STIGQter: STIG Summary: Mobile Device Policy Security Technical Implementation Guide (STIG), Version: 2, Release: 6, Benchmark Date: 26 Jul 2019

Computers with an embedded wireless system must have the radio removed or the radio hardware otherwise physically disabled before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program.

DISA Rule

SV-21976r7_rule

Vulnerability Number

V-19813

Group Title

No embedded wireless NIC on classified computers

Rule Version

WIR0045

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Ensure computers with embedded wireless NICs that cannot be removed are not used to transfer, receive, store, or process classified information unless the NICs have been physically disabled or the wireless system is CSfC certified.

Check Contents

Interview the IAO and inspect a sample of laptops/PCs (check about 10% if possible, with priority to laptops) used at the site for classified data processing.

1. Ask if there are laptops/PCs used to process classified information that have embedded wireless NICs. No embedded wireless NICs are allowed, including WLAN, Bluetooth, WMAN, cellular, etc. unless the wireless radios have been physically disabled or the wireless system has been certified via the DoD CSfC program.

2. The NIC should be physically removed or physically disabled. Using methods such as tape or software disabling is not acceptable.

Interview the ISSO and determine if the site either bought laptops without wireless NICs (Wi-Fi, Bluetooth, WiMax, etc.) or physically removed or disabled the NICs from laptops. Verify the site has procedures in place to ensure laptops with wireless NICs are not used for classified data processing unless the NICs have been physically disabled or the wireless system is CSfC certified.

If laptops or other computers are used to process classified information and have a wireless NIC installed and the NIC is not physically disabled or the system is not CSfC certified, this is a finding.

If this is a finding, recommend to the AO that this is a critical finding requiring immediate action.

Documentable

False

Severity Override Guidance

Interview the IAO and inspect a sample of laptops/PCs (check about 10% if possible, with priority to laptops) used at the site for classified data processing.

1. Ask if there are laptops/PCs used to process classified information that have embedded wireless NICs. No embedded wireless NICs are allowed, including WLAN, Bluetooth, WMAN, cellular, etc. unless the wireless radios have been physically disabled or the wireless system has been certified via the DoD CSfC program.

2. The NIC should be physically removed or physically disabled. Using methods such as tape or software disabling is not acceptable.

Interview the ISSO and determine if the site either bought laptops without wireless NICs (Wi-Fi, Bluetooth, WiMax, etc.) or physically removed or disabled the NICs from laptops. Verify the site has procedures in place to ensure laptops with wireless NICs are not used for classified data processing unless the NICs have been physically disabled or the wireless system is CSfC certified.

If laptops or other computers are used to process classified information and have a wireless NIC installed and the NIC is not physically disabled or the system is not CSfC certified, this is a finding.

If this is a finding, recommend to the AO that this is a critical finding requiring immediate action.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3521
