Check: WIR0015
General Wireless Policy:
WIR0015
(in version v1 r7)
Title
The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. (Cat III impact)
Discussion
The site must maintain a list of all DAA-approved wireless and non-wireless PEDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data, since these devices can be easily lost or stolen, leading to possible exposure of DoD data.
Check Content
Detailed Policy Requirements: The list of approved wireless devices will be stored in a secure location and will include the following at a minimum:
- Access point Media Access Control (MAC) address (WLAN only),
- Access point IP address (WLAN only),
- Wireless client MAC address,
- Network DHCP range (WLAN & WWAN only),
- Type of encryption enabled,
- Access point SSID (WLAN only),
- Manufacturer, model number, and serial number of wireless equipment,
- Equipment location, and
- Assigned users with telephone numbers.

For smartphones and PDAs:
- Manufacturer, model number, and serial number of wireless equipment.
- Equipment location.
- Assigned users with telephone numbers.

For SME PED: Local commands will keep track of devices by assigning a control number or using the serial number for accountability purposes.

Check Procedures: Work with the site POC:
1. Request copies of site’s wireless equipment list.
   - Security Readiness Review (SRR) worksheets in Appendix B of the Wireless Security Checklist may be used.
   - Detailed SSAA/SSP or database may be used.
2. Verify all minimum data elements listed in the STIG policy are included in the equipment list.
3. Verify all WLAN devices used, including infrared mice/keyboards, are included.
4. Verify procedures are in place for ensuring the list is kept updated.
5. Note the date of last update and if the list has many inaccuracies.

Mark as a finding if the equipment list does not exist, all data elements are not tracked, or the list is outdated.

This check applies to:
- Wireless networking devices, such as access points, bridges, and switches.
- WLAN client devices, such as laptop computers and PDAs if used with WLAN NICs.
- Wireless peripherals, such as Bluetooth, and Infrared mice and keyboards, communications devices, such as VoIP, cellular/satellite telephones, and Broadband NICs, and non-wireless PEDs that store, process, or transmit DoD information.
Fix Text
Maintain a list of all DAA-approved WLAN devices. The list must be kept updated periodically and will contain the data elements required by the STIG policy.
Additional Identifiers
Rule ID: SV-8779r17_rule
Vulnerability ID: V-8284
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |