
Wireless Portable Electronic Devices

In document DHS 4300A Sensitive Systems Handbook (Page 133-139)

4.6 Wireless Communications

4.6.2 Wireless Portable Electronic Devices

Wireless PEDs include personal digital assistants (PDA), smart telephones, two-way pagers, handheld radios, cellular telephones, personal communications services (PCS) devices, multifunctional wireless devices, portable audio/video recording devices with wireless capability, scanning devices, messaging devices, and any other wireless clients capable of storing, processing, or transmitting sensitive information.

There is currently no DHS-approved encryption software for PEDs, although individual Components may be using products that provide adequate protection. As DHS or National Security Agency (NSA) standards are established, they will be discussed in this section of the handbook.

Personally owned PEDs are not authorized to process, transmit, or store sensitive or classified information. Personally owned PEDs may not be connected to sensitive or classified systems or networks.

Government-owned PEDs can be used in conjunction with Department networks or systems (to include any downloading of data from a user’s workstation to these devices) only if the current C&A documentation specifically addresses the inherent risks associated with their use and the DAA evaluates and accepts any residual risk. Re-certification and accreditation are required if these issues are not currently addressed in the most current C&A documentation.

System owners and IT project managers must identify and implement as many countermeasures as appropriate to strengthen the security of wireless PEDs. These countermeasures include the use of passwords, personal firewalls, and antivirus software; the monitoring of malicious activities; the use of modification detection software and of software that will allow the device to dynamically identify and adapt to each wireless mode of operation; the tracking of data and assets; and management protocols. Countermeasures should allow the system administrator to maintain a user and community profile through unit identification and validation, which would in turn allow administrators to remove data, update software, and log and track unauthorized removal where appropriate.

Because of their portability and mobility, PEDs are also extremely susceptible to theft, physical damage, and loss—all of which could lead to compromise of information.

Components are to develop and maintain a property inventory list of all PEDs authorized for use. This list is to include serial numbers and/or seat numbers, user names, use, and location of all PEDs for accountability purposes. Each DHS-owned PED is to have an asset tag, whose number is included in the inventory list. Rules of behavior for PEDs must be published and enforced.

DHS 4300A Attachment G provides guidance on developing rules of behavior, including rules for PEDs, and provides sample rules of behavior.

DHS 4300A Attachment Q2 (Wireless Portable Electronic Devices) provides guidance for DHS Components to use in developing and implementing wireless PED security.

DHS Policy

a. The use of wireless PEDs and accessory devices in areas where sensitive or classified information is discussed is prohibited unless specifically authorized by the DAA in writing.

b. Wireless PEDs shall not be connected physically or wirelessly to the DHS-wired core network without written consent from the DAA.

c. Wireless PEDs shall not be used to store, process, or transmit combinations, personal identification numbers (PIN), or sensitive information in unencrypted formats.

d. Wireless PEDs such as BlackBerry devices and smartphones shall implement strong identification, authentication, data encryption, and transmission encryption technologies. Portable electronic devices such as BlackBerry devices and smartphones shall be password-protected, with a security timeout period established. For BlackBerry devices, the security timeout shall be set to 10 minutes.

e. System Security Plans shall promulgate the provisions, procedures, and restrictions for using wireless PEDs to download mobile code in an approved manner.

f. Wireless PEDs shall be operated only when current DHS Technical Reference Model (TRM)-approved versions of antivirus software and software patches are installed.

g. Cost-effective countermeasures to denial-of-service attacks shall be identified and established prior to a wireless PED being approved for use.

h. Components shall maintain a current inventory of all approved wireless PEDs in operation.

i. Wireless PEDs shall be cleared of all information before being reused by another individual, office, or Component within DHS or before they are surplused; wireless PEDs that are being disposed of, recycled, or returned to the owner or manufacturer shall first be sanitized using approved procedures.

j. Legacy wireless PEDs that are not compliant with DHS IT security policy shall implement a migration plan that outlines the provisions, procedures, and restrictions for transitioning these wireless PEDs to DHS-compliant security architectures. Operation of these noncompliant systems requires an approved waiver or exception from the CISO, as appropriate.

k. Personally owned PEDs shall not be used to process, store, or transmit sensitive DHS information.

l. The DAA shall approve the use of Government-owned PEDs to process, store, or transmit sensitive information.

m. The use of add-on devices such as cameras and recorders is not authorized unless approved by the DAA. Functions that can record or transmit sensitive information via video, IR, or RF shall be disabled in areas where sensitive information is discussed.

Wireless portable electronic device responsibilities are provided below.

Wireless Portable Electronic Device Responsibilities

DAAs

• Approve the use of Government-owned, DHS-approved wireless PEDs and accessory devices to connect, process, store, or transmit sensitive information.

• Ensure appropriate and effective security measures are included in the System Security Plan.

• Authorize the use of Government-owned wireless PEDs and accessory devices in areas where sensitive information is discussed.

• Evaluate the risk associated with authorizing wireless PEDs to connect, process, store, transmit, or access sensitive information and systems during the C&A process.

• Approve/disapprove the use of mobile code (e.g., ActiveX).

System Owners/IT Project Managers

• Develop risk mitigation plans for prioritizing corrective actions and implementation milestones.

• Develop migration plans that outline provisions, procedures, and restrictions for transitioning legacy wireless PEDs to DHS-compliant security architectures.

• Maintain an inventory of all approved wireless PEDs in operation.

ISSMs

• Enforce DHS policy on the use of wireless PEDs and accessory devices in areas where sensitive information is discussed.

• Enforce DHS policy concerning the use of wireless PEDs and accessory devices to connect, store, process, or transmit combinations, PINs, or sensitive information.

• Develop procedures for implementation of strong identification, authentication, data encryption, and transmission encryption for wireless PEDs to protect sensitive information from compromise.

• Enforce DHS policy concerning the use of mobile code and antivirus software on wireless PEDs.

• Identify and establish cost-effective countermeasures to denial-of-service attacks for wireless PEDs.

ISSOs

• Ensure wireless PEDs are not permitted in areas where sensitive information is discussed unless authorized in writing by the DAA.

• Enforce DHS policy concerning the use of wireless PEDs to process, store, or transmit sensitive information.

• Enforce DHS policy concerning the use of mobile code and antivirus software on wireless PEDs.

• Implement cost-effective countermeasures to denial-of-service attacks for wireless PEDs.

• Ensure that all information is cleared from wireless PEDs that are to be reused or surplused; ensure that all information is sanitized from wireless PEDs that are being disposed of, recycled, or returned to the owner or manufacturer (see Section 4.3.3, Media Sanitization and Disposal, for approved procedures).

• Implement migration plans that outline provisions, procedures, and restrictions for transitioning legacy wireless PEDs to DHS-compliant security architectures.

• Enforce prohibition of add-on devices such as cameras and recorders.

System/Network Administrators

• Ensure wireless PED security controls are properly implemented and configured in accordance with the Systems Security Plan.

• Ensure routine security assessments are accomplished on wireless PEDs.

DHS Managers, Supervisors, and Employees

• Adhere to DHS policy concerning the use of wireless PEDs in areas where sensitive information is being discussed.

• Adhere to DHS policy concerning the use of wireless PEDs to process, store, transmit, or access combinations, PINs, or sensitive information.

The differences among wireless PEDs are becoming less clear-cut as voice communications, email, calendars, text messaging, Internet capabilities, and other services converge on integrated PED platforms. These product innovations, while they improve mobility, flexibility, portability, and economies of scale, are subject to all the threats, vulnerabilities, and security risks inherent in evolving wireless technologies.

4.6.2.1 Cellular Phones

Cellular phones used in areas where sensitive information is discussed have the same inherent vulnerabilities as cordless telephones and speakerphones as discussed in Section 4.4.2. They potentially allow a discussion of sensitive information being held in the same area to be overheard by a third party who would not normally have access to such information.

As is the case with traditional telephones, cellular communications can be intercepted. However, the interception of conversations over telephones requires the insertion of a monitoring device; the interception of cellular communications does not, and information transmitted by cellular phones can be intercepted at reasonably great distances. An individual could be in a neighboring building or in the street outside the building and monitor conversations that are within the reach of the microphone in the cellular phone. In fact, cellular phone credentials can be cloned to other phones, allowing the “cloned” phone to masquerade as the original phone and allow covert monitoring of conversations near the original caller.

DHS Policy

Components shall develop guidance for discussing sensitive information on cellular phones. Guidance shall be approved by a senior Component official and is subject to review by the DHS CISO and the DHS Wireless Management Office. Under no circumstances shall classified information be discussed on cellular phones.

Cellular phone responsibilities are provided below.

Cellular Phone Responsibilities

Managers

• Ensure employees are aware of DHS policy prohibiting the discussion of sensitive DHS information while using a wireless telephone.

Users

• Ensure sensitive DHS information is not discussed while using a wireless telephone.

4.6.2.2 Pagers

Text pagers can send text messages up to 110 or 160 characters long, depending on the carrier.

Text messages also can be sent from a cellular service provider’s Web page, or from Web sites that allow users to send text messages for free. Pagers have the same inherent vulnerabilities as cellular phones with respect to exposure of sensitive information to unauthorized recipients (see Section 4.6.2.1).

Text messages rely on the service provider’s network and are not encrypted. There is thus no assurance of the security of these services. Moreover, text-message devices can be spammed with text messages until the user’s mailbox is full and the user can no longer receive new text messages until previously stored messages are deleted.

Pagers shall not be used to transmit information that is explicitly labeled as sensitive or classified. In addition, pagers should not be used to transmit information on computer or network problems or status. This information could be intercepted and used to identify the configuration and possibly the location of IT assets, which could then be targeted for attack by an outsider or untrustworthy insider.

A preferred alternative to transmitting text messages is to page an individual with a phone number and require the individual to call that number using a traditional (i.e., noncellular or nonmobile) telephone in a location where the conversation could not be monitored by others in the immediate area and where sensitive information can safely be discussed.

DHS Policy

Pagers shall not be used to transmit sensitive information.

Pager responsibilities are provided below.

Pager Responsibilities

Managers

• Ensure employees are aware of DHS policy prohibiting the transmission of sensitive DHS information to pagers.

Users

• Ensure sensitive DHS information is not transmitted to pagers.

4.6.2.3 Multifunctional Wireless Devices

Wireless devices have evolved to be multifunctional (cell phones, pagers, and radios can surf the Internet, retrieve email, take and transmit pictures, etc.), and most of these functions have no security.

Where there is a strong business justification for their use, DHS-owned wireless devices can be equipped to allow synchronization with approved Departmentally owned computers. Data is encrypted or decrypted, as needed, for synchronization with computer-based personal information managers (PIMs) and other programs.

The risk assessment for multifunctional wireless devices is to include an assessment of the risks associated with all the functions, including infrared (IR), radio frequency (RF), and video. The DAA must approve the associated risks identified by the risk assessment. Based on the sensitivity and classification of the data and the associated risk from the risk assessment, the DAA may allow the use of multifunctional wireless devices.

Use of peripheral devices must be tightly controlled. Audio and video recording capabilities should be prohibited unless specifically required for an individual’s duties. Unauthorized recordings of sensitive conversations or images of sensitive equipment could be used to compromise the security of the Department.

DHS Policy

a. Functions that cannot be encrypted using approved cryptographic modules shall not be used to process, store, or transmit sensitive information.

b. Functions that transmit or receive video, infrared (IR), or radio frequency (RF) signals shall be disabled in areas where sensitive information is discussed.

c. Short Message Service (SMS) and Multimedia Messaging Service (MMS) shall not be used and shall be disabled whenever possible.

Multifunctional wireless device responsibilities are provided below.

Multifunctional Wireless Device Responsibilities

DAAs

• Approve the implementation of multifunctional wireless devices at an acceptable level of risk.

• Ensure that the System Security Plan adequately addresses the protection of sensitive material accessed and stored on multifunctional wireless devices prior to accreditation.

IT Project Managers/System Owners

• Ensure security requirements for multifunctional wireless devices are communicated to the IT project manager and system administrators.

System/Network Administrators

• Ensure that multifunctional wireless devices are configured properly with encryption enabled to prevent unauthorized access, disclosure, damage, modification, or destruction of data.

• Ensure multifunctional wireless devices are periodically scanned for rogue access points and other vulnerabilities.

ISSOs

• Ensure that the System Security Plan addresses the protection of sensitive material accessed and stored on wireless devices.

• Ensure that security requirements for multifunctional wireless devices are addressed in the System Security Plan and rules of behavior.

• Ensure routine security assessments are accomplished on multifunctional wireless devices to identify rogue access points, backdoors, and other system vulnerabilities, and to enumerate vulnerabilities, risk statements, risk levels, and corrective actions.
