10.8.26 Government Furnished and Personally Owned Mobile Device Security Policy

Manual Transmittal

July 21, 2020

Purpose

(1) This transmits revised IRM 10.8.26, Information Technology (IT) Security, Government Furnished and Personally Owned Mobile Device Security Policy.

Material Changes

(1) This policy has been updated to revise and incorporate requirements for government furnished mobile devices and non-government furnished/personally owned mobile devices that access, process, transmit, or store IRS information, in support of the Bring Your Own Device (BYOD) program.

(2) Several requirements from obsolete Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) have been removed, relocated to the appropriate Security Control Exhibits or IRM, or replaced where technically feasible.

(3) Several requirements from the obsolete IRM 10.8.40, IT Security - Wireless Security Policy, have been relocated to this IRM.

  1. Added the following sections/updated section titles and content:
    - 10.8.26.1 added Program Scope and Objectives formerly Overview
    - 10.8.26.1.1 added Scope formerly Purpose
    - 10.8.26.1.2 added Objectives formerly Authority
    - 10.8.26.1.3 added Background formerly Scope
    - 10.8.26.1.5 added Risk Acceptance and Risk-based Decision formerly Risk-based Decision
    - 10.8.26.3.1.2, AC-7 Unsuccessful Logon Attempts is incorporated from IRM 10.8.40.3.1
    - 10.8.26.3.1.3, AC-17 Remote Access is incorporated from IRM 10.8.40.3.1
    - 10.8.26.3.1.4, AC-18 Wireless Access is incorporated from IRM 10.8.40.3.1
    - 10.8.26.3.1.4(13), AC-18 Wireless Access is incorporated from IRM 10.8.40.3.2
    - 10.8.26.3.1.4(14), AC-18 Wireless Access is incorporated from IRM 10.8.40.3.4(2)
    - 10.8.26.3.5.1(1), CM-2 Baseline Configuration is incorporated from IRM 10.8.40.3.5(1)
    - 10.8.26.3.5.1(3), CM-2 Baseline Configuration is incorporated from IRM 10.8.40.3.5(2)(a)
    - 10.8.26.17.1(2), SI-2 Flaw Remediation is incorporated from IRM 10.8.40.3.5(7)
    - 10.8.26.3.5.1(4), CM-2 Baseline Configuration is incorporated from IRM 10.8.40.3.5(8)
    - 10.8.26.3.1.3(4), AC-17 Remote Access is incorporated from IRM 10.8.40.3.5(10)
    - 10.8.26.3.7.1(2), IA-5 Authentication Management is incorporated from IRM 10.8.40.3.6(3)
    - 10.8.26.3.7.1(1), IA-5 Authentication Management is incorporated from IRM 10.8.40.3.6(4)(a)
    - 10.8.26.3.11.1(6), PE-3 Physical Access Control is incorporated from IRM 10.8.40.3.10(2)
    - 10.8.26.3.1.5(10), AC-19 Access Controls for Mobile Devices is incorporated from IRM 10.8.40.3.10(3)
    - 10.8.26.3.1.5(11), AC-19 Access Controls for Mobile Devices is incorporated from IRM 10.8.40.3.11(1)
    - 10.8.26.3.4.1(2), CA-2 Security Assessments is incorporated from IRM 10.8.40.3.11.1
    - 10.8.26.3.15.2(1), SA-4 Acquisition Process is incorporated from IRM 10.8.40.3.13(1)
    - 10.8.26.3.15.1(1), SA-3 System Development Life Cycle (SDLC) is incorporated from IRM 10.8.40.3.13(2)
    - 10.8.26.3.1.4(16), AC-18 Wireless Access is incorporated from IRM 10.8.40.3.13(3)
    - 10.8.26.3.1.4(17), AC-18 Wireless Access is incorporated from IRM 10.8.40.3.14(2)
    - 10.8.26.3.1.4(18), AC-18 Wireless Access is incorporated from IRM 10.8.40.3.14(3)
    - 10.8.26.3.1.4.1(1), WLAN IDS Sensor Scanning is incorporated from IRM 10.8.40.3.14.1.2(1)
    - 10.8.26.3.1.4.1(2), WLAN IDS Sensor Scanning is incorporated from IRM 10.8.40.3.14.1.2(2)
    - 10.8.26.3.1.4.1(3), WLAN IDS Sensor Scanning is incorporated from IRM 10.8.40.3.14.1.2(3)
    - 10.8.26.3.1.4.1(4), WLAN IDS Sensor Scanning is incorporated from IRM 10.8.40.3.14.1.2(4)
    - 10.8.26.3.1.5(1), AC-19 Access Controls for Mobile Devices is incorporated from IRM 10.8.40.3.14.1.2(5)
    - 10.8.26.3.16.1(1), SC-8 Transmission Confidentiality and Integrity is incorporated from IRM 10.8.40.3.14.1.3(1)
    - 10.8.26.3.16.2(1), SC-13 Cryptographic Protection is incorporated from IRM 10.8.40.3.14.1.3(2)
    - 10.8.26.3.17.1(1), SI-2 Flaw Remediation is incorporated from IRM 10.8.40.3.14.1.3(3)
    - 10.8.26.3.16.3(1), Bluetooth: Because the DoD reference has been sunset, the source of the control requirements has been changed to NIST SP 800-121 Revision 2 (incorporated from IRM 10.8.40.3.14.2).
    - 10.8.26.3.16.4, Bluetooth Connectivity: Because the DoD reference has been sunset, the source of the control requirements has been changed to NIST SP 800-121 Revision 2 (incorporated from IRM 10.8.40.3.14.2.1).
    - 10.8.26.3.16.5, Bluetooth Pairing and Authentication: Because the DoD reference has been sunset, the source of the control requirements has been changed to NIST SP 800-121 Revision 2 (incorporated from IRM 10.8.40.3.14.2.2).
    - 10.8.26.3.16.6, Bluetooth Legacy Pairing: Because the DoD reference has been sunset, the source of the control requirements has been changed to NIST SP 800-121 Revision 2 (incorporated from IRM 10.8.40.3.14.2.3).
    - 10.8.26.3.16.7, Secure Simple Pairing (SSP) Security: Because the DoD reference has been sunset, the source of the control requirements has been changed to NIST SP 800-121 Revision 2 (incorporated from IRM 10.8.40.3.14.2.4).
    - 10.8.26.3.16.8, Bluetooth Encryption: Because the DoD reference has been sunset, the source of the control requirements has been changed to NIST SP 800-121 Revision 2 (incorporated from IRM 10.8.40.3.14.2.5).
    - 10.8.26.3.16.9(1), Bluetooth Headsets is incorporated from IRM 10.8.40.3.14.2.6(1)
    - 10.8.26.3.16.9(2), Bluetooth Headsets is incorporated from IRM 10.8.40.3.14.2.6(2)
    - 10.8.26.3.16.9(3), Bluetooth Headsets is incorporated from IRM 10.8.40.3.14.2.6(4)
    - 10.8.26.3.16.9(4), Bluetooth Headsets is incorporated from IRM 10.8.40.3.14.2.6(5)
    - 10.8.26.3.16.9(5), Bluetooth Headsets is incorporated from IRM 10.8.40.3.14.2.6(6)
    - 10.8.26.3.16.10, Wireless System Components is incorporated from IRM 10.8.40.3.14.3
    - 10.8.26.3.16.11, Global Positioning System (GPS) is incorporated from IRM 10.8.40.3.14.4
    - Exhibit 10.8.26-1, Security Control Exhibit Checklist is incorporated from IRM 10.8.40.3.14.6(6)

(4) The following sections have been updated/clarified with this version of policy:

  1. Added the following sections/updated section titles and content:
    - 10.8.26.3.1.1, AC-3 Access Enforcement, added subsection Access to Sensitive Information
    - 10.8.26.3.1.4, Clarified the IRS employees use of secured Wi-Fi and secure Public Wi-Fi.
    - 10.8.26.3.1.4.1, Hot-Spot requirements added to AC-18
    - 10.8.26.3.5.1, CM baseline, in preparation of Treasury PWG recommended revision to TD P 85-01 Appendix A
    - 10.8.26.3.5.2, CM-6 Configuration Settings: specified BYOD program enrolled devices in the text, replaced "shall" with "must", and changed the wording on what is wiped/removed from BYOD enrolled devices.
    - 10.8.26.3.10.1, MP-6 Media Sanitization: changed the name from Media Sanitization and Disposal.
    - 10.8.26.3.16.2, Bluetooth Connectivity: added requirements from NIST SP 800-121 Rev 2.
    - 10.8.26.3.16.3, Bluetooth Pairing and Authentication: added requirements from NIST SP 800-121 Rev 2.
    - 10.8.26.3.16.4, Bluetooth Legacy Pairing: added requirements from NIST SP 800-121 Rev 2.
    - 10.8.26.3.16.5, Secure Simple Pairing (SSP): added requirements from NIST SP 800-121 Rev 2.
    - 10.8.26.3.16.6, Bluetooth Encryption: added requirements from NIST SP 800-121 Rev 2.
    - Exhibit 10.8.26-6, Not Applicable SRG/STIG Requirements: External Reference: Commercial Mobile Device (CMD) Policy STIG (2.5) 2016-09-30, External Reference: Mobile Policy SRG (1.2) 2013-07-03, External Reference: Mobile Policy STIG (2.3) 2016-09-01
    - Exhibit 10.8.26-1, Security Control Exhibit Checklist: (Mobile Device Technical Security Requirements)
    - Exhibit 10.8.26-2, Mobile Device Operating System (OS) Configuration Settings
    - Exhibit 10.8.26-3, Glossary and Acronyms
    - Exhibit 10.8.26-4, References

  2. Removed the following sections:
    - Additional Blackberry Requirements
    - AirWatch Mobile Device Management (MDM) Software
    - Apple iOS 7
    - Apple iOS 8
    - Apple iOS 9
    - BlackBerry Enterprise Server (version 5.x) Part 1, Architecture and Training
    - BlackBerry Enterprise Server (version 5.x) Part 2, Configuration Requirements
    - BlackBerry Enterprise Server (version 5.x) Part 3, IT Policy Configuration Requirements
    - BlackBerry OS 7.x.x
    - BlackBerry v10.2.x
    - BlackBerry Enterprise Service (BES) v10.2.x BlackBerry Device Service (BDS)
    - General Mobile Device Non-Enterprise Activated (NEA)
    - PDA/Smartphone
    - Samsung Android Knox 2.x
    - Samsung Android OS 5 with Knox 2.x
    - Microsoft Windows Phone 8.1

  3. Restructured the Manual Transmittal, Introductory sections.

  4. Updated links throughout the document to reflect new/revised organizational links.

(5) Editorial changes (including grammar, spelling, and clarification) were made throughout the IRM.

Effect on Other Documents

IRM 10.8.26 dated February 28, 2017, is superseded. This IRM supersedes all prior versions of IRM 10.8.26, and supplements: IRM 10.8.1, IT Security, Policy and Guidance and IRM 10.8.2, IT Security, IT Security Roles and Responsibilities.

Audience

IRM 10.8.26 applies to and shall be distributed to all employees, contractors, vendors, and volunteers responsible for ensuring the security of government furnished mobile devices and approved non-government furnished/personally owned (BYOD) mobile devices.

Effective Date

(07-21-2020)

Nancy Sieger
Acting Chief Information Officer

Program Scope and Objectives

  1. This IRM lays the foundation to implement and manage security for government furnished mobile devices and non-government furnished/personally owned mobile devices that have been approved for use by employees participating in the Bring Your Own Device (BYOD) program, and the data stored on them, within the Internal Revenue Service (IRS).

  2. Audience: The provisions in this manual apply to:

    1. All offices and business, operating, and functional units within the IRS.

    2. Individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, volunteers and outsourcing providers, who use or operate information systems or mobile devices that store, process, or transmit IRS information or connect to an IRS network or system.

      Note:

      When the terms "mobile devices" and "mobile device users" are used within this IRM, they refer to both government furnished and approved non-government furnished/personally owned mobile devices and users unless otherwise noted.

    3. Bring Your Own Device (BYOD) participants, unless otherwise specified as only government furnished mobile devices.

    4. Government furnished or approved non-government furnished/personally owned mobile devices used to accomplish the IRS mission.

      Note:

      For the purpose of this IRM, laptops are categorized as a mobile device with computing and communication (e.g., wireless, local area network (LAN)) capability, and shall comply with all IRM 10.8.1, TD-P 85-01, and other related IRM policy requirements for mobile devices. (IRS-defined)

    5. All IRS information and information systems. For information systems that store, process, or transmit classified information, refer to IRM 10.9.1, National Security Information, for additional procedures for protecting classified information.

  3. Policy Owner: Chief Information Officer.

  4. Program Owner: Architecture and Implementation (an organization within Cybersecurity).

Scope

  1. The IRS shall ensure that the product (e.g., software, hardware) and version selected is in accordance with IRS Enterprise Architecture (EA) Enterprise Standards Profile (ESP) that dictates the official products and versions within the IRS.

  2. This policy provides BYOD program participants with the Rules of Behavior that they shall abide by in order to prevent IRS data from being insecurely stored on a mobile device or carried over an insecure network where it could be subject to unauthorized access or disclosure.

  3. The IRS shall ensure the application or system version is a version for which the vendor still offers standardized technical support.

  4. In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 has precedence, unless the security controls/requirements in this policy are more restrictive or otherwise noted.

Objectives

  1. This IRM establishes the minimum baseline security policy and requirements for all IRS IT assets in order to:

    1. Protect the critical infrastructure, including government furnished and approved non-government furnished/personally owned mobile devices, and assets of the IRS against attacks that exploit IRS assets and other approved devices used to access, process, transmit or store IRS information.

    2. Enable government furnished and approved non-government furnished/personally owned mobile devices that meet the security requirements of this policy, to operate and support the business needs of the organization.

    3. Prevent unauthorized access to government furnished and approved non-government furnished/personally owned mobile devices when being used to access, process, transmit or store IRS information.

  2. It is acceptable to configure settings to be more restrictive than those defined in this IRM.

  3. To configure less restrictive controls requires a risk-based decision (RBD). See the Risk-Based Decisions section within this IRM for additional guidance.

Background

  1. Government furnished and non-government furnished/personally owned mobile devices are vulnerable to theft and the loss of all data stored on them, which places the information they contain at risk of disclosure or compromise. Many theft rings operating today at airports, hotels, and other public places target mobile devices. Additionally, the use of mobile devices in public places (e.g., airports, restaurants, conferences, public transportation) and transmitting information through public telecommunications networks, presents a significant risk of unauthorized persons observing and gaining access to the information that is being processed. Therefore, IRS employees, contractors, and volunteers shall abide by all requirements provided within this policy to help protect their government furnished and non-government furnished/personally owned mobile devices, and the information contained on them, from these risks.

  2. The Information Technology (IT) organization has implemented the "Bring Your Own Device" (BYOD) program to permit IRS personnel to use non-government furnished/personally owned mobile devices for business purposes. This program offers the convenience of using an approved non-government furnished/personally owned mobile device to access, process, transmit, or store IRS information. Therefore, those IRS employees who choose to participate in the program shall abide by the requirements specified within this policy. The IRS shall be able to ensure that agency data is protected at all places and all times.

  3. Federal Information Processing Standard (FIPS) 200 mandates the use of National Institute of Standards and Technology (NIST) Special Publication 800-53 as an initial set of baseline security controls for the creation of agency IT security policy.

  4. IRM 10.8.26 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Information Technology, Cybersecurity.

Authority

  1. IRM 10.8.1, IT Security, Policy and Guidance, establishes the security program and the policy framework for the IRS.

  2. The requirements within this IRM for mobile devices shall comply with and supplement the security controls defined in IRM 10.8.1.

Risk Acceptance and Risk-Based Decisions

  1. Any exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision (RBD).

  2. RBD requests shall be submitted in accordance with IRM 10.8.1 and use Form 14201, as described in the Risk Acceptance Request and Risk-Based Decision standard operating procedures (SOP), available on the Enterprise Federal Information Security Modernization Act (FISMA) Compliance SharePoint site via the Risk Acceptance Requests link at:
    https://portal.ds.irsnet.gov/sites/CyberSRM/SitePages/RiskBasedDecision.aspx.

  3. See IRM 10.8.1 for additional guidance about Risk Acceptance and Risk-Based Decisions.

Roles and Responsibilities

  1. IRM 10.8.2, IT Security, Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental roles and responsibilities provided below are specific to the security of all government furnished and approved non-government furnished/personally owned mobile devices. Refer to IRM 10.8.2 for additional information regarding organizational and individual roles and responsibilities related to information and computer security.

Government Furnished Mobile Device Users

  1. Government furnished mobile device users shall be responsible for ensuring the physical and logical security of their assigned equipment. (IRS-defined)

    Note:

    One way an employee ensures the logical security of a mobile device is by exercising due care to prevent viruses and malware from being installed on it, such as by not opening attachments and documents from untrusted sources (e.g., attachments and documents received in a personal email).

  2. Managers of employees who have been assigned government furnished mobile devices shall ensure their employees exercise due care in safeguarding these devices and the data they contain. (IRS-defined)

  3. Refer to IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources, for guidance pertaining to the prohibited uses of government furnished mobile devices.

Non-Government Furnished/Personally Owned (BYOD) Mobile Device Users

  1. BYOD participants shall: (IRS-defined)

    1. Understand that if their approved non-government furnished/personally owned mobile device is not compliant with IRS security policies or if it presents any unacceptable risk to the IRS’s networks or data, that it will not be allowed to connect to the IRS’s systems.

    2. Consent to remote inspection and monitoring of the IRS-approved mobile access solution (e.g., Blackberry Unified Endpoint Management) on their approved non-government furnished/personally owned mobile device, using technology centrally managed by IRS IT organization.

    3. Ensure they are the only person who has access to their approved non-government furnished/personally owned mobile devices when being used to view or process IRS information.

    4. Ensure a valid password is successfully entered prior to logging onto the mobile device.

    5. Ensure a valid password is successfully entered prior to logging into the IRS-approved mobile access (e.g., Blackberry UEM) solution.

    6. See the Rules of Behavior for BYOD Participants section within this IRM for further requirements when using their approved non-government furnished/personally owned mobile device to access, process, transmit, or store IRS information.

  2. BYOD participants shall not: (IRS-defined)

    1. Use the screen capture function on their mobile device while logged into the IRS-approved mobile access solution (e.g., Blackberry UEM).

      Note:

      Using the screen capture function while logged into the IRS-approved mobile access solution (e.g., Blackberry UEM), could place IRS sensitive information (e.g., Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII)) at risk of disclosure.

    2. Share their IRS-approved mobile access solution (e.g., Blackberry UEM) password with anyone.

IT Security Controls

  1. The IT security controls within this manual provide a range of safeguards and countermeasures for the government furnished and approved non-government furnished/personally owned mobile devices that access, process, transmit, or store IRS information.

  2. The security controls in this IRM supplement the requirements defined in IRM 10.8.1.

AC - Access Control

  1. In addition to the Access Control guidance defined within this IRM, requirements for the following Access Control areas shall be implemented in accordance with IRM 10.8.1:

    • AC-2 Account Management

    • AC-4 Information Flow Enforcement

    • AC-5 Separation of Duties

    • AC-6 Least Privilege

    • AC-8 System-Use Notifications

    • AC-9 Previous Logon (Access) Notification

    • AC-10 Concurrent Session Control

    • AC-11 Session Lock

    • AC-12 Session Termination

    • AC-14 Permitted Actions without Identification or Authentication

    • AC-16 Security Attributes

    • AC-20 Use of External Information Systems

    • AC-21 Information Sharing

    • AC-22 Publicly Accessible Content

    • AC-23 Data Mining Protection

    • AC-24 Access Control Decisions

    • AC-25 Reference Monitor

AC-3 Access Enforcement

  1. Mobile devices connected to IRS networks or processing IRS information shall comply with IRM 10.8.1 and the security requirements of those networks. (IRS-defined)

  2. See IRM 10.8.1 for additional guidance on Access Enforcement.

Access to Sensitive Information

  1. Sensitive information (e.g., SBU and PII) shall not be downloaded to mobile devices. (IRS-defined)

    1. Government furnished laptops are the only exception to this requirement.

  2. Sensitive information (i.e., Federal Taxpayer Information (FTI)/6103 information) shall not be viewed or discussed on mobile devices in public places (e.g., airports, coffee shops, hospitals, malls). (IRS-defined)

  3. Sensitive information stored or processed on a government furnished laptop shall be protected with the same requirements as hard-copy documents (e.g., markings, distribution, destruction) and in accordance with the requirements defined within IRM 10.8.1. (IRS-defined)

  4. Mobile devices shall not be used to access, process, transmit, or store classified data. (DISA: SRG-MPOL-075)

    1. Government furnished laptops are the only exception to this requirement. (IRS-defined)

AC-7 Unsuccessful Logon Attempts

  1. The maximum number of consecutive unsuccessful login attempts to a mobile device shall be set in accordance with IRM 10.8.1. (DISA: SRG-MPOL-001)

  2. See IRM 10.8.1 for additional guidance on Unsuccessful Logon Attempts.

AC-17 Remote Access

  1. The IRS shall have a wireless remote access policy that is signed by the site AO, Director, or other appropriate authority. (DISA: SRG-MPOL-031)

  2. Remote access shall only be accomplished with a government furnished mobile device via an IRS-approved Virtual Private Network (VPN) solution that uses FIPS 140-2 (or later) validated encryption technology. (IRS-defined)

  3. Remote access with an approved non-government furnished/personally owned mobile device shall only be accomplished using the IRS-approved mobile access (e.g., Blackberry UEM) solution. (IRS-defined)

  4. The IRS IT organization shall create and document a list of network protocols within a mobile device deemed to be non-secure for remote access into IRS networks. (DISA: SRG-MPOL-002)

  5. See IRM 10.8.1 for additional guidance on Remote Access.

AC-18 Wireless Access

  1. Wi-Fi and Bluetooth communications shall be confined to IRS-controlled boundaries. (DISA: SRG-MPOL-009)

  2. Usage restrictions shall be established for wireless access. (DISA: SRG-MPOL-010)

  3. IRS Concept of Operations (CONOPS) or site security plan shall include information specifying that Bluetooth devices use only Class 2 or 3 standard radios. (DISA: SRG-MPOL-011)

  4. IRS CONOPS or site security plan shall include guidance requiring that Bluetooth radios shall not be modified through signal amplification, antenna configuration, or other techniques that could affect signal detection or interception. (DISA: SRG-MPOL-012)

  5. The wireless interface on computers with an embedded wireless system shall be removed before the computer is used to transfer, receive, store, or process classified information. (DISA: SRG-MPOL-015)

  6. The IRS shall establish implementation guidance for wireless access. (DISA: SRG-MPOL-016)

  7. Locations where Commercial Mobile Device (CMD) Wi-Fi access is approved or disapproved shall be documented. (DISA: SRG-MPOL-018)

    Note:

    Additional information on Wi-Fi access can be found in the appropriate System Security Plan (SSP) and on the Wireless Local Area Network (WLAN) Project SharePoint site https://program.ds.irsnet.gov/sites/UNSWLANSharepointHome/Pages/WLAN-Home.aspx

  8. The IRS shall establish a wireless access control and security policy to define the administrative procedures and technical requirements to be met prior to being authorized to connect to an IRS information system. (DISA: SRG-MPOL-028)

  9. The IRS shall maintain a list of all AO-approved wireless and non-wireless devices under their control that store, process, or transmit IRS information. (DISA: SRG-MPOL-029)

  10. Each wireless device connecting to an IRS network shall be included in the applicable site security plan or other appropriate Security Assessment and Authorization (SA&A) document. (DISA: SRG-MPOL-030)

  11. The IRS shall ensure the network access control solution supports wireless clients and solutions if wireless networking is implemented. (DISA: SRG-MPOL-035)

  12. IRS employees shall be responsible for ensuring they only use secured Wi-Fi (e.g., hotels, home). (IRS-defined)

    Note:

    The intent of this requirement is to avoid a situation where the employee is inadvertently using a neighbor's Wi-Fi.

    Note:

    For further design guidance for Wi-Fi security and privacy, see IRS IT publication, Enterprise Architecture (EA) Remote Access Security Teleworking - Wireless Fidelity (Wi-Fi) http://ea.web.irs.gov/arch/. The list of publications can be found by navigating to the Design Guidance option under the column Applications and Technology. The publication is under the section for Security and Privacy.

  13. IRS employees are permitted to utilize secure Public Wi-Fi access (e.g., hospital, Internet café, coffee shop, public library). (IRS-defined)

  14. Training materials shall be developed stating Bluetooth shall be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. (DISA: SRG-MPOL-019)

  15. IRS wireless systems (including associated peripheral devices, operating systems, applications, network/Personal Computer (PC) connection methods, and services) shall be approved by the AO prior to installation and use for processing IRS information. (DISA: SRG-MPOL-017)

  16. Use of Government Furnished Equipment (GFE) phones and GFE MiFi’s/Hot-Spots for remote access to IRS IT assets (e.g., networks, systems) shall be provided through an encryption mechanism such as a virtual private network (VPN) connection that meets FIPS 140 validation requirements (AC-17(2)_T.206).

    1. Two-factor authentication shall be implemented for all remote access to an IRS system (AC-17_T.006). Refer to IRM 10.8.1 for further guidance.

  17. The IRS shall only procure and deploy WPA2-Enterprise certified WLAN equipment and software for wireless systems that connect directly to IRS networks. (DISA: SRG-MPOL-024)

  18. Personally owned or contractor owned CMDs shall not be used to transmit, receive, store, or process IRS information or connect to IRS networks without AO authorization. (IRS-defined)

  19. Privately owned Ethernet to Wi-Fi converters (e.g., wireless Ethernet bridges, wireless media adapters) shall not be connected to IRS laptops or workstations. (IRS-defined)

  20. See IRM 10.8.1 for additional guidance on Wireless Access.

WLAN IDS Sensor Scanning

  1. The IRS shall monitor for unauthorized wireless connections to an information system in accordance with the Information System Monitoring requirements of IRM 10.8.55, Network Security Policy. (DISA: SRG-MPOL-005)

  2. The AO shall define a time period for monitoring of unauthorized wireless connections to information systems, including scans for unauthorized wireless access points. (DISA: SRG-MPOL-006)

  3. The IRS shall document and take appropriate action if an unauthorized wireless connection is discovered. (DISA: SRG-MPOL-007)

  4. The IRS shall define the appropriate action(s) to be taken if an unauthorized wireless connection is discovered. (DISA: SRG-MPOL-008)
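As an added example (not part of IRM 10.8.26 or any IRS tool), the following Python compares constructed WIDS sensor scan records against a constructed AO-approved wireless device inventory (the list AC-18 requires the IRS to maintain) and reports unauthorized wireless connections for documentation and follow-up, plus sites whose most recent scan is older than an assumed AO-defined monitoring period. The inventory, record format, MAC addresses and the seven-day period are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed AO-approved inventory: BSSID -> (approved SSID, site where it is
# documented in the site security plan). Real inventories would come from the
# SA&A documentation, not from a literal in code.
APPROVED_DEVICES: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("IRS-WLAN", "Site-A"),
    "aa:bb:cc:00:00:02": ("IRS-WLAN", "Site-B"),
}

# Assumed AO-defined monitoring period (constructed value for the example).
AO_MONITORING_PERIOD = timedelta(days=7)

# Fixed "now" so the sample below is reproducible (constructed).
NOW = datetime(2020, 7, 21, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ScanRecord:
    seen_at: datetime            # UTC timestamp reported by the WIDS sensor
    site: str                    # sensor location
    bssid: str                   # access point MAC as reported by the sensor
    ssid: str
    client_mac: Optional[str] = None  # set when a client association was observed


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so inventory lookups match."""
    return mac.strip().lower().replace("-", ":")


def classify(record: ScanRecord, approved=APPROVED_DEVICES) -> Tuple[str, str]:
    """Return (status, reason) for one scan record."""
    bssid = normalize_mac(record.bssid)
    entry = approved.get(bssid)
    if entry is None:
        return "unauthorized", f"BSSID {bssid} is not in the AO-approved inventory"
    ssid, site = entry
    if record.ssid != ssid:
        # Approved hardware advertising a network the AO never approved.
        return "unauthorized", f"approved BSSID {bssid} is advertising unapproved SSID {record.ssid!r}"
    if record.site != site:
        # Could be a moved device or a BSSID clone; needs a human decision.
        return "investigate", f"approved BSSID {bssid} seen at {record.site}, inventory lists {site}"
    return "authorized", "matches inventory"


def evaluate_scan(records: List[ScanRecord], approved=APPROVED_DEVICES) -> List[dict]:
    """Findings for every record that is not an authorized connection,
    in the shape an incident record for SRG-MPOL-007 would need."""
    findings = []
    for r in records:
        status, reason = classify(r, approved)
        if status != "authorized":
            findings.append({"seen_at": r.seen_at.isoformat(), "site": r.site,
                             "bssid": normalize_mac(r.bssid), "ssid": r.ssid,
                             "client_mac": r.client_mac, "status": status,
                             "reason": reason})
    return findings


def scan_coverage_gaps(records: List[ScanRecord], sites: List[str], now: datetime,
                       period: timedelta = AO_MONITORING_PERIOD) -> List[str]:
    """Sites with no scan inside the AO-defined period (or no scan at all)."""
    latest: Dict[str, datetime] = {}
    for r in records:
        if r.site not in latest or r.seen_at > latest[r.site]:
            latest[r.site] = r.seen_at
    return sorted(s for s in sites if s not in latest or now - latest[s] > period)


# Constructed sample scan records.
SAMPLE_RECORDS = [
    ScanRecord(NOW - timedelta(hours=1), "Site-A", "AA-BB-CC-00-00-01", "IRS-WLAN"),
    ScanRecord(NOW - timedelta(hours=1), "Site-A", "de:ad:be:ef:00:01", "Free_WiFi",
               client_mac="11:22:33:44:55:66"),
    ScanRecord(NOW - timedelta(hours=1), "Site-A", "aa:bb:cc:00:00:02", "IRS-WLAN"),
    ScanRecord(NOW - timedelta(days=10), "Site-B", "aa:bb:cc:00:00:02", "IRS-WLAN-guest"),
]

if __name__ == "__main__":
    for finding in evaluate_scan(SAMPLE_RECORDS):
        print(finding)
    print("sites outside monitoring period:",
          scan_coverage_gaps(SAMPLE_RECORDS, ["Site-A", "Site-B", "Site-C"], NOW))
```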

AC-19 Access Controls for Mobile Devices

  1. The IRS shall ensure Wireless Intrusion Detection System (WIDS) sensor scan results are saved for at a minimum one (1) year. (DISA: SRG-MPOL-049)

  2. In addition to the Access Control for Mobile Devices requirements within this IRM, the Access Control for Mobile Devices requirements defined in IRM 10.8.1 shall be implemented.

  3. An authorization process shall be developed and published that states the process to obtain approval before both government furnished mobile devices and non-government furnished/personally owned mobile devices approved for use in the BYOD program, can connect to an IRS information system(s). (DISA: SRG-MPOL-070)

  4. The IRS shall store and maintain baseline configuration of each CMD, including application software, in accordance with the requirements defined in IRM 10.8.1 and the IRM 2.149, Asset Management series. (DISA: SRG-MPOL-047)

  5. The IRS IT organization shall establish SOPs for provisioning government furnished mobile devices prior to issuing them to employees and installing applications on the device. (DISA: SRG-MPOL-061)

  6. Mobile devices shall be provisioned with PKI digital certificates, in accordance with IRM 10.8.52, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy, so users can digitally sign and encrypt email notifications or other email messages required by IRS policy. (DISA: SRG-MPOL-064)

    1. Non-government furnished/personally owned mobile devices shall have this capability via the IRS-approved mobile access solution (e.g., Blackberry UEM). (IRS-defined)

    2. AO approval shall be obtained prior to the use of software PKI certificates on mobile devices. (IRS-defined)

  7. The IRS shall explicitly specify in each site’s physical security policy, whether mobile devices, containing cameras (still and video), are permitted or prohibited at that site. (DISA: SRG-MPOL-059; WIR-SPP-001)

  8. A list of high risk locations for the usage of mobile devices shall be developed, documented, and provided to security personnel and other applicable IRS personnel. (DISA: SRG-MPOL-072)

  9. Inspection and preventative measures shall be applied to mobile devices returning from locations the IRS deems to be of significant risk to IRS information systems. (DISA: SRG-MPOL-074)

  10. Unclassified wireless devices shall not be operated in areas where sensitive information is electronically stored, processed, or transmitted unless the following conditions are met (DISA: WIR0040):

    1. Approved by the AO in consultation with a Certified TEMPEST Technical Authority (CTTA); and

    2. The wireless equipment is separated from the classified data equipment at a minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented.

  11. All users of mobile devices or wireless devices shall sign a user agreement before the mobile or wireless device is issued to the user. (DISA: WIR0030)

  12. IRS or Treasury-issued software certificates shall not be used for non-government furnished/personally owned mobile devices, unless they have been approved for use in the BYOD program. (DISA: SRG-MPOL-058; IRS-defined)

  13. Government furnished mobile device users shall not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-IRS sources unless the updates have been tested and IRS-approved. (DISA: SRG-MPOL-063)

    1. Mobile device software updates shall only originate from an approved IRS source. (DISA: WIR-SPP-008-02)

  14. The IRS shall ensure mobile operating systems, mobile applications, and mobile device management agents on managed mobile devices are updated in accordance with IRM 10.8.1 and IRM 10.8.50 after the updates/patches are available. (DISA: SRG-MPOL-069)

  15. See IRM 10.8.1 for additional guidance on Access Control for Mobile Devices.

Access Controls for Government Furnished Mobile Devices
  1. Government furnished mobile devices shall not be used by anyone other than authorized personnel (e.g., the person to whom it is assigned, IT personnel performing maintenance/repairs, the manager of the person to whom it is assigned, personnel conducting an official audit). (IRS-defined)

  2. The AO shall ensure that a security risk analysis is performed on a mobile device operating system (OS) application prior to being approved for use on a government furnished mobile device. (DISA: SRG-MPOL-067)

  3. A risk analysis shall be performed before an application is accredited by the AO, distributed, or installed on a government furnished mobile device. (DISA: SRG-MPOL-003; WIR-SPP-021)

  4. Measures shall be taken to ensure that the Instant Messaging (IM) client on government furnished mobile devices connects only to security-compliant, IRS-controlled IM servers. (DISA: SRG-MPOL-065; WIR-SPP-009)

  5. All non-core applications on government furnished mobile devices shall be approved by the AO. (DISA: SRG-MPOL-066)

  6. The AO shall verify that local sites, where government furnished mobile devices are provisioned, issued, and managed, are conducting annual self-assessments. (DISA: SRG-MPOL-046)

  7. The IRS IT organization shall retain the results of, and the mitigation actions taken in response to, mobile device integrity validation tool scans on government furnished mobile devices for a minimum of one (1) year. (DISA: SRG-MPOL-048)

  8. The IRS IT organization shall review government furnished mobile device integrity scan results at least daily. (DISA: SRG-MPOL-050)

  9. The IRS shall ensure that the Personal Use Policy:

    1. Specifies what types of personal files, if any, are permitted on the government furnished mobile device. Refer to IRM 10.8.27 for additional guidance. (DISA: SRG-MPOL-055)

    2. Specifies restrictions on the use of personal email. Refer to IRM 10.8.27 for additional guidance. (DISA: SRG-MPOL-056)

    3. Is approved by the AO. (DISA: SRG-MPOL-057)

  10. The IRS shall develop policy which ensures that a government furnished mobile device is wiped prior to issuance to IRS personnel. (DISA: SRG-MPOL-062)

Access Control for Non-Government Furnished/Personally Owned (BYOD) Mobile Devices
  1. Non-government furnished/personally owned mobile devices shall be required to pass compliance checks performed by the IRS-approved mobile access (e.g., Blackberry UEM) solution, prior to being approved for use in the BYOD program. (IRS-defined)

  2. Only approved non-government furnished/personally owned mobile devices shall be permitted to:

    1. Connect to IRS networks. (DISA: SRG-MPOL-042)

    2. Process or store IRS sensitive information, including IRS email. (DISA: SRG-MPOL-043)

  3. The IRS IT organization shall retain information system connection or processing agreements for non-government furnished/personally owned mobile devices approved for use in the BYOD program. (IRS-defined)

  4. The IRS shall periodically conduct manual audits of approved non-government furnished/personally owned mobile devices to verify that the device is not running unauthorized software and has not otherwise been modified in an unauthorized manner. (DISA: SRG-MPOL-045)

AT - Awareness and Training

  1. In addition to the Awareness and Training guidance defined within this IRM, requirements for the following Awareness and Training areas shall be implemented in accordance with IRM 10.8.1.

AT-2 Security Awareness Training
  1. All supplemental policies required to implement mobile device security solutions shall be documented and provided to mobile device users. (IRS-defined)

  2. All mobile device users (including BYOD participants) shall receive training on the IRS-approved mobile access solution (e.g., Blackberry UEM), and both the permissible and prohibited usage requirements for their mobile devices. The following areas shall be addressed before they are authorized access to an IRS network with a mobile device: (DISA: SRG-MPOL-077; WIR-SPP-006-01)

    1. Requirement that approved non-government furnished/personally owned mobile devices are not used to access, process, transmit, or store IRS information unless approved by the AO and the owner signs a forfeiture agreement in case of a security incident.

    2. Procedures for wireless device usage in and around classified processing areas.

    3. Requirement that mobile devices with digital cameras (still and video) are not allowed in any areas where classified documents or information are stored, transmitted, or processed.

    4. Procedures for a data spill.

    5. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages.

    6. Requirement that mobile devices will not be connected to classified IRS networks or information systems.

    7. Requirement that a user immediately notifies the appropriate site contacts (e.g., Manager, Computer Security Incident Response Center (CSIRC), etc.) when their mobile device has been lost or stolen.

    8. Secure Bluetooth Smart Card Reader (SCR) usage:
      - Secure pairing procedures.
      - Perform secure pairing immediately after the SCR is reset.
      - Accept only Bluetooth connection requests from devices they control.
      - Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity.

    9. Procedures on how to sign and encrypt email.

    10. If Short Messaging Service (SMS) and/or Multimedia Messaging Service (MMS) are used, Information Assurance (IA) awareness training material should include SMS/MMS security issues.

    11. Requirement that Over-The-Air (OTA) wireless software updates should only come from IRS-approved sources.

    12. When approved non-government furnished/personally owned Wi-Fi Service is used, ensure that the following information is provided:
      - Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.
      - Approved connection options (i.e., enterprise, home, etc.).
      - Requirements for home Wi-Fi connections.

    13. Requirement that the Wi-Fi radio shall:
      - Be disabled by the user whenever a Wi-Fi connection is not being used.
      - Never be enabled if the government furnished mobile device is connected to a government furnished PC/laptop. Refer to IRM 10.8.1 for additional guidance.

    14. Do not discuss sensitive or classified information on non-secure (devices not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.

    15. Do not connect mobile devices to any workstation that stores, processes, or transmits classified data. (Exception: SME PED).

    16. Restrictions on the installation of user-owned applications, including geo-location aware applications (e.g., GPS, family locator), on the mobile device. Refer to IRM 10.8.1 for further guidance.

    17. Restrictions on the use of the government furnished mobile device to view and/or download personal email.

    18. Restrictions on the downloading of user-owned data (music files, picture files, etc.) on government furnished mobile devices.

    19. Restrictions on the use of government furnished mobile devices to connect to user social media web accounts. Refer to IRM 10.8.27 for further guidance.

    20. Requirement that when the Bluetooth radio is authorized for use with an approved smartcard reader or hands-free headset, that the user will disable the Bluetooth radio whenever a Bluetooth connection is not being used.

    21. All radios on the government furnished mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) shall be turned off when not needed.

    22. Procedures on how to disable Location Services on the government furnished mobile device. Location Services shall be disabled for all applications or enabled only for applications approved by the AO for location based services.

    23. Additional iOS device (iPhone and iPad) requirements:
      i. Procedures on how to disable the device Bluetooth radio when not being used.
      ii. Procedures on how to disable the device Wi-Fi radio when not being used.
      iii. Procedures on how to disable "Ask to Join Networks" Wi-Fi feature. This feature shall be disabled at all times on a government furnished mobile device.
      iv. iMessage should be considered an unsecure messaging application, similar to cellular SMS. Sensitive information shall not be sent via iMessage.
      v. Procedures for denying applications access to the mobile device’s PIM data (calendar, address book, etc.) when prompted during application install. The only allowed exception is the IRS-approved mobile access solution (e.g., Blackberry UEM).

    24. Additional Android requirements:
      i. Procedures on how to disable the device Bluetooth radio when not being used.
      ii. Procedures on how to disable the device Wi-Fi radio when not being used.

  3. Training material shall be developed that states only IRS-approved non-government furnished/personally owned mobile devices:

    1. Shall be used to send, receive, store, or process sensitive/OUO data and information or connect to IRS networks. (DISA: SRG-MPOL-075)

    2. Shall be used to access IRS email systems. (DISA: SRG-MPOL-076)

  4. Mobile device users shall receive training on the following required topics before they are authorized to access an IRS network via a wireless remote access device: (IRS-defined)

    1. User authentication and content encryption requirements.

    2. Enabling wireless interfaces only when needed.

    3. Enabling the VPN connection to the IRS network immediately after establishing a wireless connection (using an approved VPN client).

    4. All Internet browsing is routed through the IRS network, and only after the VPN connection has been established.

    5. No split tunneling of VPN.

    6. Locations where wireless remote access is authorized or not authorized (e.g., home, airport, hotel, etc.).

    7. Wireless client configuration requirements.

    8. Use of WPA2 Personal (Advanced Encryption Standard (AES)) on home WLAN.

    9. Home WLAN password and SSID requirements.

    10. Discontinuing the use of devices suspected of having been tampered with, and notifying the site AO.

  5. See IRM 10.8.1 for additional guidance on Security Awareness Training.

AT-3 Role-Based Security Training
  1. BYOD participants shall be required to take Operational Security (OPSEC) training that provides usage guidelines and vulnerability mitigation techniques for non-government furnished/personally owned mobile devices being used to access IRS networks and data. (DISA: SRG-MPOL-079)

  2. The mobile device management server administrator shall receive required training annually. (DISA: SRG-MPOL-078)

    1. The mobile device management server administrator shall receive training on the following:
      i. Administrative service accounts shall not be used to log into the mobile device management server or any server service.
      ii. Activation passwords or PINs. Refer to IRM 10.8.1 for further guidance.
      iii. A new activation password shall be selected each time one is assigned (i.e., the same password cannot be used for all users or for a group of users).
      iv. User and group accounts on the mobile device management server. Refer to IRM 10.8.1 for further guidance.

  3. See IRM 10.8.1 for additional guidance on Role-Based Security Training.

AT-4 Security Training Records
  1. The AO shall verify that each mobile device user completes the required mobile device user training annually. (DISA: SRG-MPOL-080; WIR-SPP-006-02)

  2. See IRM 10.8.1 for additional guidance on Security Training Records.

AU - Audit and Accountability

  1. In addition to the Audit and Accountability guidance defined within this IRM, requirements for the following Audit and Accountability areas shall be implemented in accordance with IRM 10.8.1:

    • AU-2 Audit Events

    • AU-3 Content of Audit Records

    • AU-4 Audit Storage Capacity

    • AU-5 Response to Audit Processing Failures

    • AU-6 Audit Review, Analysis, and Reporting

    • AU-7 Audit Reduction and Report Generation

    • AU-8 Time Stamps

    • AU-9 Protection of Audit Information

    • AU-10 Non-Repudiation

    • AU-11 Audit Record Retention

    • AU-12 Audit Generation

    • AU-13 Monitoring for Information Disclosure

    • AU-14 Session Audit

    • AU-15 Alternate Audit Capability

    • AU-16 Cross-Organizational Auditing

CA - Security Assessment and Authorization (SA&A)

  1. In addition to the Security Assessment and Authorization guidance defined within this IRM, requirements for the following Security Assessment and Authorization control areas shall be implemented in accordance with IRM 10.8.1:

    • CA-3 System Interconnections

    • CA-5 Plan of Action and Milestones (POA&M)

    • CA-6 Security Authorization

    • CA-7 Continuous Monitoring

    • CA-8 Penetration Testing

    • CA-9 Internal System Connections

CA-2 Security Assessments
  1. Mobile devices that access, process, transmit, or store IRS information shall:

    1. Be documented in a Security Assessment and Authorization (SA&A) package in accordance with IRM 10.8.1, Treasury Directive Publication (TD-P) 85-01, Department of the Treasury IT Security Program, and NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. (IRS-defined)

      Note:

      Each individual mobile device does not need its own SA&A; however, each mobile device configuration must go through the SA&A process and be documented in the package.

  2. Wireless devices connecting directly or indirectly (e.g., ActiveSync, wireless) to a network shall be included in the appropriate System’s SA&A documentation (i.e., System Security Plan (SSP)). (IRS-defined)

  3. Mobile devices shall be approved by the AO prior to accessing IRS networks and data. (IRS-defined)

  4. Mobile devices that process SBU and PII are subject to a full security assessment prior to use. (IRS-defined)

    1. Cybersecurity Security Assessment Services (SAS) shall identify any security risk(s) and document the assessment of risk in a Security Assessment Report (SAR).

    2. The AO shall make a determination if the identified risk(s) are acceptable or not.

  5. See IRM 10.8.1 for additional guidance on Security Assessments.

CM - Configuration Management

  1. In addition to the Configuration Management guidance defined within this IRM, requirements for the following Configuration Management control areas shall be implemented in accordance with IRM 10.8.1:

    • CM-3 Configuration Change Control

    • CM-4 Security Impact Analysis

    • CM-5 Access Restrictions for Change

    • CM-7 Least Functionality

    • CM-8 Information System Component Inventory

    • CM-9 Configuration Management Plan

    • CM-10 Software Usage Restrictions

    • CM-11 User-Installed Software

CM-2 Baseline Configuration
  1. Configuration management procedures shall be developed for government furnished mobile devices in accordance with IRM 10.8.1 and this IRM. (IRS-defined)

  2. IRS configuration baselines for mobile device security shall be developed consistent with NIST SP 800-124 and NIST SP 800-37 when setting minimum security standards for mobile devices. (IRS-defined)

    Note:

    The above guidance, including appropriate security controls specified in NIST SP 800-53, is in addition to all existing federal requirements for data protection and remote access for mobile devices.

  3. The IRS shall establish and maintain baseline configurations and inventories, including application software, throughout the respective System Development Life Cycle (SDLC) (i.e., IRS Enterprise Lifecycle (ELC)), of government furnished mobile devices that access, process, transmit, or store IRS information. (IRS-defined)

  4. A list shall be maintained of all mobile computing devices that are used to store, process, or transmit IRS data, in accordance with the inventory requirements defined in IRM 10.8.1, this IRM, and the IRM 2.149 IT Asset Management series. (DISA: SRG-MPOL-029)

  5. See IRM 10.8.1 for additional guidance on Baseline Configuration.

CM-6 Configuration Settings
  1. SCRs used with government furnished mobile devices must have the IRS-approved software version installed. (IRS-defined)

  2. Government furnished and non-government furnished/personally owned mobile devices must be set to implement the security requirements within this IRM and IRM 10.8.1. (IRS-defined)

  3. Rooted or jailbroken non-government furnished/personally owned mobile devices must not be permitted in the BYOD program. (IRS-defined)

    1. Mobile device management servers must be configured to detect rooted or jailbroken devices.

    2. IRS installed applications and/or software on detected rooted or jailbroken devices must be wiped.

      Note:

      Rooted (Android) and jailbroken (iOS) are terms that describe modifying the mobile device’s operating system, often with the goal of running unsigned code or performing unsupported customizations, which defeats the platform’s integrity protections and the assurances the mobile device management agent relies on. Unlocking is different: it removes the restriction that ties a mobile device to a particular cellular carrier, allowing it to operate on a network it was not originally provisioned for.

  4. For guidance on operating system-specific configuration settings, see the Mobile Device Technical Security Requirements Exhibits within this IRM.

  5. See IRM 10.8.1 for additional guidance on Configuration Settings.
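The rooted/jailbroken rule above (detect on the mobile device management server, then wipe the IRS-installed applications) is the one part of CM-6 that a UEM administrator has to turn into a decision procedure rather than a paragraph. The following Python is an added example, not IRS code and not part of any UEM product: it reads a constructed device-inventory export, applies the compliance checks, and chooses the action for each device. The export column names, the passcode and storage-encryption checks, the "block-access" action for non-root failures, and the sample rows are all assumptions; only the rooted/jailbroken check and the selective wipe of IRS applications come from the policy text.

```python
"""Added example (not IRS code): evaluate a UEM device-inventory export
against the CM-6 BYOD compliance rules. Column names, the passcode and
storage-encryption checks and the block-access action are assumptions."""
import csv
import io
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                      # compliant: may reach IRS resources
    DENY_ENROLLMENT = "deny-enrollment"  # not yet enrolled and fails a check
    ENTERPRISE_WIPE = "enterprise-wipe"  # enrolled and rooted/jailbroken:
                                         # remove IRS apps/data, keep personal data
    BLOCK_ACCESS = "block-access"        # enrolled, fails a non-root check (assumption)


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    enrolled: bool
    compromised: bool        # UEM agent's rooted/jailbroken flag
    passcode_enabled: bool
    storage_encrypted: bool


@dataclass(frozen=True)
class Decision:
    device_id: str
    action: Action
    findings: tuple          # human-readable reasons; empty when compliant


def _flag(value: str) -> bool:
    """Parse the boolean strings an inventory export typically uses (assumption)."""
    return value.strip().lower() in ("true", "yes", "1")


def parse_inventory_csv(text: str) -> list:
    """Parse an inventory export into DeviceRecords (column names assumed)."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        DeviceRecord(
            device_id=r["device_id"].strip(),
            enrolled=_flag(r["enrolled"]),
            compromised=_flag(r["compromised"]),
            passcode_enabled=_flag(r["passcode_enabled"]),
            storage_encrypted=_flag(r["storage_encrypted"]),
        )
        for r in rows
    ]


def evaluate(device: DeviceRecord) -> Decision:
    """Apply the BYOD compliance checks and choose the UEM action."""
    findings = []
    if device.compromised:
        findings.append("device is rooted or jailbroken")
    if not device.passcode_enabled:
        findings.append("no device passcode set")
    if not device.storage_encrypted:
        findings.append("device storage not encrypted")

    if not findings:
        return Decision(device.device_id, Action.ALLOW, ())
    if not device.enrolled:
        # Fails the pre-enrollment compliance check: never admitted to BYOD.
        return Decision(device.device_id, Action.DENY_ENROLLMENT, tuple(findings))
    if device.compromised:
        # Enrolled device now reported rooted/jailbroken: selectively wipe the
        # IRS-installed apps and data. A factory reset is deliberately NOT used
        # on a personally owned device; only the enterprise side is removed.
        return Decision(device.device_id, Action.ENTERPRISE_WIPE, tuple(findings))
    return Decision(device.device_id, Action.BLOCK_ACCESS, tuple(findings))


def evaluate_inventory(text: str) -> dict:
    """Map device_id -> Decision for every row of an export."""
    return {d.device_id: evaluate(d) for d in parse_inventory_csv(text)}


# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
device_id,enrolled,compromised,passcode_enabled,storage_encrypted
byod-0001,true,false,true,true
byod-0002,true,true,true,true
byod-0003,false,true,true,true
byod-0004,true,false,false,true
"""

if __name__ == "__main__":
    for dec in evaluate_inventory(SAMPLE_EXPORT).values():
        print(dec.device_id, dec.action.value, "; ".join(dec.findings))
```

The distinction the code enforces is the one the policy draws: a personally owned device that fails the check before enrollment is simply never admitted, while an enrolled device later reported as rooted or jailbroken gets a selective wipe of the IRS applications and data rather than a full device wipe, since the user's personal data on a BYOD device is not the IRS's to destroy. Whatever the UEM product calls the selective wipe, the server-side rule should key on its own compromised-device flag, not on a self-report from the device.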

CP - Contingency Planning

  1. In addition to the Contingency Planning guidance defined within this IRM, requirements for the following Contingency Planning areas shall be implemented in accordance with IRM 10.8.1:

    • CP-2 Contingency Plan

    • CP-3 Contingency Training

    • CP-4 Contingency Plan Testing

    • CP-6 Alternate Storage Site

    • CP-7 Alternate Processing Site

    • CP-8 Telecommunications Services

    • CP-9 Information System Backup

    • CP-10 Information System Recovery and Reconstitution

    • CP-11 Alternate Communications Protocols

    • CP-12 Safe Mode

    • CP-13 Alternative Security Mechanisms

IA - Identification and Authentication

  1. In addition to the Identification and Authentication guidance defined within this IRM, requirements for the following Identification and Authentication control areas shall be implemented in accordance with IRM 10.8.1:

    • IA-2 Identification and Authentication (Organizational Users)

    • IA-3 Device Identification and Authentication

    • IA-4 Identifier Management

    • IA-6 Authenticator Feedback

    • IA-7 Cryptographic Module Authentication

    • IA-8 Identification and Authentication (Non-Organizational Users)

    • IA-9 Service Identification and Authentication

    • IA-10 Adaptive Identification and Authentication

    • IA-11 Reauthentication

IA-5 Authenticator Management
  1. Passwords/passcodes shall be created and maintained in accordance with IRM 10.8.1 and the appropriate underlying OS IRM where applicable. (IRS-defined)

  2. A password shall be enabled for each wireless client that connects to an IRS network or system. Passwords shall comply with IRM 10.8.1. (IRS-defined)

  3. Government furnished mobile device users shall be prevented from changing the user profile on their assigned mobile devices. (IRS-defined)

  4. See IRM 10.8.1 for additional guidance on Authenticator Management.

IR - Incident Response

  1. In addition to the Incident Response guidance defined within this IRM, requirements for the following Incident Response control areas shall be implemented in accordance with IRM 10.8.1:

    • IR-2 Incident Response Training

    • IR-3 Incident Response Testing

    • IR-4 Incident Handling

    • IR-5 Incident Monitoring

    • IR-7 Incident Response Assistance

    • IR-9 Information Spillage Response

    • IR-10 Integrated Information Security Cell

IR-6 Incident Reporting
  1. The detection of any incidents regarding mishandling, tampering, theft, or loss of a government furnished or non-government furnished/personally owned mobile device, shall be reported by users immediately to their manager and the IRS CSIRC, the enterprise-wide reporting entity. (DISA: SRG-MPOL-081)

  2. Employees shall cooperate with CSIRC during the investigation of any incidents reported by them. (TD P 85-01 Vol. I, Section 2.15)

  3. The IRS shall follow the incident handling policy if PII is found on a mobile device not authorized to process, store, or transmit PII. (DISA: SRG-MPOL-052)

  4. The IRS shall establish an SOP for data spills on mobile devices. (DISA: SRG-MPOL-053; WIR-SPP-003-01)

    1. If a data spill occurs on a wireless email device or system, the required data spill procedures shall be followed. (DISA: WIR-SPP-003-02)

  5. Refer to the following resources for additional incident reporting requirements not addressed within this IRM (TD P 85-01 Appendix G):

    1. IRM 10.2.8, Physical Security Program, Incident Reporting.

    2. The IRS CSIRC, Cyber Incident Reporting Procedures, at: http://www.csirc.web.irs.gov/reporting/

  6. See IRM 10.8.1 for additional guidance on Incident Reporting.

IR-8 Incident Response Plan
  1. The IRS’s Incident Response Plan shall include response procedures to follow when a mobile device (e.g., smartphones, tablets, laptops, Bring Your Own Device (BYOD)) is reported lost or stolen. (DISA: SRG-MPOL-082; WIR-SPP-007-01)

    1. The required response actions shall be followed when a mobile device is reported lost or stolen. (DISA: WIR-SPP-007-02)

  2. See IRM 10.8.1 for additional guidance on Incident Response Plan.

MA - Maintenance

  1. In addition to the Maintenance guidance defined within this IRM, requirements for the following Maintenance areas shall be implemented in accordance with IRM 10.8.1:

    • MA-2 Controlled Maintenance

    • MA-3 Maintenance Tools

    • MA-4 Non-Local Maintenance

    • MA-5 Maintenance Personnel

    • MA-6 Timely Maintenance

MP - Media Protection

  1. In addition to the Media Protection guidance defined within this IRM, requirements for the following Media Protection control areas shall be implemented in accordance with IRM 10.8.1:

    • MP-2 Media Access

    • MP-3 Media Marking

    • MP-4 Media Storage

    • MP-5 Media Transport

    • MP-8 Media Downgrading

MP-6 Media Sanitization
  1. The IRS IT organization shall develop procedures for the sanitization and disposal of government furnished mobile devices. (IRS-defined)

    1. Procedures shall be followed to ensure that all IRS mobile devices that have processed sensitive information are sanitized before they are disposed of.

    2. Government furnished mobile devices shall be sanitized using commercial disk-wiping software.

  2. The IRS IT organization shall keep an inventory of all disposed government furnished mobile devices. (IRS-defined)

  3. The IRS IT organization shall develop procedures for the sanitization of non-government furnished/personally owned mobile devices. (IRS-defined)

    1. Procedures shall be followed to ensure that a non-government furnished/personally owned mobile device user’s IRS-approved mobile access solution (e.g., Blackberry UEM) privileges are disabled if a security incident occurs, when the employee is no longer participating in the BYOD program, or upon departure from the agency. (IRS-defined)

  4. The IRS IT organization shall keep an inventory of all non-government furnished/personally owned mobile device users who have had their IRS-approved mobile access solution (e.g., Blackberry UEM) user privileges disabled. (IRS-defined)

  5. All mobile devices shall follow the device manufacturer’s instructions for wiping user data from the device memory and the media card. (IRS-defined)

  6. Prior to decommissioning or transferring to another government agency, mobile devices that will no longer be used shall be sanitized (including configuration data) in accordance with the IRM 2.149 IT Asset Management series and IRM 10.8.1. (DISA: SRG-MPOL-083; WIR-SPP-004)

    1. A “Wipe” command shall be performed on all new or reissued government furnished mobile devices. (DISA: WIR-SPP-008-01)

    2. An IRS security-compliant profile shall be pushed to government furnished mobile devices before issuing them to IRS personnel. (IRS-defined)

  7. See IRM 10.8.1 for additional guidance on Media Sanitization.

MP-7 Media Use
  1. Government furnished mobile devices with removable memory cards (e.g., MicroSD) shall abide by the following requirements: (IRS-defined)

    1. Data stored on the card shall be encrypted with a FIPS 140-2 (or later) validated encryption technology solution.

    2. The card shall be bound to the mobile device such that it cannot be read by any other mobile device or computer.

  2. BYOD participants shall not store any IRS data on a removable memory card. (IRS-defined)

  3. See IRM 10.8.1 for additional guidance on Media Use.

PE - Physical and Environmental Protection

  1. In addition to the Physical and Environmental Protection guidance defined within this IRM, requirements for the following Physical and Environmental Protection control areas shall be implemented in accordance with IRM 10.8.1:

    • PE-2 Physical Access Authorizations

    • PE-4 Access Control for Transmission Medium

    • PE-5 Access Control for Output Devices

    • PE-6 Monitoring Physical Access

    • PE-8 Visitor Access Records

    • PE-9 Power Equipment and Power Cabling

    • PE-10 Emergency Shutoff

    • PE-11 Emergency Power

    • PE-12 Emergency Lighting

    • PE-13 Fire Protection

    • PE-14 Temperature and Humidity Controls

    • PE-15 Water Damage Protection

    • PE-16 Delivery and Removal

    • PE-17 Alternate Work Site

    • PE-18 Location of Information System Components

    • PE-19 Information Leakage

    • PE-20 Asset Monitoring and Tracking

PE-3 Physical Access Control
  1. At all times, government furnished and non-government furnished/personally owned mobile device users shall: (IRS-defined)

    1. Be responsible for the physical security of their mobile device(s).

    2. Secure their mobile device(s) when not in their possession.

    3. Never leave their powered-on mobile device unlocked when it is not in their presence.

    4. Secure their mobile device(s) (e.g., cable lock, screen lock) from theft or tampering when located in an IRS facility and at an approved telework location (e.g., home).

    5. When traveling, if additional screening is required during the airport screening process, inform the security agent that they cannot be separated from their government furnished mobile device (e.g., laptop) at any time, and that it shall remain in their possession.

  2. The IRS Physical Security organization shall develop and implement procedures for physical mobile device security compliance. (IRS-defined)

  3. Passwords/passcodes, hardware tokens, and/or smart cards shall not be stored on or with a mobile device or laptop, unless encrypted or otherwise under the direct and continuous control of the authorized user. (IRS-defined)

  4. Mobile devices with wireless capability shall be restricted from any area where classified IRS systems process information or where classified information is discussed. (IRS-defined)

  5. When in a secure area, the following procedures shall be applied: (IRS-defined)

    1. Leave mobile devices outside of conference rooms (when possible).

    2. Ensure that all devices, if present, are in airplane mode with Wi-Fi turned off.

    3. Applications that record audio, photos, or video shall be removed, or their use restricted.

    4. Ensure the camera on the back of the device is blocked (e.g. opaque tape) to prevent photo or video recording.

  6. All wireless network devices, such as wireless intrusion detection systems (WIDS), wireless routers, access points, gateways, and controllers, shall be: (DISA: SRG-MPOL-084)

    1. Secured in such a manner to prevent tampering or theft; or

    2. Located in a secure room with limited access.

  7. Refer to IRM 10.8.1, the IRM 10.2 Physical Security Program series, and IRM 1.4.6, Managers Security Handbook, for additional physical and environmental protection security guidance.

≡ ≡ ≡ ≡
  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

PL - Security Planning

  1. In addition to the Security Planning guidance defined within this IRM, requirements for the following Security Planning control areas shall be implemented in accordance with IRM 10.8.1:

    • PL-2 System Security Plan

    • PL-7 Security Concept of Operations

    • PL-8 Information Security Architecture

    • PL-9 Central Management

  2. All users of mobile devices or wireless devices shall sign a user agreement before the mobile or wireless device is issued to the user. (DISA: WIR0030)

PL-4 Rules of Behavior
  1. In addition to the Rules of Behavior requirements within this IRM, the Rules of Behavior requirements defined in IRM 10.8.1 shall be implemented.

Rules of Behavior for Government Furnished Mobile Device Users
  1. Government furnished mobile devices shall not be used to access social media web accounts (Facebook, Twitter, etc.) unless documented in the appropriate security authorization documentation (e.g., SSP) and approved by the AO. (DISA: SRG-MPOL-077)

  2. Government furnished mobile device users shall not download personally owned data (music files, picture files, etc.) on their assigned device unless approved and documented by the appropriate AO. (DISA: SRG-MPOL-077)

  3. Personal email shall not be accessed, viewed, and/or downloaded on government furnished mobile devices unless approved and documented by the appropriate AO. (DISA: SRG-MPOL-056)

Rules of Behavior for BYOD Participants
  1. In order to connect a non-government furnished/personally owned mobile device to the IRS network with the capability of backing up, storing, or otherwise accessing IRS data of any type, BYOD participants shall: (IRS-defined)

    1. Understand and acknowledge that they shall comply with all rules and procedures made applicable to its use.

    2. Be responsible for the physical security of their mobile device.

    3. Be responsible for backing up their personal data.

    4. Understand that mobile devices which are not in compliance with IRS security policies or represent any unacceptable risk to the IRS network or data will not be allowed to connect to the IRS systems.

    5. Acknowledge and consent to remote inspection and monitoring of the IRS-approved mobile access solution (e.g., Blackberry UEM) on their personally owned mobile device, using technology centrally managed by IRS IT.

    6. Not store, process, access and/or transmit any sensitive taxpayer information (PII or SBU) or federal records, outside of the IRS-approved mobile access solution (e.g., Blackberry UEM).

    7. Only access the IRS network and data using their non-government furnished/personally owned mobile device via the IRS-approved mobile access solution (e.g., Blackberry UEM).

    8. Acknowledge that their right to use of the IRS-approved mobile access solution (e.g., Blackberry UEM) will be limited solely to access and use of IRS system resources.

    9. Agree to the removal of the IRS-approved mobile access solution (e.g., Blackberry UEM) from their mobile device if the authorized use is terminated for any reason.

  2. The IRS reserves the right to disconnect any non-government furnished/personally owned mobile device from IRS system resources if the mobile device is used in a way that puts IRS systems or data, or the data of taxpayers or other persons, at an unacceptable risk of harm or disclosure. (IRS-defined)

  3. The Government will not be liable for damages to any personal property that may occur during the course of performing IRS-related duties, except to the extent that the Government is held liable under the Federal Tort Claims Act or the Military Personnel and Civilian Employee’s Claims Act. (IRS-defined)

PS - Personnel Security

  1. In addition to the Personnel Security guidance defined within this IRM, requirements for the following Personnel Security control areas shall be implemented in accordance with IRM 10.8.1:

    • PS-2 Position Risk Designation

    • PS-3 Personnel Screening

    • PS-4 Personnel Termination

    • PS-5 Personnel Transfer

    • PS-7 Third-Party Personnel Security

    • PS-8 Personnel Sanctions

PS-6 Access Agreements
  1. Employees shall not be permitted to operate a government furnished or non-government furnished/personally owned mobile device without first signing a user agreement. (DISA: SRG-MPOL-086)

  2. See IRM 10.8.1 for additional guidance on Access Agreements.

RA - Risk Assessment

  1. In addition to the Risk Assessment guidance defined within this IRM, requirements for the following Risk Assessment control areas shall be implemented in accordance with IRM 10.8.1:

    • RA-1 Risk Assessment Policy and Procedures

    • RA-2 Security Categorization

    • RA-5 Vulnerability Scanning

    • RA-6 Technical Surveillance Countermeasures Survey

RA-3 Risk Assessment
  1. Risk assessments of mobile devices shall adhere to the requirements and be conducted using this manual, IRM 10.8.1, the security checklists pertaining to this IRM, as well as those of other pertinent IRMs (e.g., operating system, wireless). (IRS-defined)

    1. Any deficiencies in compliance shall be documented in a risk assessment report and brought to the attention of the responsible AO.

  2. Government furnished mobile devices with wireless capabilities shall have the additional risks and mitigations associated with non-government facilities, identified in a risk assessment. (IRS-defined)

  3. See IRM 10.8.1 for additional guidance on Risk Assessment.

SA - System and Services Acquisition

  1. In addition to the System and Services Acquisition guidance defined within this IRM, requirements for the following System and Services Acquisition control areas shall be implemented in accordance with IRM 10.8.1:

    • SA-2 Allocation of Resources

    • SA-4 Acquisition Process

    • SA-5 Information System Documentation

    • SA-8 Security Engineering Principles

    • SA-9 External Information System Services

    • SA-10 Developer Configuration Management

    • SA-11 Developer Security Testing and Evaluation

    • SA-12 Supply Chain Protection

    • SA-13 Trustworthiness

    • SA-14 Critical Analysis

    • SA-15 Development Process, Standards, and Tools

    • SA-16 Developer-Provided Training

    • SA-17 Develop Security Architecture and Design

    • SA-18 Tamper Resistance and Detection

    • SA-19 Component Authenticity

    • SA-20 Customized Development of Critical Components

    • SA-21 Developer Screening

    • SA-22 Unsupported System Components

SA-3 System Development Life Cycle (SDLC)
  1. Wireless devices shall adhere to the IRS Enterprise Lifecycle (ELC) in accordance with IRM 10.8.1. (IRS-defined)

  2. See IRM 10.8.1 for additional guidance on System Development Life Cycle (SDLC).

SA-4 Acquisition Process
  1. Wireless products shall be acquired, accounted for, and inventoried in accordance with IRM 10.8.1. (IRS-defined)

  2. See IRM 10.8.1 for additional guidance on Acquisition Process.

SC - System and Communications Protection

  1. In addition to the System and Communications Protection guidance defined within this IRM, requirements for the following System and Communications Protection control areas shall be implemented in accordance with IRM 10.8.1:

    • SC-2 Application Partitioning

    • SC-3 Security Function Isolation

    • SC-4 Information in Shared Resources

    • SC-5 Denial of Service Protection

    • SC-6 Resource Availability

    • SC-7 Boundary Protection

    • SC-10 Network Disconnect

    • SC-11 Trusted Path

    • SC-12 Cryptographic Key Establishment and Management

    • SC-15 Collaborative Computing Devices

    • SC-16 Transmission of Security Attributes

    • SC-17 Public Key Infrastructure (PKI) Certificates

    • SC-18 Mobile Code

    • SC-19 Voice Over Internet Protocol

    • SC-20 Secure Name /Address Resolution Service (Authoritative Source)

    • SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver)

    • SC-22 Architecture and Provisioning for Name/Address Resolution Service

    • SC-23 Session Authenticity

    • SC-24 Fail in Known State

    • SC-25 Thin Nodes

    • SC-26 Honeypots

    • SC-27 Platform-Independent Applications

    • SC-28 Protection of Information at Rest

    • SC-29 Heterogeneity

    • SC-30 Concealment and Misdirection

    • SC-31 Covert Channel Analysis

    • SC-32 Information System Partitioning

    • SC-34 Non-Modifiable Executable Programs

    • SC-35 Honeyclients

    • SC-36 Distributed Processing and Storage

    • SC-37 Out-of-Band Channels

    • SC-38 Operations Security

    • SC-39 Process Isolation

    • SC-40 Wireless Link Protection

    • SC-41 Port and I/O Device Access

    • SC-42 Sensor Data

    • SC-43 Usage Restrictions

    • SC-44 Detonation Chambers

SC-8 Transmission Confidentiality and Integrity
  1. Wireless application servers (e.g., BlackBerry Enterprise Servers or other communication servers that act as a gateway between a server and a wireless client) shall be configured in accordance with IRM 10.8.1, this IRM, and any other applicable IRMs. (IRS-defined)

  2. See IRM 10.8.1 for additional guidance on Transmission Confidentiality and Integrity.

SC-13 Cryptographic Protection
  1. Data exchange shall be encrypted in accordance with the encryption standards of this IRM and IRM 10.8.1. (IRS-defined)

  2. See IRM 10.8.1 for additional guidance on Cryptographic Protection.

Bluetooth
  1. Bluetooth communications shall be used for transmission in accordance with the requirements within this IRM and IRM 10.8.1. (IRS-defined)

  2. Bluetooth capabilities shall only be enabled when within a controlled IRS facility. (IRS-defined)

  3. Perform comprehensive security assessments at regular intervals to fully understand the organization’s Bluetooth security posture. Assessments help identify Bluetooth devices being used within the organization and help ensure the wireless security policy is being followed. (NIST 800-121: Table 4-2 (3))

  4. Provide users with a list of precautionary measures they should take to better protect handheld Bluetooth devices from theft. The organization and its employees are responsible for its wireless technology components because theft of those components could lead to malicious activities against the organization’s information system resources. (NIST 800-121: Table 4-2 (5))

  5. Set Bluetooth devices to the lowest necessary and sufficient power level so that transmissions remain within the secure perimeter of the organization. Setting Bluetooth devices to the lowest necessary and sufficient power level ensures a secure range of access to authorized users. The use of Class 1 devices, as well as external amplifiers or high-gain antennas, should be avoided because of their extended range. (NIST 800-121: Table 4-2 (8))

    1. Bluetooth 4.0 and 4.1 devices and services using low energy technologies should use Security Mode 1, Service Level 3 whenever possible. Low energy Security Mode 1, Service Level 3 provides the highest security available for 4.0 and 4.1 low energy devices. (NIST 800-121: Table 4-2 (14))

    2. Bluetooth 4.2 devices and services using low energy functionality should use Security Mode 1, Service Level 4 whenever possible. Low energy Security Mode 1, Service Level 4 implements Secure Connections mode and provides the highest security available for 4.2 low energy devices. (NIST 800-121: Table 4-2 (15))

  6. Unneeded and unapproved service and profiles should be disabled. Many Bluetooth stacks are designed to support multiple profiles and associated services. The Bluetooth stack on a device should be locked down to ensure only required and approved profiles and services are available for use. (NIST 800-121: Table 4-2 (9))

  7. Ensure that Bluetooth capabilities are disabled when they are not in use. Bluetooth capabilities should be disabled on all Bluetooth devices, except when the user explicitly enables Bluetooth to establish a connection. This minimizes exposure to potential malicious activities. For devices that do not support disabling Bluetooth (e.g., headsets), the entire device should be shut off when not in use. (NIST 800-121: Table 4-2 (28))

  8. The Random Number Generator (RNG) may produce static or periodic numbers that may reduce the effectiveness of the security mechanisms. Bluetooth implementations should use strong pseudo random number generators (PRNGs) based on NIST standards. See NIST SP 800-90A, SP 800-90B, SP 800-90C. (NIST 800-121: Table 4-1 (20))

  9. Ensure that portable devices with Bluetooth interfaces are configured with a password. (NIST 800-121: Table 4-2 (31))

  10. Install antivirus software on Bluetooth-enabled hosts that support such host-based security software, in accordance with IRM 10.8.1 and IRM 10.8.54. (NIST 800-121: Table 4-2 (33))

  11. Fully test and regularly deploy Bluetooth software and firmware patches and upgrades, in accordance with IRM 10.8.1 and IRM 10.8.50, IT Security, Servicewide Security Patch Management. (NIST 800-121: Table 4-2 (34))

  12. Fully understand the impacts of deploying any security feature or product prior to deployment. (NIST 800-121: Table 4-2 (36))

Bluetooth Connectivity
  1. Bluetooth devices should be configured by default as undiscoverable and remain undiscoverable except as needed for pairing. This prevents visibility to other Bluetooth devices except when discovery is absolutely required. In addition, the default Bluetooth device names sent during discovery should be changed to non-identifying values. (NIST 800-121: Table 4-2 (18))

  2. Bluetooth devices shall prompt the user to authorize all incoming Bluetooth connection requests before allowing any incoming connection request to proceed. Users shall also never accept connections, files, or other objects from unexpected, unknown, or untrusted sources. (NIST 800-121: Table 4-2 (24))

  3. Users should not accept transmissions of any kind from unknown or suspicious devices. These types of transmissions include messages, files, and images. With the increase in the number of Bluetooth-enabled devices, it is important that users only establish connections with other trusted devices and only accept content from these trusted devices. (NIST 800-121: Table 4-2 (35))

Bluetooth Pairing and Authentication
  1. Ensure device mutual authentication is performed for all connections. Mutual authentication is required to provide verification that all devices on the network are legitimate. (NIST 800-121: Table 4-2 (21))

  2. Use application-level authentication atop the Bluetooth stack for sensitive data communication. Bluetooth devices can access link keys from memory and automatically connect with previously paired devices. Incorporating application-level software that implements authentication and encryption will add an extra layer of security. Passwords and other authentication mechanisms, such as biometrics and smart cards, can be used to provide user authentication for Bluetooth devices. (NIST 800-121: Table 4-2 (25))

  3. Perform pairing as infrequently as possible, ideally in a secure area where attackers cannot realistically observe the passkey entry and intercept Bluetooth pairing messages. Users should not respond to any messages requesting a PIN, unless the user has initiated a pairing and is certain the PIN request is being sent by one of the user’s devices. Pairing is a vital security function and requires that users maintain a security awareness of possible eavesdroppers. If an attacker can capture the transmitted frames associated with pairing, determining the link key is straightforward for pre-2.1 and 4.0 devices since security is solely dependent on PIN entropy and length. This recommendation also applies to 2.1/3.0 devices, although similar eavesdropping attacks against SSP have not yet been documented. (NIST 800-121: Table 4-2 (29))

    Note:

    A “secure area” is defined as a non-public area that is indoors away from windows in locations with physical access controls.

  4. Bluetooth 4.1 Basic Rate (BR)/Enhanced Data Rate (EDR) devices and services should use Security Mode 4, Service Level 4 whenever possible, as it provides the highest security available for 4.1 and later BR/EDR devices. (NIST 800-121: Table 4-2 (16))

  5. A BR/EDR service-level security mode (i.e., Security Mode 2 or 4) should only be used in a controlled and well-understood environment. Security Mode 3 provides link-level security prior to link establishment, while Security Modes 2 and 4 allow link-level connections before any authentication or encryption is established. NIST highly recommends that devices use Security Mode 3. (NIST 800-121: Table 4-2 (30))

  6. In the event a Bluetooth device is lost or stolen, users should immediately delete the missing device from the paired device lists of all other Bluetooth devices. This policy will prevent an attacker from using the lost or stolen device to access another Bluetooth device owned by the user(s). (NIST 800-121: Table 4-2 (32))

Bluetooth Legacy Pairing
  1. A Bluetooth 2.1 or later device using Security Mode 4 shall fall back to Security Mode 3 for backward compatibility with 2.0 and earlier devices (i.e., for devices that do not support Security Mode 4). The Bluetooth specifications allow a 2.1 device to fall back to any security mode for backward compatibility. This allows the option of falling back to Security Modes 1-3. Security Mode 3 provides the best security. (NIST 800-121: Table 4-2 (13))

Secure Simple Pairing (SSP) Security
  1. Bluetooth devices shall store Secure Simple Pairing (SSP) Elliptic Curve Diffie-Hellman (ECDH) public/private key pairs securely. (NIST 800-121: Table 4-1 (19))

  2. For 2.1 and later devices using SSP, avoid using the “Just Works” association model. The device shall verify that an authenticated link key was generated during pairing. The “Just Works” association model does not provide man-in-the-middle (MITM) protection. Devices that only support Just Works (e.g., devices that have no input/output capability) should not be procured if similarly qualified devices that support one of the other association models (i.e., Numeric Comparison, OOB, or Passkey Entry) are available. (NIST 800-121: Table 4-2 (11))

  3. For 2.1 and later devices using SSP, random and unique passkeys shall be used for each pairing based on the Passkey Entry association model. If a static passkey is used for multiple pairings, the MITM protection provided by the Passkey Entry association model is reduced. (NIST 800-121: Table 4-2 (12))

Bluetooth Encryption
  1. Recommended Security Modes and Levels are as follows: (NIST 800-121: Executive Summary)

    1. For Bluetooth 4.1 devices that have BR, EDR, and High Speed (HS) features, Security Mode 4, Level 4 is recommended because it requires Secure Connections, which uses authenticated pairing and encryption using 128-bit strength keys generated using FIPS-approved AES encryption.

    2. For Bluetooth 2.1 through 4.0 devices, Security Mode 4, Level 3 is the most secure.

    3. For Bluetooth 2.0 and older devices Security Mode 3 is recommended.

    4. Security Modes 2 and 4 can also use authentication and encryption, but do not initiate them until after the Bluetooth physical link has already been fully established and logical channels partially established.

    5. Security Mode 1 devices never initiate security and therefore should never be used.

  2. Weak ECDH key pairs minimize SSP eavesdropping protection, which may allow attackers to determine secret link keys. All devices should have unique, strongly-generated ECDH key pairs that change regularly. (NIST 800-121: Table 4-1 (8))

  3. Ensure that link keys are not based on unit keys. The use of shared unit keys can lead to successful spoofing, MITM, and eavesdropping attacks. The use of unit keys for security was deprecated in Bluetooth v1.2. (NIST 800-121: Table 4-2 (10))

  4. Invoke link encryption for all Bluetooth connections. (NIST 800-121: Table 4-1 (19))

  5. If multi-hop wireless communication is being used, ensure that encryption is enabled on every link in the communication chain. (NIST 800-121: Table 4-1 (20))

  6. Bluetooth 3.0 and earlier specifications allow devices to negotiate encryption keys as small as one byte. Bluetooth low energy requires a minimum key size of seven bytes. NIST strongly recommends using Secure Connections Only Mode which requires the full 128-bit key strength (AES-CCM) for both BR/EDR and low energy. (NIST 800-121: Table 4-1 (21))

  7. Enable encryption for all broadcast transmissions (Encryption Mode 3). (NIST 800-121: Table 4-1 (22))

  8. Configure encryption key sizes to the maximum allowable. (NIST 800-121: Table 4-1 (23))

  9. Use encryption atop the Bluetooth stack for sensitive data communication. Employing higher layer encryption (particularly FIPS 140 validated) over the native encryption will further protect the data in transit. (NIST 800-121: Table 4-2 (25))
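The following audit routine is an added example, not part of this IRM or any IRS tool: it checks a Bluetooth device/link profile against the rules collected in the Bluetooth, Bluetooth Connectivity, Bluetooth Legacy Pairing, SSP Security and Bluetooth Encryption items above (recommended Security Mode and Service Level per version, no "Just Works", key sizes, unit keys, discoverability, Mode 3 fallback). The BluetoothProfile field names and the two sample profiles are constructed for illustration and do not correspond to a real MDM export format.

```python
"""Added example (not IRS or NIST code): audit a Bluetooth profile against the
Bluetooth rules of this IRM. The profile schema is a constructed illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_KEY_BYTES = 16   # 128-bit AES-CCM key, as required by Secure Connections Only Mode
LE_MIN_KEY_BYTES = 7  # minimum encryption key size Bluetooth low energy permits


@dataclass
class BluetoothProfile:
    version: float                    # core spec version: 2.0, 2.1, 3.0, 4.0, 4.1, 4.2 ...
    low_energy: bool                  # True for a low energy link, False for BR/EDR
    security_mode: int                # BR/EDR: 1-4; low energy: 1 or 2
    service_level: Optional[int]      # 0-4, or None for a link-level mode (BR/EDR Mode 3)
    association_model: Optional[str]  # SSP model, or None for legacy PIN pairing
    encryption_key_bytes: int         # negotiated encryption key size
    link_encryption: bool             # link-layer encryption enabled for the connection
    link_key_from_unit_key: bool      # link key derived from a shared unit key
    discoverable_by_default: bool     # discoverable outside of an explicit pairing
    default_device_name: bool         # still advertises the factory device name
    fallback_security_mode: Optional[int] = None  # mode used with pre-2.1 peers, if any


def recommended_mode_level(version: float, low_energy: bool) -> Tuple[int, Optional[int]]:
    """Recommended Security Mode / Service Level as stated in this IRM
    ('Bluetooth Encryption' item 1 and the low energy items under 'Bluetooth' item 5)."""
    if low_energy:
        return (1, 4) if version >= 4.2 else (1, 3)   # 4.2+ LE Secure Connections
    if version >= 4.1:
        return (4, 4)      # BR/EDR Secure Connections, authenticated pairing, 128-bit keys
    if version >= 2.1:
        return (4, 3)      # SSP with MITM protection and encryption
    return (3, None)       # 2.0 and older: link-level security before link establishment


def audit(p: BluetoothProfile) -> List[str]:
    """Return one finding per violated rule; an empty list means the profile complies."""
    findings: List[str] = []
    rec_mode, rec_level = recommended_mode_level(p.version, p.low_energy)

    if not p.low_energy and p.security_mode == 1:
        findings.append("BR/EDR Security Mode 1 never initiates security and must not be used")
    elif p.security_mode != rec_mode or (
        rec_level is not None and (p.service_level is None or p.service_level < rec_level)
    ):
        findings.append(f"security mode/level {p.security_mode}/{p.service_level} "
                        f"differs from recommended {rec_mode}/{rec_level}")

    if not p.low_energy and p.version >= 2.1 and p.association_model == "Just Works":
        findings.append("SSP 'Just Works' association model provides no MITM protection")

    if not p.link_encryption:
        findings.append("link encryption is not enabled for the connection")
    if p.low_energy and p.encryption_key_bytes < LE_MIN_KEY_BYTES:
        findings.append(f"low energy key size {p.encryption_key_bytes} bytes is below the 7-byte minimum")
    if p.encryption_key_bytes < FULL_KEY_BYTES:
        findings.append(f"key size {p.encryption_key_bytes} bytes is below the maximum 128-bit strength")

    if p.link_key_from_unit_key:
        findings.append("link key is derived from a shared unit key (deprecated since Bluetooth v1.2)")
    if p.discoverable_by_default:
        findings.append("device is discoverable outside of pairing")
    if p.default_device_name:
        findings.append("default device name is still advertised during discovery")
    if not p.low_energy and p.version >= 2.1 and p.fallback_security_mode not in (None, 3):
        findings.append(f"fallback to Security Mode {p.fallback_security_mode} for pre-2.1 peers; "
                        "Mode 3 is required")
    return findings


# Constructed sample profiles (not real device data).
WEAK_PROFILE = BluetoothProfile(
    version=2.1, low_energy=False, security_mode=4, service_level=2,
    association_model="Just Works", encryption_key_bytes=8, link_encryption=True,
    link_key_from_unit_key=True, discoverable_by_default=True, default_device_name=True,
    fallback_security_mode=1,
)
COMPLIANT_LE_PROFILE = BluetoothProfile(
    version=4.2, low_energy=True, security_mode=1, service_level=4,
    association_model="Passkey Entry", encryption_key_bytes=16, link_encryption=True,
    link_key_from_unit_key=False, discoverable_by_default=False, default_device_name=False,
)

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("compliant LE", COMPLIANT_LE_PROFILE)):
        print(f"{name}: {len(audit(profile))} finding(s)")
        for finding in audit(profile):
            print("  -", finding)
```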

Bluetooth Headsets
  1. IRS has made a risk-based decision to allow employees to use both government-issued and personally owned Bluetooth headsets with pairing capabilities to Bluetooth-enabled systems (e.g., BlackBerry devices and cellular phones) to conduct IRS business. This is an approved exception to IRS Personal Use Policy. Refer to IRM 10.8.27 for additional guidance. (IRS-defined)

    Note:

    The term “headset” is intended to include any device designed to communicate the human voice to and from a cellular telephone or mobile computing device. It includes portable headsets, hands-free devices in vehicles, portable speakerphones, and other devices with no data functionality.

  2. Acquisition of IRS-procured Bluetooth headsets shall be a Business Unit Expense. (IRS-defined)

  3. Bluetooth headsets shall not have any capabilities beyond voice communication and encryption. (IRS-defined)

  4. Employees shall not communicate IRS sensitive information while utilizing a Bluetooth headset. Refer to IRM 10.8.1 for additional guidance related to situations where job function requires this specific type of communication. (IRS-defined)

  5. If the employee is in a position that requires a Bluetooth headset device to complete his or her job responsibilities, then the following guideline applies: (IRS-defined)

    1. If the employee has business calls, a landline remains the preferred method for conducting such calls. If the employee chooses to use their personal cell phone or an IRS-provided cell phone with his or her personal Bluetooth headset, that shall be considered a personal choice by the user and the government shall not incur costs associated with calls or maintenance of personal wireless headsets. (IRS-defined)

Wireless System Components
  1. Wireless System Components (wireless peripherals) including, but not limited to, keyboards, mice, presenters/pointers, and headphones shall be used in accordance with the following security controls: (IRS-defined)

    1. Shall only be used in an approved IRS work location.

    2. Shall not be used to communicate IRS sensitive information.

    3. The use and operation of these components shall be in accordance with the applicable requirements of this IRM.

  2. The acquisition of IRS-procured wireless system components shall be in accordance with approved business processes. (IRS-defined)

Global Positioning System (GPS) Devices
  1. The IRS has made a decision to allow the use of taxpayer address information on Global Positioning System (GPS) devices. The Office of Privacy, Governmental Liaison and Disclosure (PGLD), has published specific guidelines for use of Taxpayer address data on personally-owned GPS devices. See IRM 10.5.1.6.10, Global Positioning Systems (GPS). (IRS-defined)

  2. Users of GPS devices should be advised that many GPS devices, such as those installed in smartphones and some automobiles, use telematics to transmit address information entered by the user to the GPS vendor. Therefore, IRS personnel shall:

    1. Only enter Taxpayer address information into the GPS. No other Taxpayer-identifiable information shall be entered into GPS devices. (IRS-defined)

    2. Immediately delete all Taxpayer address information from the GPS device upon arrival at the destination address. (IRS-defined)

  3. If the GPS device requires a corresponding name or identifier for the address, use a made-up number or other moniker that does not include any Taxpayer PII or IRS-related information. (IRS-defined)

  4. IRS-owned or personally owned GPS devices shall not be connected to an IRS computer.

    1. The ACIO Cybersecurity has made a Risk-Based Decision to allow the connection of IRS-procured GPS devices to personally owned computers for the purpose of updating map information and firmware. (IRS-defined)

SI - System and Information Integrity

  1. In addition to the System and Information Integrity guidance defined within this IRM, requirements for the following System and Information Integrity control areas shall be implemented in accordance with IRM 10.8.1:

    • SI-3 Malicious Code Protection

    • SI-4 Information System Monitoring

    • SI-5 Security Alerts, Advisories, and Directives

    • SI-6 Security Function Verification

    • SI-7 Software, Firmware, and Information Integrity

    • SI-8 Spam Protection

    • SI-10 Information Input Validation

    • SI-11 Error Handling

    • SI-12 Information Output Handling and Retention

    • SI-13 Predictable Failure Prevention

    • SI-14 Non-Persistence

    • SI-15 Information Output Filtering

    • SI-16 Memory Protection

    • SI-17 Fail-Safe Procedures

SI-2 Flaw Remediation
  1. Wireless application servers shall have the latest virus scanning and security patches installed and updated to detect and prevent viruses and other malicious content from infecting the enterprise network, in accordance with IRM 10.8.1 and IRM 10.8.54, Minimum Firewall Administration Requirements. (SI-2(2)_T.235)

  2. Per IRM 10.8.50, security firmware updates and patches to government furnished mobile device hardware and software components shall be fully tested prior to deployment. (IRS-defined)

  3. See IRM 10.8.1 for additional guidance on Flaw Remediation.


Mobile Device Operating System (OS) Configuration Settings

  1. The required OS configuration settings for the operation of approved mobile devices within the IRS environment are maintained in an Excel-based exhibit/spreadsheet, which is located on the IRS IT Security SharePoint site at: https://portal.ds.irsnet.gov/sites/CyberSP/tools/default.aspx. See the Security Control Exhibits tab under Libraries and then select the IRM 10.8.26 folder.

  2. The following mobile device OS configuration tables are available in the Excel-based exhibit:

    1. Apple iOS 10 Non-Supervised Controls

    2. Apple iOS 10 Optional Supervised Controls

    3. Apple iOS 11 Non-Supervised Controls

    4. Apple iOS 11 Optional Supervised Controls

    5. BlackBerry OS 10.3.x

    6. Samsung Android OS 6 with (Knox 2.x) Non-Work Environment

    7. Samsung Android OS 6 with (Knox 2.x) Work Environment Container

    8. Samsung Android OS 6 with (Knox 2.x) Play for Work Inside KNOX Container

    9. Samsung Android OS 7 with (Knox 2.x) Non-Work Environment

    10. Samsung Android OS 7 with (Knox 2.x) Work Environment Container

    11. Samsung Android OS 7 with (Knox 2.x) API for Each MDM Policy Rule

Glossary and Acronyms

Term Definition or Description
A

Advanced Encryption Standard (AES)
A symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers: AES-128, AES-192, and AES-256. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192, and 256 bits, respectively.
   
Authorizing Official (AO) Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to an agency.
B
Biometric Associates, LP (BAL)
Developer of fingerprint identification system modules for biometric smartcards and subsystems.
BIOS (Basic Input/Output System) Software stored on a small memory chip on a computer’s motherboard that loads prior to the operating system and instructs the computer on how to perform a number of basic functions such as booting and keyboard controls.
BlackBerry Enterprise Server (BES) A middleware software package that is part of the BlackBerry wireless platform.
Blackberry Unified Endpoint Management (UEM) Provides an integrated view of users, devices, apps and policies, across multiple ownership models and platforms, including iOS, Android™, Windows 10®, macOS, and Chrome OS.
Blackberry Work BB Work is the new mobile app (an upgrade to BlackBerry’s Good for Enterprise) for sending / receiving IRS email on BYOD devices.
Bluetooth A proprietary open wireless technology standard for exchanging data over short distances (using short wavelength radio transmissions) from fixed and mobile devices, creating wireless personal area networks (WPANs) with high levels of security. Created by telecoms vendor Ericsson in 1994, it was originally conceived as a wireless alternative to RS-232 data cables. It can connect several devices, overcoming problems of synchronization. A Bluetooth piconet is an ad hoc network linking a user group of devices using Bluetooth technology protocols to allow one master device to interconnect with up to seven active slave devices (because a three-bit MAC address is used). Up to 255 further slave devices can be inactive, or parked, which the master device can bring into active status at any time. Piconet range varies according to the class of the Bluetooth device. Data transfer rates vary between about 200 and 2100 kilobits per second (kbit/s) at the application.
Bring Your Own Device (BYOD) Bring Your Own Device is a concept that allows employees to utilize their personally owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal tablets/eReaders, smartphones, and other devices.
Bluetooth Service Level For Security Mode 4, the Bluetooth specification defines five levels of security for Bluetooth services for use during SSP. The service security levels are as follows:
  • Service Level 4 – Requires MITM protection and encryption using 128-bit equivalent strength for link and encryption keys; user interaction is acceptable.

  • Service Level 3 – Requires MITM protection and encryption; user interaction is acceptable.

  • Service Level 2 – Requires encryption only; MITM protection is not necessary.

  • Service Level 1 – MITM protection and encryption not required. Minimal user interaction.

  • Service Level 0 – No MITM protection, encryption, or user interaction required.

BR Basic Rate.
C
Commercial Mobile Device (CMD)
A subset of Portable Electronic Devices (PEDs) that provides one or more commercial wireless interfaces along with a compact user input interface (Touch Screen, Miniature Keypad, etc.) and excludes PEDs running a multi-user operating system (Windows OS, Mac OS, etc.). This definition includes, but is not limited to smart phones, tablets, and e-readers.
   
Computer Security Incident Response Center (CSIRC) Responsible for monitoring the IRS network 24 hours a day year-round for cyber attacks and computer vulnerabilities and for responding to various security incidents such as the theft of a laptop computer.
CONOPS Concept of Operations.
Controlled Unclassified Information (CUI) A new category of unclassified categories issued in a directive on May 9, 2008, by President George W. Bush. CUI replaces categories such as For Official Use Only (FOUO), Sensitive But Classified (SBU) and Law Enforcement Sensitive (LES) categories. Refers to unclassified information that is to be protected from public disclosure.
CTTA Certified TEMPEST Technical Authority
D
Data Spill
The accidental or deliberate exposure of classified, sensitive or official information into an uncontrolled or unauthorized environment or to persons without a need-to-know. A data spill is sometimes referred to as unintentional information disclosure or a data leak.
Defense Information Systems Agency (DISA) An agency composed of military, federal civilian, and contractors. DISA provides information technology and communications support to the President, Secretary of Defense, the military services, the combatant commands, and any individual or system contributing to the defense of the United States.
Dynamic Host Configuration Protocol (DHCP) A protocol used by network devices (clients) to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network. By using this protocol, system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configurations.
802.11 An evolving family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE).
E
ECDH Elliptic Curve Diffie-Hellman.
EDR Enhanced Data Rate.
Encryption Any procedure used in cryptography to convert plaintext into ciphertext to prevent anyone but the intended recipient from reading that data.
Enterprise Lifecycle (ELC) The dynamic, iterative process of changing the enterprise over time by incorporating new business processes, new technology, and new capabilities, as well as maintenance, disposition and disposal of existing elements of the enterprise.
ESP Enterprise Standards Profile.
F
Federal Information Processing Standard (FIPS) Publicly announced standards developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract.
Forfeiture Agreement A contractual agreement where one party may be required to forfeit specified property if the party fails to fulfill its contractual obligations.
G
GFE Government Furnished Equipment.
Global Positioning System (GPS) A space-based satellite navigation system that provides location and time information in all weather conditions, anywhere on or near the Earth where there is an unobstructed line of sight to four or more GPS satellites.
H
HS High Speed.
HTTP Hypertext Transfer Protocol.
HTTPS Hypertext Transfer Protocol Secure.
I
IDS Intrusion Detection System.
IEEE 802.11 A family of IEEE standards that extend the common wired Ethernet local network standard into the wireless domain using the 5 GHz and 2.4 GHz public spectrum bands. It specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. It is commonly referred to as Wi-Fi because the Wi-Fi Alliance provides certification for 802.11 products.
Information Technology (IT) The application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise.
iOS (previously iPhone OS) A mobile operating system developed and distributed by Apple Inc.
IRM Internal Revenue Manual.
IRS Internal Revenue Service.
M
MITM Man-in-the-middle.
Mobile Application Management (MAM) Describes the software and services responsible for provisioning and controlling access to internally developed and commercially available mobile apps used in business settings on both company-provided and bring your own smartphones and tablet computers.
Mobile Devices/Portable Electronic Devices (PEDs) Mobile devices/portable electronic devices have computing and wireless or Local Area Network (LAN) connectivity capabilities. These include, but are not limited to: laptops with wireless capabilities, cellular/personal communication system devices, audio/video/data recording or playback devices, scanning devices, remote sensors, messaging devices (for example, Blackberries, Palm Pilots, Pocket PCs, iPhones, iPads), and two-way radios.
   
Mobile Device Integrity Scanning (MDIS) Used to audit the integrity of the mobile devices.
Mobile Device Management (MDM) Software that secures, monitors, manages and supports devices deployed across mobile operators, service providers and enterprises.
Multimedia Messaging Service (MMS) A standard way to send messages that include multimedia content to and from mobile phones.
N
National Institute of Standards and Technology (NIST) The federal technology agency that works with industry to develop and apply technology, measurements, and standards.
   
O
Operating System (OS) A collection of software that manages computer hardware resources and provides common services for computer programs.
OTA Over-The-Air.
P
PC Personal Computer.
Personal Computer Memory Card International Association (PCMCIA) An organization consisting of some 500 companies that has developed a standard for small, credit card-sized devices, called PC Cards.
Personally Identifiable Information (PII) All taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person. A specific type of sensitive and SBU information that includes the personal information of taxpayers, and the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to: name; home address; Social Security number; date of birth; home telephone number; biometric data (e.g., height, weight, eye color, fingerprints, etc.); and other numbers or information that alone or in combination with other data can identify an individual.
PIM Personal Information Management.
PRNG Pseudo Random Number Generator.
   
Public Key Infrastructure (PKI) A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an internet transaction.
R
Research in Motion (RIM) A Canadian telecommunication and wireless device company best known as the developer of the BlackBerry smartphone.
Risk Based Decision (RBD) Determination of a course of action predicated primarily on the assessment of risk and the expected impact of that course of action on that risk.
RNG Random Number Generator.
S
SA&A Security Assessment and Authorization.
Sanitization The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
   
Secure Sockets Layer (SSL) Cryptographic protocols that are designed to provide communication security over the Internet.
Security Assessment Report (SAR) Reflects assessment activities conducted by assessors to determine security control effectiveness based on modifications to the security plan and deployed controls.
Security Assessment Services (SAS) Responsible for identifying any security risk and documenting the assessment of that risk in a SAR.
Security Technical Implementation Guide (STIG) A methodology for standardized secure installation and maintenance of computer software and hardware.
Sensitive But Unclassified (SBU) Information Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or to the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Sensitive Information Information in which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).
Short Messaging Service (SMS) A text messaging service component of phone, web, or mobile communication systems, using standardized communications protocols that allow the exchange of short text messages between fixed line or mobile phone devices.
   
Smart Card Reader (SCR) An electronic device that reads smart cards. A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.
Smartphone A mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone. Smartphones combine the functions of a personal digital assistant (PDA), camera, and mobile phone. They also typically include GPS, touchscreens, web-browsing capabilities, and include a mobile operating system (mobile OS) (e.g., Apple iOS, Microsoft Windows Phone, and RIM BlackBerry OS).
SME Secure Mobile Environment.
Split Tunneling A computer networking concept that allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same network connection.
SRG Security Requirements Guide.
SSID Service Set Identifier.
SSP Secure Simple Pairing.
Standard Operating Procedures (SOP) Established or prescribed methods to be followed routinely for the performance of designated operations or in designated situations.
   
Subscriber Identity Module (SIM) An integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers).
System Security Plan (SSP) A formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
Systems Development Life Cycle (SDLC) A process of creating or altering information systems, and the models and methodologies that people use to develop these systems.
T
Tablet A tablet computer (tablet) is a mobile computer, larger than a mobile phone or mobile computing device, integrated into a flat touchscreen and primarily operated by touching the screen rather than using a physical keyboard. It often uses an onscreen virtual keyboard, a passive stylus pen, or a digital pen. Besides having most PC capabilities, typical tablet computers include wireless Internet browsing functions, potential cell phone functions, GPS navigation, and video camera functions. In many ways, the functions and purposes of laptops, tablets, and smartphones overlap.
Treasury Directive Publication (TD-P) Documents that provide a baseline of IT security standards that apply to the Department of the Treasury bureaus, departmental offices (DO), Office of the Inspector General (OIG), and the Treasury Inspector General for Tax Administration (TIGTA), hereafter referred to collectively as bureaus.
Treasury Inspector General for Tax Administration (TIGTA) Provides oversight of the Department of Treasury matters involving Internal Revenue Service (IRS) activities, the IRS Oversight Board and the IRS Office of Chief Counsel.
V
Virtual Private Network (VPN) A computer network that links two computers or devices through an underlying local or wide area network, while encapsulating the data and keeping it private. It is comparable to a pipe within a pipe. Even though the outer pipe contains the inner one, the inner pipe has a wall that blocks other traffic in the outer pipe from mixing with the inner traffic. To the rest of the network, the VPN traffic just looks like another traffic stream.
Voice over Internet Protocol (VOIP) A methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks.
W
Wide Area Network (WAN) A network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports.
Wi-Fi Wireless Fidelity.
WIDS Wireless Intrusion Detection System.
Wi-Fi Protected Access (WPA) A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.
WIPE A command or series of commands that resets the mobile device to its default factory condition and deletes all user data, including user-installed applications, stored on the device.
Wireless A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).
Wireless Client A system or device that connects to an access point or another client directly via wireless connection.
Wireless Local Area Network (WLAN) Links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually providing a connection through an access point to the wider Internet.

References

Internal Revenue Manuals (IRMs)

  • IRM 1.4.6, Resource Guide for Managers, Managers Security Handbook.

  • IRM 2.149.x, IT Asset Management series.

  • IRM 10.2.x, Physical Security Program series.

  • IRM 10.2.1, Physical Security Program, Physical Security.

  • IRM 10.2.8, Physical Security Program, Incident Reporting.

  • IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  • IRM 10.8.2, Information Technology (IT) Security, Roles and Responsibilities.

  • IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources.

  • IRM 10.8.50, Information Technology (IT) Security, Service-wide Security Patch Management.

  • IRM 10.8.52, Information Technology (IT) Security, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy.

  • IRM 10.8.54, Information Technology (IT) Security, Minimum Firewall Administration Requirements.

  • IRM 10.8.55, Information Technology (IT) Security, Network Security Policy.

  • IRM 10.9.1, National Security Information.

Department of the Treasury Publications

  • Treasury Directive (TD) Publication (P) 15-71, Department of Treasury Security Manual, June 17, 2011.

  • Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume 3, Unclassified (Non-National Security) Systems, July 1, 2016.

National Institute of Standards and Technology (NIST)

  • NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, June 2014.

  • NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, January 2015.

  • NIST SP 800-121 Rev 2, Guide to Bluetooth Security, May 2017.

Defense Information Systems Agency (DISA)

  • Defense Information Systems Agency (DISA) Apple iOS 10, Security Technical Implementation Guide (STIG), Version 1, Release 3, April 28, 2017.

  • Defense Information Systems Agency (DISA) Apple iOS 11, Security Technical Implementation Guide (STIG), Version 1, Release 1, January 16, 2018.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Server (BES) 12.5.x, Security Technical Implementation Guide (STIG), Version 1, Release 3, July 28, 2017.

  • Defense Information Systems Agency (DISA) BlackBerry OS 10.3.x, Security Technical Implementation Guide (STIG), Version 1, Release 3, May 9, 2017.

  • Defense Information Systems Agency (DISA) Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG), Version 2, Release 5, October 28, 2016.

  • Defense Information Systems Agency (DISA) Mobile Policy, Security Technical Implementation Guide (STIG), Version 2, Release 3, October 28, 2016.

  • Defense Information Systems Agency (DISA) Mobile Policy Security Requirements Guide (SRG), Version 1, Release 2, July 26, 2013.

  • Defense Information Systems Agency (DISA) Samsung Android OS 6 with Knox 2.0 Security Technical Implementation Guide (STIG), Version 1, Release 2, January 27, 2017.

  • Defense Information Systems Agency (DISA) Samsung Android OS 7 with Knox 2.0 Security Technical Implementation Guide (STIG), Version 1, November 6, 2017.

  • Defense Information Systems Agency (DISA) Microsoft Windows 10 Mobile Security Technical Implementation Guide (STIG), Version 1, Release 3, October 27, 2017.

Not Applicable SRG/STIG Requirements

External Reference: Commercial Mobile Device (CMD) Policy STIG (2.5) 2016-09-30

STIG ID: Requirement
WIR-SPP-005: Mobile operating system (OS) based CMDs and systems shall not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.

External Reference: Mobile Policy SRG (1.2) 2013-07-03

Source ID: Requirement
SRG-MPOL-004: The organization's wireless metropolitan area network (WMAN) system accreditation must include a Transmission Security (TRANSEC) vulnerability analysis, if the WMAN system operates in a tactical environment.
SRG-MPOL-014: The organization must obtain U.S. Forces Command (USFORSCOM) or host nation approval for the use of wireless equipment prior to operation of such equipment outside the United States and Possessions (USP).
SRG-MPOL-020: The organization must maintain a SIPRNet connection approval package with the Classified Connection Approval Office (CCAO) when connecting a Secure WLAN (SWLAN) to SIPRNet.
SRG-MPOL-021: The organization must reasonably size and constrain the Wireless Metropolitan Area Network (WMAN) signals to their intended coverage area.
SRG-MPOL-022: The organization's WMAN system must not operate in the 3.30-3.65 GHz frequency band.
SRG-MPOL-023: The Incident Response Plan (IRP) and/or SOP must have the required procedures for reporting the results of WMAN intrusion scans.
SRG-MPOL-032: The organization must notify the Certified TEMPEST Technical Authority (CTTA) before a Secure WLAN (SWLAN) becomes operational and connected to the SIPRNet.
SRG-MPOL-037: The organization must have written policy or training material stating CMDs must not be used to receive, transmit, or process classified messages unless specifically approved by NSA for such purposes and NSA-approved transmission and storage methods are used.
SRG-MPOL-038: The organization must not permit operation of wireless devices in areas where classified information is electronically stored, processed, or transmitted unless operation is in accordance with DAA-approved CTTA restrictions at the site.
SRG-MPOL-040: The organization must have a policy forbidding the use of wireless personal area network (PAN) devices, such as near-field communications (NFC), Bluetooth, and ZigBee, to send, receive, store, or process classified information.
SRG-MPOL-044: The organization must require that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices, are subject to random reviews/inspections by organization defined security officials.
SRG-MPOL-085: The organization must ensure physical security controls are implemented for Secure WLAN (SWLAN) access points.

External Reference: Mobile Policy STIG (2.3) 2016-09-01

STIG ID: Requirement
WIR0045: Computers with an embedded wireless system shall have the radio removed before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the IRS Commercial Solutions for Classified (CSfC) program.