{
"stig": {
"date": "2013-03-12",
"description": "This STIG contains the policy, training, and operating procedure security controls for the use of wireless LAN clients in the DoD environment.",
"findings": {
"V-25034": {
"checkid": "C-31258r7_chk",
"checktext": "Detailed Policy Requirements: \nThe IAO and the site wireless device administrator must ensure all wireless remote access users receive training on the following topics before they are authorized to access a DoD network via a wireless remote access device: \n\n- Maintaining physical control of the device. \n- Reducing exposure of sensitive data. \n- User authentication and content encryption requirements. \n- Enabling wireless interfaces only when needed. \n- Enabling a VPN connection to the DoD network immediately after establishing a wireless connection (using an approved VPN client). \n- All Internet browsing will be done via the VPN connection to the DoD network. \n- No split tunneling of VPN. \n- Locations where wireless remote access is authorized or not authorized (i.e., home, airport, hotel, etc.). \n- Wireless client configuration requirements. \n- Use of WPA2 Personal (AES) on home WLAN. \n- Home WLAN password and SSID requirements. \n- Discontinue the use of devices suspected of being tampered with and notify the site IAO. \n\nCheck Procedures: \nReview site wireless device and/or IA awareness training material to verify it contains the required content. \n\nNote: Some training content may be listed in the User Agreement signed by the user. \n\nVerify site training records show authorized wireless remote access users received required training and training occurred before the users were issued a device. Check training records for approximately five users, picked at random. \n\nMark as a finding if wireless remote access users have not received required training. ",
"description": "Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized people. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information more vulnerable to security exploits.",
"fixid": "F-27724r2_fix",
"fixtext": "Complete required training. ",
"iacontrols": [
"PRTN-1"
],
"id": "V-25034",
"ruleID": "SV-30836r4_rule",
"severity": "low",
"title": "Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device. ",
"version": "WIR-WRA-001"
},
"V-25035": {
"checkid": "C-31259r4_chk",
"checktext": "Detailed Policy Requirements: \n\nA site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager. Recommend the policy includes required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet): \n\n- Device unlock password requirements. \n- Client software patches kept up to date. \n- Internet browsing through the enterprise Internet gateway. \n- Device security policy managed by a centrally-managed policy manager. \n- Procedures after a client is lost, stolen, or another security incident occurs. \n- Configuration requirements of the wireless client. \n- Home WLAN authentication requirements. \n- Home WLAN SSID requirements. \n- Separate WLAN access point required for home WLAN. \n- 8+-character authentication password required for home WLAN. \n- Use of third-party Internet portals (kiosks) (approved or not approved). \n- Use of personally-owned or contractor-owned client devices (approved or not approved). \n- Implementation of a health check of the client device before connection is allowed. \n- Places where remote access is approved (home, hotels, airport, etc.). \n\n- Roles and responsibilities: \n--Which users or groups of users are and are not authorized to use the organization's WLANs. \n--Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment. \n\n- WLAN infrastructure security: \n--Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. \n--Types of information that may and may not be sent over WLANs, including acceptable use guidelines. \n\n- WLAN client device security: \n--The conditions under which WLAN client devices are and are not allowed to be used and operated. \n--Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. \n--Limitations on how and when WLAN client devices may be used, such as specific locations. \n--Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol. \n\n- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. \n- Guidelines for the protection of WLAN client devices to reduce theft. \n\nCheck Procedures: \n\nInterview the IAO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate manager. Mark as a finding if a wireless remote access policy does not exist or is not signed. ",
"description": "Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.",
"fixid": "F-27725r3_fix",
"fixtext": "Publish Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority.",
"iacontrols": [
"ECWN-1"
],
"id": "V-25035",
"ruleID": "SV-30837r4_rule",
"severity": "low",
"title": "The site must have a Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority. ",
"version": "WIR-WRA-002"
},
"V-25036": {
"checkid": "C-31260r4_chk",
"checktext": "This requirement applies to mobile operating system (OS) CMDs.\n\nWork with the traditional reviewer to review the site\u2019s physical security policy. Verify the site addresses CMDs with embedded cameras.\n\nMark this as a finding if there is no written physical security policy outlining whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility. ",
"description": "Wireless clients, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the appropriate STIG, and the site\u2019s overall network security controls are not configured to provide adequate security for unapproved devices. When listed in the SSP, the site has shown that security controls have been designed to account for the wireless devices.",
"fixid": "F-27726r5_fix",
"fixtext": "Publish a site physical security policy that includes a statement of whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25036",
"ruleID": "SV-30838r3_rule",
"severity": "low",
"title": "The site physical security policy must include a statement of whether CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility.",
"version": "WIR-WRA-003"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-25034": "true",
"V-25035": "true",
"V-25036": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "wireless_remote_access_policy_security_implementation_guide",
"title": "Wireless Remote Access Policy Security Implementation Guide",
"version": "1"
}
}