Title

The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information, including DoD email. (Cat II impact)

Discussion

Non-enterprise activated CMDs are not authorized to process any information other than non-sensitive because they do not have required security controls to avoid tampering and malicious intent. There is a high risk of introducing malware and exfiltration of information if these types of devices store or process anything other than non-sensitive information.

Check Content

Review the organization's policy on non-enterprise activated CMD processing and storage requirements. The policy should include language that disallows the use of such devices in processing or storing anything other than non-sensitive DoD information. The devices will not be used to connect to DoD email systems, including Outlook Web Access (OWA), or store or process DoD email. If the policy does not disallow the use of CMDs for processing anything other than non-sensitive information, including DoD email, this is a finding.

Fix Text

Develop and publish the policy or procedure preventing the processing or storing of DoD sensitive information, including DoD email, by non-enterprise activated CMDs.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35961

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.