STIGQter STIGQter: STIG Summary: Mobile Device Policy Security Technical Implementation Guide (STIG) Version: 2 Release: 6 Benchmark Date: 26 Jul 2019:

Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.

DISA Rule

SV-30698r7_rule

Vulnerability Number

V-24961

Group Title

Mobile device users receive training on required content

Rule Version

WIR-SPP-006-01

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Have all mobile device users complete training on required content.

Check Contents

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs.

All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device.

a. Requirement that personally-owned mobile devices are not used to transmit, receive, store, or process DoD information unless approved by the AO and the owner signs forfeiture agreement in case of a security incident.

b. Procedures for mobile device usage in and around classified processing areas.

c. Requirement that mobile devices with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.

d. Procedures for a data spill.

e. Requirement that Over-The-Air (OTA) mobile device software updates should only come from DoD-approved sources.

f. When Wi-Fi is used, the following training will be completed:
- Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.

- Approved connection options (i.e., enterprise, home, etc.).

- Requirements for home Wi-Fi connections.

- The mobile device Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.

g. Do not discuss FOUO or classified information on non-secure (devices whose cryptographic modules protecting data in transit are not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.

h. Do not connect mobile devices to any workstation.

i. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command’s Mobile Device Personal Use Policy and AO approval.

j. The use of the mobile OS device to view and/or download personal email will be based the Command’s Mobile Device Personal Use Policy and AO approval.

k. The download of user owned data (music files, picture files, etc.) on the mobile device will be based the Command’s Mobile Device Personal Use Policy and AO approval.

l. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. This does not apply to radios supporting voice and data communication over a wireless carrier’s cellular network, in which case continuous connectivity is permissible.

m. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the AO for location based services.

Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site mobile device training material to see if it contains the required content.
Note: Some training content may be listed in the User Agreement signed by the user.

- Verify site training records show that mobile device users received required training and training occurred before the user was issued a mobile device. Check training records for approximately five users, picked at random.

If training material does not contain required content, this is a finding.

Vulnerability Number

V-24961

Documentable

False

Rule Version

WIR-SPP-006-01

Severity Override Guidance

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs.

All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device.

a. Requirement that personally-owned mobile devices are not used to transmit, receive, store, or process DoD information unless approved by the AO and the owner signs forfeiture agreement in case of a security incident.

b. Procedures for mobile device usage in and around classified processing areas.

c. Requirement that mobile devices with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.

d. Procedures for a data spill.

e. Requirement that Over-The-Air (OTA) mobile device software updates should only come from DoD-approved sources.

f. When Wi-Fi is used, the following training will be completed:
- Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.

- Approved connection options (i.e., enterprise, home, etc.).

- Requirements for home Wi-Fi connections.

- The mobile device Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.

g. Do not discuss FOUO or classified information on non-secure (devices whose cryptographic modules protecting data in transit are not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.

h. Do not connect mobile devices to any workstation.

i. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command’s Mobile Device Personal Use Policy and AO approval.

j. The use of the mobile OS device to view and/or download personal email will be based the Command’s Mobile Device Personal Use Policy and AO approval.

k. The download of user owned data (music files, picture files, etc.) on the mobile device will be based the Command’s Mobile Device Personal Use Policy and AO approval.

l. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. This does not apply to radios supporting voice and data communication over a wireless carrier’s cellular network, in which case continuous connectivity is permissible.

m. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the AO for location based services.

Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site mobile device training material to see if it contains the required content.
Note: Some training content may be listed in the User Agreement signed by the user.

- Verify site training records show that mobile device users received required training and training occurred before the user was issued a mobile device. Check training records for approximately five users, picked at random.

If training material does not contain required content, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

3521

Comments