Check: WIR0401
Bluetooth/Zigbee STIG (STIG): WIR0401 (in version v6 r8)
Title
The site must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data-in-transit. (Cat III impact)
Discussion
Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches.
Check Content
NOTE: This check applies only to sites using Bluetooth or Zigbee radios. Interview the IAO and verify that a written policy or training materials exist stating that Bluetooth (or Zigbee) will be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data-in-transit. Mark as a finding if the policy does not exist or if it does not adequately cover the requirement.
Fix Text
The IAO will ensure there is a policy or training materials prohibiting use of Bluetooth data transmission without FIPS 140-2 validated cryptographic modules.
Additional Identifiers
Rule ID: SV-40017r1_rule
Vulnerability ID: V-30360
Group Title: Bluetooth policy and training
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.