{
  "name": "stig_wman_subscriber",
  "date": "2014-03-18",
  "description": "This STIG contains the technical security controls for the operation of a WMAN Subscriber in the DoD environment.",
  "title": "WMAN Subscriber Security Technical Implementation Guide (STIG)",
  "version": "6",
  "item_syntax": "^\\w-\\d+$",
  "section_separator": null,
  "items": [
    {
      "id": "V-14002",
      "title": "A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.",
      "description": "If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.",
      "severity": "medium"
    },
    {
      "id": "V-14202",
      "title": "FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).",
      "description": "If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised.  Most known security breaches of cryptography result from improper implementation, not flaws in the cryptographic algorithms themselves.   FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.",
      "severity": "medium"
    },
    {
      "id": "V-14207",
      "title": "WMAN systems must require strong authentication from the user or WMAN subscriber device to WMAN network.\n",
      "description": "Broadband systems not compliant with authentication requirements could allow a hacker to gain access to the DoD network.",
      "severity": "medium"
    },
    {
      "id": "V-18602",
      "title": "When a WMAN system is implemented, the network enclave must enforce strong authentication from user to DoD enclave (wired network).  For “User to Enclave” authentication, the enclave must enforce network authentication requirements found in USCYBERCOM CTO 07-15Rev1 (or subsequent updates) (e.g. CAC authentication).\n\nNote:  User authentication to the enclave must be a separate process from authentication to the WMAN system.  If the WMAN vendor implements CAC authentication for the User or WMAN subscriber device to WMAN network, the user may only need to enter their PIN once to authenticate to both the WMAN system and the enclave.\n",
      "description": "Without strong user authentication to the network a hacker may be able to gain access.",
      "severity": "medium"
    },
    {
      "id": "V-18603",
      "title": "Site WMAN systems that transmit unclassified data must implement required data encryption controls.\n",
      "description": "Sensitive DoD data could be exposed to a hacker.",
      "severity": "medium"
    },
    {
      "id": "V-18604",
      "title": "A WMAN system transmitting classified data must implement required data encryption controls.",
      "description": "If not compliant, classified data could be compromised.",
      "severity": "high"
    },
    {
      "id": "V-19903",
      "title": "Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.",
      "description": "Broadband systems not compliant with authentication requirements could allow a hacker to gain\naccess to the DoD network.",
      "severity": "medium"
    },
    {
      "id": "V-19904",
      "title": "Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.",
      "description": "Broadband systems not compliant with authentication requirements could allow a hacker to gain\naccess to the DoD network.",
      "severity": "medium"
    },
    {
      "id": "V-3512",
      "title": "NSA Type1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. ",
      "description": "NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information.  Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised. ",
      "severity": "high"
    }
  ]
}