Check: SRG-MPOL-040
Mobile Policy SRG: SRG-MPOL-040 (in version v1 r2)
Title
The organization must have a policy forbidding the use of wireless personal area network (PAN) devices, such as near-field communications (NFC), Bluetooth, and ZigBee, to send, receive, store, or process classified information. (Cat I impact)
Discussion
Classified data could be compromised since wireless PAN devices do not meet DoD encryption requirements for classified data.
Check Content
Verify compliance by reviewing the user agreement or security briefing to ensure personnel have been properly instructed on the policy that states that wireless PAN devices cannot be used for, or around, classified processing. If the user agreement or security briefing does not exist, this is a finding. Note: The check applies to Wireless USB (WUSB) devices; however, it does not apply to wireless email devices (BlackBerry, Windows Mobile, etc.). Review the appropriate wireless email device security requirements for Bluetooth on these devices.
Fix Text
Develop and publish a policy forbidding the use of wireless PAN devices for classified processing.
Additional Identifiers
Rule ID:
Vulnerability ID: V-35958
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001331 | The organization prohibits connection of unclassified mobile devices to classified information systems. |
Controls
Number | Title |
---|---|
AC-19 (4) | Restrictions For Classified Information |