Check: SRG-MPOL-086
Mobile Policy SRG: SRG-MPOL-086 (in version v1 r2)
Title
The organization must not permit personnel to operate CMD without first signing a user agreement IAW DoD CIO Memorandum, Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, 9 May 2008. (Cat III impact)
Discussion
Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained on these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. A signed agreement is therefore a best practice that helps the site confirm the user is aware of the risks and proper procedures.
Check Content
The user agreements must include DAA authorized tasks for the mobile device and relevant security requirements, including the DoD CIO Memorandum, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement," 9 May 2008. Inspect a copy of the site's user agreement. Verify the user agreement has the minimum elements required IAW the DoD CIO Memorandum. If the site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.
Fix Text
Develop and publish policy mandating all users sign a user agreement before they are issued a mobile or wireless device.
Additional Identifiers
Rule ID:
Vulnerability ID: V-36005
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001531 | The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access. |
Controls
Number | Title |
---|---|
PS-6 | Access Agreements |