STIGQter: STIG Summary: Mobile Device Policy Security Technical Implementation Guide (STIG), Version: 2, Release: 6, Benchmark Date: 26 Jul 2019

Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.

DISA Rule

SV-104681r1_rule

Vulnerability Number

V-94851

Group Title

CTTA coordination for secure spaces

Rule Version

WIR0040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Have the Certified TEMPEST Technical Authority (CTTA) designate a separation distance between wireless devices and classified data-processing equipment in writing.

The AO must coordinate with the CTTA.

Train users or get a signed user agreement on procedures for wireless device usage in and around classified processing areas.

Check Contents

Detailed Policy Requirements:

Note: This requirement does not apply to NSA-approved classified WLAN systems or SCIFs.

The ISSO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless:
- Approved by the Authorizing Official (AO) in consultation with the Certified TEMPEST Technical Authority (CTTA).
- The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented.

Check Procedures:

Review documentation. Work with the traditional security reviewer to verify the following:
1. If classified information is not processed at this site, mark as not a finding.
2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area.
3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed.
4. Verify proper procedures for wireless device use in classified areas are addressed in the training program.

If wireless devices are used in or around classified processing areas but the CTTA has not designated a separation distance in writing, the AO has not coordinated with the CTTA, or users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas, this is a finding.

Documentable

False

Severity Override Guidance

Detailed Policy Requirements:

Note: This requirement does not apply to NSA-approved classified WLAN systems or SCIFs.

The ISSO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless:
- Approved by the Authorizing Official (AO) in consultation with the Certified TEMPEST Technical Authority (CTTA).
- The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented.

Check Procedures:

Review documentation. Work with the traditional security reviewer to verify the following:
1. If classified information is not processed at this site, mark as not a finding.
2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area.
3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed.
4. Verify proper procedures for wireless device use in classified areas are addressed in the training program.

If wireless devices are used in or around classified processing areas but the CTTA has not designated a separation distance in writing, the AO has not coordinated with the CTTA, or users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas, this is a finding.

Check Content Reference

M

Target Key

3521
