|All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
|Computers with an embedded wireless system must have the radio removed or otherwise physically disable the radio hardware before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program.
|Site physical security policy must include a statement outlining whether mobile devices with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
|Publish data spill procedures for mobile devices
|If a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures.
|Required procedures must be followed for the disposal of mobile devices.
|Mobile operating system (OS) based mobile devices and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
|Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
|The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
|The mobile device system administrator must perform a wipe command on all new or reissued mobile devices and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
|Mobile device software updates must only originate from approved DoD sources.
|Required actions must be followed at the site when a mobile device has been lost or stolen.
|Mobile users must complete required training annually.
|A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.
|Personally owned or contractor owned mobile devices must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.
|All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
|Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.