STIGQter STIGQter: STIG Summary:

Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)

Version: 2

Release: 5 Benchmark Date: 28 Oct 2016

SV-30690r4_ruleSite physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
SV-30692r6_ruleA data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.
SV-30694r5_ruleIf a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
SV-30695r6_ruleRequired procedures must be followed for the disposal of CMDs.
SV-30697r5_ruleMobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
SV-30698r6_ruleMobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
SV-30699r6_ruleThe site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
SV-30700r5_ruleThe mobile device system administrator must perform a wipe command on all new or reissued CMDs and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
SV-30701r4_ruleMobile device software updates must only originate from approved DoD sources.
SV-30706r5_ruleRequired actions must be followed at the site when a CMD has been lost or stolen.
SV-36045r5_ruleMobile users must complete required training annually.
SV-43023r4_ruleA security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.