
10.8.40  Wireless Security Policy

10.8.40.1  (01-30-2009)
Purpose

  1. This Internal Revenue Manual (IRM) establishes the minimum security controls and guidance for the design, implementation, and use of wireless networks and devices within the Internal Revenue Service (IRS) in order to:

    1. Protect the critical infrastructure and assets of the IRS against attacks that exploit wireless transmissions;

    2. Prevent unauthorized wireless deployments; and

    3. Enable wireless technologies that meet the security requirements of this policy and support the business needs of the organization.

10.8.40.1.1  (01-30-2009)
Overview

  1. This IRM lays the foundation to implement and manage secure wireless networks and devices within the IRS.

  2. While wireless communications can offer many benefits such as portability, flexibility, increased productivity, and lower installation costs, they can also pose significant risks to the critical infrastructure and assets of the IRS, if not properly implemented and secured. As new technologies are developed, they become a major source of new vulnerabilities for which security solutions must be developed and implemented.

  3. A report by the Government Accountability Office (GAO) titled Federal Agencies Need to Improve Controls over Wireless Networks (GAO-05-383) found that federal agencies need to better secure wireless devices and networks to protect federal information and information systems. The GAO report emphasized that it is crucial for agencies to develop wireless security policies, configure security tools to meet policy requirements, monitor the wireless networks, and train their staff in wireless security. Agencies must ensure that wireless network security is incorporated into their agency-wide information security programs in accordance with the Federal Information Security Management Act (FISMA).

10.8.40.1.2  (01-30-2009)
Scope

  1. This IRM applies to all wireless devices, services, and networks that store, process, or transmit Sensitive But Unclassified (SBU)/Controlled Unclassified Information (CUI) data or connect to an IRS network or system.

  2. This IRM applies to all IRS personnel, contractors, and visitors that enter IRS facilities or that have access to IRS information and information systems.

  3. Organizations may augment the specific security controls in this policy to increase the security levels for a wireless technology implementation if approved by the responsible Designated Accrediting Authority (DAA).

10.8.40.1.3  (01-30-2009)
IRM Section Topics

  1. This IRM contains information on the following subjects:

    • Purpose

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Deviations

    • IEEE 802.11 Robust Security Network (RSN) Security Checklist (see Exhibit 10.8.40-1)

    • Bluetooth Security Checklist (see Exhibit 10.8.40-2)

    • Wireless Portable Electronic Device (PED) / Personal Digital Assistant (PDA) Checklist (see Exhibit 10.8.40-3)

    • Wireless System Component(s) Checklist (see Exhibit 10.8.40-4)

    • Glossary (see Exhibit 10.8.40-5)

    • References (see Exhibit 10.8.40-6)

10.8.40.1.4  (01-30-2009)
Authority

  1. The requirements in this IRM supplement the management, operational, and technical controls defined in IRM 10.8.1, IT Security Policy and Guidance, to include comprehensive guidance on wireless technologies and communications.

  2. FISMA requires Federal Agencies to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure integrity, availability, and confidentiality of data and systems.

  3. The requirements and guidance identified in this IRM for wireless networks and devices must comply with IRM 10.8.1.

  4. This IRM is not to contradict nor alter the meaning of requirements stated in IRM 10.8.1. In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 has precedence unless specifically noted otherwise.

10.8.40.2  (01-30-2009)
General Policy

  1. Wireless devices, services, and technologies that are integrated or connected to IRS networks shall be considered part of those networks and comply with IRM 10.8.1.

  2. Wireless networks and devices transmitting Sensitive But Unclassified (SBU) information/Controlled Unclassified Information (CUI) and/or connecting to the IRS network shall obtain Certification and Accreditation (C&A) in accordance with IRM 10.8.1, TD P 85-01, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

  3. A Wireless Intrusion Detection System (WIDS) shall monitor the IRS 802.11 wireless environment across all IRS facility spaces and immediate surrounding areas.

  4. Identification and authentication measures shall be implemented for both wireless clients and users.

  5. Encryption of wirelessly transmitted SBU/CUI information shall be in accordance with IRM 10.8.1.

  6. This IRM shall be regularly evaluated and updated in accordance with IRM 10.8.1.

10.8.40.2.1  (01-30-2009)
Roles and Responsibilities

  1. IRM 10.8.2, Information Technology Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental requirements provided below are specific to the implementation of IRS wireless security controls. Refer to IRM 10.8.2 for additional information regarding organizational and individual responsibilities related to information and computer security.

10.8.40.2.1.1  (01-30-2009)
Senior Management/Executives

  1. The DAA shall approve or disapprove requests for deploying Wireless Local Area Network routers and hubs to connect end-user desktop computers or PDA devices.

10.8.40.2.1.2  (01-30-2009)
Associate Chief Information Officer (ACIO), Cybersecurity

  1. The Computer Security and Incident Response Center (CSIRC), within Cybersecurity, shall operate and maintain a Wireless Intrusion Detection System (WIDS) in accordance with System and Information Integrity section of this IRM.

10.8.40.2.1.3  (01-30-2009)
Network Administrator (NA)

  1. Network administrators (NAs) shall be responsible for maintaining the configuration of wireless networks or network devices under their control in accordance with the requirements of this IRM.

10.8.40.2.1.4  (01-30-2009)
System Administrator

  1. System administrators (SAs) shall be responsible for maintaining the configuration of wireless systems or portable electronic devices under their control in accordance with the requirements of this IRM.

10.8.40.3  (01-30-2009)
Management Controls

  1. The IRS shall implement management security controls to mitigate risk of IT applications and electronic information loss in order to protect the organization's mission (see IRM 10.8.1 for general information and computer security management control requirements).

  2. Additional management controls specific to wireless systems, networks, and devices are provided below in the following areas:

    1. Risk Assessment

    2. Planning

    3. System and Services Acquisition

    4. Certification, Accreditation, and Security Assessments

10.8.40.3.1  (01-30-2009)
Risk Assessment

  1. Risk assessments of the wireless controls of Wireless LAN, Bluetooth, Portable Electronic/Personal Digital Assistant systems, and Wireless System Components shall be conducted using the Security Checklist provided in Exhibit 10.8.40-1, Exhibit 10.8.40-2, Exhibit 10.8.40-3 and Exhibit 10.8.40-4 of this IRM. Deficiencies in conformance to the Security Checklists by applications or General Support Systems (GSSs) shall be documented in risk assessment reports and brought to the attention of the system’s Designated Accrediting Authority (DAA).

  2. For wireless networks and devices that include wireless remote access, the risk assessment shall identify any additional risks and mitigation associated with non-government facilities.

  3. A site survey shall be performed at regular (at least annually) and random intervals (including validating that rogue access points do not exist in the infrastructure) to identify aspects of the network security posture inconsistent with this policy.

  4. Wireless access point range boundaries shall be empirically tested to measure and establish the precise extent of the wireless coverage.

10.8.40.3.2  (01-30-2009)
Planning

  1. Regardless of the type of wireless technology or platform that may emerge in the future that impacts the IRS or meets a specific IRS business need, all wireless technologies and solutions must meet the minimum security requirements established by this policy and obtain full certification and accreditation in accordance with IRM 10.8.1.

  2. The IRS will adopt as policy and adhere to future Treasury directives, NIST guidance on wireless security standards, and guidelines that are applicable to the organization.

  3. The IRS shall track the progress of 802.11 and other emerging wireless security products, standards, and associated threats and vulnerabilities.

10.8.40.3.3  (01-30-2009)
System and Services Acquisition

  1. Wireless devices shall be acquired and provided by Modernization and Information Technology Services (MITS), Criminal Investigation (CI), or Chief Counsel.

  2. Wireless networks and systems shall adhere to the System Development Life Cycle in accordance with IRM 10.8.1.

10.8.40.3.4  (01-30-2009)
Certification, Accreditation, and Security Assessments

  1. All wireless networks and devices shall obtain Certification and Accreditation (C&A) in accordance with IRM 10.8.1.

  2. Only authorized wireless technologies and devices that are certified and accredited by MITS and the ACIO Cybersecurity shall be used within the organization.

  3. Wireless networks shall not be used until they comply with this IRM.

10.8.40.4  (01-30-2009)
Operational Controls

  1. The IRS shall implement operational security controls, which are primarily implemented and executed by personnel for each information system (see IRM 10.8.1 for general information and computer security operational control requirements).

  2. Additional operational controls specific to wireless systems, networks, and devices are provided below in the following areas:

    1. Physical and Environmental Protection

    2. Configuration Management

    3. Maintenance

    4. System and Information Integrity

    5. Media Protection

    6. Incident Response

    7. Awareness and Training

10.8.40.4.1  (01-30-2009)
Physical and Environmental Protection

  1. Security measures shall be in place to protect wireless routers, communications equipment, and data from physical damage, theft, power surges, electrostatic discharge, magnetic fields, water, overheating, and other physical threats.

  2. Physical access controls shall be utilized to restrict the entry and exit of unauthorized personnel and prevent the removal or unauthorized modification of wireless devices installed in an IRS facility. Refer to IRM 10.8.1 and IRM 1.16, Physical Security Program, for additional guidance on physical and environmental controls.

  3. External boundary protection mechanisms shall be in place around the perimeter of IRS facilities to prevent unauthorized access to wireless communications.

  4. Wireless access points and devices shall be set to the lowest necessary and sufficient power level so that transmissions remain within the range required for device communication.

  5. Directional antennae shall be used where possible to limit unauthorized access to 802.11 Access Points (APs).

  6. Wireless access points shall be located on the interior of buildings instead of near exterior walls and windows.

10.8.40.4.2  (01-30-2009)
Configuration Management

  1. MITS shall maintain the baseline configuration for wireless technologies that will be deployed in the IRS environment, in emergency situations, or in temporary or conditional situations.

  2. Security firmware updates and patches to wireless hardware and software components shall be fully tested and deployed as soon as they become available in accordance with IRM 10.8.50, Service-wide Security Patch Management.

  3. All wireless access points and wireless devices shall be inventoried in accordance with IRM 10.8.1.

10.8.40.4.3  (01-30-2009)
Maintenance

  1. The reset function of wireless access points and devices shall only be used when needed and only invoked by authorized individuals.

  2. Wireless access points and devices shall be restored to the latest security settings when the reset functions are used.

10.8.40.4.4  (01-30-2009)
System and Information Integrity

  1. MITS approved anti-virus and personal firewall software shall be installed on all wireless clients that process or store SBU/CUI data.

  2. A WIDS shall monitor network traffic on the 802.11 radio frequency space. To consistently and confidently monitor signals, the system must monitor the complete ISM (Industrial, Scientific, and Medical) bands used for the Institute of Electrical and Electronics Engineers (IEEE) 802.11, including 2.4 GHz and 5 GHz.

    1. WIDS agents shall be deployed in the 802.11 wireless environment to detect suspicious behavior and unauthorized wireless access or activity.

    2. The WIDS shall monitor wireless 802.11 networks and devices in accordance with the policy on Wireless Intrusion Detection Systems (WIDS).

    3. The WIDS shall detect and log the following minimum events in accordance with the IRM 10.8.1 requirements for monitoring protection at least monthly:

    • Unauthorized radio transmitters;

    • Unauthorized clients attempting to associate with an access point (AP) connected to an IRS network;

    • Authorized devices communicating with unauthorized devices;

    • Denial of service attacks (DoS) and interference; and

    • See LEM 10.8.3, Audit Logging Security Standards, for additional auditing requirements.
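The four minimum event classes above map naturally onto rules applied to what a WIDS sensor observes in the 802.11 space. The following is an added example, not IRS code or a vendor product: it classifies a batch of simplified frame observations against constructed inventories of authorized APs (by BSSID) and issued clients (by MAC). The inventories, the frame records, and the deauthentication-flood threshold are all assumptions made for illustration.

```python
"""
WIDS-style event classifier covering the four minimum event classes listed
above. Added example, not IRS code; the authorized inventories, the simplified
frame records and the deauth threshold are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed inventories: BSSIDs of IRS-managed APs and MACs of issued clients.
AUTHORIZED_APS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
AUTHORIZED_CLIENTS = {"00:aa:bb:cc:dd:10", "00:aa:bb:cc:dd:11"}
AUTHORIZED = AUTHORIZED_APS | AUTHORIZED_CLIENTS
# Constructed threshold: this many deauthentication frames against one BSSID in
# a single monitoring batch is treated as a denial-of-service indicator.
DEAUTH_FLOOD_THRESHOLD = 20


@dataclass(frozen=True)
class Frame:
    """Simplified 802.11 observation as a sensor might report it."""
    subtype: str  # "beacon", "assoc_req", "data", or "deauth"
    src: str      # transmitter address
    dst: str      # receiver address
    bssid: str    # BSSID the frame belongs to


def classify(frames):
    """Map a batch of frames to the policy's minimum WIDS events."""
    events = []
    deauth_per_bssid = Counter()
    for f in frames:
        if f.subtype == "beacon" and f.src not in AUTHORIZED_APS:
            # Beacon from a BSSID not in inventory: unauthorized radio transmitter (rogue AP).
            events.append(("unauthorized_transmitter", f.src))
        elif f.subtype == "assoc_req" and f.bssid in AUTHORIZED_APS and f.src not in AUTHORIZED_CLIENTS:
            # Unknown client trying to join an AP connected to the IRS network.
            events.append(("unauthorized_client_assoc", f.src, f.bssid))
        elif f.subtype == "data" and (f.src in AUTHORIZED) != (f.dst in AUTHORIZED):
            # Exactly one endpoint is authorized: an authorized device talking to an unauthorized one.
            events.append(("authorized_to_unauthorized", f.src, f.dst))
        elif f.subtype == "deauth":
            # Source addresses of deauth frames may be spoofed, so count per targeted BSSID.
            deauth_per_bssid[f.bssid] += 1
    for bssid, n in sorted(deauth_per_bssid.items()):
        if n >= DEAUTH_FLOOD_THRESHOLD:
            events.append(("deauth_flood", bssid, n))
    return events


def sample_frames():
    """Constructed monitoring batch exercising each event class once."""
    rogue_ap = "de:ad:be:ef:00:01"
    unknown_client = "00:aa:bb:cc:dd:99"
    frames = [
        Frame("beacon", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff", "00:11:22:aa:bb:01"),   # legitimate AP
        Frame("beacon", rogue_ap, "ff:ff:ff:ff:ff:ff", rogue_ap),                           # rogue AP
        Frame("assoc_req", unknown_client, "00:11:22:aa:bb:01", "00:11:22:aa:bb:01"),      # unknown client
        Frame("assoc_req", "00:aa:bb:cc:dd:10", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01"), # issued client
        Frame("data", "00:aa:bb:cc:dd:11", rogue_ap, rogue_ap),                             # issued client -> rogue
        Frame("data", "00:aa:bb:cc:dd:10", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01"),      # normal traffic
    ]
    # 25 deauthentication frames aimed at the second authorized AP.
    frames += [Frame("deauth", "00:11:22:aa:bb:02", "ff:ff:ff:ff:ff:ff", "00:11:22:aa:bb:02")] * 25
    return frames


if __name__ == "__main__":
    for event in classify(sample_frames()):
        print(event)
```

Each event tuple is what would be written to the audit log that LEM 10.8.3 governs; in a deployment the inventories would come from the asset inventory required under Configuration Management rather than from constants.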

10.8.40.4.5  (01-30-2009)
Media Protection

  1. When wireless access points or other devices will no longer be used by the IRS, configuration and data shall be sanitized to prevent disclosure of network configuration, keys, passwords, etc. in accordance with IRM 10.8.1 and IRM 2.14.1, Information Technology Asset Management.

10.8.40.4.6  (01-30-2009)
Incident Response

  1. Wireless networks and devices shall be incorporated into IT incident response capabilities and plans in accordance with IRM 10.8.1.

10.8.40.4.7  (01-30-2009)
Awareness and Training

  1. All IRS employees and contractors shall receive training in accordance with the training and awareness requirements detailed in IRM 10.8.1 to also include the use and risk of wireless technologies within the agency.

  2. All IRS employees and contractors designing or implementing a wireless technology or solution shall receive specialized training to fully understand the wireless technology or solution and its associated risks.

    1. The DAA shall be responsible for identifying and ensuring specialized training to meet the above requirement.

  3. All managers of employees in sensitive positions using wireless devices shall ensure employees receive a briefing at least quarterly to maintain awareness of the risks associated with wireless devices and the potential risk to IRS information.

10.8.40.5  (01-30-2009)
Technical Controls

  1. The IRS shall implement technical security controls and ensure the design of IT systems that process, store, or transmit all information shall include, at a minimum, the technical security requirements discussed in this IRM (see IRM 10.8.1 for general information and computer security technical control requirements).

  2. Additional technical controls specific to wireless systems, networks, and devices are provided below in the following areas:

    1. Identification and Authentication

    2. Access Control

    3. Audit and Accountability

    4. System and Communications Protection

10.8.40.5.1  (01-30-2009)
Identification and Authentication

  1. Wireless networks and devices shall perform mutual authentication for all accesses to IRS systems or networks.

    1. Wireless Local Area Networks (WLANs) shall use mutual authentication via 802.1x and the Extensible Authentication Protocol (EAP).

  2. User authentication mechanisms for the management interfaces of wireless access points and devices shall be enabled.

  3. A "power-on" password shall be enabled for each wireless client that connects to an IRS network or system. Passwords shall comply with IRM 10.8.1.

  4. A fallback method for failed wireless authentication (e.g., forgotten passwords and lost smart cards) shall be at least as strong as the primary method.

10.8.40.5.2  (01-30-2009)
Access Control

  1. Privately-owned wireless network interface cards (NICs) shall not be connected to IRS equipment or used to process, access, or store IRS data.

  2. Wireless access points shall be turned off or disabled when they are not needed for business operations.

10.8.40.5.2.1  (01-30-2009)
Wireless Remote Access

  1. Remote wireless desktop or laptop clients shall be properly configured for use with the Enterprise Remote Access Project (ERAP) to leverage IPSec-based VPN technology for remote wireless communications.

  2. Remote wireless communication shall comply with the settings and requirements of ERAP.

  3. Connectivity to a personal or public wireless access point using IRS-owned desktop, laptop, or PED clients without properly configured ERAP and PC-based firewall software shall not be permitted unless authorized in writing by the DAAs of the system requesting connectivity and the DAA of the resource being accessed in accordance with IRM 10.8.1. Systems or devices connected in this manner shall not be connected or reconnected to an IRS network, and such a connection shall not process, store, or transmit SBU/CUI data.

  4. Users with administrator privileges shall not alter any security component configurations or settings on their laptop or desktop without written approval of the DAA.

  5. All wireless remote configurations shall be approved by ACIO Cybersecurity in accordance with ELC processes.

10.8.40.5.3  (01-30-2009)
Audit and Accountability

  1. All IRS devices and systems that connect to a wireless technology or device must ensure compliance with IRM 10.8.1 and LEM 10.8.3, Audit Logging Security Standards.

  2. Wireless access point logging shall be enabled and audit logs shall be reviewed in accordance with IRM 10.8.1 and LEM 10.8.3.

10.8.40.5.4  (01-30-2009)
System and Communications Protection

  1. Refer to Treasury Directive 86-02 (Radio Frequency Management), IRM 10.8.1 (IT Security Policy and Standards), IRM 2.13.2 (Telecommunications Asset Too - Waste, Fraud and Abuse) for detailed telecommunication environment and services requirements.

  2. The security controls established in this policy shall apply in the absence of specific security policy for all current and future telecommunications technologies (including conventional, wired, open path or closed path optical, guided media, infrared, cable TV, satellite technologies, data, voice, video, Private Branch Exchange (PBX), Global Positioning System (GPS), or other Wireless Wide Area Network (WWAN)) that use or implement wireless technologies.

10.8.40.5.4.1  (01-30-2009)
Wireless Local Area Network (WLAN) Infrastructure

  1. Wireless Local Area Network (WLAN) routers and hubs may be deployed to connect end-user desktop computers and PDA devices only with prior approval from the appropriate DAA.

  2. The design, implementation, or use of a WLAN infrastructure that stores, processes, or transmits SBU/CUI data must comply with the IEEE 802.11i wireless security standard and use WPA2 (Wi-Fi Protected Access 2)-certified equipment and software.

    1. The IEEE 802.11i Robust Security Network (RSN) framework shall be used with IEEE 802.1x authentication to establish a secure wireless connection between WLAN devices.

    2. AES (Advanced Encryption Standard), with a minimum of 256 bit encryption, shall be used to support integrity and confidentiality services.

    3. CCMP (Counter-mode/CBC-MAC Protocol) shall be used to handle both packet authentication and encryption.

    4. The pairwise master key (PMK) shall have a lifetime of 24 hours or less.

    5. The group master key (GMK) shall have a lifetime of 8 hours or less.

  3. Servers resident in a computing center shall not use wireless interfaces to connect to the enterprise network.

  4. The default SSID (Service Set Identifier) shall not be used. The SSID character string shall not reflect the IRS name or products.

  5. The broadcast SSID feature shall be disabled so that the client SSID must match that of the AP.

  6. Default parameters of wireless access points shall be changed.

  7. All insecure and non-essential management protocols of access points shall be disabled. Insecure protocols include, but are not limited to, Simple Network Management Protocol (SNMP) v1, telnet, FTP, and others identified within IRM 10.8.1. A non-essential protocol is one that is not required for normal business operations.

  8. Security features of the WLAN product shall be enabled, including cryptographic authentication and Advanced Encryption Standard (AES) encryption.

  9. Default keys shall be replaced with randomly-generated unique keys.

  10. Layer 2 switches shall be used in lieu of hubs for access point connectivity where possible.

  11. "Ad hoc mode" for 802.11 shall be disabled unless the environment is such that the risk is accepted and approved by the designated DAA.

  12. Management traffic destined for wireless access points shall be segregated from other network communications.

  13. SNMPv3 and SSL/TLS shall be used for Web-based management of wireless access points.
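Items 2 through 13 above amount to a checklist that can be applied mechanically to an access point's configuration. The following is an added example, not IRS tooling or a vendor format: it parses a simple key=value configuration (an assumed format) and reports each deviation from the requirements, with a weak configuration shown beside a compliant one. The list of factory-default SSIDs and the treatment of plain HTTP as an insecure management protocol are assumptions; the key-size and key-lifetime limits are taken from the items above as written.

```python
"""
Access-point configuration compliance check for the WLAN infrastructure items
above. Added example; the key=value format, DEFAULT_SSIDS and the sample
configurations are constructed, not a real vendor format or IRS tooling.
"""

DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless", "dlink"}  # constructed sample of factory names
INSECURE_MGMT = {"snmpv1", "telnet", "ftp", "http"}  # item 7; plain http added as an assumption (item 13)
REQUIRED_MGMT = {"snmpv3", "https"}                  # item 13: SNMPv3 and SSL/TLS for web management
PMK_MAX_SEC = 24 * 3600                              # item 2.4
GMK_MAX_SEC = 8 * 3600                               # item 2.5
AES_MIN_BITS = 256                                   # item 2.2, as stated in this IRM


def parse(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip().lower()
    return cfg


def _int(cfg, key):
    """Integer value of a setting, or None when absent or malformed."""
    try:
        return int(cfg.get(key, ""))
    except ValueError:
        return None


def check(cfg):
    """Return a list of findings; an empty list means the AP configuration passes."""
    findings = []
    ssid = cfg.get("ssid", "")
    if ssid in DEFAULT_SSIDS or "irs" in ssid:
        findings.append(f"ssid '{ssid}' is a default or reflects the agency name (item 4)")
    if cfg.get("ssid_broadcast") != "off":
        findings.append("SSID broadcast is enabled (item 5)")
    if cfg.get("auth") != "wpa2-enterprise":
        findings.append("authentication is not 802.1X/EAP mutual authentication (item 2.1)")
    if cfg.get("cipher") != "aes-ccmp":
        findings.append("cipher is not AES-CCMP (items 2.2 and 2.3)")
    bits = _int(cfg, "aes_key_bits")
    if bits is None or bits < AES_MIN_BITS:
        findings.append(f"AES key size {bits} is below {AES_MIN_BITS} bits (item 2.2)")
    pmk = _int(cfg, "pmk_lifetime_sec")
    if pmk is None or pmk > PMK_MAX_SEC:
        findings.append(f"PMK lifetime {pmk}s exceeds 24 hours (item 2.4)")
    gmk = _int(cfg, "gmk_lifetime_sec")
    if gmk is None or gmk > GMK_MAX_SEC:
        findings.append(f"GMK lifetime {gmk}s exceeds 8 hours (item 2.5)")
    protocols = {p.strip() for p in cfg.get("mgmt_protocols", "").split(",") if p.strip()}
    insecure = sorted(protocols & INSECURE_MGMT)
    if insecure:
        findings.append(f"insecure management protocols enabled: {', '.join(insecure)} (item 7)")
    missing = sorted(REQUIRED_MGMT - protocols)
    if missing:
        findings.append(f"required secure management protocols missing: {', '.join(missing)} (item 13)")
    if cfg.get("adhoc") != "off":
        findings.append("ad hoc mode is enabled (item 11)")
    return findings


# Constructed sample: factory-like settings that violate every checked item.
WEAK_CONFIG = """
ssid=linksys
ssid_broadcast=on
auth=wpa2-psk
cipher=tkip
aes_key_bits=128
pmk_lifetime_sec=604800
gmk_lifetime_sec=86400
mgmt_protocols=telnet,ftp,snmpv1,http
adhoc=on
"""

# Constructed sample: the same AP after hardening to the items above.
HARDENED_CONFIG = """
ssid=bldg7-floor3-net
ssid_broadcast=off
auth=wpa2-enterprise
cipher=aes-ccmp
aes_key_bits=256
pmk_lifetime_sec=43200
gmk_lifetime_sec=14400
mgmt_protocols=snmpv3,https
adhoc=off
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check(parse(text))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

A missing or malformed numeric setting is reported as a finding rather than silently passing, which is the behaviour a risk assessment under Exhibit 10.8.40-1 would want when a setting cannot be confirmed.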

10.8.40.5.4.1.1  (01-30-2009)
Wireless Application Servers

  1. Wireless Application Servers (e.g., BlackBerry Enterprise Servers or other communication servers that act as a gateway between a server and a wireless client) shall obtain certification and accreditation in accordance with IRM 10.8.1.

  2. Data exchange shall be encrypted in accordance with the Encryption Standards of this IRM.

  3. No data shall be staged within a temporary server between a wireless application server and client.

  4. Wireless application servers shall have the latest virus scanning and security patches installed and updated to detect and prevent viruses and other malicious content from infecting the corporate network.

10.8.40.5.4.1.1.1  (01-30-2009)
BlackBerry Enterprise Server

  1. The BlackBerry Enterprise Server (BES) and BlackBerry PDA shall meet FIPS 140-2 standards for encryption based on NIST standards.

  2. All BESs and BlackBerry PDAs shall be approved by the GSS DAA and a risk assessment shall be documented in a Security Assessment Report (SAR).

  3. The BES and BlackBerry PDA shall be incorporated into the GSS Security Plan for each MITS area that implements a BES and BlackBerry PDA within the IRS organizations.

  4. IT Policy rules shall be set within the BES to implement the security requirements of this IRM and IRM 10.8.1.

  5. Peer-to-peer (PIN-to-PIN) and other instant messaging capabilities shall be disabled on BlackBerry PDAs. Exceptions to this requirement shall be based on risk assessment, operational need, and GSS DAA approval.

  6. Public instant messaging services shall not be used or configured on the BlackBerry PDA.

  7. BlackBerry PDAs shall not be used to access internal websites or applications with the exception of IRS email.

  8. Content filtering rules and site restrictions shall be implemented in accordance with the IRS Internet access and the Firewall policy.

  9. Split-pipe connections shall not be permitted.

  10. All outbound email shall be transmitted through MITS. All other email services and forwarding shall be disabled.

  11. All PDAs connected to the IRS network shall be IRS-issued devices obtained based on job function necessity. Based on analysis of risk, repercussions of use, and technology evolvement, personally-owned PDAs shall not be connected to the IRS network.

10.8.40.5.4.1.2  (01-30-2009)
Wireless Clients

  1. IRS-issued/approved wireless desktop, laptop, and PED clients approved for use by the responsible DAA shall be used and configured in accordance with the security requirements and encryption standards of this IRM and IRM 10.8.1.

  2. Wireless laptops shall comply with IRM 10.8.26, Laptop Computer Security Policy.

10.8.40.5.4.2  (01-30-2009)
Wireless Portable Electronic Devices (PEDs)

  1. Only government-owned wireless Portable Electronic Devices (PEDs) shall be used for conducting official government business, transmitting SBU/CUI data, or connecting to a government computer system.

  2. Personally owned PEDs shall not be used to transmit, receive, store, or process SBU/CUI.

    1. If the employee is in a position that requires a wireless device to complete their job responsibilities, then it shall be requested through their Manager and the MITS Information Technology Helpdesk.

    2. If an employee is on business travel and does not normally require a wireless device to complete their job responsibilities, then they shall request a loaner device through their Manager and the MITS Information Technology Helpdesk.

    3. If the employee has an urgent business call while on business travel, a land line shall be the preferred method for conducting such calls. If the employee chooses to use their personal cell phone, that shall be considered a personal choice by the user and the government shall not incur costs associated with calls or maintenance of personal wireless equipment.

  3. Wireless PEDs that are connected directly to an IRS 802.11 network shall comply with the requirements of the Wireless Local Area Network (WLAN) section of this IRM.

  4. Wireless PEDs that are connected directly to an IRS-wired network (e.g., via a hot-synch connection to a workstation) shall not be permitted to operate wirelessly while directly connected.

  5. Wireless PEDs that process SBU/CUI information are subject to a full certification and accreditation. Prior to use, the GSS Information System Security Officer (ISSO) and GSS DAA shall determine the security risk and document the assessment of risk in a Security Assessment Report (SAR).

  6. Wireless PEDs shall not connect to a government computer system that processes classified information.

  7. Wireless PEDs shall be restricted from any area where classified government systems process information or where classified information is discussed.

  8. Users shall immediately report a lost or stolen IRS wireless PED to CSIRC and TIGTA.

  9. Wireless PEDs and add-on modules shall be stored securely when left unattended in accordance with IRM 10.8.1.

  10. Refer to the Portable Electronic Devices section of IRM 10.8.1 for additional security requirements.

10.8.40.5.4.2.1  (01-30-2009)
Wireless Personal Digital Assistants (PDAs)

  1. Desktop application-mirroring software shall be password-protected.

  2. Wireless PDAs shall have timeout mechanisms that automatically prompt the user for a password after a period of inactivity as specified in IRM 10.8.1.

  3. Wireless PDAs shall be synchronized with their corresponding desktop or laptop regularly.

  4. Communication ports shall be turned off when not needed for business operations.

  5. Only approved wireless applications identified within the Enterprise Architecture’s Enterprise Standards Profile (ESP) shall be allowed or downloaded on a wireless IRS PDA. No automatic downloading of wireless applications shall be performed on the PDAs.

  6. Wireless PDAs shall be sanitized in accordance with IRM 10.8.1 prior to reuse by another individual or office within the IRS.

  7. All SBU/CUI data communicated wirelessly between a PDA and laptop, desktop, or wireless application server shall be encrypted according to this IRM and IRM 10.8.1.

  8. Wireless PDAs shall have a profile with the security controls established in this policy, and the profile shall be pushed from the cradle synch or a wireless application server to the user PDA.

  9. Users shall be prevented from changing the user profile on wireless PDAs.

  10. The number of times a wireless PDA user is allowed to decline when prompted to change the password and update the PDA shall be limited to a specified number of attempts before being locked out.

10.8.40.5.4.2.2  (01-30-2009)
Bluetooth

  1. Bluetooth is an open standard for short-range digital radio signals used for creating small wireless networks on an ad hoc basis. The requirements in this section shall apply to Bluetooth technology as well as any other ad hoc network and Wireless Personal Area Network (WPAN) for which this policy does not provide specific guidance.

  2. The end user shall visually inspect the environment for privacy before Bluetooth initialization procedures during which key exchanges occur.

  3. PIN codes shall be changed from the default to be random.

  4. Combination keys shall be used in place of unit keys.

  5. Link encryption shall be invoked for all Bluetooth connections.

  6. Encryption shall be enabled on every link in the communication chain for Bluetooth communications.

  7. Security Mode 2 (service level enforced security) shall be used for devices that will always reside inside an IRS facility.

  8. All broadcast messages shall implement Encryption Mode 3 so that all traffic is encrypted with the master key.

  9. Encryption key sizes shall be at least 128-bits as defined in NIST SP 800-57, Recommendation for Key Management.

  10. Portable devices with Bluetooth interfaces shall be configured with a password to prevent unauthorized access if lost or stolen.

  11. Bluetooth communications shall be used for transmission in accordance with IRM 10.8.1.

10.8.40.5.4.2.2.1  (01-30-2009)
Bluetooth Headsets

  1. Business and functional units shall establish management controls that ensure IRS-procured Bluetooth headsets are inventoried, administered, and returned during employee separations or reassignments.

  2. Use of Bluetooth headsets (e.g., earpieces) whether government issued or personally owned to conduct IRS business shall only be carried out with the approval of the employee’s manager.

  3. IRS procured Bluetooth headsets shall be placed on the Agency-Wide Shared Services (AWSS) Restricted Purchase List.

  4. The MITS DAA for Voice Services, in collaboration with the MITS DAA for End-User Equipment & Services (EUES), shall develop a Bluetooth Approved Products List. This Approved Products List shall be used by all IRS employees when procuring Bluetooth headsets.

  5. Bluetooth headsets shall not have any capabilities beyond voice communication and encryption.

  6. Employees shall not communicate IRS sensitive information while utilizing a Bluetooth headset. Refer to the Telecommunication Devices section of IRM 10.8.1 for additional information related to situations where job function requires this specific type of communication.

  7. If the employee is in a position that requires a Bluetooth headset device to complete their job responsibilities, then permission for its use shall be requested through their manager.

    1. If the employee has business calls, a land line remains the preferred method for conducting such calls. If the employee chooses to use their personal cell phone or an IRS provided cell phone with their personal Bluetooth headset, that shall be considered a personal choice by the user and the government shall not incur costs associated with calls or maintenance of personal wireless headsets. Refer to the Wireless Portable Electronic Devices section of this IRM for additional information.

10.8.40.5.4.2.3  (01-30-2009)
Wireless Voice/Data Communications & Cellular Telephones

  1. Wireless voice/data communications across an Internet Protocol (e.g., VoIP) and any other multi-functional wireless devices (e.g., devices with additional wireless capabilities beyond voice communication) shall comply with all requirements of this IRM and IRM 10.8.1.

  2. Refer to IRM 10.8.1 for additional guidance related to telecommunication devices and personally-owned equipment and software.

    Note:

    Based on analysis of risk, repercussions of use, and technology evolvement, personally-owned wireless communication devices shall not be used to communicate IRS sensitive information.

10.8.40.5.4.2.4  (01-30-2009)
Wireless System Components

  1. Wireless system components including, but not limited to, keyboards, mice, headphones, and printers shall be approved by the appropriate DAA prior to installation. The use and operation of these components shall be in accordance with the applicable requirements of this IRM.

  2. A security checklist shall be completed and signed by the manager, or by the employee servicing organization(s), such as the Equal Employment Opportunity (EEO) organization, that submit requests on behalf of employee(s), prior to authorizing/requesting wireless system components.

  3. A completed security checklist shall be provided to the approving executive (DAA) as part of the approval process (see the Wireless System Component(s) Security Checklist, Exhibit 10.8.40-4 of this IRM, for further detail).

  4. Employees in positions that engage taxpayers (sensitive positions) and/or process SBU/CUI are required to meet the mandated encryption requirement outlined in IRM 10.8.1 and this IRM.

    1. For employees that do not process SBU/CUI data or are not in sensitive positions, the employees' management shall certify that the wireless device(s) are not being issued to employees that either process SBU/CUI data or hold a sensitive position.

    2. If you are not in a sensitive position and do not process sensitive information, you are allowed to obtain an IRS-issued wireless headset (see IRM 10.8.1, available at http://mass.web.irs.gov/ITSec/LawsRegs.asp, for definitions and information related to Sensitive Information, SBU, CUI, and PII).

10.8.40.5.4.3  (01-30-2009)
Radio Frequency Identification (RFID)

  1. Radio Frequency Identification (RFID) shall not be used to transmit SBU/CUI data, but may be used for asset tagging, identification, and tracking.

  2. Sensitive information shall not be recorded on or within RFID tags (see IRM 10.8.1 for guidance on sensitive information).

  3. The IRS shall provide notice and full disclosure on the use of RFID to those employees using an RFID application or system.

10.8.40.5.4.4  (01-30-2009)
Encryption Standards

  1. All wireless transmissions of sensitive information shall be encrypted utilizing FIPS 140-2 validated encryption modules in accordance with IRM 10.8.1.

  2. Wireless encryption key sizes shall be at least 128 bits in strength as defined by NIST SP 800-57.

  3. Encryption shall be determined based on the sensitivity of the data on the network and the processor speeds of the computers.

  4. The information stored or transmitted through a wireless network or device must be assessed to determine the sensitivity of the information and determine the necessary security controls.

  5. Encryption of sensitive files and/or directories contained on laptops shall be used in accordance with IRM 10.8.26, Laptop Computer Security Policy.

10.8.40.6  (10-31-2008)
Deviations

  1. Deviations from this policy shall be submitted in accordance with IRM 10.8.1.

  2. Use Form 13125, as described in the deviation Standard Operating Procedures (SOPs) provided on the Cybersecurity Web site.

Exhibit 10.8.40-1  (01-30-2009)
IEEE 802.11 Robust Security Network (RSN) Security Checklist

IEEE 802.11 RSN Requirements
Columns: Requirement | Component Impacted | Completion Status
Initiation Phase
1. Ensure completion of a full assessment of risk to understand WLAN threats, the likelihood that those threats will be realized, and the potential impact of realized threats on the value of IRS assets. ALL  
2. Establish a WLAN usage policy that specifies which user communities are authorized to use WLAN technology and for what purposes. STA / AP/ AS  
3. Ensure all WLAN devices comply with all applicable security IRM requirements. ALL  
4. Ensure physical protection of WLAN devices physically attached to the IRS network in accordance with IRM 1.16 restricted access/space requirements. STA/ AP/ AS  
5. Ensure all connections to IRS WLANs are based on an IEEE 802.11i RSNA using IEEE 802.1X/EAP authentication. STA  
6. Establish or enhance operating system and application security configuration standards for laptops and other potential STAs to account for WLAN risks. STA  
7. Establish or enhance operating system and application security configuration standards for the AS. AS  
8. Ensure administration and network management of WLAN infrastructure equipment (e.g., APs and ASs) involve strong authentication and encryption of all communication. AP / AS  
9. Ensure user training about the risks of WLAN technology and how to mitigate those risks. ALL  
10. If applicable, develop or revise the IRS PKI certificate policy, certification practice statement, and related processes to support the WLAN solution. STA / AS  
11. Ensure two-factor authentication for WLAN connectivity. STA / AS  
12. Establish requirements for a WLAN intrusion detection system. STA / AP / DS  
13. Utilize the services of security professionals to assist with WLAN security issues if the requisite skill sets are not currently available in the IRS. ALL  
14.  Ensure system/application certification documentation includes WLAN devices. ALL  
Planning and Design Phase
15. Conduct a site survey to determine the proper location of APs, given a desired coverage area. AP  
16. Ensure creation of a dedicated Virtual LAN (VLAN) to support AP connections to the distribution system (e.g., enterprise wired network). AP / DS  
17. Ensure that network management information between APs/ASs and network management servers or consoles is transmitted over a dedicated management VLAN. AP / AS  
18. If a WLAN will be supporting unauthenticated users, such as members of the public, install a network firewall between each WLAN and its distribution system. AP / AS / DS  
19. Install a personal firewall on each mobile device. STA  
20.  Develop wireless security audit processes and procedures that identify the types of security relevant events that should be captured, and determine how audit records will be securely stored for subsequent analysis in accordance with IRM 10.8.1 and LEM 10.8.3. AP / AS  
21.  Select an appropriate EAP method or EAP method sequence for WLAN authentication, and design any necessary integration with PKI technology. STA / AS  
22. Determine the fallback strategy when WLAN authentication fails. AS  
23. Deploy wireless intrusion detection systems to detect suspicious or unauthorized activity. STA / AP  
24. Ensure system/application has been certified and accredited prior to use. ALL  
Procurement Phase
25. Procure WPA2-Enterprise certified STA and AP products only. STA / AP  
26.  Procure products that use FIPS-validated cryptographic modules and deploy them in "FIPS mode" if required. STA / AP  
27. Procure STAs and APs that support NIST AES key wrap with 128-bit HMAC-SHA-1 to protect transient keys during the 4-Way and Group Key Handshakes. STA / AP  
28. Procure ASs and APs that communicate securely. AS / AP  
29. Procure products that support the IRS-chosen EAP methods. STA / AS  
30.  Procure APs that terminate associations after a configurable time period. AP  
31. Procure ASs that grant authorizations for a configurable time period. AS  
32.  Procure APs that log security relevant events and forward them to a remote audit server in real time. AP  
33. Procure APs that can support an independent management interface to the distribution system (e.g., wired network). AP  
34. Procure APs that support SNMPv3 if SNMP-based AP management is used. AP  
35. Procure APs that support authentication and data encryption for administrative sessions. AP  
36. When the WLAN solution involves TLS-based EAP methods, procure STAs whose software can be configured to specify valid ASs by name. STA  
37. Procure APs and ASs that can support IPSec or alternative security methods to establish a mutually authenticated secure communications channel between AP and AS. AP / AS  
38. Procure APs and ASs that support Network Time Protocol (NTP). AP / AS  
39. Procure an auditing tool to automate the review of AP and AS audit data. AP / AS / DS  
40. Procure products that can be upgraded easily in software or firmware. ALL  
Implementation Phase
41. Ensure that all APs have strong, unique administrative passwords developed in accordance with IRM 10.8.1. AP  
42. Disable all insecure and unused management protocols on the APs, and configure remaining management protocols for least privilege. AP  
43. Disable WEP and TKIP in the configuration of each AP. AP  
44. Activate logging and direct log entries to a remote audit server. AP / AS  
45. Establish an IPSec connection (or equivalent protection mechanism) between each AP and its associated AS or ASs. AP / AS  
46. Configure a maximum GMK lifetime on the AP, preferably not to exceed 24 hours. AP  
47. Configure a maximum PMK lifetime on the AS, preferably not to exceed eight hours. AS  
48. Configure the STA and AS to use authorized EAP methods only. STA / AS  
49. When TLS methods are used, ensure that the STAs connect to valid ASs only. STA  
50. Disable ad hoc mode on each STA unless a business requirement exists for peer-to-peer wireless networking. STA  
51. Ensure no privately-owned devices are used in or connected to the WLAN. ALL  
Operations/Maintenance Phase
52. Test and deploy software patches and upgrades on a regular basis. ALL  
53. Ensure that all passwords are changed regularly in accordance with IRM 10.8.1. ALL  
54. Review audit logs frequently in accordance with IRM 10.8.1 and LEM 10.8.3. AP / AS / DS (STA optional)  
55. Inventory APs. AP  
56. Inventory STAs. STA  
57. Perform comprehensive WLAN security assessments at regular and random intervals. AP / AS  
58. Re-apply the IRS’ security configuration standard to an AP whenever its reset function is used. AP  
59. If PSKs are used to establish RSN associations, replace them frequently, preferably at least every 30 days. STA / AP  
60. If PSKs are used to establish RSN associations, ensure that no key is shared across multiple STAs. STA / AP  
61. Periodically update the certificates on the clients and the servers. STA / AP  
62. Designate an individual or group to track WLAN product vulnerabilities and wireless security trends. ALL  
Disposal Phase
63. When disposing of a WLAN component, remove all sensitive configuration information, including pre-shared keys and passwords in accordance with the sanitization requirements described in IRM 10.8.1. ALL  
64. When disposing of a WLAN component, ensure that its audit records are retained as needed to meet legal or other requirements. ALL  
Component Key:
AP – Access Point
AS – Authentication Server
DA – Destination Address
DS – Distribution System
STA – Station
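Several of the checklist items above (5, 36, 43, 44, 46, 49 and 50) are directly visible in the configuration of an AP or a STA. The following Python script is an added example, not part of this IRM and not IRS tooling: it audits constructed hostapd-style AP and wpa_supplicant-style STA configuration fragments against those items and reports which item each deviation violates. Parameter names follow hostapd.conf and wpa_supplicant.conf conventions; the SSID, address, file paths and shared secret are made-up sample values, and the "weak" fragments are deliberately non-compliant so that the checks have something to find.

```python
# Added example: audit AP (hostapd-style) and STA (wpa_supplicant-style)
# configuration fragments against selected RSN checklist items. Sample values are constructed.
import re

SECONDS_PER_DAY = 86400  # item 46: GMK lifetime preferably not to exceed 24 hours

# Constructed AP configuration that violates items 5, 43, 44 and 46.
AP_WEAK = """\
ssid=EXAMPLE-WLAN
wpa=3
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
auth_algs=3
wep_key0=1234567890
wpa_gmk_rekey=0
"""
# Constructed AP configuration satisfying the same items (WPA2-Enterprise, CCMP only).
AP_HARDENED = """\
ssid=EXAMPLE-WLAN
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_algs=1
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
wpa_gmk_rekey=86400
logger_syslog=-1
"""
# Constructed STA blocks: the first accepts any server certificate, the second validates the CA
# and names the valid authentication server (items 36 and 49).
STA_WEAK = """\
network={
    ssid="EXAMPLE-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="hunter2"
}
"""
STA_HARDENED = """\
network={
    ssid="EXAMPLE-WLAN"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/wlan-ca.pem"
    client_cert="/etc/wpa_supplicant/user.pem"
    private_key="/etc/wpa_supplicant/user.key"
    domain_suffix_match="radius.example.org"
}
"""


def parse_kv(text):
    """Parse key=value lines; a later duplicate key overrides an earlier one."""
    pairs = (line.strip().partition("=") for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}


def parse_network(text):
    """Parse the first network={...} block of a wpa_supplicant config, unquoting values."""
    match = re.search(r"network=\{(.*?)\}", text, re.S)
    return {k: v.strip('"') for k, v in parse_kv(match.group(1)).items()} if match else {}


def audit_ap(conf):
    """Return (checklist item, finding) pairs for an AP configuration."""
    findings, legacy = [], []
    if int(conf.get("wpa", "0")) & 1:
        legacy.append("WPA1 enabled (wpa bit 1)")
    if any(k.startswith("wep_") for k in conf) or int(conf.get("auth_algs", "1")) & 2:
        legacy.append("WEP keys or Shared Key authentication")
    if "TKIP" in (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split():
        legacy.append("TKIP pairwise cipher")
    if legacy:
        findings.append((43, "disable: " + "; ".join(legacy)))
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append((5, "key management is not IEEE 802.1X/EAP"))
    if "logger_syslog" not in conf:
        findings.append((44, "syslog logging not enabled"))
    gmk = int(conf.get("wpa_gmk_rekey", SECONDS_PER_DAY))  # hostapd default 86400; 0 disables rekey
    if gmk == 0 or gmk > SECONDS_PER_DAY:
        findings.append((46, f"GMK lifetime {gmk}s is disabled or exceeds 24 hours"))
    return findings


TLS_BASED_EAP = {"TLS", "PEAP", "TTLS"}
AS_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def audit_sta(net):
    """Return (checklist item, finding) pairs for a STA network block."""
    findings = []
    if net.get("mode") == "1":
        findings.append((50, "ad hoc (IBSS) mode enabled"))
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        findings.append((5, "STA not configured for IEEE 802.1X/EAP"))
    if net.get("eap", "").upper() in TLS_BASED_EAP:
        if "ca_cert" not in net:
            findings.append((49, "no ca_cert: authentication server certificate not validated"))
        if not any(k in net for k in AS_NAME_KEYS):
            findings.append((36, "valid authentication servers not specified by name"))
    return findings
```

Run against the weak AP fragment, audit_ap reports items 5, 43, 44 and 46; the weak STA block reports items 36 and 49 because a TLS-based EAP method without a CA certificate and a server name pin lets the station accept a rogue authentication server. The hardened fragments produce no findings. In a real deployment the same checks would be run against the exported configuration of every AP and the managed supplicant profile pushed to STAs.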

Exhibit 10.8.40-2  (01-30-2009)
Bluetooth Security Checklist

Bluetooth Requirement
1. Prior to acquisition, ensure that wireless devices support updates and upgrades for security patch deployment.
2.  Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (e.g., Bluetooth).
3.  Perform a risk assessment to understand the value of the assets of the system that need protection.
4.  Ensure all devices comply with all applicable security IRM requirements.
5. Perform comprehensive security assessments at regular intervals to fully understand the wireless network security posture. Refer to IRM 10.8.1 for risk assessment guidance.
6. Ensure that the wireless "network" is fully understood. With connections to both wired and wireless wide area networks, the IRS must understand the overall connectivity. Note: a device may contain various wireless technologies and interfaces.
7. Ensure external boundary protection is in place around the perimeter of the building or buildings of the agency.
8.  Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers).
9. Ensure that handheld or small Bluetooth devices are protected from theft.
10.  Ensure that personally-owned Bluetooth devices are not used to process IRS information.
11. Ensure that Bluetooth devices are turned off or disabled when not needed for business operations.
12.  Take a complete inventory of all Bluetooth-enabled wireless devices. Ensure that all Bluetooth devices have DAA approval.
13.  Study and understand planned Bluetooth-enabled devices to understand any security idiosyncrasies or inadequacies.
14.  Change the default settings of the Bluetooth device to reflect IRS security policy.
15. Ensure that the Bluetooth "pairing" environment is secure from eavesdroppers (e.g., the environment has been visually inspected for possible adversaries before the initialization procedures during which key exchanges occur).
16. Implement PIN codes that are random and avoid weak PINs.
17. Choose PIN codes that are the manufacturers' maximum length.
18. Ensure that no Bluetooth device is defaulting to the zero PIN.
19. Ensure that combination keys are used instead of unit keys.
20. Invoke link encryption for all Bluetooth connections (i.e., do not use Security Mode 1).
21. Ensure that encryption is enabled on every link in the communication chain.
22. Make use of Security Mode 2 in controlled and well-understood environments.
23. Ensure device mutual authentication for all accesses.
24. Enable encryption for all broadcast transmissions (Encryption Mode 3).
25. Configure encryption key sizes to the maximum allowable.
26. Establish a "minimum key size" for any key negotiation process.
27. Ensure that portable devices with Bluetooth interfaces are configured with a password to prevent unauthorized access if lost or stolen.
28. Use application-level (on top of the Bluetooth stack) encryption and authentication for highly sensitive data communication in accordance with IRM 10.8.1. For example, an IPSec-based Virtual Private Network (VPN) technology can be used for highly sensitive transactions.
29. Install antivirus software on intelligent, Bluetooth-enabled hosts.
30. Fully test and deploy software Bluetooth patches and upgrades regularly.
31. Deploy appropriate user authentication according to IRM 10.8.1 (biometrics, smart cards, two-factor authentication, and PKI should be considered for sensitive systems).
32. Ensure intrusion detection systems monitor electromagnetic activity within and nearby IRS facilities to detect suspicious behavior or unauthorized access and activity.
33. Fully understand the impacts of deploying any security feature or product prior to deployment.
34. Ensure that no personally-owned devices are connected to the WLAN.
35. Ensure the system/application certification documentation includes wireless devices.
36. Ensure the system/application has been certified and accredited prior to use.

Exhibit 10.8.40-3  (01-30-2009)
Wireless PED/PDA Security Checklist

Wireless PED/PDA Requirement
1.  Ensure that users on the network are trained in computer security awareness and the risks associated with handheld devices in accordance with IRM 10.8.1.
2.  Ensure the wireless devices comply with all applicable security IRM requirements.
3.  Prior to acquisition, ensure that wireless devices support updates and upgrades for security patch deployment.
4. Ensure wireless devices do not directly communicate with IRS internal network resources, except through the use of IRS-approved strong authentication technology.
5. Conduct ongoing, random security audits to monitor and track devices.
6. Ensure that personally-owned wireless handheld devices are not used to process IRS information.
7. Ensure that external physical boundary protection is in place around the perimeter of the building or buildings of the agency.
8. Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers).
9.  Label all handheld devices with the owner and agency's information.
10. Take a complete inventory of all wireless handheld devices. Ensure that all wireless handheld devices have DAA approval.
11. Ensure that users know where to report a lost or stolen device.
12. Ensure that devices are stored securely when left unattended.
13. Ensure that add-on modules are adequately protected when not in use to prevent theft.
14. Enable a power-on password for each handheld device.
15. Ensure software used to interface with a user’s system is password protected in accordance with IRM 10.8.1.
16.  Ensure proper password management (aging, complexity criteria, etc.) for all handheld devices in accordance with IRM 10.8.1.
17. Ensure that desktop application-mirroring software is password protected.
18. Store SBU/CUI data on backup storage modules in encrypted form in accordance with IRM 10.8.1.
19. Review vendor Web sites frequently for new patches and software releases.
20. Install patches on the affected devices and workstations.
21. Review security-related mailing lists for the latest security information and alerts.
22. Ensure that all devices have timeout mechanisms that automatically prompt the user for a password after a period of inactivity.
23. Synchronize each device with its corresponding PC regularly.
24.  Avoid placing SBU/CUI information on a handheld device. If necessary to do so, delete SBU/CUI data from the handheld device and archive it on the PC when no longer needed on the handheld.
25.  Ensure communication ports are disabled during periods of inactivity.
26.  Install antivirus software on all wireless handheld devices.
27.  Install personal firewall software on all networked handheld devices where available.
28.  Ensure mobile code is not downloaded from non-IRS sources.
29.  Ensure that PDAs are provided with secure authorization software/firmware.
30.  Ensure that a user can be securely authenticated when operating locally and remotely.
31. Use robust encryption in accordance with FIPS 140-2 and password protection utilities for the protection of sensitive data files and applications.
32. Ensure that all individual functions of multi-functional wireless devices are secured in accordance with IRS policy.
33. When disposing of handheld devices that will no longer be used by the agency, clear configuration settings to prevent the disclosure of sensitive network information.
34. Ensure that no personally-owned PED is used.
35. Ensure the system/application certification documentation includes all wireless devices.
36. Ensure the system/application has been certified and accredited prior to use.

Exhibit 10.8.40-4  (01-30-2009)
Wireless System Component(s) Security Checklist

Manager/ Employee Servicing organization:
Employee Name:
Component Type:
Job Requirement:
  Instructions: This checklist shall be completed and signed by the manager of the employee, or by the employee servicing organization(s), such as the Equal Employment Opportunity (EEO) organization, that submit requests on behalf of employee(s), prior to authorizing/requesting wireless system component(s). Please carefully read, then check, the items listed below to certify understanding and compliance.
As the Manager requesting/assigning a wireless system component for the employee identified above, I shall:
1. Review IRM 10.8.1, IT Security, Policy and Guidance, paying particular attention to requirements for Sensitive But Unclassified (SBU) Information/Controlled Unclassified Information (CUI) and Portable electronic devices.
2. Review IRM 10.8.40, Wireless Security Policy.
3. Ensure employee(s) review the policies stated above.
4. Perform initial review and approval of employee(s) request for wireless system component(s) to ensure the request is in accordance with the security requirements stated in IRM 10.8.1 and this IRM.
5. Certify that the wireless system component(s) is (are) not being requested for or issued to employees that process SBU/CUI data or are in sensitive positions.
6. Ensure requested wireless system components are approved for use by the appropriate DAA prior to installation, and that they operate in accordance with the requirements of this IRM.
7. Ensure the requested components are used in accordance with IRM 10.8.1 and this IRM.
8. Maintain a complete inventory of all wireless system components assigned to each employee.
9. Report any theft, loss or compromise of any wireless system components to IRS CSIRC.


I, (name): _______________________________ certify that I have performed the initial review and approval of employee(s) request for wireless system component(s) in accordance with requirements stated in IRM 10.8.1 and this IRM.

Date: _______________________________

Exhibit 10.8.40-5  (01-30-2009)
Glossary

  1. Controlled Unclassified Information - A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU).

  2. Personal Digital Assistant (PDA) – A handheld computer that serves as an organizer for personal information. PDAs are increasingly becoming more versatile and may include such features as Web browsing and Internet email.

  3. Sensitive But Unclassified (SBU) Information - Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.

  4. Wireless – A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).

  5. Wireless Access Point (AP) – The entry point from a wireless station to a wireless network or from a wireless network to a wired network. APs generally consist of a radio, a wired network interface, and management and bridging software.

  6. Wireless Client – A system or device that wirelessly accesses an AP or another client directly.

  7. Wireless Device – A device that can communicate with another device without a physical connection to that device.

  8. Wireless Portable Electronic Device (PED) – A non-stationary wireless client with the capability of recording, storing, and/or transmitting information. Wireless PEDs include, but are not limited to: network interface cards, PDAs, keyboards, mice, printers, and USB devices that transmit data wirelessly.

Exhibit 10.8.40-6  (01-30-2009)
References

  1. This policy was developed based on best practices and guidance consistent with publications of the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) Defense Information Systems Agency (DISA), and the Center for Internet Security (CIS). The following are recommended references when designing, implementing, or using a wireless network or device:

    1. NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i;

    2. NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices;

    3. NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS);

    4. DoD DISA Wireless Security Technical Implementation Guide (STIG);

    5. DoD DISA Wireless LAN Security Framework;

    6. CIS Wireless Networking Benchmark.

  2. The IRS's Office of Servicewide Policy, Directives and Electronic Research (SPDER), in partnership with LEXIS-NEXIS, has made all IRMs available to all IRS employees.

  3. IRS IRMs are available at: http://spder.web.irs.gov/IRMOnline/irm.htm .

  4. Cybersecurity (formerly Mission Assurance and Security Services (MA&SS)) web site at http://mits.web.irs.gov/Cybersecurity/.

