V-68689 | Medium | The BES12 server must be configured to enable all required audit events: a. Failure to push a new application on a managed mobile device; b. Failure to update an existing application on a managed mobile device. | Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary.
SFR... |
V-68695 | Medium | The BES12 server platform must be protected by a DoD-approved firewall. | Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential... |
V-68697 | Medium | The firewall protecting the BES12 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BES12 server and platform functions. | Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-68691 | Medium | The BES12 server must leverage the BES12 Platform user accounts and groups for BES12 server user identification and authentication. | A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker... |
V-68687 | Medium | The BES12 server must be configured with the Administrator roles: a. MD user b. Server primary administrator c. Security configuration administrator d. Device user group administrator e. Auditor. | Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one... |
V-68693 | Medium | The BES12 server must initiate a session lock after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the... |
V-68703 | Medium | The BES12 server must be configured to disable a users capability to perform self-service tasks. | The security posture of a BlackBerry device or the DoD BlackBerry service could be compromised if users are able to perform self-service tasks, including activating unauthorized devices. In the... |
V-68705 | Medium | The server PKI digital certificate installed on the BES12 Server to support Consoles and BlackBerry Web Services authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used. | When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In... |
V-68685 | Low | Before establishing a user session, the BES12 server must display an administrator-specified advisory notice and consent warning message regarding use of the BES12 server. | Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator... |