10.8.40. Wireless Security Policy

(1) Internal Revenue Manual (IRM) 10.8.40, Information Technology (IT) Security, Wireless Security Policy provides policies and guidance to be used by the Internal Revenue Service (IRS) organization to carry out their respective responsibilities in information system security regarding wireless networks and devices.

(2) It is acceptable to configure settings to be more restrictive than those defined in this IRM.

(3) To configure less restrictive controls requires a risk-based decision. See the Risk Acceptance and Risk-Based Decisions section within this IRM for additional guidance.

(1) IRM 10.8.1 Information Technology (IT) Security, Policy and Guidance establishes the security program and the policy framework for the IRS.

(1) This IRM applies to all IRS-owned wireless devices, services, and networks that store, process, or transmit IRS data or connect to an IRS network or system.

(2) The provisions in this manual apply to:

1. All offices and business, operating, and functional units within the IRS.

2. Individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, which use or operate information systems that store, process, or transmit IRS information or connect to an IRS network or system.

3. All IRS information and information systems. For information systems that store, process, or transmit classified information, please refer to IRM 10.9.1, National Security Information, for additional procedures for protecting classified information.

(3) The IRS shall ensure that the product (e.g., software, hardware) and version selected is in accordance with IRS Enterprise Architecture (EA) Enterprise Standards Profile (ESP) that dictates the official products and versions of software within the IRS.

(4) The IRS shall ensure the application or system version is a version for which the vendor still offers standardized technical support.

(5) In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 takes precedence, unless the security controls/requirements within this policy are more restrictive, or otherwise noted.

(6) This document shall be used in conjunction with appropriate Operating System (OS) IRMs, as well as other IRM-related requirements of any applications, web server, or database accessing the wireless system.

(7) Organizations may augment the specific security controls within this policy to increase the security levels for a wireless technology implementation if approved by the responsible Authorizing Official (AO).

(1) Any exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision.

(2) Risk-Based Decision requests shall be submitted in accordance with IRM 10.8.1 and use Form 14201, as described in Risk Acceptance Request and Risk-Based Decision Standard Operating Procedures (SOPs), available on the Enterprise FISMA Compliance SharePoint site via the Risk Acceptance Requests link athttps://portal.ds.irsnet.gov/sites/CyberSRM/SitePages/RiskDecisions.aspx
Refer to IRM 10.8.1 for additional guidance about risk acceptance.

(1) Requests to deploy WLAN components for connecting approved end-user devices shall be approved or disapproved by the appropriate AO prior to their deployment.

(1) The maximum number of consecutive unsuccessful login attempts to a mobile device shall be set in accordance with IRM 10.8.1. (SRG-MPOL-001)

(2) Usage restrictions shall be established for wireless access. (SRG-MPOL-010)

(3) IRS Concept of Operations (CONOPS) or site security plan shall include information specifying that Bluetooth devices use only Class 2 or 3 standard radios. (SRG-MPOL-011)

(4) IRS CONOPS or site security plan shall include guidance requiring that Bluetooth radios must not be modified through signal amplification, antenna configuration, or other techniques that could affect signal detection or interception. (SRG-MPOL-012)

(5) The IRS shall establish implementation guidance for wireless access. (SRG-MPOL-016)

(6) Locations where Commercial Mobile Device (CMD) Wi-Fi access is approved or disapproved shall be documented. (SRG-MPOL-018)

(7) The IRS shall establish a wireless access control and security policy to define the administrative procedures and technical requirements to be met prior to being authorized to connect to an IRS information system. (SRG-MPOL-028)

(8) The IRS shall maintain a list of all AO-approved wireless and non-wireless devices under their control that store, process, or transmit IRS information. (SRG-MPOL-029)

(9) Each wireless device connecting to an IRS network shall be included in the applicable site security plan or other appropriate SA&A document. (SRG-MPOL-030)

(10) The IRS shall have a wireless remote access policy signed by the site AO, Director, or other appropriate authority. (SRG-MPOL-031)

(11) The IRS wireless remote access policy shall address the following security topics: (SRG-MPOL-031)

• Device unlock requirements.

• Anti-virus application.

• Personal firewall.

• Client software patches kept up to date - Internet browsing through enterprise Internet gateway.

• Device security policy managed by centrally-managed policy manager.

• Anti-spyware app (recommended).

• Procedures after client is lost, stolen, or other security incident occurs.

• Host-based Wireless Intrusion Detection and Prevention System (WIDPS)/monitor WIDPS.

• Configuration requirements of wireless client - Home WLAN authentication requirements.

• Home WLAN SSID requirements

• Separate WLAN access point required for home WLAN.

• Password length and complexity required for home WLAN.

• Use of third-party Internet portals (kiosks) (approved or not approved).

• Use of personally-owned or contractor-owned client devices (approved or not approved).

• Implementation of health check of client device before connection is allowed.

• Places where remote access is approved (home, hotels, airport, etc.).

• Roles and responsibilities:
  Which users or groups of users are and are not authorized to use organization's WLANs.
  Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment.

• WLAN infrastructure security:
  Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs.
  Types of information that may and may not be sent over WLANs, including acceptable use guidelines.

• WLAN client device security:
  The conditions under which WLAN client devices are and are not allowed to be used and operated.
  Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security.
  Limitations on how and when WLAN client's device may be used, such as specific locations.

• Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents.

• Guidelines for the protection of WLAN client devices to reduce theft.

(12) The IRS shall ensure the network access control solution supports wireless clients and solutions if wireless networking is implemented. (SRG-MPOL-035)

(13) IRS employees shall be responsible to ensure they only use the secured Wi-Fi: (IRS-defined)

1. Of approved hotels where they are staying; and

2. Installed at home

Note: The intent of this requirement is to avoid a situation where the employee is inadvertently using their neighbors Wi-Fi or a nearby hotel.

(1) Training materials shall be developed stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. (SRG-MPOL-019)

(1) Auditable events shall be logged and processed in accordance with IRM 10.8.3 Information Technology (IT), Security Audit Logging Security Standards.

(2) Wireless access point logging shall be enabled. (IRS-defined)

(3) Audit logs shall be reviewed in accordance with IRM 10.8.1 and IRM 10.8.3. (IRS-defined l)

(1) IRS Wireless networks and devices transmitting IRS information and/or connecting to an IRS network shall be authorized (i.e., Security Assessment and Authorization (SA&A)) in accordance with IRM 10.8.1.

(2) IRS wireless systems (including associated peripheral devices, operating systems, applications, network/Personal Computer (PC) connection methods, and services) shall be approved by the AO prior to installation and use for processing IRS information. (DISA STIG ID: WIR0005) (SRG-MPOL-017)

(3) Wireless devices (e.g., computers, smartphones, tablets) and support enterprise servers (e.g., BlackBerry Enterprise Servers, Good Servers) shall be incorporated into the appropriate security authorization documentation (e.g., System Security Plan) for the IT area that implements the devices within the IRS organization. (DISA STIG ID: WIR0020)

(4) Wireless remote access equipment, locations, and location types (e.g., site network Wi-Fi, home, hotel, public) approved for usage shall be documented in the appropriate System Security Plan (SSP). (DISA STIG ID: WIR0020)

(1) Configuration management procedures shall be developed for wireless devices to incorporate the requirements of IRM 10.8.1 and this IRM.

(2) In accordance with IRM 10.8.1, the IRS shall:

1. Establish and maintain baseline configurations and inventories of IRS information systems. (IRS-defined)

2. Establish and enforce security configuration settings for IT products installed on IRS information systems. (DISA STIG ID: WIR0020)

3. Monitor and control changes to the baseline configurations of IRS information systems throughout the respective System Development Life Cycle (SDLC) (i.e., IRS Enterprise Lifecycle (ELC)). (DISA STIG ID: WIR0020)

(3) Laptops with WLAN interfaces shall have the WLAN card radio set to OFF as the default setting. (DISA STIG ID: WIR0180)

(4) WLAN EAP-TLS implementation shall use certificate-based PKI authentication to connect to IRS networks. (DISA STIG ID: WIR0116)

(5) WLAN clients shall not be configured to connect to other WLAN devices without the user initiating a request to establish such a connection.(DISA STIG ID: WIR0185)

(6) WLAN-capable devices shall not use wireless peer-to-peer networks to connect to other devices.(DISA STIG ID: WIR0165)

(7) Security firmware updates and patches to wireless hardware and software components shall be fully tested and deployed as soon as they become available in accordance with IRM 10.8.50, Information Technology (IT) Security Servicewide Security Patch Management.

(8) A list shall be maintained of all mobile computing devices that are used to store, process, and transmit IRS data in accordance with inventory requirements defined inIRM 10.8.1 , IRM 10.8.26 Information Technology (IT) Security, Mobile Devices, Mobile Computing Device Management and Bring Your Own Device Security Policy , and IRM 2.14 Asset Management series.

(9) The list of approved wireless devices shall: (DISA STIG ID: WIR0015)

1. Be stored in a secure location and

2. Include, at a minimum, the following:

- Access point Media Access Control (MAC) address (WLAN only).

- Access point IP address (WLAN only).

- Wireless client MAC address.

- Network DHCP range (WLAN & Wireless Wide Area Network (WWAN) only.

- Type of encryption enabled.

- Access point Service Set Identifier (SSID) (WLAN only).

- Manufacturer, model number, and serial number of wireless equipment.

- Equipment location or who the device is issued to

- Assigned users with telephone numbers.

(10) The IRS IT organization shall create and document a list of network protocols within a mobile device deemed to be non-secure for remote access into IRS networks. (SRG-MPOL-002)

(1) Identification and Authentication requirements shall be in accordance with IRM 10.8.1.

(2) User authentication mechanisms for the management interfaces of wireless access points and devices shall be enabled. (DISA STIG ID:NET 1623)

(3) A password shall be enabled for each wireless client that connects to an IRS network or system. Passwords shall comply with IRM 10.8.1. (IRS-defined )

(4) Passwords shall be created and maintained in accordance with IRM 10.8.1 and the appropriate operating system IRM for the underlying OS where applicable.

1. Wireless devices shall have the default manufacturer passwords changed. (DISA STIG ID: NET 240)

(5) The fallback method for failed wireless authentication (e.g., forgotten passwords and lost smart cards) shall meet the same authentication requirements as the primary method. (IRS-defined ))

(1) Wireless networks and devices shall be incorporated into IT incident response capabilities and plans in accordance withIRM 10.8.1.

(1) ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

(2) ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

(3) Wireless maintenance activities shall be planned and scheduled in accordance with IRM 10.8.1.

(1) Media storage and protection controls shall be implemented in accordance with IRM 10.8.1.

(2) Prior to decommissioning or transferring to another government agency, wireless systems and other devices that will no longer be used by the IRS, all data (including configuration data) shall be sanitized from the host in accordance with IRM 2.14.1Information Technology (IT) Asset Management, IRM 2.7.4 IT Operations, Magnetic Media Management, and IRM 10.8.1. (IRS-defined )

(1) Physical access controls shall be employed to restrict the entry and exit of unauthorized personnel and prevent the removal or unauthorized modification of wireless devices installed in an IRS facility. (IRS-defined)

(2) All wireless network devices, such as Wireless Intrusion Detection System (WIDS) and wireless routers, access points, gateways, and controllers shall be: (DISA STIG ID: WIR0025) (SRG-MPOL-084)

1. Secured in such a manner to prevent tampering or theft; or

2. Located in a secure room with limited access.

(3) Wireless devices shall not be permitted or operated in areas where sensitive data is stored, processed, or transmitted unless the devices are approved by the appropriate AO and meet the requirements set forth within this IRM and IRM 10.8.1. (DISA STIG ID: WIR0040)

(4) External boundary protection mechanisms shall be in place around the perimeter of IRS facilities, as necessary and based on a documented risk assessment, to prevent unauthorized access to wireless systems. (IRS-defined )

(1) All users of mobile devices or wireless devices shall sign a user agreement before the mobile or wireless device is issued to the user. (DISA STIG-ID: WIR0030)

(2) Refer to the Planning section of IRM 10.8.1for additional guidance.

(1) Risk assessments of specific versions of wireless technology shall be conducted in accordance with Exhibit 10.8.40-1 Wireless Security :

(2) Deficiencies in conformance to the security exhibits shall be documented in risk assessment reports and brought to the attention of the system’s AO. (DISA STIG ID: WIR0005)

(3) Wireless solutions shall not be used if they are not compliant with the security compliance levels/thresholds established by Cybersecurity. (DISA STIG ID: WIR0005)

1. Refer to the Risk Assessment section ofIRM 10.8.1 for additional guidance.

(4) For wireless networks and devices that include wireless remote access, the risk assessment shall identify any additional risks and mitigation associated with non-government facilities. (DISA STIG ID: WIR0005)

(5) ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

≡ ≡

1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

≡

2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

≡ ≡

(6) Wireless access point range boundaries shall be tested to measure and establish the precise extent of the wireless coverage. (IRS-defined)

(1) Wireless products shall be acquired, accounted for, and inventoried in accordance with IRM 10.8.1. (IRS-defined)

(2) Wireless devices shall adhere to the IRS Enterprise Lifecycle (ELC) in accordance with IRM 10.8.1. (IRS-defined)

(3) The IRS shall only procure and deploy WPA2-Enterprise certified WLAN equipment and software for wireless systems that connect directly to IRS networks. (SRG-MPOL-024)

(1) Refer to Treasury Directive (TD) 86-02, Radio Frequency Management and IRM 10.8.1, for detailed telecommunication environment and services requirements.

(2) Personally owned or contractor owned CMDs shall not be used to transmit, receive, store, or process IRS information or connect to IRS networks without AO authorization. (DISA STIG ID: WIR0010-01)

(3) Privately owned Ethernet to Wi-Fi converters (e.g., wireless Ethernet bridges, wireless media adapters) shall not be connected to IRS laptops or workstations. (DISA STIG ID: WIR0010-01)

(4) Printers shall not be connected to an IRS network via a wireless connection. (IRS-defined)

(5) FIPS 140-2 validated (or later) encryption modules shall be used to encrypt unclassified sensitive data-at-rest on wireless devices (e.g., laptop, smartphone, tablet). (DISA STIG ID:WIR0190)

(1) Wireless system and information integrity protection shall be conducted in accordance with IRM 10.8.1. (IRS-defined)