Title

The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. (Cat III impact)

Discussion

Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches as the data is unencrypted and in clear text.

Check Content

This check only applies to sites using Bluetooth or ZigBee radios. Verify a written policy or training materials exists stating that Bluetooth (or ZigBee) will be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. If a policy does not exist or if it does not adequately cover the requirement, this is a finding.

Fix Text

Update the policy or training materials to prohibit use of Bluetooth data transmission without FIPS 140-2 validated cryptographic modules.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35937

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.