STIGQter STIGQter: STIG Summary:

Mobile Device Policy Security Technical Implementation Guide (STIG)

Version: 2

Release: 6 Benchmark Date: 26 Jul 2019

SV-8778r7_ruleAll wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
SV-21976r7_ruleComputers with an embedded wireless system must have the radio removed or otherwise physically disable the radio hardware before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program.
SV-30690r5_ruleSite physical security policy must include a statement outlining whether mobile devices with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
SV-30692r6_rulePublish data spill procedures for mobile devices
SV-30694r6_ruleIf a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures.
SV-30695r7_ruleRequired procedures must be followed for the disposal of mobile devices.
SV-30697r6_ruleMobile operating system (OS) based mobile devices and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
SV-30698r7_ruleMobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
SV-30699r7_ruleThe site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
SV-30700r6_ruleThe mobile device system administrator must perform a wipe command on all new or reissued mobile devices and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
SV-30701r5_ruleMobile device software updates must only originate from approved DoD sources.
SV-30706r6_ruleRequired actions must be followed at the site when a mobile device has been lost or stolen.
SV-36045r6_ruleMobile users must complete required training annually.
SV-43023r5_ruleA security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.
SV-104677r1_rulePersonally owned or contractor owned mobile devices must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.
SV-104679r1_ruleAll users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
SV-104681r1_ruleUnclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.