10.8.40  Wireless Security Policy

Manual Transmittal

October 05, 2012

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.8.40, Information Technology (IT) Security, Wireless Security Policy.

Background

A report by the Government Accountability Office (GAO) titled Federal Agencies Need to Improve Controls over Wireless Networks (GAO-05-383), found that federal agencies need to better secure wireless devices and networks to protect federal information and information systems. The GAO report emphasized that it is crucial for agencies to develop wireless security policies, configure security tools to meet policy requirements, monitor the wireless networks, and train their staff in wireless security.

Material Changes

(1) Changes have been made throughout this IRM to better align with the language in IRM 10.8.1.

(2) Changes have been made throughout this IRM to incorporate NIST and DISA requirements.

(3) The following new sections have been added:

  1. IRM 10.8.40.3.2.1 System Security Planning

  2. IRM 10.8.40.5.4.2 Bluetooth

  3. Exhibit 10.8.40-2 Acronym Listing

(4) All technology specific checklists have been removed from this IRM. For a link to the current checklists, see Exhibit 10.8.40-1.

(5) Effective July 1, 2012, the Modernization and Information Technology Services (MITS) organization changed its name to IRS Information Technology (IT). All instances of MITS within this IRM have been updated to IRS Information Technology (IT) organization to reflect the change. Link to IRS IT website communication is http://it.web.irs.gov/ProceduresGuidelines/ITNameChange.htm

Effect on Other Documents

IRM 10.8.40, dated July 1, 2011, is superseded.

Audience

IRM 10.8.40 shall be distributed to all personnel responsible for ensuring that adequate security is provided for IRS information and information systems. The policy applies to all employees, contractors and vendors of the IRS.

Effective Date

(10-05-2012)

Terence V. Milholland
Chief Technology Officer

10.8.40.1  (10-05-2012)
Purpose

  1. Internal Revenue Manual (IRM) 10.8 Section 40, Information Technology (IT) Security, Wireless Security Policy provides policies and guidance to be used by the Internal Revenue Service (IRS) organization to carry out their respective responsibilities in information system security regarding wireless networks and devices.

10.8.40.1.1  (10-05-2012)
Overview

  1. While wireless communications can offer many benefits, such as portability, flexibility, increased productivity, and lower installation costs, they can also pose significant risks to the critical infrastructure and assets of the IRS if not properly implemented and secured. As new technologies are developed, they become a major source of new vulnerabilities for which security solutions must be developed and implemented.

  2. This IRM establishes the minimum security controls and guidance for the design, implementation, and use of wireless networks and devices within the IRS in order to:

    1. Protect the critical infrastructure and assets of the IRS against attacks that exploit wireless transmissions;

    2. Prevent unauthorized wireless deployments; and

    3. Enable wireless technologies that meet the security requirements of this policy to support the business needs of the organization.

  3. The wireless requirements defined within this IRM are applicable to all wireless systems/devices used to connect to an IRS network or to store, process, receive, or transmit IRS or taxpayer data.

10.8.40.1.2  (10-05-2012)
Scope

  1. This IRM applies to all IRS-owned wireless devices, services, and networks that store, process, or transmit IRS or taxpayer data or connect to an IRS network or system.

  2. The requirements within this IRM apply to all IRS personnel, contractors, and visitors that enter IRS facilities or have access to IRS information and information systems.

  3. This document shall be used in conjunction with appropriate Operating System (OS) IRMs, as well as other IRM-related requirements of any applications, web server, or database accessing the wireless system.

10.8.40.1.3  (10-05-2012)
IRM Section Topics

  1. This IRM contains information on the following subjects:

    • Purpose

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Risk Acceptance and Risk Based Decisions

    • Wireless Security Checklists (Exhibit 10.8.40-1)

    • Glossary (Exhibit 10.8.40-2)

    • Acronym List (Exhibit 10.8.40-3)

    • References (Exhibit 10.8.40-4)

10.8.40.1.4  (10-05-2012)
Authority

  1. IRM 10.8.40 is published in conjunction with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, which establishes the security program and the policy framework for the IRS. The requirements and guidance defined within IRM 10.8.40 augment the security requirements defined in IRM 10.8.1. In the event there is a discrepancy between IRM 10.8.1 and this policy, IRM 10.8.1 has precedence, unless the security requirements within this IRM are more restrictive.

  2. Organizations may augment the specific security controls within this policy to increase the security levels for a wireless technology implementation if approved by the responsible Authorizing Official (AO).

10.8.40.2  (10-05-2012)
General Policy

  1. The IRS shall ensure all Government furnished wireless capabilities (e.g., devices, services) meet the requirements within IRM 10.8.1 and the respective IRM policies applicable to the underlying operating system (e.g., Windows, Unix).

  2. Wireless devices, services, and technologies that are integrated or connected to IRS networks shall be considered part of those networks and comply with IRM 10.8.1.

  3. All wireless devices operated by the IRS or a contractor on behalf of the IRS shall comply with the provisions within this IRM.

  4. Unless specifically annotated, the IRS Information Technology (IT) organization policy rules within BlackBerry Enterprise Server (BES) and smartphone enterprise servers (e.g., BlackBerry, Android, iOS) and tablets shall be set to implement the security requirements within this IRM and IRM 10.8.1.

10.8.40.2.1  (10-05-2012)
Roles and Responsibilities

  1. IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental requirements provided below are specific to the implementation of IRS wireless security controls and shall be performed in conjunction with the roles and responsibilities defined within other IRMs in the 10.8 series.

10.8.40.2.1.1  (10-05-2012)
Senior Management/Executives

  1. Requests to deploy WLAN components for connecting approved end-user devices shall be approved or disapproved by the appropriate AO prior to deployment.

10.8.40.2.1.2  (10-05-2012)
Computer Security and Incident Response Center (CSIRC)

  1. The Computer Security and Incident Response Center (CSIRC) within the Information Technology (IT) Cybersecurity Organization shall operate and maintain a Wireless Intrusion Detection System (WIDS) for each instance of a wireless network in accordance with the System and Information Integrity section of this IRM.

10.8.40.3  (10-05-2012)
Management Controls

  1. The IRS shall implement management security controls to mitigate risk of IT applications and electronic information loss in order to protect the organization's mission. See IRM 10.8.1 for general information and computer security management control requirements.

  2. Additional management controls specific to wireless systems, networks, and devices are provided below in the following areas:

    • Risk Assessment

    • Planning

    • System and Services Acquisition

    • Security Assessment and Authorization (SA&A)

10.8.40.3.1  (10-05-2012)
Risk Assessment

  1. Risk assessments of specific versions of wireless technology shall be conducted in accordance with the following:

    • Exhibit 10.8.40-1, Wireless Security Checklists; and

    • Security checklists for authorized information technology (e.g., hardware, software, operating system).

  2. Deficiencies in conformance to the security checklists shall be documented in risk assessment reports and brought to the attention of the system’s AO.

  3. Wireless solutions shall not be used if they are not compliant with the security compliance levels/thresholds established by Cybersecurity. Refer to the Risk Assessment section of IRM 10.8.1 for additional guidance.

  4. For wireless networks and devices that include wireless remote access, the risk assessment shall identify any additional risks and mitigation associated with non-government facilities.

    Note:

    The risk assessment does not need to be on any one specific non-government facility, but rather the types of non-government facility where wireless remote access might be conducted.

  5. A site survey to identify aspects of the network security posture inconsistent with this IRM (including validating that no rogue access points exist in the infrastructure) shall be performed:

    1. At a minimum annually; and

    2. At random intervals throughout the year.

    Note:

    Site Surveys are of IRS facilities only.

  6. Wireless access point range boundaries shall be empirically tested to measure and establish the precise extent of the wireless coverage.

    Note:

    This requirement does not apply to home user or public wireless network equipment.

10.8.40.3.2  (10-05-2012)
Planning

  1. Refer to the Planning section of IRM 10.8.1 for additional guidance.

10.8.40.3.2.1  (10-05-2012)
System Security Planning

  1. Wireless devices connecting directly or indirectly (e.g., ActiveSync, wireless) to a network shall be included in the appropriate System’s SA&A documentation (i.e., System Security Plan (SSP)).

10.8.40.3.3  (10-05-2012)
System and Services Acquisition

  1. Wireless products shall be acquired, accounted for, and inventoried in accordance with IRM 10.8.1.

  2. Wireless devices shall be provided by Information Technology (IT), Criminal Investigation (CI), or Chief Counsel.

  3. Wireless networks and systems shall adhere to the IRS Enterprise Lifecycle (ELC) in accordance with IRM 10.8.1.

  4. For all new Wireless Local Area Network (WLAN) acquisitions, the WLAN devices shall be WiFi Protected Access II (WPA2) certified.

10.8.40.3.4  (10-05-2012)
Security Assessment and Authorization (SA&A)

  1. IRS wireless networks and devices shall obtain SA&A in accordance with IRM 10.8.1.

  2. IRS wireless systems (including associated peripheral devices, operating systems, applications, network/personal computer (PC) connection methods, and services) shall be approved by the AO prior to installation and use for processing IRS information.

  3. IRS Wireless networks and devices transmitting IRS information and/or connecting an IRS network shall be authorized (i.e., SA&A) in accordance with IRM 10.8.1.

  4. Wireless devices (e.g., computers, smartphones, tablets) and support enterprise servers (e.g., BlackBerry Enterprise Servers, Good Servers) shall be incorporated into the appropriate security authorization documentation (e.g., System Security Plan) for the IT area that implements the devices within the IRS organization.

10.8.40.4  (10-05-2012)
Operational Controls

  1. Operational controls shall address security mechanisms implemented and executed by people, not systems.

    Note:

    Operational Controls often require technical or specialized expertise and rely on management activities as well as technical controls. See IRM 10.8.1 for general information and computer security operational control requirements.

  2. Additional operational controls specific to wireless systems, networks, and devices are provided below in the following areas:

    • Physical and Environmental Protection

    • Configuration Management

    • Maintenance

    • System and Information Integrity

    • Media Protection

    • Incident Response

    • Security Awareness and Training

10.8.40.4.1  (10-05-2012)
Physical and Environmental Protection

  1. Physical access controls shall be employed to restrict the entry and exit of unauthorized personnel and prevent the removal or unauthorized modification of wireless devices installed in an IRS facility.

  2. All wireless network devices such as Wireless Intrusion Detection Systems (WIDS) and wireless routers, access points, gateways, and controllers shall be located in a secure room with limited access to prevent tampering or theft.

  3. Wireless devices shall not be permitted or operated in areas where sensitive data is stored, processed, or transmitted unless the devices are approved by the appropriate AO and meet the requirements set forth within this IRM and IRM 10.8.1.

  4. Wireless access points shall be located in the interior of buildings away from exterior walls and windows.

  5. External boundary protection mechanisms shall be in place around the perimeter of IRS facilities, as necessary and based on a documented risk assessment, to prevent unauthorized access to wireless systems.

  6. Wireless signal shaping principles, which incorporate antenna design and power management, shall be used where possible to limit unauthorized access to 802.11 Access Points (APs).

10.8.40.4.2  (10-05-2012)
Configuration Management

  1. Configuration management procedures shall be developed for wireless devices to incorporate the requirements of IRM 10.8.1 and this IRM.

  2. In accordance with IRM 10.8.1, the IRS shall:

    1. Establish and maintain baseline configurations and inventories of IRS information systems;

    2. Establish and enforce security configuration settings for IT products installed on IRS information systems; and

    3. Monitor and control changes to the baseline configurations of IRS information systems throughout the respective System Development Life Cycle (SDLC) (i.e., IRS Enterprise Lifecycle (ELC)).

  3. Security firmware updates and patches to wireless hardware and software components shall be fully tested and deployed as soon as they become available in accordance with IRM 10.8.50, Service-wide Security Patch Management.

  4. A list shall be maintained of all wireless and non-wireless portable electronic devices (PEDs) that are used to store, process, and transmit IRS data, in accordance with the inventory requirements defined in IRM 10.8.1 and the IRM 2.14 Asset Management series.

  5. The list of approved wireless devices shall:

    1. Be stored in a secure location; and

    2. Include the following at a minimum:

      - Access point Media Access Control (MAC) address (WLAN only);

      - Access point IP address (WLAN only);

      - Wireless client MAC address;

      - Network DHCP range (WLAN & Wireless Wide Area Network (WWAN) only);

      - Type of encryption enabled;

      - Access point Service Set Identifier (SSID) (WLAN only);

      - Manufacturer, model number, and serial number of wireless equipment;

      - Equipment location; and

      - Assigned users with telephone numbers.

    3. For smartphones and PEDs:

      - Manufacturer, model number, and serial number of wireless equipment;

      - Equipment location or who the device was issued to; and

      - Assigned users with telephone numbers and email addresses.

10.8.40.4.3  (10-05-2012)
Maintenance

  1. The reset function of wireless access points and devices shall only be used when invoked by authorized individuals.

  2. Wireless access points and devices shall be restored to the latest security settings when the reset function is used.

  3. Electronic access to access points for administration/maintenance shall be protected with FIPS 140-2 (or later) validated encryption protocols (e.g., Hypertext Transfer Protocol Secure (HTTPS)).

    1. The Hypertext Transfer Protocol (HTTP) interface shall only be used when operationally necessary, otherwise it shall be disabled.

  4. Wireless maintenance activities shall be planned and scheduled in accordance with IRM 10.8.1.

10.8.40.4.4  (10-05-2012)
System and Information Integrity

  1. Wireless system and information integrity protection shall be conducted in accordance with IRM 10.8.1.

  2. IT approved antivirus software shall be installed on all wireless clients (e.g., notebook/laptop computers, personal digital assistants, cellular telephones) and non-wireless PEDs.

    Note:

    This requirement does not apply to handheld IRS PEDs that are isolated from any external connection (e.g., not connected to the Internet, an IRS computer, or a network). It does not apply to handheld barcode or Radio Frequency Identification (RFID) scanners that are connected to IRS computers only to download scanned data (the handheld is used only as a barcode/RFID scanner). In addition, this requirement does not apply to phones that only have the capability for voice calls, including wireless VoIP and Unlicensed Mobile Access (UMA) (i.e., no data or Internet connections other than for voice calls over wireless VoIP and UMA).

  3. An IT approved host-based firewall shall be implemented on all wireless clients (e.g., PEDs, smartphones) that are used to connect to the Internet or IRS network to block unauthorized access to the device.

    Note:

    This requirement does not apply to handheld IRS PED devices that are isolated from any external connection (e.g., not connected to the Internet, an IRS computer, or a network). It does not apply to handheld barcode or RFID scanners that are connected to IRS computers only to download scanned data (the handheld is used only as a barcode/RFID scanner). In addition, this requirement does not apply to phones that only have the capability for voice calls, including wireless VoIP and Unlicensed Mobile Access (UMA) (i.e., no data or Internet connections other than for voice calls over wireless VoIP and UMA).

10.8.40.4.5  (10-05-2012)
Media Protection

  1. Media storage and protection controls shall be implemented in accordance with IRM 10.8.1.

  2. Prior to decommissioning wireless systems and other devices that will no longer be used by the IRS, or transferring them to another government agency, all data (including configuration data) shall be sanitized from the host in accordance with IRM 2.14.1, Information Technology (IT) Asset Management; IRM 2.7.4, IT Operations, Magnetic Media Management; and IRM 10.8.1.

    1. A “Wipe” command shall be performed on all new or reissued smartphones; and

    2. An IRS security-compliant profile shall be pushed to smartphone devices before issuing them to IRS personnel.

10.8.40.4.6  (10-05-2012)
Incident Response

  1. Wireless networks and devices shall be incorporated into IT incident response capabilities and plans in accordance with IRM 10.8.1.

  2. The IRS Incident Response Plan shall include response procedures to follow when a mobile device (e.g., smartphone, PED, tablet) is reported lost or stolen.

  3. The IRS Incident Response Plan shall include response procedures to follow when a mobile device (e.g., smartphone, PED, tablet) has a “Data Spillage.”

    1. If a “Data Spillage” occurs on a wireless email device or system, the IRS site where the spillage occurred shall follow the required data spillage procedures.

      Note:

      A data spill occurs only if the smartphone user views or opens the sensitive attached document, since the smartphone system downloads an attachment to the smartphone only when the user views or opens it.

10.8.40.4.7  (10-05-2012)
Security Awareness and Training

  1. All IRS employees and contractors shall receive training in accordance with the training and awareness requirements detailed in IRM 10.8.1 to include the use and risk of wireless technologies within the agency.

  2. The AO shall be responsible for identifying and ensuring specialized training to meet the above requirements.

10.8.40.5  (10-05-2012)
Technical Controls

  1. Technical controls shall be executed by the computer system without human intervention.

    Note:

    These controls provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for the systems or applications. The implementation of technical controls shall be consistent with the management of security within the organization. See IRM 10.8.1 for general information and computer security technical control requirements.

  2. Additional technical controls specific to wireless systems, networks, and devices are provided below in the following areas:

    • Identification and Authentication

    • Access Control

    • Audit and Accountability

    • System and Communications Protection

10.8.40.5.1  (10-05-2012)
Identification and Authentication

  1. Identification and Authentication requirements shall be in accordance with IRM 10.8.1.

  2. Wireless networks and devices shall perform mutual authentication for all accesses to IRS systems or networks.

    1. WLANs shall use Extensible Authentication Protocol (EAP) - Transport Layer Security (TLS) authentication.

  3. User authentication mechanisms for the management interfaces of wireless access points and devices shall be enabled.

    1. In-band management connections shall require passwords.

    2. Devices shall be password protected for out-of-band management.

  4. Each user accessing a wireless device shall have a separate account with username and password.

  5. A password shall be enabled for each wireless client that connects to an IRS network or system. Passwords shall comply with IRM 10.8.1.

  6. Passwords shall be created and maintained in accordance with IRM 10.8.1 and the appropriate operating system IRM for the underlying OS where applicable.

    1. Password/passcodes for wireless mobile devices (e.g., notebook/laptop computers, personal digital assistants, cellular telephones) shall be configured in accordance with IRM 10.8.1.

    2. Authorized wireless mobile devices shall have the default manufacturer passwords changed.

  7. The fallback method for failed wireless authentication (e.g., forgotten passwords and lost smart cards) shall meet the same authentication requirements as the primary method.

10.8.40.5.2  (10-05-2012)
Access Control

  1. Wireless systems shall adhere to IRS policy for access control in accordance with IRM 10.8.1.

    1. Access control shall follow the principle of separation of duties.

  2. Permissions and privileges granted to individuals within the information system shall follow the concept of least privilege (i.e., all user accounts shall be assigned the lowest privilege level that allows them to perform their duties).

  3. Automated lockouts shall be set accordingly:

    1. The timeout for in-band management access shall be set for no longer than 10 minutes.

    2. Console ports shall be configured to time out after 10 minutes or less of inactivity.

    3. If the WLAN device provides a session timeout capability, it shall be set in accordance with IRM 10.8.1, automatic lockout requirements.

      Note:

      This policy applies to inactivity timeout for client sessions with the WLAN.

    4. The maximum number of unsuccessful network sessions (e.g., TLS, Secure Shell (SSH) login attempts) shall be set in accordance with IRM 10.8.1 session lockout requirements.

    5. If used, SSH timeout value shall be set to 60 seconds or less, causing incomplete SSH connections to shut down after timeout expires.

    6. Refer to IRM 10.8.1 for additional automated lockout guidance.

  4. All wireless mobile devices (e.g., notebook/laptop computers, personal digital assistants, cellular telephones) with the capability shall display the required warning/user notification banner during device unlock/logon in accordance with IRM 10.8.1.

10.8.40.5.2.1  (10-05-2012)
Wireless Remote Access

  1. Wireless clients (e.g., laptops, desktop, PED) remotely accessing an IRS network shall comply with the following:

    1. Connect via a Virtual Private Network (VPN) supporting Advanced Encryption Standard (AES) encryption (i.e., Enterprise Remote Access Program (ERAP)); and

    2. Connect via a VPN that supports authentication (i.e., ERAP).

  2. Remote wireless communication shall comply with the settings and requirements of IT approved remote access requirements (i.e., ERAP).

  3. Wireless remote access via a personal or public wireless access point using an IRS-owned wireless client without a properly configured IT-approved VPN, PC-based firewall software, and IT-approved antivirus configuration shall not be permitted unless authorized in writing by the AO of the system requesting connectivity and the AO of the resource being accessed.

    1. Systems or devices not meeting these requirements shall not be connected or reconnected to an IRS network; and

    2. Such a connection shall not process, store, or transmit IRS data.

  4. Users with administrator privileges shall not alter any security component configurations or settings on their laptop or desktop without written approval of the AO.

  5. All remote configurations for wireless clients shall be approved by the AO in accordance with Enterprise Life Cycle (ELC) processes.

  6. See IRM 10.8.1 for additional remote access guidance.

10.8.40.5.3  (10-05-2012)
Audit and Accountability

  1. Auditable events shall be logged and processed in accordance with IRM 10.8.3 Information Technology (IT), Audit Logging Security Standards.

  2. Wireless access point logging shall be enabled.

  3. Wireless network devices shall be configured to log all in-band access attempts (permitted and denied).

  4. Audit logs shall be reviewed in accordance with IRM 10.8.1 and IRM 10.8.3.

10.8.40.5.4  (10-05-2012)
System and Communications Protection

  1. Refer to Treasury Directive (TD) 86-02, Radio Frequency Management; IRM 10.8.1; and IRM 2.13.2, Information Technology (IT) Telecommunications Asset Tool - Waste, Fraud and Abuse for detailed telecommunication environment and services requirements.

  2. Privately owned wireless network interface cards (NICs) shall not be connected to IRS equipment or used to process, access, or store IRS data.

  3. Privately owned Ethernet to WiFi converters (e.g., wireless Ethernet bridges, wireless media adapters) shall not be connected to IRS laptops.

10.8.40.5.4.1  (10-05-2012)
Wireless Local Area Network (WLAN) Infrastructure

  1. WLAN routers and hubs may be deployed to connect end-user desktop computers and devices only with prior approval from the appropriate AO.

  2. The design, implementation, or use of a WLAN infrastructure that stores, processes, or transmits IRS sensitive data shall comply with the Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless security standard and use WPA2-certified equipment and software.

    1. The IEEE 802.11i Robust Security Network (RSN) framework shall be used with IEEE 802.1X authentication to establish a secure wireless connection between WLAN devices.

    2. The pairwise master key (PMK) shall have a lifetime of 24 hours or less.

    3. The group master key (GMK) shall have a lifetime of 8 hours or less.

  3. Managed network elements shall be configured to use two or more Network Time Protocol (NTP) servers to synchronize time.

    1. NTP-enabled devices shall authenticate received NTP messages.

  4. Managed network element out-of-band management (NE OOBM) interfaces shall be configured with an OOBM network address.

  5. Managed routed interfaces shall be configured with both an ingress and egress Access Control List (ACL).

    1. The ingress ACL shall block any transit traffic.

    2. The egress ACL shall block any traffic that was not originated by the managed network elements.

  6. Auxiliary ports on wireless network devices used to remotely access the device via a telephone line shall have a secured modem providing encryption and authentication.

    1. Auxiliary ports not in use shall be disabled.

  7. Wireless network devices shall only allow in-band management sessions from authorized IP addresses from the internal network.

  8. When using SSH, version 2 or later shall be used.

  9. Simple Network Management Protocol (SNMP) implementations using community strings shall change the community string from the default value.

    Note:

    Refer to IRM 10.8.1 for additional guidance.

  10. WLAN SSIDs shall be changed from the manufacturer’s default to a pseudo-random word that does not identify the IRS, its products, its organization, etc.

  11. WLAN access points shall be set to the lowest possible transmit power setting which meets the required signal strength of the area serviced by the access point.

    1. The AP transmission shall not emanate into unneeded areas.
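The settings that sections 10.8.40.4.3, 10.8.40.5.1, 10.8.40.5.2 and 10.8.40.5.4.1 above state as numbers or protocol choices (EAP-TLS, PMK/GMK lifetimes, NTP, SSH, SNMP, SSID, timeouts, management sources) can be checked mechanically against a device's exported configuration. The audit below is an added example, not IRS or vendor tooling; the flat config dict schema, the manufacturer-default SSID and community-string lists, and the 10.0.0.0/8 internal range are assumptions.

```python
"""Audit an access point / WLAN controller configuration against the
settings IRM 10.8.40 states (sections 10.8.40.4.3, 5.1, 5.2 and 5.4.1).
Added example, not IRS tooling; the config dict schema is assumed."""
import ipaddress

# Assumed manufacturer defaults: the IRM only says "changed from the default".
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "cisco", "default"}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ap(cfg, internal_nets=("10.0.0.0/8",)):
    """Return a list of findings; an empty list means the device complies."""
    f = []
    internal = [ipaddress.ip_network(n) for n in internal_nets]

    # 5.4.1(2): 802.11i RSN with 802.1X; 5.1(2): EAP-TLS for WLAN authentication
    if cfg.get("security_mode") != "wpa2-enterprise":
        f.append("security_mode: WPA2 with 802.1X (RSN) required")
    if cfg.get("eap_method") != "eap-tls":
        f.append("eap_method: EAP-TLS required")
    # 5.4.1(2): PMK lifetime 24 h or less, GMK lifetime 8 h or less
    if cfg.get("pmk_lifetime_hours", 999) > 24:
        f.append("pmk_lifetime_hours: must be 24 or less")
    if cfg.get("gmk_lifetime_hours", 999) > 8:
        f.append("gmk_lifetime_hours: must be 8 or less")
    # 5.4.1(10): SSID changed from default and not identifying the IRS
    ssid = cfg.get("ssid", "").strip()
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        f.append("ssid: manufacturer default must be changed")
    elif "irs" in ssid.lower():
        f.append("ssid: must not identify the IRS")
    # 5.4.1(3): two or more NTP servers, NTP messages authenticated
    if len(cfg.get("ntp_servers", [])) < 2:
        f.append("ntp_servers: two or more required")
    if not cfg.get("ntp_authenticate", False):
        f.append("ntp_authenticate: NTP messages must be authenticated")
    # 5.4.1(8): SSH version 2 or later; 5.2(3): SSH timeout 60 s or less
    if cfg.get("ssh_enabled"):
        if cfg.get("ssh_version", 1) < 2:
            f.append("ssh_version: version 2 or later required")
        if cfg.get("ssh_timeout_seconds", 999) > 60:
            f.append("ssh_timeout_seconds: must be 60 or less")
    # 5.4.1(9): SNMP community strings changed from the default
    for comm in cfg.get("snmp_communities", []):
        if comm.lower() in DEFAULT_COMMUNITIES:
            f.append(f"snmp_communities: default string {comm!r} in use")
    # 5.2(3): in-band management and console inactivity timeouts of 10 min or less
    if cfg.get("mgmt_timeout_minutes", 999) > 10:
        f.append("mgmt_timeout_minutes: must be 10 or less")
    if cfg.get("console_timeout_minutes", 999) > 10:
        f.append("console_timeout_minutes: must be 10 or less")
    # 4.3(3): HTTP management interface disabled unless operationally necessary
    if cfg.get("http_mgmt_enabled") and not cfg.get("http_mgmt_justification"):
        f.append("http_mgmt_enabled: disable unless need is documented")
    # 5.4.1(7): in-band management only from authorized internal addresses
    sources = cfg.get("mgmt_allowed_sources", [])
    if not sources:
        f.append("mgmt_allowed_sources: management must be restricted")
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(i) for i in internal):
            f.append(f"mgmt_allowed_sources: {src} is not internal")
    # 5.4.1(6): auxiliary ports not in use are disabled
    if cfg.get("aux_port_enabled") and not cfg.get("aux_port_in_use"):
        f.append("aux_port_enabled: unused auxiliary port must be disabled")
    return f


# Constructed sample: a factory-default access point with weak settings.
SAMPLE_WEAK = {
    "security_mode": "wpa2-personal", "eap_method": None,
    "pmk_lifetime_hours": 48, "gmk_lifetime_hours": 24,
    "ssid": "IRS-Guest-Linksys",
    "ntp_servers": ["10.1.1.10"], "ntp_authenticate": False,
    "ssh_enabled": True, "ssh_version": 1, "ssh_timeout_seconds": 120,
    "snmp_communities": ["public"],
    "mgmt_timeout_minutes": 30, "console_timeout_minutes": 15,
    "http_mgmt_enabled": True,
    "mgmt_allowed_sources": ["0.0.0.0/0"],
    "aux_port_enabled": True, "aux_port_in_use": False,
}

# Constructed sample: the same device after hardening to the IRM settings.
SAMPLE_HARDENED = {
    "security_mode": "wpa2-enterprise", "eap_method": "eap-tls",
    "pmk_lifetime_hours": 12, "gmk_lifetime_hours": 4,
    "ssid": "kvq7n3x",
    "ntp_servers": ["10.1.1.10", "10.1.1.11"], "ntp_authenticate": True,
    "ssh_enabled": True, "ssh_version": 2, "ssh_timeout_seconds": 30,
    "snmp_communities": ["x9Q2mTv0pL"],
    "mgmt_timeout_minutes": 10, "console_timeout_minutes": 5,
    "http_mgmt_enabled": False,
    "mgmt_allowed_sources": ["10.20.30.0/24"],
    "aux_port_enabled": False, "aux_port_in_use": False,
}

if __name__ == "__main__":
    print(audit_ap(SAMPLE_WEAK), audit_ap(SAMPLE_HARDENED) or "compliant")
```

Each finding names the offending key and the IRM paragraph that drives it, so the output can be pasted into the risk assessment report that section 10.8.40.3.1 requires for deficiencies.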

10.8.40.5.4.1.1  (10-05-2012)
WLAN Access Point

  1. Wireless access points and bridges shall be configured with the IRS’s wireless configuration guidelines prior to being connected to the network.

  2. Wireless access points and bridges shall be placed in a dedicated subnet outside the network’s perimeter (e.g., DMZ, Virtual LAN).

  3. Wireless access points shall be configured for WPA2 authentication, confidentiality, and integrity services.

    1. WPA2 (Personal) requires the selection of a strong passcode or passphrase.

    2. WPA2 (Enterprise) requires RADIUS or equivalent authentication services to be deployed on a separate server.

  4. On wireless access points that do not use Authentication, Authorization, and Accounting (AAA) (RADIUS) servers for authentication, the key generation password configured on the WLAN Access Point shall be set in accordance with password requirements in IRM 10.8.1.

  5. Internet-only WLAN Access Points shall reside in a subnet off the perimeter firewall for the exclusive use of wireless connectivity to the Internet.

  6. The perimeter firewall for the Internet-only WLAN Access Point subnet shall be configured with the following policies:

    1. All traffic from the client device is routed to the external facing Internet gateway.

    2. No client initiated connection requests can be routed to the internal network.

    3. No connection requests from the network can be routed to the WiFi client on the internet-only subnet.

    4. No connection requests from outside the network (e.g., Internet) can be routed to the WiFi client on the internet-only subnet.

  7. Authorized Guest networks (i.e., internet-only traffic) shall utilize perimeter security architecture (e.g., Antivirus, Content Filtering) in accordance with this IRM and IRM 10.8.1.

10.8.40.5.4.1.2  (10-05-2012)
WLAN IDS Sensor Scanning

  1. All IRS sites shall conduct WIDS sensor scanning that scans the radio frequency spectrum for unauthorized WLAN devices.

    Note:

    This requirement applies to all IRS sites that operate IRS computer networks, including sites that have no authorized WLAN systems.

  2. Based on a wireless risk assessment, the AO shall make a determination whether to employ continuous or periodic sensor scanning frequency.

  3. Deployed Wireless IDS (WIDS) sensor scanners shall have the capability to meet the sensor scanning frequency defined by the AO.

    1. The following continuous WIDS scanning system requirements apply:
      i. The system shall be server-based, whereby sensor scanning results are consolidated and evaluated by a WIDS server.
      ii. The WIDS shall scan continuously 24 hours/day, 7 days a week to detect authorized and unauthorized activity.
      iii. The WIDS shall include a location sensing protection scheme for authorized and unauthorized wireless devices that shall provide information that enables designated site personnel to take appropriate actions.

    2. The following periodic WIDS scanning requirements apply:
      i. The AO shall determine how often WIDS scanning is conducted (at a minimum of every 90 days) based on the results of the wireless risk assessment. See IRM 10.8.1 for additional guidance.
      ii. Periodic scanning shall be conducted by using handheld or laptop WIDS scanners during a walk-through assessment of the network environment.

  4. WIDS sensor scan results (logs and scan results) shall be maintained for at least one year.
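The triage step that follows a sensor scan, whether continuous or walk-through, is the comparison of every observed BSS against the site's authorized access point inventory. The script below is an added example and is not part of IRM 10.8.40 or of any IRS tool; the CSV export format, the inventory (AUTHORIZED_APS) and the scan records (SAMPLE_SCAN) are all constructed for illustration, since each WIDS server or handheld scanner exports in its own format. It separates the three cases a responder cares about: an unknown BSSID advertising an authorized SSID (possible evil twin), an unknown device with some other SSID, and an authorized AP that has drifted from its baseline.

```python
"""Rogue-access-point triage over WIDS sensor scan results.

Added example (not part of IRM 10.8.40 or any IRS tool). The CSV export
format, the inventory and the scan records below are constructed for
illustration; a real WIDS server or handheld scanner exports its own format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed: the site's authorized AP inventory keyed by BSSID. In a real
# deployment this would come from the WLAN controller or asset inventory.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "IRS-CORP", "privacy": "WPA2/CCMP"},
    "00:11:22:33:44:02": {"ssid": "IRS-CORP", "privacy": "WPA2/CCMP"},
    "00:11:22:33:44:10": {"ssid": "IRS-GUEST", "privacy": "WPA2/CCMP"},
}

# Constructed sample export from one walk-through scan (hypothetical format).
SAMPLE_SCAN = """bssid,ssid,channel,privacy,rssi
00:11:22:33:44:01,IRS-CORP,6,WPA2/CCMP,-41
00:11:22:33:44:02,IRS-CORP,11,WPA2/TKIP,-55
00:11:22:33:44:10,IRS-GUEST,1,WPA2/CCMP,-60
DE:AD:BE:EF:00:01,IRS-CORP,6,OPEN,-38
DE:AD:BE:EF:00:02,Linksys,3,WEP,-72
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: str   # "high" or "medium"
    reason: str


def parse_scan(text: str) -> list:
    """Parse the constructed CSV export into normalised records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "privacy": row["privacy"].strip().upper(),
            "rssi": int(row["rssi"]),
        })
    return records


def classify(observations, inventory=AUTHORIZED_APS) -> list:
    """Compare every observed BSS with the authorized inventory.

    Unknown BSSID + authorized SSID  -> high: possible evil twin; IRS clients
                                       configured for that SSID may auto-join.
    Unknown BSSID + other SSID       -> medium: unauthorized device in range
                                       (neighbour or rogue; must be located).
    Known BSSID, SSID/cipher differ  -> high: an authorized AP has drifted
                                       from its baseline (e.g. TKIP enabled).
    """
    inv = {k.lower(): v for k, v in inventory.items()}
    authorized_ssids = {v["ssid"] for v in inv.values()}
    findings = []
    for obs in observations:
        bssid, ssid = obs["bssid"], obs["ssid"]
        expected = inv.get(bssid)
        if expected is None:
            if ssid in authorized_ssids:
                findings.append(Finding(bssid, ssid, "high",
                    "unknown BSSID advertising an authorized SSID (possible evil twin)"))
            else:
                findings.append(Finding(bssid, ssid, "medium",
                    "unauthorized WLAN device in range"))
            continue
        if ssid != expected["ssid"]:
            findings.append(Finding(bssid, ssid, "high",
                f"authorized BSSID advertising unexpected SSID (expected {expected['ssid']})"))
        if obs["privacy"] != expected["privacy"].upper():
            findings.append(Finding(bssid, ssid, "high",
                f"encryption drift: expected {expected['privacy']}, observed {obs['privacy']}"))
    # Highest severity first, then strongest signal (closest to the sensor).
    order = {"high": 0, "medium": 1}
    rssi = {o["bssid"]: o["rssi"] for o in observations}
    return sorted(findings, key=lambda f: (order[f.severity], -rssi[f.bssid]))


if __name__ == "__main__":
    for f in classify(parse_scan(SAMPLE_SCAN)):
        print(f"{f.severity:6} {f.bssid} {f.ssid!r}: {f.reason}")
```

Because item 4 above requires scan results to be retained for a year, a real deployment should write both the raw export and the findings to the retained log, not just the findings; the sort order (severity, then signal strength) reflects the practical point that the strongest unknown signal is usually the one physically closest to the sensor and therefore the first to locate.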

10.8.40.5.4.1.3  (10-05-2012)
Wireless Application Servers

  1. Wireless application servers (e.g., BlackBerry Enterprise Servers or other communication servers that act as a gateway between a server and a wireless client) shall be configured in accordance with IRM 10.8.1, this IRM, and any applicable security checklists.

  2. Data exchange shall be encrypted in accordance with the encryption standards of this IRM and IRM 10.8.1.

  3. Wireless application servers shall have current antivirus software (with up-to-date signatures) and the latest security patches installed to detect and prevent viruses and other malicious content from infecting the enterprise network.

10.8.40.5.4.1.4  (10-05-2012)
IRS Employee's Residential WLAN

  1. The configuration settings below are highly recommended and follow industry best practices for securing home networks.

  2. IRS users authorized to remotely connect to an IRS network via a WLAN should ensure their employee residential WLAN access point security is compliant with the following security requirements:

    1. The WLAN used for IRS work (employee residential WLAN) should be configured for WPA2 Personal encryption with AES (CCMP); WEP and WPA/TKIP do not meet this requirement. Access points that cannot meet this requirement should not be used.

    2. The authentication passphrase selected should be constructed in accordance with IRM 10.8.1 password requirements (i.e., a minimum of 8 characters, including upper- and lowercase letters, a number, and a special character). Access points that cannot meet this requirement should not be used.

  3. IRS users authorized to remotely connect to an IRS network via a WLAN should ensure the employee residential WLAN router's firewall is enabled and that the router performs Network Address Translation (NAT), so that hosts on the home network are not directly addressable from the Internet.

10.8.40.5.4.1.5  (10-05-2012)
Wireless Clients

  1. IRS-issued/approved wireless desktop, laptop, and PED clients approved for use by the responsible AO shall be used and configured in accordance with the security requirements and encryption standards of this IRM and IRM 10.8.1.

  2. Wireless laptops shall comply with IRM 10.8.26, Laptop Computer Security Policy.

  3. WLAN clients shall be configured so that only one active physical network connection is possible, either wired or wireless, at any time.

  4. Split tunneling shall not be permitted.

10.8.40.5.4.1.6  (10-05-2012)
BlackBerry Enterprise Server

  1. The BlackBerry Enterprise Server requirements that had previously been in this section have either been relocated to BlackBerry checklists or incorporated with other requirements within this IRM.

    1. See Exhibit 10.8.40-1 for wireless security checklists.

10.8.40.5.4.2  (10-05-2012)
Bluetooth

  1. Bluetooth is an open standard for short-range digital radio signals used for creating small wireless networks on an ad hoc basis. The requirements in this section shall apply to Bluetooth technology as well as any other ad hoc network and Wireless Personal Area Network (WPAN) for which this policy does not provide specific guidance (e.g., ZigBee).

  2. Bluetooth communications shall be used for transmission in accordance with the requirements within this IRM and IRM 10.8.1.

  3. If Bluetooth devices transmit unclassified IRS data communications, then they shall use FIPS 140-2 validated cryptographic modules for data in transit, including digital voice communications.

  4. Bluetooth devices unable to use FIPS 140-2 validated cryptographic modules shall be disabled.

  5. Only Bluetooth headsets that conform to the Bluetooth security requirements within this IRM shall be procured.

  6. The following basic Bluetooth requirements shall be adhered to:

    1. For personal area network applications, Bluetooth devices shall use low-power Class 2 or Class 3 Bluetooth radios without external amplifiers or high-gain antennas.

    2. Devices shall not use the Bluetooth 3.0 High Speed (3.0 + HS) alternate MAC and PHY or Bluetooth 4.0 Low Energy (LE) technology.

    3. Devices shall use easily understandable connection, configuration, and link activity status indicators, such as LEDs or icons.

    4. Devices shall only support the minimum number of Bluetooth services required for operational use of approved Bluetooth peripherals.

    5. Services shall be enabled only while needed.

    6. Devices or administrators shall reliably disable or delete all unneeded Bluetooth services.

    7. Devices or administrators shall reliably disable or delete all unneeded Bluetooth user controls, drivers, application programming interfaces, executables, and applications.

    8. Devices shall use random number values and public/private key pairs that achieve maximum entropy for all cryptographic functions as mandated and defined in the Bluetooth specifications and based on applicable NIST guidelines.

    9. Once approved for IRS use, operational Bluetooth devices and piconets shall be independently monitored for unauthorized Bluetooth activity.

    10. Bluetooth devices shall be transported and stored securely by users and administrators at all times.

  7. Unless specifically defined, only Bluetooth devices compliant with Bluetooth 2.0, 2.1, or later versions shall be used.

  8. Bluetooth devices shall only be enabled when within a controlled IRS facility.

  9. Bluetooth security requirements for mobile OS devices can be found in the corresponding OS checklist. See Exhibit 10.8.40-1.

10.8.40.5.4.2.1  (10-05-2012)
Bluetooth Connectivity

  1. Bluetooth devices shall not be discoverable (responsive to inquiry messages from other Bluetooth devices) unless necessary to establish a connection, at which time the capability shall be turned off.

    Note:

    Ideally, devices should never be discoverable.

    1. If a Bluetooth device needs to be discoverable, the device shall not be discoverable for longer than two minutes at any one time.

  2. Bluetooth devices shall not be connectable (responsive to incoming connection requests from other Bluetooth devices) unless necessary to establish a connection, at which time the capability shall be turned off.

    Note:

    Ideally, devices should not be connectable once the connection is established, or should never be connectable if operationally possible.

  3. Devices shall initiate Bluetooth connections only when necessary; once the connection has been established, the capability to initiate connections shall be turned off.

    Note:

    Ideally, only one device per Bluetooth piconet shall initiate connections to other devices in that piconet.

  4. Bluetooth devices shall prompt the user to authorize all incoming Bluetooth connection requests before allowing any incoming connection request to proceed.

  5. Users shall never accept connections, files, or other objects from unexpected, unknown, or untrusted sources.
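On a Linux host the discoverable, discoverable-timeout and pairable states of a controller are what items 1 through 4 above translate to, and they can be audited from the text printed by `bluetoothctl show`. The script below is an added example, not part of IRM 10.8.40 or of any IRS checklist; it assumes the BlueZ 5.5x output format (property lines of the form `Key: value`, with the timeout printed as hex seconds) and the `bluetoothctl` subcommands `discoverable`, `discoverable-timeout` and `pairable`. Both samples (SAMPLE_SHOW, HARDENED_SHOW) are constructed.

```python
"""Audit a Linux (BlueZ) Bluetooth controller against the connectivity
requirements of IRM 10.8.40.5.4.2.1.

Added example, not part of IRM 10.8.40 or any IRS checklist. It parses the
text printed by `bluetoothctl show` (BlueZ 5.5x format assumed) and reports
controllers left discoverable, pairable, or with a discoverable timeout
longer than the two-minute limit. Both samples below are constructed.
"""
import re

MAX_DISCOVERABLE_SECONDS = 120   # IRM 10.8.40.5.4.2.1(1)(1): two minutes

# Constructed sample: a laptop left in its out-of-the-box state.
SAMPLE_SHOW = """Controller 00:1A:7D:DA:71:13 (public)
\tName: irs-laptop-01
\tAlias: irs-laptop-01
\tClass: 0x002c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
\tDiscovering: no
"""

# Constructed sample: the same controller after remediation.
HARDENED_SHOW = """Controller 00:1A:7D:DA:71:13 (public)
\tName: irs-laptop-01
\tAlias: irs-laptop-01
\tClass: 0x002c010c
\tPowered: yes
\tDiscoverable: no
\tDiscoverableTimeout: 0x00000078
\tPairable: no
\tDiscovering: no
"""

_PROP = re.compile(r"^\s*([A-Za-z]+): (.*)$")


def parse_show(text: str) -> dict:
    """Return the first value seen for each `Key: value` property line."""
    props = {}
    for line in text.splitlines():
        m = _PROP.match(line)
        if m and m.group(1) not in props:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_controller(text: str) -> list:
    """Return policy findings (an empty list means compliant)."""
    props = parse_show(text)
    issues = []
    if props.get("Powered") != "yes":
        return issues            # radio off: nothing to inquire or connect to
    if props.get("Discoverable") == "yes":
        issues.append("DISCOVERABLE_ON")        # answers inquiry scans
    # BlueZ prints the timeout as hex seconds; 0 means "discoverable forever".
    timeout = int(props.get("DiscoverableTimeout", "0x0"), 16)
    if timeout == 0 or timeout > MAX_DISCOVERABLE_SECONDS:
        issues.append("DISCOVERABLE_TIMEOUT_TOO_LONG")
    if props.get("Pairable") == "yes":
        issues.append("PAIRABLE_ON")            # accepts new pairing requests
    return issues


REMEDIATION = {
    "DISCOVERABLE_ON": "bluetoothctl discoverable off",
    "DISCOVERABLE_TIMEOUT_TOO_LONG":
        f"bluetoothctl discoverable-timeout {MAX_DISCOVERABLE_SECONDS}",
    "PAIRABLE_ON": "bluetoothctl pairable off",
}


def remediation(issues) -> list:
    """Map findings to the bluetoothctl commands that clear them."""
    return [REMEDIATION[i] for i in issues]


if __name__ == "__main__":
    found = audit_controller(SAMPLE_SHOW)
    print("findings:", found or "none")
    for cmd in remediation(found):
        print("  fix:", cmd)
```

Two caveats: `bluetoothctl` does not expose the "connectable" (page scan) state of item 2, so an already-bonded peer can still reconnect to a controller that is neither discoverable nor pairable; and a zero DiscoverableTimeout is flagged even when the controller is currently not discoverable, because the next time a user turns discovery on it would stay on indefinitely rather than expire within two minutes.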

10.8.40.5.4.2.2  (10-05-2012)
Bluetooth Pairing and Authentication

  1. During initial Bluetooth connection requests, all Bluetooth devices shall pair (mutually authenticate) and bond (store the resulting link key).

  2. Bluetooth devices shall store link keys securely.

  3. Subsequent to pairing, all Bluetooth devices shall again mutually authenticate each other during all connection requests.

  4. Bluetooth devices shall not delete existing link keys until after a replacement link key is generated successfully.

  5. All Bluetooth pairing shall be done as infrequently as possible, ideally in a secure location (e.g., an indoor non-public area away from windows and behind physical access controls) where attackers cannot realistically observe entry of the passkey or intercept transmitted pairing messages.

  6. Users or administrators shall not enter or confirm pairing passkeys when unexpectedly prompted to do so.

  7. Users or administrators shall immediately remove unused, lost, stolen, or discarded Bluetooth devices from paired device lists.

  8. Bluetooth devices shall use either Security Mode 3 (link-level security, used with legacy pairing) or Security Mode 4 (service-level security, used with Secure Simple Pairing).

10.8.40.5.4.2.3  (10-05-2012)
Bluetooth Legacy Pairing

  1. Bluetooth 2.0 devices shall use Security Mode 3 link level security during legacy Bluetooth pairing.

  2. Bluetooth devices using legacy pairing shall use combination keys instead of unit keys for link key establishment.

  3. Devices shall use random Bluetooth passkeys, at least eight digits in length, which are newly generated for each pairing exchange.

    1. If possible, devices shall use random 128-bit binary passkeys.

    2. Passkeys shall not be valid indefinitely.

10.8.40.5.4.2.4  (10-05-2012)
Secure Simple Pairing Security (Security Mode 4)

  1. Bluetooth 2.1 and later devices shall use one of the following Secure Simple Pairing association models:

    1. Passkey Entry Secure Simple Pairing association model.

    2. Numeric Comparison association model if each digit of the passkey is confirmed individually.

    3. Out of Band association model, but only with a tethered, non-wireless interface.

  2. Bluetooth devices shall not use the “Just Works” association model; any unauthenticated Just Works link keys shall be discarded immediately after pairing, terminating such connections.

  3. Bluetooth devices supporting Secure Simple Pairing shall use Elliptic Curve Diffie-Hellman (ECDH) public/private key pairs that are unique for each device and shall originate from a trusted source.

  4. Bluetooth devices shall store Secure Simple Pairing ECDH public/private key pairs securely.

  5. Host protocol stacks in devices using Security Mode 4 shall be sufficiently robust to prevent denial-of-service and other attacks based on anomalous frames.

10.8.40.5.4.2.5  (10-05-2012)
Bluetooth Encryption

  1. All Bluetooth links shall use 128-bit Bluetooth encryption.

  2. Devices shall initiate Bluetooth encryption immediately after the successful completion of mutual authentication.

  3. Where practically feasible, all Bluetooth devices shall use FIPS 140-2 certified key establishment and encryption layered atop the Bluetooth cryptography specified within this IRM for defense in depth.

  4. Bluetooth smart card readers authorized for use shall use FIPS 140-2 certified cryptography.

  5. Public/private key pairs used in FIPS-certified cryptography shall be unique to each device and must originate from a trusted source.

  6. Bluetooth devices shall store public/private key pairs and all keys used in FIPS-certified cryptography securely based on applicable NIST guidance (e.g., NIST SP 800-57).

10.8.40.5.4.2.6  (10-05-2012)
Bluetooth Headsets

  1. The IRS has made a risk-based decision to allow employees to use both government-issued and personally owned Bluetooth headsets with pairing capabilities to Bluetooth-enabled systems (e.g., BlackBerry PEDs and cellular phones) to conduct IRS business. This is an approved exception to the IRS Personal Use Policy. Refer to IRM 10.8.27 for additional guidance.

    Note:

    The term “headset” is intended to include any device designed to communicate the human voice to and from a cellular telephone or PED. It includes portable headsets, hands-free devices in vehicles, portable speakerphones, and other devices with no data functionality.

  2. Acquisition of IRS-procured Bluetooth headsets shall be a Business Unit Expense.

  3. Only devices compliant with Bluetooth 2.0, 2.1, or later versions shall be allowed.

  4. Bluetooth headsets shall not have any capabilities beyond voice communication and encryption.

  5. Employees shall not communicate IRS sensitive information while utilizing a Bluetooth headset. Refer to the Telecommunication Devices section of IRM 10.8.1 for additional information related to situations where job function requires this specific type of communication.

  6. If the employee is in a position that requires a Bluetooth headset device to complete his or her job responsibilities, then the following guideline applies:

    1. If the employee has business calls, a landline remains the preferred method for conducting such calls. If the employee chooses to use their personal cell phone or an IRS provided cell phone with his or her personal Bluetooth headset, that shall be considered a personal choice by the user and the government shall not incur costs associated with calls or maintenance of personal wireless headsets. Refer to the Wireless Portable Electronic Devices section of this IRM for additional information.

10.8.40.5.4.3  (10-05-2012)
Wireless Portable Electronic Devices (PEDs)

  1. Only government-owned wireless PEDs shall be used for conducting official government business, transmitting SBU data, or connecting to a government computer system.

    1. All PEDs connected to an IRS network shall be IRS-issued devices obtained based on job function necessity.

  2. Personally owned PEDs shall not be used to transmit, receive, store, or process SBU data.

    1. If the employee is in a position that requires a wireless device to complete their job responsibilities, then a government-issued device shall be requested through their manager.

    2. If the employee has an urgent business call while on business travel, a landline shall be the preferred method for conducting such calls. If the employee chooses to use a personal cell phone, that shall be considered a personal choice by the user and the government shall not incur costs associated with calls or maintenance of personal wireless equipment.

  3. Unless specifically identified (e.g., Bluetooth headsets, GPS devices), personally owned or contractor-owned PEDs shall not be used to receive, store, process, or transmit IRS information. Where such use is specifically permitted, users shall:

    1. Agree to forfeit the PED when a security incident occurs (e.g., data spillage);

    2. Follow all required security procedures; and

    3. Install required software in order to protect IRS networks.

  4. Wireless PEDs that are connected directly to an IRS 802.11 network shall comply with the requirements within this IRM.

  5. Wireless PEDs that are connected directly to an IRS wired network (e.g., via a hot-sync connection to a workstation) shall not be permitted to operate wirelessly while directly connected.

  6. Wireless PEDs that process SBU information are subject to a full security assessment. Prior to use:

    1. Cybersecurity Security Assessment Services (SAS) shall identify any security risk(s) and document the assessment of risk in a SAR; and

    2. The AO shall determine whether the identified risk(s) are acceptable.

  7. Wireless PEDs shall not connect to a government computer system that processes classified information.

  8. Wireless devices shall be restricted from any area where classified government systems process information or where classified information is discussed.

  9. Users shall immediately report a lost or stolen IRS wireless PED to CSIRC and the Treasury Inspector General for Tax Administration (TIGTA).

  10. Wireless PEDs and add-on modules shall be stored securely when left unattended in accordance with IRM 10.8.1 .

  11. Refer to IRM 10.8.1 for additional portable electronic device security guidance.

10.8.40.5.4.3.1  (10-05-2012)
Smartphones and Wireless Portable Electronic Devices (PEDs)

  1. Wireless PEDs shall have timeout mechanisms that automatically prompt the user for a password after a period of inactivity as specified in IRM 10.8.1.

  2. Communication ports shall be turned off when not needed for business operations.

  3. Only approved wireless applications identified within the Enterprise Architecture’s Enterprise Standards Profile (ESP) shall be allowed or downloaded on a wireless IRS PED.

    1. Automatic downloading of wireless applications shall not be performed on the PEDs.

  4. Users shall be prevented from changing the user profile on wireless PEDs.

  5. Removable memory cards (e.g., MicroSD) shall abide by the following requirements:

    1. Data stored on the card shall be encrypted with FIPS 140-2 (or later) validated encryption; and

    2. Shall be bound to the PED or smartphone such that the card cannot be read by any other PED or computer.

10.8.40.5.4.3.2  (10-05-2012)
Wireless Voice/Data Communications & Cellular Telephones

  1. Wireless voice/data communications across an Internet Protocol (e.g., Voice Over Internet Protocol (VoIP)) and any other multi-functional wireless devices (e.g., devices with additional wireless capabilities beyond voice communication) shall comply with all requirements of this IRM and IRM 10.8.1.

  2. Short Messaging Service (SMS) and Multimedia Messaging Service (MMS) may be enabled on IRS-issued cellular telephones and PEDs based on acquisition of technology and assessment of risk. At a minimum, SMS and MMS messaging are subject to the following mitigating controls:

    1. All SMS and MMS messages containing IRS sensitive SBU/CUI information shall be encrypted with FIPS 140-2 or later validated encryption.

    2. Refer to IRM 1.15.6, Managing Electronic Records, for guidance regarding the logging of SMS and MMS messages.

    Note:

    Additional mitigating controls for SMS and MMS messaging might be added in the future based on the technology selected and assessment of risk.

  3. Refer to IRM 10.8.1 for additional guidance related to telecommunication devices and personally owned equipment and software.

    Note:

    Based on analysis of risk, repercussions of use, and technology evolvement, personally owned wireless communication devices shall not be used to communicate IRS sensitive information.

10.8.40.5.4.3.3  (10-05-2012)
Wireless System Components

  1. Wireless System Components (wireless peripherals) including, but not limited to, keyboards, mice, presenters/pointers, and headphones shall be used in accordance with the following security controls:

    1. Shall only be used in an approved IRS work location.

    2. Shall not be used in a public venue (e.g., Internet café, coffee shop, restaurant, public library).

    3. Shall not be used to communicate IRS sensitive information.

    4. The use and operation of these components shall be in accordance with the applicable requirements of this IRM.

  2. The acquisition of IRS-procured wireless system components shall be in accordance with approved business processes.

10.8.40.5.4.3.4  (10-05-2012)
Global Positioning System (GPS) Devices

  1. The IRS has made a decision to allow the temporary use of taxpayer address information on GPS devices. The Office of Privacy, Governmental Liaison and Disclosure (PGLD), formerly Privacy, Information Protection and Data Security (PIPDS), has published specific guidelines for the use of taxpayer address data on personally owned GPS devices. IRS employees shall adhere to these guidelines, which are accessible from the PGLD website at http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/privacy_art/24689.aspx.

  2. Users of GPS devices should be advised that many GPS devices, such as those installed in smartphones and some automobiles, use telematics to transmit address information entered by the user to the GPS vendor. Therefore, IRS personnel shall:

    1. Only enter Taxpayer address information into the GPS. No other Taxpayer-identifiable information shall be entered into GPS devices.

    2. Immediately delete all Taxpayer address information from the GPS device upon arrival at the destination address.

  3. If the GPS device requires a corresponding name or identifier for the address, use a made-up number or other moniker that does not include any Taxpayer PII or IRS-related information.

  4. IRS-owned or personally owned GPS devices shall not be connected to an IRS computer.

    1. The ACIO Cybersecurity has made a Risk-Based Decision to allow the connection of IRS-procured GPS devices to personally owned computers for the purpose of updating map information and firmware.

10.8.40.5.4.4  (10-05-2012)
Radio Frequency Identification (RFID)

  1. Sensitive or Personally Identifiable Information (PII) shall not be transferred between an RFID tag and RFID scanner unless the information is encrypted in accordance with the encryption requirements within this IRM and IRM 10.8.1.

  2. Data shall be stored in an encrypted form on the RFID tag or encrypted before it is transmitted to the scanner with a FIPS 140-2 or later validated encryption module.

  3. Wireless RFID workstations or scanners shall comply with the security requirements of the wireless technology used for the connection (e.g., WLAN, Bluetooth). For example, if Bluetooth is used for the wireless connection, the RFID scanner shall comply with the Bluetooth security controls within this IRM.

  4. The IRS shall provide notice and full disclosure on the use of RFID to those employees using an RFID application or system.

10.8.40.5.4.5  (10-05-2012)
Encryption Standards

  1. Encryption of wireless transmitted IRS information shall utilize FIPS 140-2 or later validated encryption modules in accordance with IRM 10.8.1.

  2. WLANs shall use AES in Counter Mode with CBC-MAC Protocol (AES-CCMP) to protect data in transit.

  3. CCMP shall be used for both packet encryption (confidentiality) and packet authentication (integrity).

  4. WLAN implementations of AES-CCMP shall be FIPS 140-2 or later validated.

  5. A minimum of 128-bit encryption strength shall be used to protect the confidentiality and integrity of IRS information, as defined by NIST SP 800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks, and NIST SP 800-57, Recommendation for Key Management – Part 1: General.

  6. The information stored or transmitted through a wireless network or device must be assessed to determine the sensitivity of the information and determine the necessary security controls.

  7. Encryption of sensitive files and/or directories contained on laptops shall be used in accordance with IRM 10.8.26, Laptop Computer Security Policy.

  8. FIPS 140-2 or later validated encryption tools shall be used to encrypt IRS sensitive data at rest on wireless devices (e.g., laptop, PED, smartphone).

    Note:

    This requirement applies to any wireless device or non-wireless PED that stores sensitive information. This requirement also applies to removable memory cards (e.g., MicroSD) that are used in the PED except when the PED is connected to a Windows PC for the purpose of provisioning or transferring data.

  9. See the checklists on the Cybersecurity web site identified in Exhibit 10.8.40-1 for guidance on specific wireless implementations.
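The WPA2/AES requirement for employee residential WLANs (IRM 10.8.40.5.4.1.4) and the AES-CCMP requirement above both come down to a handful of settings on the access point. The script below is an added example, not part of IRM 10.8.40 or of any IRS checklist, that audits a hostapd configuration for them: it reads the hostapd.conf keys `wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt`, `wpa_passphrase` and `wep_key*`, and applies the IRM 10.8.1 passphrase rule as summarised in 10.8.40.5.4.1.4 (8 or more characters with upper, lower, digit and special), not the full IRM 10.8.1 text. The weak and hardened configurations are constructed; the only hostapd behaviour it relies on is that `wpa_pairwise` is used for WPA2/RSN when `rsn_pairwise` is unset.

```python
"""Audit a hostapd configuration against the WLAN encryption requirements of
IRM 10.8.40.5.4.1.4 (residential WLAN: WPA2 Personal with AES) and
IRM 10.8.40.5.4.5 (AES-CCMP for data in transit).

Added example, not part of IRM 10.8.40. Both configurations below are
constructed. The passphrase rule is the IRM 10.8.1 summary quoted in
10.8.40.5.4.1.4, not the full IRM 10.8.1 policy.
"""
import string

# Constructed: a typical weak consumer-style configuration (WPA1 + TKIP).
WEAK_CONF = """interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed: the same AP brought into line with the policy.
HARDENED_CONF = """interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Tr0ub4dor&3-Correct!
"""


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is `key=value` per line; `#` starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def passphrase_meets_policy(pw: str) -> bool:
    """8-63 printable characters (hostapd's own limit for wpa_passphrase)
    with upper, lower, digit and special, per the rule in 10.8.40.5.4.1.4."""
    return (8 <= len(pw) <= 63
            and all(c in string.printable and c not in "\t\n\r\x0b\x0c" for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def audit_hostapd(text: str) -> list:
    """Return a list of policy findings; an empty list means compliant."""
    conf = parse_hostapd(text)
    findings = []
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured; WEP provides no effective protection")
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append(f"wpa={wpa}: must be 2 (WPA2/RSN only; 0=open, 1=WPA, 3=WPA+WPA2 mixed)")
    # hostapd uses wpa_pairwise for RSN when rsn_pairwise is not set.
    ciphers = set((conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split())
    if ciphers != {"CCMP"}:
        shown = " ".join(sorted(ciphers)) or "unset"
        findings.append(f"pairwise cipher '{shown}': must be exactly CCMP (AES-CCMP; no TKIP)")
    mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())   # hostapd default
    if not mgmt & {"WPA-PSK", "WPA-EAP"}:
        findings.append(f"wpa_key_mgmt '{' '.join(sorted(mgmt))}': expected WPA-PSK (personal) or WPA-EAP (enterprise)")
    pw = conf.get("wpa_passphrase")
    if "WPA-PSK" in mgmt and pw is None and "wpa_psk" not in conf and "wpa_psk_file" not in conf:
        findings.append("WPA-PSK selected but no wpa_passphrase/wpa_psk configured")
    if pw is not None and not passphrase_meets_policy(pw):
        findings.append("wpa_passphrase does not meet the 8+ character / mixed-class policy")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_hostapd(conf) or 'compliant'}")
```

The mixed-cipher case is the one most often missed: `rsn_pairwise=CCMP TKIP` (or `wpa=3`) lets a client negotiate TKIP even though CCMP is offered, so the audit treats anything other than exactly `CCMP` as a finding rather than checking only that CCMP is present.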

10.8.40.6  (10-05-2012)
Risk Acceptance and Risk-Based Decisions

  1. Requests to deviate from this policy shall be submitted in accordance with policy for Risk Acceptance and Risk-Based Decisions as defined in IRM 10.8.1.

  2. Use Form 14201, as described in the Risk Acceptance Request Standard Operating Procedure (SOP), available on the Enterprise FISMA Compliance SharePoint site.

  3. Any exception(s) to the requirements within this manual shall be based on business justification, an assessment of risks associated with the exception, and the AO’s acceptance of risk.

Exhibit 10.8.40-1 
Wireless Security Checklists

  1. The technical requirements for the Wireless Security checklists are maintained in an Excel spreadsheet, which is provided on the IRS IT Security SharePoint site at: http://op.ds.irsnet.gov/sites/MITS/C/PP/PPM/tools/default.aspx

Exhibit 10.8.40-2 
Glossary

Ad Hoc Mode – A method that allows all wireless devices within range of each other to discover and communicate in peer-to-peer (P2P) fashion without involving central access points.

Advanced Encryption Standard (AES) – A symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers: AES-128, AES-192, and AES-256. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192, and 256 bits, respectively.

Bluetooth – An open wireless technology standard for exchanging data over short distances (using short-wavelength radio transmissions) between fixed and mobile devices, creating wireless personal area networks (WPANs). Created by the telecommunications vendor Ericsson in 1994, it was originally conceived as a wireless alternative to RS-232 data cables. It can connect several devices, overcoming problems of synchronization.

Controlled Unclassified Information – A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. In the future, the designation CUI will replace Sensitive But Unclassified (SBU), but the exact timeframe has not been determined by IRS or Treasury.

Data Spillage – Data spillage occurs whenever sensitive data becomes accessible (such as via email or document transfer) onto an information system that is not authorized to process, store, or transmit the data.

Global Positioning System (GPS) – A system for determining position by comparing radio signals from several satellites.

Good Mobile Messaging – An over-the-air solution users can use to synchronize their PIM data with a handheld device. It consists of a client application for managing PIM data, along with server-side software that provides push capability for email systems and supporting tools.

In Band Management – Management communications with a managed switch through the networked data ports of the switch.

Multimedia Messaging Service (MMS) – An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips.

Network Out of Band Management (NE OOBM) – Management communications with a managed switch through a dedicated management port (or ports) separate from the data ports.

Network Time Protocol (NTP) – A protocol for synchronizing the clocks of computer systems. NTP is used to ensure accurate log file timestamp information. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible.

Personal Digital Assistant (PDA) – A handheld computer that serves as an organizer for personal information. PDAs are increasingly becoming more versatile and may include such features as Web browsing and Internet email.

Piconet – An ad hoc network linking a user group of devices using Bluetooth technology protocols to allow one master device to interconnect with up to seven active slave devices (because a three-bit MAC address is used). Up to 255 further slave devices can be inactive, or parked, which the master device can bring into active status at any time. Piconet range varies according to the class of the Bluetooth device. Data transfer rates vary between about 200 and 2100 kilobits per second (kbit/s) at the application.

Remote Authentication Dial In User Service (RADIUS) – A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect to a network service.

Sensitive But Unclassified (SBU) Information – Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.

Short Message Service (SMS) – A cellular network facility that allows users to send and receive text messages of up to 160-alphanumeric characters on their handset.

Smartphone – A smartphone is a mobile phone built on a mobile computing platform with more advanced computing ability and connectivity than a feature phone. Smartphones combine the functions of a personal digital assistant (PDA), camera, and mobile phone. They also typically include GPS, touchscreens, web-browsing capabilities, and include a mobile operating system (mobile OS) (e.g., Apple iOS, Microsoft Windows Phone, and RIM BlackBerry OS).

Split Tunneling – Split tunneling is a computer networking concept which allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same network connection.

Tablet – A tablet computer (tablet) is a mobile computer, larger than a mobile phone or PED, integrated into a flat touchscreen and primarily operated by touching the screen rather than using a physical keyboard. It often uses an onscreen virtual keyboard, a passive stylus, or a digital pen. Besides having most PC capabilities, typical tablet computers include wireless Internet browsing, potential cell phone functions, GPS navigation, and video camera functions. In many ways, the functions and purposes of laptops, tablets, and smartphones overlap.

Telematics – The integrated use of telecommunications and informatics, also known as ICT (Information and Communications Technology).

Wireless – A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).

Wireless Access Point (AP) – The entry point from a wireless station to a wireless network or from a wireless network to a wired network. APs generally consist of a radio, a wired network interface, and management and bridging software.

Wireless Bridge – A device that links two wired networks, generally operating at two different physical locations through wireless communications.

Wireless Client – A system or device that wirelessly accesses an AP or another client directly.

Wireless Device – A device that can communicate with another device without a physical connection to that device.

Wireless Fidelity (WiFi) – A term describing a wireless local area network that observes the IEEE 802.11 protocol.

Wipe – A command or series of commands that resets the mobile device to its factory default condition and deletes all user data, including user-installed applications, stored on the device.

Wireless Local Area Network (WLAN) – A group of wireless APs and associated infrastructure within a limited geographic area, such as an office building or building campus, that is capable of radio communications. WLANs are usually implemented as extensions of existing wired LANs to provide enhanced user mobility.

Wireless Portable Electronic Device (PED) – A non-stationary wireless client with the capability of recording, storing, and/or transmitting information. Wireless PEDs include, but are not limited to, network interface cards, PDAs, keyboards, mice, printers, and Universal Serial Bus (USB) devices that transmit data wirelessly.

WPA2 – WiFi Protected Access (WPA) and WiFi Protected Access II (WPA2) are security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system WEP (Wired Equivalent Privacy). The WPA2 certification mark indicates compliance with the full IEEE 802.11i standard.

ZigBee – A specification for a suite of high-level communication protocols using small, low-power digital radios based on the IEEE 802.15.4-2003 standard for Low-Rate Wireless Personal Area Networks (LR-WPANs), such as wireless light switches with lamps, electrical meters with in-home-displays, consumer electronics equipment via short-range radio needing low rates of data transfer. The technology defined by the ZigBee specification is intended to be simpler and less expensive than other WPANs, such as Bluetooth.

Exhibit 10.8.40-3 
Acronym List

Acronym/Abbreviation – Word/Meaning
AAA (RADIUS) – Authentication, Authorization and Accounting
ACIO – Associate Chief Information Officer
ACL – Access Control List
AES – Advanced Encryption Standard
AO – Authorizing Official
AP – Access Point
CCMP – Counter-mode/CBC-MAC Protocol
CI – Criminal Investigation
CSIRC – Computer Security and Incident Response Center
CUI – Controlled Unclassified Information
DHCP – Dynamic Host Configuration Protocol
EAP – Extensible Authentication Protocol
ECDH – Elliptic Curve Diffie-Hellman
EEO – Equal Employment Opportunity
ELC – Enterprise Life Cycle
ERAP – Enterprise Remote Access Project
ESP – Enterprise Standards Profile
FIPS – Federal Information Processing Standards
GMK – Group Master Key
GPS – Global Positioning System
GSS – General Support System
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
IDS – Intrusion Detection System
IEEE – Institute of Electrical and Electronics Engineers
IRM – Internal Revenue Manual
IRS – Internal Revenue Service
ISSO – Information System Security Officer
IT – Information Technology
LED – Light Emitting Diode
LR-WPAN – Low-Rate Wireless Personal Area Network
MAC – Media Access Control
MITS – Modernization and Information Technology Services
MMS – Multimedia Messaging Service
NAT – Network Address Translation
NE OOBM – Network Out-of-Band Management
NIC – Network Interface Card
NIST – National Institute of Standards and Technology
NTP – Network Time Protocol
OS – Operating System
P2P – Peer-to-Peer
PC – Personal Computer
PDA – Personal Digital Assistant
PED – Portable Electronic Device
PGLD – Privacy, Governmental Liaison and Disclosure; formerly Privacy, Information Protection and Data Security (PIPDS)
PII – Personally Identifiable Information
PIM – Personal Information Management
PMK – Pairwise Master Key
RADIUS – Remote Authentication Dial In User Service
RFID – Radio Frequency Identification
RSN – Robust Security Network
SA&A – Security Assessment and Authorization
SAR – Security Assessment Report
SAS – Cybersecurity Security Assessment Services
SBU – Sensitive But Unclassified
SCR – Smart Card Reader
SDLC – System Development Life Cycle
SME – Secure Mobile Environment
SMS – Short Message Service
SNMP – Simple Network Management Protocol
SOP – Standard Operating Procedures
SSH – Secure Shell
SSID – Service Set Identifier
SSL – Secure Sockets Layer
SSP – System Security Plan
TD P – Treasury Directive Publication
TIGTA – Treasury Inspector General for Tax Administration
UMA – Unlicensed Mobile Access
USB – Universal Serial Bus
VoIP – Voice over Internet Protocol
VPN – Virtual Private Network
WEP – Wired Equivalent Privacy
WIDS – Wireless Intrusion Detection System
WiFi – Wireless Fidelity
WLAN – Wireless Local Area Network
WPA2 – WiFi Protected Access II
WPAN – Wireless Personal Area Network
WWAN – Wireless Wide Area Network

Exhibit 10.8.40-4 
References

Department of the Treasury

TD P 81-01, Treasury Information Technology Programs, July 14, 2009

TD P 86-02, Radio Frequency Management, June 8, 2010

Internal Revenue Service

IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance

IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities

IRM 10.8.3, Information Technology (IT), Audit Logging Security Standards

IRM 10.8.10, Information Technology (IT), Basic UNIX Security Requirements (BUSR)

IRM 10.8.20, Information Technology (IT), Windows Security Policy

IRM 2.13.2, Information Technology (IT), Telecommunications Asset Tool, Waste, Fraud, and Abuse

Defense Information Systems Agency (DISA)

Android 2.2 (Dell) STIG V1R1, 23 Nov 2011

Apple iOS 4 (with Good Mobility Suite) STIG V1R1, 20 Oct 2011

Blackberry Enterprise Server – Part 1 STIG V2R1, 30 Jan 2012

Blackberry Enterprise Server – Part 2 STIG V2R1, 30 Jan 2012

Blackberry Enterprise Server – Part 3 STIG V2R1, 30 Jan 2012

Blackberry Handheld STIG V2R1, 29, 30 Jan 2012

Blackberry Playbook Tablet STIG V1R1, 30 Jan 2012

Bluetooth/ZigBee STIG V6R5, 28 Oct 2011

DoD Bluetooth Peripheral Device Security Requirements, 16 July 2010

General Mobile Device Policy (Non-Enterprise Activated) STIG V1R1, 30 Jan 2012

General Mobile Device (Technical) (Non-Enterprise Activated) STIG V1R1, 30 Jan 2012

General Wireless Policy STIG V1R8, 30 Jan 2012

Good Mobility Suite Server (Android OS) STIG V1R1, 23 Nov 2011

Good Mobility Suite Server (Apple iOS 4) STIG V1R1, 20 Oct 2011

Good Mobility Suite Server (Windows Phone 6.5) STIG V1R2, 28 Oct 2011

PDA/smartphone STIG V6R5, 28 Oct 2011

RFID Scanner STIG V6R5, 28 Oct 2011

RFID Workstation STIG V6R5, 28 Oct 2011

Smartphone Policy STIG V1R7, 30 Jan 2012

Windows Phone 6.5 (with Good Mobility) STIG V1R2, 28 Oct 2011

Wireless Keyboard and Mouse STIG V6R5, 28 Oct 2011

Wireless Management Server STIG V1R5, 30 Jan 2012

Wireless Remote Access Policy STIG V1R2, 28 Oct 2011

WLAN Access Point (Enclave-NIPRNet Connected) V6R5, Oct 2011

WLAN Access Point (Internet Gateway Connection Only) V6R5, 28 Oct 2011

WLAN Access Point Policy STIG V1R2, Oct 2011

WLAN Authentication Server STIG V6R5, 28 Oct 2011

WLAN Bridge STIG V6R5, 28 Oct 2011

WLAN Client STIG V6R3, 28 Oct 2011

WLAN Controller STIG V6R5, 28 Oct 2011

WLAN IDS Server/Sensor STIG V6R5, 28 Oct 2011

National Institute of Standards and Technology (NIST)

NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009

NIST SP 800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008

NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, February 2007

NIST SP 800-98, Guidelines for Securing Radio Frequency Identification (RFID) Systems, April 2007

NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, November 2007

NIST SP 800-121, Guide to Bluetooth Security, September 2008

NIST SP 800-124, Guidelines on Cell Phone and PDA Security, October 2008

NIST SP 800-127, Guide to Securing WiMAX Wireless Communications, September 2010

NIST SP 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), February 2012
