The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit.

From Mobile Policy Security Requirements Guide

Associated with: CCI-001439

SV-47253r1_rule The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit.

Vulnerability discussion

Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches as the data is unencrypted and in clear text.

Check content

This check only applies to sites using Bluetooth or ZigBee radios. Verify a written policy or training materials exists stating that Bluetooth (or ZigBee) will be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. If a policy does not exist or if it does not adequately cover the requirement, this is a finding.

Fix text

Update the policy or training materials to prohibit use of Bluetooth data transmission without FIPS 140-2 validated cryptographic modules.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.