Bluetooth should be avoided on systems doing any kind of work for the Federal government, DoD or civilian. When tightening controls on system access, consider every attack vector, including Bluetooth-enabled peripherals such as keyboards, mice, earbuds, and similar devices. Here's why:

CMMC Control AC.L1-3.1.1 (Access Control): This control applies to every contract that involves Federal Contract Information (FCI), DoD or not. It requires limiting information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Bluetooth peripherals routinely connect without authenticating the device to the host: many of them, mice and audio devices in particular, pair with the "Just Works" method, which involves no passkey, offers no man-in-the-middle protection, and gives the host no assurance of which device it is actually talking to. A peripheral that pairs this way is not an "authorized device" in the sense of the control. The control does not name Bluetooth, but because it is a Level 1 control the practical consequence is that Bluetooth has to be disabled on any system handling ANY FCI, and that includes non-DoD contractors. Yes... most government contractors are not in compliance.

CMMC Compliance and FIPS 140-2 Encryption: For remote access, AC.L2-3.1.13 requires employing cryptographic mechanisms to protect the confidentiality of remote access sessions, and under CMMC the cryptography that protects CUI must be FIPS-validated. Bluetooth should be treated as a remote access mechanism because its radio signal does not stop at the walls of the office; it can be received from the parking lot. This is a CMMC Level 2 control and applies to most DoD contractors. Consumer Bluetooth peripherals do not meet it: legacy classic Bluetooth (BR/EDR) links are protected by the E0 stream cipher, which is not a FIPS-approved algorithm, and while the newer Secure Connections modes use AES-CCM, an approved algorithm is not a validated module, and the radios in keyboards, mice and earbuds do not carry a FIPS 140-2 certificate. So Bluetooth cannot be used in environments where Controlled Unclassified Information (CUI) is processed.
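Both controls above come down to the same operational step: make sure the Bluetooth radio on each endpoint is off and stays off, and be able to prove it to an assessor. The script below is an added example, not code from the original post or from any CMMC assessment guide. It audits a Linux endpoint (radio state via rfkill, the bluetooth.service unit, and whether the btusb driver is loaded) and, when run as root with "apply", enforces the disabled state persistently. The function names, the rfkill sample output, and the /etc/modprobe.d file name are this example's own assumptions; it also assumes util-linux rfkill, systemd, and a USB-attached adapter driven by btusb.

```shell
#!/bin/sh
# Added example, not from the original post: audit (and, as root with "apply",
# enforce) a "Bluetooth disabled" state on a Linux endpoint. Assumes util-linux
# rfkill, systemd's bluetooth.service and a USB adapter driven by btusb; the
# function names and the modprobe.d file name are this example's own choices.

# Count Bluetooth radios in `rfkill list` output that are neither soft- nor
# hard-blocked. Takes the output as $1 so it works on a captured sample too.
bt_unblocked_count() {
    printf '%s\n' "$1" | awk '
        # A header line such as "0: hci0: Bluetooth" starts a new radio record.
        /^[0-9]+: / { if (inbt && soft == "no" && hard == "no") n++
                      inbt = ($3 == "Bluetooth"); soft = ""; hard = "" }
        /Soft blocked:/ { soft = $3 }
        /Hard blocked:/ { hard = $3 }
        END { if (inbt && soft == "no" && hard == "no") n++; print n + 0 }'
}

# Succeeds when no Bluetooth radio is usable (none present, or all blocked).
bt_radios_blocked() {
    [ "$(bt_unblocked_count "$1")" -eq 0 ]
}

# Live audit: radio state, service state and driver state. Returns 1 on any FAIL.
bt_audit() {
    rc=0
    if command -v rfkill >/dev/null 2>&1; then
        if bt_radios_blocked "$(rfkill list bluetooth 2>/dev/null)"; then
            echo "PASS rfkill: no usable Bluetooth radio"
        else
            echo "FAIL rfkill: a Bluetooth radio is unblocked"; rc=1
        fi
    fi
    if systemctl is-active --quiet bluetooth.service 2>/dev/null; then
        echo "FAIL systemd: bluetooth.service is running"; rc=1
    else
        echo "PASS systemd: bluetooth.service is not running"
    fi
    if grep -qw btusb /proc/modules 2>/dev/null; then
        echo "FAIL kernel: btusb driver is loaded"; rc=1
    else
        echo "PASS kernel: btusb driver is not loaded"
    fi
    return "$rc"
}

# Enforcement: block the radio now, stop the stack, and keep both off at boot.
bt_apply() {
    rfkill block bluetooth
    systemctl disable --now bluetooth.service
    systemctl mask bluetooth.service
    # "install btusb /bin/false" makes modprobe refuse to load the driver even
    # when something requests it explicitly; "blacklist" alone only stops autoload.
    printf 'install btusb /bin/false\nblacklist btusb\n' \
        > /etc/modprobe.d/disable-bluetooth.conf   # file name is an assumption
    modprobe -r btusb 2>/dev/null || true
}

# Constructed rfkill samples (not captured from a real host) to exercise the parser offline.
SAMPLE_BLOCKED='0: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'
SAMPLE_MIXED='0: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no
1: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
2: hci1: Bluetooth
    Soft blocked: no
    Hard blocked: no'
SAMPLE_NONE='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no'

case "${1:-}" in
    audit) bt_audit ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
           bt_apply && bt_audit ;;
    *)     echo "usage: $0 audit|apply" >&2 ;;
esac
```

Run it as `sh bt-disable.sh audit` from a configuration-management job and keep the output as assessment evidence; a non-zero exit means at least one check failed. The modprobe "install" line matters because `rfkill block` and masking the service are undone by a reboot or by a user with the rfkill key, whereas refusing to load the driver leaves nothing for the stack to bring up. On Windows the equivalent evidence is the state of the radio under `Get-PnpDevice -Class Bluetooth` and of the `bthserv` service; the Linux form is shown here because it can be exercised end to end.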

