An error occurred:

Check: SRG-MPOL-057

Mobile Policy SRG: SRG-MPOL-057 (in version v1 r2)

Title

The organizations CMD Personal Use Policy must be approved by its DAA. (Cat III impact)

Discussion

Malware can be introduced on a DoD enclave via personally-owned applications and personal website accounts. In addition, sensitive DoD data could be exposed by the same malware. The DoD component must publish a Personal Use Policy for DoD component managed or owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, including devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.

Check Content

Determine if the site has a Personal Use Policy for site/Command-managed or owned CMDs. The policy must include: -Installation of user-owned and free commercial applications. -Viewing and/or downloading personal email. -Download of user-owned data (music files, picture files, etc.). -Connections to user social media accounts. -The use of geo-location aware applications that save or transmit the location of the device. The use of geo-location aware applications should be based on an Operational Security (OPSEC) risk assessment. -Connecting DoD managed mobile devices to personally-owned computers. (For example, a personally owned computer used to download personally-owned files to the mobile device.) Verify the policy has been signed or otherwise approved by the site DAA. If a Personal Use Policy for site/Command managed or owned CMDs does not exist or is not approved by the DAA, this is a finding.

Fix Text

Create and publish a Personal Use Policy for DoD component managed or owned CMDs and obtain DAA approval of the policy.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35975

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000082

The organization establishes usage restrictions for organization-controlled mobile devices.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-19

Access Control For Mobile Devices