAN device has been validated as meeting FIPS 140-2 Level 2, at a minimum, or physically secured by placing it inside a securely mounted, pick-resistant, and lockable enclosure.
Mark as a finding if the requirements above are not met.
For SME PED:
During SRR walkthrough inspection, visually confirm the SME PED servers and network equipment (such as, HAIPE) are installed in secured areas.
DAA approval of personally-owned PEDs<GroupDescription></GroupDescription>WIR0010-01DAA must approve the use of personally-owned or contractor-owned PEDs used to transmit, receive, store, or process DoD information. <VulnDiscussion>The use of unauthorized personally-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned PEDs must be controlled by the site. Users must agree to forfeit the PED when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network. If personally-owned wireless smartphones/tablets are allowed they must process and store FOUO data in a container that utilizes a FIPS 140-2 validated cryptographic module for both data-in-transit, as well as data-at-rest. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>Designated Approving Authority</Responsibility><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Prohibit use of personally-owned devices or get required approvals (by DAA). Personally-owned devices will not be used to access DoD restricted resources and information without DAA approval. Users should be trained on this requirement, configuration management procedures should be followed, and the devices must meet DoD security policies and standards. Personally-owned or contractor-owned devices will not be used to access DoD restricted resources and information without DAA approval. Users should be trained on this requirement, configuration management procedures should be followed, and the devices must meet DoD security policies and standards.
Interview the IAO.
1. Ask if users are using personally-owned or contractor-owned devices, such as PDAs, BlackBerrys, laptops, smartphones, tablets, or home computers to access sensitive enclave resources.
2. If personally-owned/contractor-owned devices are allowed, verify written DAA approval exists and the SSP is annotated that personally-owned/contractor-owned devices are allowed.
Mark as a finding if personally-owned devices are used but the DAA has not approved their use.
Hint: This check includes any non-DoD owned or approved devices, such as computers, PEDs/PDAs, and wireless NICs. This applies to administrative and end-user access. Use for end-user is discouraged but may be approved by the DAA.No embedded wireless NIC on classified computers<GroupDescription></GroupDescription>WIR0045Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information.<VulnDiscussion>With the increasing popularity of wireless networking, most laptops have wireless NICs installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an
inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113Ensure computers with embedded wireless NICs that cannot be removed and are not used to transfer, receive, store, or process classified information. Interview the IAO and inspect a sample of laptops/PCs (check about 10% if possible, with priority to laptops) used at the site for classified data processing.
1. Ask if there are laptops/PCs used to process classified information and have embedded
wireless NICs. No embedded wireless NICs are allowed, including WLAN, Bluetooth, WMAN, cellular, etc.
2. The NIC should be physically removed. Using methods, such as tape or software disabling are not acceptable.
Interview the IAO and determine if the site either bought laptops without wireless NICs (Wi-Fi, Bluetooth, WiMax, etc.) or physically removed the NICs from laptops. Verify the site has procedures in place to ensure laptops with wireless NICs are not used for classified data processing.
Mark as a finding if site is using embedded wireless NICs.
If this is a finding, recommend to the DAA this is a critical finding requiring immediate action.Forfeiture agreement for personally-owned PEDs<GroupDescription></GroupDescription>WIR0010-02If DAA has approved the use of personally-owned or contractor-owned PEDs, the owner must sign a forfeiture agreement in case of a security incident.
<VulnDiscussion>The use of unauthorized personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned/contractor-owned PEDs must be controlled by the site. Users must agree to forfeit the PED when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>VMS Target General Wireless PolicyDISA FSOVMS TargetGeneral Wireless Policy2113If the DAA has approved the use of personally-owned PEDs, have the owner sign a forfeiture agreement in case of a security incident.When personally-owned PEDs are used to transmit, receive, store, or process DoD information, the owner must sign a forfeiture agreement in case of a security incident.
The reviewer should obtain a copy of the signed forfeiture agreement for a sample of users (2-3) that have been approved to use personally-owned devices. The forfeiture agreement must state the user agrees to forfeit the device to the DoD for sanitization or destruction if a security incident has occurred on the device.
Mark as a finding if signed forfeiture agreements are not available.