Change overview

Read about the recent changes made to the NZISM.

Version 3.8 of the NZISM was published in September 2024 with changes made in the following areas:


Bluetooth Communications (section 11.1)

Rationale: 

This work arose from changes in ways of working and technology, and because IT Security Managers are being asked to incorporate a wide range of devices and peripherals into their protection boundary. This work covers enterprise devices, not medical devices. 

Change description: 

The original section 11.1 covered radio frequency and infrared devices together with Bluetooth. These have now been separated into Bluetooth communications (11.1) and Radio frequency and infrared devices in secure areas (11.2). Section 11.1 includes twelve new controls. The former 11.2, Multifunction devices, network printers, and fax machines, has moved to 11.8 and is being tabled for an update. 

Expected outcome: 

Bluetooth is vulnerable to interception and eavesdropping. New controls are introduced in 11.1 to control the pairing environment, e.g., by knowing the devices and their level of security, and by pairing in secure locations. 


Email Security (section 15.2)

Rationale: 

Enabling the Mail Transfer Agent Strict Transport Security (MTA-STS) standard (IETF RFC 8461 and RFC 8460) prevents the unencrypted transfer of email. This supports GCDO’s work to develop an architecture and common framework for email security based on open standards. 

Change description: 

Three new controls are added: two require agencies to enable MTA-STS, and the third requires agencies to enable the companion reporting mechanism, which gives them metrics on how their domains are performing. 

Existing guidance on address spoofing is updated to incorporate changes in the IETF standard and to cover securing domains that are not used for email. 

This work should be read in conjunction with DIA’s Secure Government Email Common Implementation Framework. 

Expected outcome: 

By implementing these open standards, agencies reduce the risk from common email-based threats such as spoofing, phishing, and interception.
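As an added illustration (not part of the NZISM or GCDO material), the following Python check validates the pieces the new controls ask agencies to publish: the MTA-STS policy and TXT record (RFC 8461) and the companion reporting record, TLS-RPT (RFC 8460). The domain, records, MX hosts and policy file are constructed; a live check would fetch the `_mta-sts.<domain>` and `_smtp._tls.<domain>` TXT records and `https://mta-sts.<domain>/.well-known/mta-sts.txt` instead.

```python
import re

# Constructed sample inputs for a hypothetical domain: two DNS TXT records and the policy file.
MTA_STS_TXT = "v=STSv1; id=20240901T120000;"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.govt.nz"
POLICY_FILE = """version: STSv1
mode: testing
mx: mail.example.govt.nz
mx: *.mx.example.govt.nz
max_age: 604800
"""
MX_HOSTS = ["mail.example.govt.nz", "mx1.mx.example.govt.nz", "legacy.example.net"]


def parse_policy(text):
    """Parse the key/value policy file; 'mx' may repeat, so it is kept as a list."""
    policy = {"mx": []}
    for key, value in (line.split(":", 1) for line in text.splitlines() if ":" in line):
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mx_matches(hostname, patterns):
    """RFC 8461 mx matching: exact name, or '*.' standing for exactly one leading label."""
    for pattern in patterns:
        if pattern.startswith("*."):
            one_label = hostname.count(".") == pattern.count(".")
            if one_label and hostname.lower().endswith(pattern[1:].lower()):
                return True
        elif hostname.lower() == pattern.lower():
            return True
    return False


def check_domain(sts_txt, tlsrpt_txt, policy_text, mx_hosts):
    """Return a list of findings; an empty list means MTA-STS and TLS-RPT look sound."""
    findings = []
    if not re.match(r"^v=STSv1;\s*id=[A-Za-z0-9]{1,32};?\s*$", sts_txt):
        findings.append("MTA-STS TXT record is malformed")
    policy = parse_policy(policy_text)
    if policy.get("mode") != "enforce":
        # 'testing' only generates reports; only 'enforce' blocks downgrade to cleartext
        findings.append(f"policy mode is {policy.get('mode')!r}, not 'enforce'")
    for host in mx_hosts:
        if not mx_matches(host, policy["mx"]):
            findings.append(f"MX host {host} is not covered by any mx pattern")
    if not re.match(r"^v=TLSRPTv1;\s*rua=(mailto:|https://)\S+", tlsrpt_txt):
        findings.append("TLS-RPT record missing or has no rua destination")
    return findings
```

On the sample data this reports two findings: the policy is still in testing mode, and one MX host is not covered by the policy, so mail routed to it would not be protected.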