V-53027 | High | The Good Mobility Suite server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
V-53099 | High | The Good Mobility Suite must transfer audit logs from managed mobile devices to the Good Mobility Suite. | Good Mobility Suite auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and... |
V-53057 | High | The Good Mobility Suite server application white list for managed mobile devices must be set to Deny All by default when no applications are listed. | The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system... |
V-53031 | High | The Good Mobility Suite server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices. | Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report... |
V-53029 | High | The Good Mobility Suite server must perform required actions when a security-related alert is received. | Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely... |
V-53019 | High | The Good Mobility Suite must implement separation of administrator duties by requiring a specific role to be assigned to each administrator account. | Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the... |
V-53107 | Medium | The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority. | When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious... |
V-53069 | Medium | The Good Mobility Suite server must disable iOS Allow documents from managed apps in unmanaged apps via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53105 | Medium | The Good Mobility Suite email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority. | If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious... |
V-53145 | Medium | The Good Mobility Suite server must disable the mobile device user's access to an application store or repository via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53127 | Medium | The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. | When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information... |
V-53129 | Medium | The Good Mobility Suite email client must alert the user if it receives an unverified public-key certificate. | If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in... |
V-53061 | Medium | The Good Mobility Suite server must enable iOS Force encrypted backups via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53063 | Medium | The Good Mobility Suite server must disable iOS Allow diagnostic data to be sent to Apple via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53149 | Medium | The Good Mobility Suite server must block access to specific web sites via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53109 | Medium | The Good Mobility Suite email client must alert the user if it receives an invalid public-key certificate. | If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in... |
V-53067 | Medium | The Good Mobility Suite server must disable iOS Allow documents from unmanaged apps in managed apps via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53135 | Medium | The Good Mobility Suite must enforce the minimum password length for the device unlock password via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53125 | Medium | The Good Mobility Suite email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. | If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in... |
V-53065 | Medium | The Good Mobility Suite server must disable iOS Auto-fill via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53253 | Medium | The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. | If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in... |
V-53055 | Medium | The Good Mobility Suite server must prohibit the mobile device user from installing unapproved applications on the mobile device. | The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what... |
V-53251 | Medium | The Good Mobility Suite email client must alert the user if the certificate uses an unverified CRL. | If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in... |
V-53143 | Medium | The Good Mobility Suite server must set the device inactivity timeout grace period to be immediate via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53051 | Medium | The Good Mobility Suite server must specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source,... |
V-53053 | Medium | The Good Mobility Suite server must configure the mobile device agent to prohibit the download of software from a non-DoD approved source. | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source,... |
V-53091 | Medium | The Good Mobility Suite server must disable iOS photo streams via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53093 | Medium | The Good Mobility Suite server must disable iOS shared photo streams via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53059 | Medium | The Good Mobility Suite server must configure the Good Mobility Suite agent to prohibit the download of applications on mobile operating system devices without system administrator control. | The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system... |
V-53037 | Medium | The Good Mobility Suite email client must provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53035 | Medium | The Good Mobility Suite email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53117 | Medium | The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. | When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information... |
V-53111 | Medium | The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. | When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information... |
V-53073 | Medium | The Good Mobility Suite server must disable the iOS Today View in lock screen via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53137 | Medium | The Good Mobility Suite server must set the device inactivity timeout to 15 minutes via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53071 | Medium | The Good Mobility Suite server must disable iOS Touch ID to unlock device via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53153 | Medium | The Good Mobility Suite server must force the display of a warning banner on the mobile device via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53077 | Medium | The Good Mobility Suite server must disable the iOS notification center in lock screen via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53133 | Medium | The Good Mobility Suite must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device. | Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device. |
V-53039 | Medium | The Good Mobility Suite email client must provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53075 | Medium | The Good Mobility Suite server must disable iOS Airdrop via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53157 | Medium | The Good Mobility Suite server must enable a Good Mobility Suite agent password via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53087 | Medium | The Good Mobility Suite server must disable iOS iCloud backup via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53085 | Medium | The Good Mobility Suite server must disable iOS iCloud documents and data via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53083 | Medium | The Good Mobility Suite server must enable iOS force limited ad tracking via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53155 | Medium | The Good Mobility Suite server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53081 | Medium | The Good Mobility Suite server must disable iOS Siri while the device is locked via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53079 | Medium | The Good Mobility Suite server must disable iOS voice dialing via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53095 | Medium | The Good Mobility Suite server must disable iOS screenshots via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53089 | Medium | The Good Mobility Suite server must disable iOS iCloud keychain sync via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53165 | Medium | The Good Mobility Suite server must disable the automatic removal of the iOS configuration profile via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53167 | Medium | The Good Mobility Suite server must disable the use of simple values within the iOS Good Mobility Server agent password via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53041 | Medium | The Good Mobility Suite email client must set the Smart Card or Certificate Store Password caching timeout period to 120 minutes. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53161 | Medium | The Good Mobility Suite server must enable the Good Mobility Suite agent password length to be six or more characters. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53163 | Medium | The Good Mobility Suite must set the Good Mobility Suite agent inactivity timeout to 15 minutes via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53045 | Medium | The Good Mobility Suite email client must be capable of providing S/MIME v3 (or later version) encryption of email. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53049 | Medium | The Good Mobility Suite server must disable copying data from inside a security container to a non-secure data area on a mobile device via centrally managed policy. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-53103 | Low | The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. | When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the... |
V-53101 | Low | The Good Mobility Suite email client must notify the user if it cannot verify the revocation status of the certificate. | If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress. ... |
V-53097 | Low | The Good Mobility Suite email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. | HTML code embedded in emails can contain links to malicious sites. Requiring that all emails are viewed in plain text helps remediate phishing attempts. |
V-53115 | Low | The Good Mobility Suite email client must verify all digital certificates in the certificate chain when performing PKI transactions. | If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain. This would enable the adversary to... |
V-53033 | Low | The Good Mobility Suite email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53113 | Low | The Good Mobility Suite email client must not accept certificate revocation information without verifying its authenticity. | If the operating system does not verify the authenticity of revocation information, there is the potential that an authorized system is providing false information. Acceptance of the false... |
V-53043 | Low | The Good Mobility Suite email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-53047 | Low | The Good Mobility Suite email client must restrict contact list data elements transferred to the phone application. | The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed. |