Check: SRG-MPOL-077
Mobile Policy SRG:
SRG-MPOL-077
(in version v1 r2)
Title
The organization must ensure users receive training before they are authorized to access a DoD network with a CMD. (Cat III impact)
Discussion
Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as, expose DoD data to unauthorized individuals. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information vulnerable to security exploits. The security personnel and the site wireless device administrator must ensure all wireless remote access users receive training before they are authorized to access a DoD network via a wireless remote access device.
Check Content
This requirement applies to all CMDs. All CMD users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device. Training is divided into two groups: Group A (general topics) and Group B (device specific topics). DISA’s CMD security course satisfies the requirement for Group A training topics. The course is located at: http://iase.disa.mil/eta/CMD_tablet_v1/launchpage.htm. Group A – General Topics a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the DAA and the owner signs forfeiture agreement in case of a security incident. b. Procedures for wireless device usage in and around classified processing areas. c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed. d. Procedures for a data spill. e. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages (does not apply to the SME PED). f. Requirement that CMDs and systems will not be connected to classified DoD networks or information systems. g. Requirement that a user immediately notify appropriate site contacts (i.e., IAO, CMD management server administrator, supervisor, etc.) when his/her CMD has been lost or stolen. h. Secure Bluetooth Smart Card Reader (SCR) usage: --Secure pairing procedures. --Perform secure pairing immediately after the SCR is reset. --Accept only Bluetooth connection requests from devices they control. --Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity. i. Procedures on how to sign and encrypt email. j. If Short Message Service (SMS) and/or Multi-media Messaging Service (MMS) are used, IA awareness training material should include SMS/MMS security issues. k. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD approved sources. l. When CMD Wi-Fi Service is used, the following training will be completed: --Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point. --Approved connection options (i.e., enterprise, home, etc.). --Requirements for home Wi-Fi connections. --The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used. --The Wi-Fi radio must never be enabled while the CMD is connected to a PC. m. Do not discuss sensitive or classified information on non-secure (devices not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications. n. Do not connect PDAs, CMDs, and tablets to any workstation that stores, processes, or transmits classified data. (Exception: SME PED). o. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command’s Mobile Device Personal Use Policy. p. The use of the mobile OS device to view and/or download personal email will be based the Command’s Mobile Device Personal Use Policy. q. The download of user owned data (music files, picture files, etc.) on the mobile device will be based the Command’s Mobile Device Personal Use Policy. r. The use of the mobile device to connect to user social media web accounts will be based the Command’s Mobile Device Personal Use Policy. s. When the Bluetooth radio is authorized for use with an approved smartcard reader or handsfree headset, the user will disable the Bluetooth radio whenever a Bluetooth connection is not being used. t. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. u. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location based services. Group B – Device Specific Topics Add device specific training requirements based on specific devices used. Check Procedures: - Review site CMD training material to see if it contains the required content. NOTE: Some training content may be listed in the User Agreement signed by the user. - Verify site training records show that CMD users received required training and training occurred before the user was issued a CMD. Check training records for approximately five users, picked at random. Mark as a finding if training material does not contain required content.
Fix Text
Develop and publish policy mandating users complete the required training prior to accessing a DoD network with a CMD.
Additional Identifiers
Rule ID:
Vulnerability ID: V-35995
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000106 |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users. |
Controls
Number | Title |
---|---|
AT-2 |
Security Awareness Training |