The organization must have an access control security policy requiring approval from the appropriate authorizing official(s) for the connection of unclassified mobile devices to unclassified information systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35959	SRG-MPOL-041	SV-47275r1_rule		Medium

Description
Mobile/portable computing and communications devices (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, etc.) require specific approval for use, as the capabilities and mobility of these devices present additional risk to DoD networks and data.

STIG	Date
Mobile Policy Security Requirements Guide	2013-01-24

Details

Check Text ( C-44196r1_chk )
Review the organization's access control and security policy, list of officials with authority to approve the connection of unclassified mobile devices to unclassified information systems, procedures addressing access control for portable and mobile devices, documentation for random inspections of mobile devices, and other relevant documents or records. Interview organizational personnel responsible for granting approval to connect unclassified mobile devices to unclassified information systems; organization personnel responsible for randomly reviewing/inspecting mobile devices; and organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information. Verify (i) the organization has developed and published an access control security policy requiring approval to connect unclassified mobile devices to unclassified information systems by nominated organization officials; and (ii) the organization has identified organization personnel with the authority to grant connection approval. If a policy requiring connection approval does not exist, this is a finding.

Check Text ( C-44196r1_chk )

Review the organization's access control and security policy, list of officials with authority to approve the connection of unclassified mobile devices to unclassified information systems, procedures addressing access control for portable and mobile devices, documentation for random inspections of mobile devices, and other relevant documents or records. Interview organizational personnel responsible for granting approval to connect unclassified mobile devices to unclassified information systems; organization personnel responsible for randomly reviewing/inspecting mobile devices; and organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information. Verify (i) the organization has developed and published an access control security policy requiring approval to connect unclassified mobile devices to unclassified information systems by nominated organization officials; and (ii) the organization has identified organization personnel with the authority to grant connection approval.

If a policy requiring connection approval does not exist, this is a finding.

Fix Text (F-40486r1_fix)
Develop and publish an access control security policy requiring approval prior to connecting unclassified mobile devices to unclassified information systems, identifying organization personnel with the authority to grant connection approval.