Check: WIR0040
General Wireless Policy:
WIR0040
(in versions v1 r8 through v1 r6)
Title
Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. (Cat II impact)
Discussion
The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users on this requirement to mitigate this vulnerability.
Check Content
Detailed Policy Requirements:

Note: This requirement does not apply to the SME PED.
Note: This requirement does not apply to the SWLAN SecNet 11/54 equipment.

The IAO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless:
- Approved by the DAA in consultation with the Certified TEMPEST Technical Authority (CTTA).
- The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented.

Check Procedures:

Review documentation. Work with the traditional security reviewer to verify the following:
1. If classified information is not processed at this site, mark as not a finding.
2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area.
3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed.
4. Verify proper procedures for wireless device use in classified areas are addressed in the training program.

Mark as a finding if any of the following is found:
- CTTA has not designated a separation distance in writing.
- DAA has not coordinated with the CTTA.
- Users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas.
Fix Text
- CTTA must designate a separation distance in writing.
- DAA must coordinate with the CTTA.
- Train users or get a signed user agreement on procedures for wireless device usage in and around classified processing areas.
Additional Identifiers
Rule ID: SV-12659r15_rule
Vulnerability ID: V-12106
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |