A policy must exist prohibiting non-enterprise activated (NEA) CMDs connecting to DoD devices containing sensitive or classified information or devices that connect to DoD networks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35989 | SRG-MPOL-071 | SV-47305r1_rule | Medium |
| Description |
|---|
| As non-enterprise activated CMDs do not have the required and necessary security controls applied to the devices, in all cases, DoD data is at risk of compromise or exfiltration if those devices connect to DoD workstations or other devices containing sensitive or classified information. |
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2013-01-24 |
Details
| Check Text ( C-44226r1_chk ) |
|---|
| Review the organization's access control and security policy to determine if requirements for connection to DoD workstations or other systems containing sensitive DoD information are defined. Ensure the organization has defined a usage restriction for connection of a non-enterprise activated CMD to a DoD workstation or other DoD system that stores or processes sensitive information or connects to a DoD network. If a policy does not exist prohibiting non-enterprise activated CMDs from connecting to DoD systems that contain sensitive or classified DoD data or devices that connect to DoD networks, this is a finding. |
| Fix Text (F-40516r1_fix) |
|---|
| Develop and publish policy preventing non-enterprise activated CMDs from physically or wirelessly connecting directly to DoD information systems containing sensitive or classified data or connect to DoD networks. |