STIGQter: STIG Summary: Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG) Version: 2 Release: 5 Benchmark Date: 28 Oct 2016:

If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.

DISA Rule

SV-30694r5_rule

Vulnerability Number

V-24957

Group Title

Site must follow required data spill procedures

Rule Version

WIR-SPP-003-02

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Follow required procedures after a data spill occurs.

Check Contents

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs.

This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

If a data spill occurs on a CMD, the following actions must be completed:

- The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)

- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures:
Interview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed.

If the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.

Vulnerability Number

V-24957

Documentable

False

Rule Version

WIR-SPP-003-02

Severity Override Guidance

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs.

This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

If a data spill occurs on a CMD, the following actions must be completed:

- The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)

- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures:
Interview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed.

If the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

1978

Comments