Title

The organization must develop policy which ensures a CMD is wiped prior to issuance to DoD personnel. (Cat III impact)

Discussion

Malware may be installed on a device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.

Check Content

Review the policy to ensure a procedure is in place for a CMD system administrator to perform a Wipe command on all new or reissued CMDs (e.g., reset to factory configuration), reload system software or updates, and load a DoD compliant security policy on the CMD before issuing it to DoD personnel and placing the device on a DoD network. Verify required procedures are followed. If required procedures are not followed, this is a finding.

Fix Text

Develop a policy which ensures CMD system administrators perform a wipe command on all new or reissued CMDs and an approved IT policy is pushed to the device before issuing it to DoD personnel.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35980

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.