{
"stig": {
"date": "2014-10-07",
"description": "Developed by DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
"findings": {
"V-18627": {
"checkid": "C-39120r5_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.\n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the VPN client leverages FIPS 140-2 validated cryptographic modules. It may accomplish this either by using its own FIPS 140-2 validated cryptographic module or the FIPS 140-2 validated Apple iOS CoreCrypto Kernel Module. Only VPN client applications that Apple has granted the VPN entitlement have the capability to leverage this module. Verify the VPN client has the Apple iOS VPN entitlement or check that it has its own FIPS 140-2 certificate. \n\nIf the VPN client does not leverage FIPS 140-2 validated cryptography, this is a finding.",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.",
"fixid": "F-37266r2_fix",
"fixtext": "Install a VPN client that uses FIPS 140-2 validated cryptographic modules to protect data in transit.",
"iacontrols": [
"ECWN-1"
],
"id": "V-18627",
"ruleID": "SV-40265r3_rule",
"severity": "medium",
"title": "The VPN client on mobile devices used for remote access to DoD networks must be FIPS 140-2 validated. ",
"version": "WIR-MOS-iOS-034-01"
},
"V-19897": {
"checkid": "C-35553r3_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.\n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and the configuration of the VPN client. Verify the VPN client supports AES encryption. Verify the VPN client is configured to require AES. Mark as a finding if the VPN does not support AES or is not configured to require AES.",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
"fixid": "F-37263r1_fix",
"fixtext": "Install an AES Encrypted VPN client. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-19897",
"ruleID": "SV-36449r2_rule",
"severity": "medium",
"title": "All mobile device VPN clients used for remote access to DoD networks must support AES encryption. ",
"version": "WIR-MOS-iOS-034-02"
},
"V-19898": {
"checkid": "C-35554r4_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.\n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and verify the VPN client supports CAC authentication. Mark as a finding if the VPN does not support CAC authentication or the client is not configured to require CAC authentication.",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
"fixid": "F-37265r4_fix",
"fixtext": "Install a VPN client that supports CAC authentication and configure the client to require CAC authentication.",
"iacontrols": [
"ECWN-1"
],
"id": "V-19898",
"ruleID": "SV-36450r2_rule",
"severity": "medium",
"title": "All mobile device VPN clients used for remote access to DoD networks must be configured to require CAC authentication. ",
"version": "WIR-MOS-iOS-034-03"
},
"V-19899": {
"checkid": "C-41594r2_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.\n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and verify the VPN client supports disabling split tunneling. Verify the VPN client is configured to disable split tunneling. Mark as a finding if the VPN does not support disabling split tunneling or it is not disabled on the client.",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. Split tunneling could allow connections from non-secure Internet sites to access data on the DoD network.",
"fixid": "F-37267r1_fix",
"fixtext": "Disable split tunneling on VPN client. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-19899",
"ruleID": "SV-36451r2_rule",
"severity": "medium",
"title": "All mobile device VPN clients must have split tunneling disabled. ",
"version": "WIR-MOS-iOS-034-04"
},
"V-24982": {
"checkid": "C-31197r6_chk",
"checktext": "Detailed Policy Requirements:\nIf a Bluetooth smart card reader is used, only the following models and firmware versions should be used:\n\nSCR: Biometric Associates, LP (BAL) baiMobile BAL-3000MP Bluetooth Smart Card Reader. Firmware version v2.01.00 or later should be used (version v2.02.00 is recommended).\n\nBluetooth adapter: Biometric Associates, LP (BAL) baiMobile BAL-BTA001 Bluetooth Adapter. Firmware version 1.4.0 or later should be used (version 1.4.4 is recommended).\n\nCheck Procedures:\nSCR: The version of the reader firmware is displayed when the user presses and holds the Action button on the reader for a couple of seconds after the CAC is inserted into the reader.\n\nBluetooth adapter: Model and firmware are printed on the label attached to the adapter.\n\nFor wired smart card readers, check to see if the vendor has completed JITC PKI interoperability testing. Ask to see a copy of the JITC certification. The firmware version should be the same as listed in the JITC certification (or later version).\n\nMark as a finding if the firmware version on the SCR and adapter are not the approved versions.",
"description": "Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.",
"fixid": "F-27623r1_fix",
"fixtext": "Install required SCR software version. ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24982",
"ruleID": "SV-30781r3_rule",
"severity": "low",
"title": "Smart Card Readers (SCRs) used with CMDs must have required software version installed.",
"version": "WIR-MOS-iOS-002"
},
"V-24983": {
"checkid": "C-31198r9_chk",
"checktext": "Launch the mobile email client and verify S/MIME is installed in the client. The exact procedures will depend on which mobile email product is being used. \nMark as a finding if the mobile email client does not have S/MIME configured.\n\nIf the mobile email client does not have S/MIME configuration settings that can be viewed on the device, try to send a signed encrypted message to a known recipient and verify the recipient can decrypt and verify the digital signature. Mark as a finding if you are unable to send a signed and encrypted message or if the recipient is unable to decrypt and verify the digital signature.\n\nIf the Good Technology client is used:\n\u2022Log into the iOS device.\n\u2022Open the Good application.\n\u2022Go to Preferences.\n\u2022Verify Smartcard and S/MIME specific settings are listed.",
"description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy. Without S/MIME users will not be able to read encrypted email and will not be able to encrypt email with sensitive information.",
"fixid": "F-27624r5_fix",
"fixtext": "Provision the mobile email client with S/MIME so users can digitally sign and encrypt email.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24983",
"ruleID": "SV-30782r3_rule",
"severity": "medium",
"title": "S/MIME must be installed on mobile device, so users can sign/encrypt email.",
"version": "WIR-MOS-iOS-003"
},
"V-24984": {
"checkid": "C-31199r6_chk",
"checktext": "Launch the mobile email client and verify that if the email auto signature feature is used, it is compliant with the requirement. The exact procedures will depend on which mobile email product is being used. Mark as a finding if not compliant.\n\nIf the Good Technology client is used:\n\u2022Log into the iOS device.\n\u2022Open the Good application.\n\u2022Go to Preferences > Signature.",
"description": "The disclaimer message may reveal information that identifies the device to an attacker. ",
"fixid": "F-27625r4_fix",
"fixtext": "Configure the iOS email auto-signature message, so it does not disclose the email originated from the iOS device (e.g., Sent From My Wireless Handheld).\n ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24984",
"ruleID": "SV-30783r2_rule",
"severity": "low",
"title": "If mobile device email auto signatures are used, the signature message must not disclose the email originated from a CMD (e.g., Sent From My Wireless Handheld). ",
"version": "WIR-MOS-iOS-004"
},
"V-24985": {
"checkid": "C-31201r7_chk",
"checktext": "There are two acceptable implementations for this requirement:\n\n1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway. Note: This method is only acceptable if the VPN client is configured so that all data downloaded to the mobile device is saved in a FIPS 140-2 validated encrypted container; otherwise, the data at rest requirements in check V-32707/WIR-MOS-iOS-65-09 are not met.\n\n2. The device browser is installed inside an iOS security container and the security container provides the capability to route all browser traffic to the MDM or authorized proxy server where it will be routed to the DoD Internet gateway.\n\nUsing a browser without a mobile VPN and installed outside the iOS device security container is not an approved implementation.\n\nVerify one of the approved browser implementations is used. Talk to the IAO and review 3-4 sample devices.\n\nMark as a finding if a required browser implementation is not used.",
"description": "When using the DoD Internet proxy for iOS device Internet connections, enclave Internet security controls will filter and monitor iOS device Internet connections and reduce the risk that malware could be downloaded on the mobile device.\n",
"fixid": "F-27626r3_fix",
"fixtext": "Use a compliant browser implementation on the iOS device.\n ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24985",
"ruleID": "SV-30784r3_rule",
"severity": "low",
"title": "The browser must direct all traffic to a DoD Internet proxy gateway.\n",
"version": "WIR-MOS-iOS-005"
},
"V-25003": {
"checkid": "C-31332r6_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify a compliance rule has been set up defining iOS 6 or later as approved versions.\n\nMark as a finding if the required compliance rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.\nIf the Good Technology MDM server is used, complete the following:\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify a compliance rule has been set up defining iOS 6 or later versions.\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n-Select a policy set to review and click on the policy.\n-On the left tab, select Compliance Manager.\n-Verify \u201cOS Version Verification\u201d rule is listed. (Note that the rule title does not have to be exact.)\n-Open the rule by checking the box next to the rule and then click on Edit.\n-Verify the following are set.\nPlatform: iPhone\nCheck to Run: OS Version Verification\nConditions: 6.0 or later\nFailure Action: \u201cQuit Good for Enterprise\u201d\nCheck Every: \u201c6 hours\u201d\nCheck: \u201cPermit newer (previously unknown) OS versions\u201d\n",
"description": "Unapproved OS versions do not support required security features.",
"fixid": "F-27651r3_fix",
"fixtext": "Install the required OS version.",
"iacontrols": [
"ECWN-1"
],
"id": "V-25003",
"ruleID": "SV-34937r3_rule",
"severity": "medium",
"title": "Mobile devices must have the required operating system software version installed. ",
"version": "WIR-MOS-iOS-030-01"
},
"V-25007": {
"checkid": "C-31207r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cRequire passcode\u201d is checked.\n \nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD iOS device.\n",
"fixid": "F-27657r3_fix",
"fixtext": "Configure the MDM server to require a passcode for device unlock.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25007",
"ruleID": "SV-30789r2_rule",
"severity": "medium",
"title": "Mobile devices must be configured to require a password/passcode for device unlock.\n",
"version": "WIR-MOS-iOS-G-010"
},
"V-25008": {
"checkid": "C-31208r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify \u201cAllow simple value\u201d is not checked.\n\nIf the required rule is not set up on the MDM server, this is a finding. \n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "iOS provides a security mechanism to prevent users from choosing simple passcodes (e.g., 1111). Implementation of this control is an appropriate defense-in-depth measure to mitigate unauthorized use of the device.",
"fixid": "F-27658r4_fix",
"fixtext": "Disable (uncheck) \"Allow simple value\" in the iOS policy on the MDM server.",
"iacontrols": [
"IAIA-1",
"ECWN-1"
],
"id": "V-25008",
"ruleID": "SV-30790r3_rule",
"severity": "low",
"title": "The iOS device password complexity must be set to the required value.\n",
"version": "WIR-MOS-iOS-G-012-01"
},
"V-25009": {
"checkid": "C-31210r6_chk",
"checktext": "Password expiration is only required if the DAA deems it necessary due to the operational risk and mission need. It is most appropriate when, for whatever reason, the iOS device is outside of the user\u2019s possession and readily accessible to others on a regular or periodic basis. If used, the recommended value is 120 days or less. If used, verify the setting has been set correctly using the following procedure:\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Maximum passcode age\" is checked and set to 120 days or less in the iOS security policy.\n\nMark as a finding if the required rule is not set up on the MDM server, if the DAA requires this setting.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD iOS device and the passcode is not changed periodically.\n",
"fixid": "F-27659r4_fix",
"fixtext": "Set maximum passcode age to 120 days or less if the DAA requires this setting. ",
"iacontrols": [
"IAIA-1",
"ECWN-1"
],
"id": "V-25009",
"ruleID": "SV-30792r2_rule",
"severity": "low",
"title": "Maximum passcode age must be set.",
"version": "WIR-MOS-iOS-G-013"
},
"V-25010": {
"checkid": "C-31213r7_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify that \"Grace period\" is checked and the sum of the \"Auto-Lock\" and \"Grace period\" values is 15 minutes or less. Acceptable combinations include a 15-minute \"Auto-Lock\" and an \"Immediate\" (or null) \"Grace period\", or a 5-minute \"Auto-Lock\" and a 5-minute \"Grace period\". On some MDM systems, the \"Grace period\" may be called \"Passcode Lock\" or a similar label.\n\nIf the required rule is not set up on the MDM server, this is a finding. \n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive DoD data could be compromised if the CMD does not automatically lock after 15 minutes of inactivity.",
"fixid": "F-27661r4_fix",
"fixtext": "Enforce the CMD inactivity timeout requirement of 15 minutes or less through a combination of \"Auto-Lock\" and \"Grace period\" values that do not sum to greater than 15 minutes. ",
"iacontrols": [
"PESL-1"
],
"id": "V-25010",
"ruleID": "SV-30795r3_rule",
"severity": "medium",
"title": "The mobile device must be set to lock the device after a set period of user inactivity. ",
"version": "WIR-MOS-iOS-G-016"
},
"V-25011": {
"checkid": "C-31214r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cMaximum failed attempts\u201d is checked and set to 10 or less.\n \nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "A hacker with unlimited attempts can determine the password of an iOS device within a few minutes using password hacking tools, which could lead to unauthorized access to the iOS device and exposure to sensitive DoD data.\n",
"fixid": "F-27662r2_fix",
"fixtext": "Set password/passcode maximum failed attempts to 10 or less.",
"iacontrols": [
"IAIA-1"
],
"id": "V-25011",
"ruleID": "SV-30796r2_rule",
"severity": "medium",
"title": "Passcode maximum failed attempts must be set to required value.",
"version": "WIR-MOS-iOS-G-017"
},
"V-25012": {
"checkid": "C-31215r6_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cAllow use of iTunes Music Store\u201d is unchecked.\n\nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Strong configuration management of all media installed on DoD devices is required to ensure the security baseline of the system is maintained. Therefore, the ability for the user to download unapproved applications must be disabled.",
"fixid": "F-27663r2_fix",
"fixtext": "Disable access to public media stores. ",
"iacontrols": [
"ECSC-1",
"ECWN-1"
],
"id": "V-25012",
"ruleID": "SV-30797r3_rule",
"severity": "medium",
"title": "Access to public media stores must be disabled.",
"version": "WIR-MOS-iOS-G-019"
},
"V-25013": {
"checkid": "C-31216r7_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify \u201cAllow installing apps\u201d is disabled or not checked.\n\nMark as a finding if the required rule is not set up on the MDM.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Application download must be disabled so that unauthorized applications are not installed on DoD-managed iOS devices. Unauthorized apps may contain malware or may modify the security baseline of the device. This could lead to the exposure of sensitive DoD data. ",
"fixid": "F-27664r4_fix",
"fixtext": "On the MDM server, set \u201cAllow installing apps\u201d to disabled (unchecked). ",
"iacontrols": [
"ECWN-1",
"ECLP-1"
],
"id": "V-25013",
"ruleID": "SV-30798r3_rule",
"severity": "medium",
"title": "Users ability to download iOS applications must be disabled.",
"version": "WIR-MOS-iOS-G-020"
},
"V-25014": {
"checkid": "C-31218r7_chk",
"checktext": "Note: The site has the ability to disable the camera by using the iPhone profile if camera use is not approved, or allow the use of the camera if use is approved and documented in the site physical security policy. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Determine if \u201cAllow use of camera\u201d is unchecked or checked.\nIf checked, verify the site physical security policy allows the use of CMD cameras.\n\nMark as a finding if \u201cAllow use of camera\u201d is checked in the iOS policy on the MDM and the site physical security policy does not allow the use of CMD cameras.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "This is an operational security issue. DoD sensitive information could be compromised if cameras are allowed in areas not authorized by the site physical security plan.",
"fixid": "F-27665r3_fix",
"fixtext": "Disable (uncheck) \"Allow use of camera\" in the iOS policy on the MDM server unless documented approval exists in the site physical security policy.",
"iacontrols": [
"ECWN-1"
],
"id": "V-25014",
"ruleID": "SV-30799r3_rule",
"severity": "low",
"title": "Mobile device cameras must be used only if documented approval is in the site physical security policy.\n",
"version": "WIR-MOS-iOS-G-021"
},
"V-25015": {
"checkid": "C-31219r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cAllow screen capture\u201d is unchecked.\n \nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive data, including FOUO data displayed on the screen, could be saved in unsecure memory on the device.",
"fixid": "F-27666r2_fix",
"fixtext": "Disable (uncheck) \"Allow screen capture\" in the iOS policy on the MDM server.",
"iacontrols": [
"ECWN-1"
],
"id": "V-25015",
"ruleID": "SV-30801r2_rule",
"severity": "medium",
"title": "Mobile device screen capture must not be allowed.\n",
"version": "WIR-MOS-iOS-G-022"
},
"V-25016": {
"checkid": "C-32252r7_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Minimum length of\" is set to 8 or more in the iOS security policy.\n\nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to required length on DoD CMDs. ",
"fixid": "F-27687r5_fix",
"fixtext": "Configure the mobile operating system to enforce a minimum length for the device unlock password. Where a security container application is used in lieu of mobile operating system protections, configure the security container application to enforce a minimum length password for entry into the application. ",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25016",
"ruleID": "SV-32026r3_rule",
"severity": "medium",
"title": "The device minimum password/passcode length must be set. ",
"version": "WIR-MOS-iOS-G-011"
},
"V-25017": {
"checkid": "C-31211r7_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify \"Auto-lock\" is set to a value other than \"Never\". \n\nIf the required rule is not set up on the MDM server, this is a finding. \n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The \"Auto-lock\" feature enforces an inactivity timeout when coupled with a password lock. Without an inactivity timeout, sensitive DoD data on the device could be easily disclosed to anyone who obtains physical possession of the device. The absence of auto-lock would also facilitate the ability of an adversary to install malware on the device. Finally, the \"Auto Lock\" feature mitigates the risk of denial of service from battery depletion because less power is needed to light the display when the device automatically locks.",
"fixid": "F-27688r4_fix",
"fixtext": "Set the CMD Auto-Lock to a value other than \"Never\". Five minutes or less is recommended.",
"iacontrols": [
"PESL-1"
],
"id": "V-25017",
"ruleID": "SV-30793r3_rule",
"severity": "low",
"title": "Apple iOS Auto-Lock must be set.",
"version": "WIR-MOS-iOS-G-014"
},
"V-25018": {
"checkid": "C-31212r7_chk",
"checktext": "Password history is only required if the DAA deems it necessary for passwords to expire due to the operational risk and mission need. If used, the recommended value is 3 or more. If used, verify the setting has been set correctly using the following procedure:\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cPasscode history\u201d is checked and set to 3 or more in the iOS security policy.\n\nMark as a finding if the required rule is not set up on the MDM server, if the DAA requires this setting.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The passcode would be more susceptible to compromise if the user can select frequently used passcodes.",
"fixid": "F-27689r4_fix",
"fixtext": "Set the mobile device passcode history setting to 3 or more if the DAA requires this setting. ",
"iacontrols": [
"IAIA-1"
],
"id": "V-25018",
"ruleID": "SV-30794r2_rule",
"severity": "low",
"title": "The mobile device passcode/password history setting must be set.",
"version": "WIR-MOS-iOS-G-015"
},
"V-25019": {
"checkid": "C-31220r5_chk",
"checktext": "The list of Bluetooth devices the iOS device has connected to should only contain authorized smart card readers (SCR) and headsets. Currently, only Bluetooth SCRs and headsets manufactured by Biometric Associates (BAI) have been approved.\n\nOn a sample of site-managed iOS devices (pick 3-4 random devices), verify the iOS device has only been connected to authorized Bluetooth peripherals.\n\n-Have the user log into the device.\n-Go to Settings > Bluetooth.\n-Verify only approved devices are listed under \u201cDevices\u201d.\n\nMark as a finding if unauthorized peripherals have been connected to the iOS device. ",
"description": "The Bluetooth radio can be used by a hacker to connect to the iOS device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
"fixid": "F-27690r3_fix",
"fixtext": "Train the user to not connect the iOS device to unauthorized Bluetooth peripherals. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25019",
"ruleID": "SV-34930r3_rule",
"severity": "medium",
"title": "The mobile device Bluetooth radio must only connect to authorized Bluetooth peripherals.",
"version": "WIR-MOS-iOS-040-01"
},
"V-25022": {
"checkid": "C-31203r8_chk",
"checktext": "The following banner is required: \n\u201cI've read & consent to terms in IS user agreem't.\u201d \n\nCheck Procedure: \n\nOn the iOS device, complete the following:\nCheck a sample of devices (3-4). The procedure will vary, depending on the MDM server used. For iOS, the banner is only displayed when logging into the security container.\n\nThe banner must exactly match the required phrase.\n\nMark as a finding if the required banner is not configured to display during device unlock/logon.\n\nIf the Good Technology MDM server is used, complete the following:\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify either password or CAC authentication has been enabled for the MDM agent.\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select a policy set to review and click on the policy. \n-On the left tab, select Compliance Manager. \n-Verify a \"Custom\" or \"iOS DoD Login Banner\" rule is listed. (Note the rule title does not have to be exact.) \n-Open the rule by checking the box next to the rule and then click Edit. \n-Verify \"Failure Action\" is set to \"Quit Good for Enterprise\".\n-Verify \"Check Every\" is set to \"6 hours\".\n-Verify Rule File = disclaimer.xml.",
"description": " DoD CIO memo requires all CMDs to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. ",
"fixid": "F-27693r1_fix",
"fixtext": "Display the required banner during device unlock/logon. ",
"iacontrols": [
"ECWM-1"
],
"id": "V-25022",
"ruleID": "SV-30786r2_rule",
"severity": "medium",
"title": "All mobile devices must display the required banner during device unlock/logon.\n",
"version": "WIR-MOS-iOS-007"
},
"V-25033": {
"checkid": "C-31256r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cAllow use of Safari\u201d is not checked. \n \nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The Safari browser does not support FIPS 140-2 validated encryption and CAC authentication to DoD websites. FIPS validation provides a level of assurance that encrypted sensitive data will not be compromised.",
"fixid": "F-27720r3_fix",
"fixtext": "Disable (uncheck) \"Allow use of Safari\" in the iOS policy on the MDM server.",
"iacontrols": [
"ECWN-1",
"ECSC-1"
],
"id": "V-25033",
"ruleID": "SV-30834r2_rule",
"severity": "low",
"title": "iOS Safari must be disabled.\n",
"version": "WIR-MOS-iOS-G-018-01"
},
"V-25051": {
"checkid": "C-31304r3_chk",
"checktext": "Location based services is a User Based Enforcement (UBE) service.\n\nOn a sample of 3-4 devices managed by the site, verify iOS Location Services is disabled for all applications unless the site has a letter/memo stating the DAA or the Command Application Configuration Control Board (CCB) has approved location-based services for specific applications (e.g., Google Maps, Camera, etc.).\n\nGo to Settings > Privacy > Location Services. Verify the service is off for all applications or off for unapproved applications.\n\nMark as a finding if any application not authorized for location services has location services turned on.",
"description": "Mobile device location services allow applications to gather information about the location of the handheld device and possibly forward it to servers located on the Internet. This is an operational security issue for DoD mobile devices.",
"fixid": "F-27774r2_fix",
"fixtext": "Turn off location services during device provisioning and users will not enable the service unless approved for use. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25051",
"ruleID": "SV-34932r2_rule",
"severity": "low",
"title": "Location services must be turned off unless authorized for use for particular applications, in which case, location services must only be available to the authorized applications.",
"version": "WIR-MOS-iOS-042"
},
"V-25092": {
"checkid": "C-31417r6_chk",
"checktext": "On a sample of site-managed iOS devices (pick 3-4 random devices), have the user turn on and log into the device. \n\n-Go to Settings > Wi-Fi. \n-Touch Wi-Fi.\n-Check the setting of \"Ask to Join Networks\". \n\nVerify \"Ask to Join Networks\" is set to off (not selected).\n\nMark as a finding if \"Ask to Join Networks\" is not set to off.",
"description": "When \u201cAsk to Join Networks\u201d is set to on, the user is alerted whenever they are in the vicinity of a Wi-Fi hotspot and could be tempted to connect to an unauthorized public hotspot, which could be managed by a hacker. Although the risk of exposing sensitive DoD data is low, setting this configuration as specified is a security best practice. ",
"fixid": "F-27875r4_fix",
"fixtext": "Set \"Ask to Join Networks\" to \"Off\".\n ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25092",
"ruleID": "SV-31000r3_rule",
"severity": "low",
"title": "The iOS device Wi-Fi setting Ask to Join Networks must be set to Off at all times (User Based Enforcement (UBE)).\n",
"version": "WIR-iOS-005"
},
"V-25755": {
"checkid": "C-32247r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cAllow In-App Purchases\u201d is unchecked.\n \nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Strong configuration management of all applications installed on DoD devices is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised. Therefore, the ability for the user to download unapproved applications must be disabled.",
"fixid": "F-28612r2_fix",
"fixtext": "Disable (uncheck) \"Allow In-App Purchases\" in the iOS policy on the MDM server.",
"iacontrols": [
"DCCB-1",
"DCCB-2"
],
"id": "V-25755",
"ruleID": "SV-32021r3_rule",
"severity": "low",
"title": "Access to online application purchases must be disabled.",
"version": "WIR-MOS-iOS-G-023"
},
"V-27635": {
"checkid": "C-35072r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify the MDM has a setting that will wipe all data and non-core applications when a wipe commend is sent to managed mobile devices.\n \nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.\n\nIf the Good Technology MDM server is used, complete the following:\n-Verify \"Enable remote full device wipe\" is checked.",
"description": "Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.",
"fixid": "F-30358r2_fix",
"fixtext": "Enable remote full device wipe on iOS devices.\n",
"iacontrols": [
"ECWN-1",
"ECCR-1"
],
"id": "V-27635",
"ruleID": "SV-35228r2_rule",
"severity": "medium",
"title": "Remote full device wipe must be enabled.",
"version": "WIR-MOS-iOS-G-008"
},
"V-32686": {
"checkid": "C-41051r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow Siri\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The Siri application connects to Apple servers and stores information about the device and user inquiries on those servers. The use of Siri could lead to the compromise of sensitive DoD information.\n",
"fixid": "F-36587r1_fix",
"fixtext": "Disable Siri in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32686",
"ruleID": "SV-43032r1_rule",
"severity": "medium",
"title": "iOS Siri application must be disabled.\n",
"version": "WIR-MOS-iOS-50-02"
},
"V-32688": {
"checkid": "C-41052r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow multiplayer gaming\" is not enabled.\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The game function connects to Apple servers and allows the transfer of device data to other iOS devices. The use of the game function could lead to the compromise of sensitive DoD information.",
"fixid": "F-36588r1_fix",
"fixtext": "Disable multiplayer gaming in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32688",
"ruleID": "SV-43034r1_rule",
"severity": "medium",
"title": "iOS Multiplayer Gaming must be disabled.\n",
"version": "WIR-MOS-iOS-50-03"
},
"V-32689": {
"checkid": "C-41053r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Adding Game Center Friends\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.\n",
"description": "The game function connects to Apple servers and allows the transfer of device data to other iOS devices. The use of the game function could lead to the compromise of sensitive DoD information.\n",
"fixid": "F-36589r1_fix",
"fixtext": "Disable Adding Game Center Friends in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32689",
"ruleID": "SV-43035r1_rule",
"severity": "medium",
"title": "Adding Game Center Friends must be disabled.\n",
"version": "WIR-MOS-iOS-50-04"
},
"V-32690": {
"checkid": "C-41054r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow iCloud Backup\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.\n",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers. Acceptable backup methods include backup to the MDM server or backup to a DoD PC via a USB connection.",
"fixid": "F-36590r1_fix",
"fixtext": "Disable iCloud Backup in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32690",
"ruleID": "SV-43036r1_rule",
"severity": "medium",
"title": "iCloud Backup must be disabled. ",
"version": "WIR-MOS-iOS-50-05"
},
"V-32691": {
"checkid": "C-41055r5_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow Document Syncing\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
"fixid": "F-36591r1_fix",
"fixtext": "Disable Document Syncing in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32691",
"ruleID": "SV-43037r1_rule",
"severity": "medium",
"title": "Document Syncing must be disabled. ",
"version": "WIR-MOS-iOS-50-06"
},
"V-32693": {
"checkid": "C-41056r7_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow Photo Stream\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
"fixid": "F-36592r1_fix",
"fixtext": "Disable Photo Stream in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32693",
"ruleID": "SV-43039r1_rule",
"severity": "low",
"title": "Photo Stream must be disabled.\n",
"version": "WIR-MOS-iOS-50-07"
},
"V-32695": {
"checkid": "C-41057r6_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow Diagnostic Data to be Sent to Apple\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive DoD information could be compromised if this setting is not implemented. DoD mobile device diagnostic data could be considered sensitive data and should not be sent to Apple and reside on Apple servers.\n",
"fixid": "F-36593r2_fix",
"fixtext": "Disable \"Allow Diagnostic Data to be Sent to Apple\" in the iOS security policy.",
"iacontrols": [
"ECWM-1"
],
"id": "V-32695",
"ruleID": "SV-43041r2_rule",
"severity": "medium",
"title": "Diagnostic Data must not be sent to Apple or other unauthorized entity.",
"version": "WIR-MOS-iOS-50-08"
},
"V-32696": {
"checkid": "C-41058r4_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client is configured to timeout an inactive session after a set period of inactivity. The check procedures will vary depending on the VPN client used.\n\nMark as a finding if the VPN client is not configured to timeout after 4 hours.",
"description": "DoD data and the DoD network could be compromised if transmitted data is not secured with a compliant VPN. A VPN provides an open connection to the DoD network. If the VPN client does not timeout after the required period of inactivity, and a hacker is able to bypass the device password controls, they would have access to the DoD network.\n",
"fixid": "F-36594r3_fix",
"fixtext": "Configure the VPN client to timeout a session after 4 hours of inactivity.",
"iacontrols": [
"ECWN-1"
],
"id": "V-32696",
"ruleID": "SV-43042r1_rule",
"severity": "medium",
"title": "All mobile device VPN clients must timeout after a set period of inactivity. \n",
"version": "WIR-MOS-iOS-034-05"
},
"V-32697": {
"checkid": "C-41059r3_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client is inactive session timeout has been set to 2 hours or less, if this parameter is configurable. If the specification sheets do not provide evidence of this capability, authenticate the VPN, wait two hours, and verify the system prompts the user for fresh credentials.\n\nMark as a finding if the timeout period is not set as required.",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. User authentication credentials (CAC PIN) may be compromised if a hacker credential cache is not wiped on a periodic basis.",
"fixid": "F-36595r2_fix",
"fixtext": "Configure the VPN client to timeout an inactive session of 2 hours or less.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32697",
"ruleID": "SV-43043r1_rule",
"severity": "medium",
"title": "The mobile operating system must not cache smart card or certificate store passwords used by the VPN client for more than two hours.\n",
"version": "WIR-MOS-iOS-034-06"
},
"V-32698": {
"checkid": "C-41061r4_chk",
"checktext": "Check the list of applications in Settings on a sample of 2-3 iOS devices. Verify an MDM, MAM, and integrity validation agent are installed on the device.\n\nNote that one or more agents may be used. Some agents may perform one or more of these functions. Ask the site for the name of the product(s) used. Mark as a finding if any of the required agent(s) are not installed.",
"description": "The MDM, MAM, and integrity scanning agents all perform various security management functions on the iOS devices (some products integrate all three functions into one agent). If these agents are not on the mobile device, key security controls may not be enforced, which could lead to the compromise of sensitive DoD data.\n",
"fixid": "F-36596r2_fix",
"fixtext": "Install MDM, MAM, and integrity validation agent(s) on the iOS device.",
"iacontrols": [
"ECWN-1"
],
"id": "V-32698",
"ruleID": "SV-43044r1_rule",
"severity": "high",
"title": "MDM, MAM, and integrity validation agent(s) must be installed on the mobile OS device. ",
"version": "WIR-MOS-60"
},
"V-32699": {
"checkid": "C-41062r6_chk",
"checktext": "Apple iOS 6 meets this requirement if an MDM profile is used on the iOS device to manage the device security policy. Verify an MDM profile is installed on a sample of devices (3-4): Settings > General > Profiles.\n\nMark as a finding if the site does not use an MDM profile to manage the security policy on site-managed iOS devices (it has already been verified that iOS 6 does not permit a user to modify the MDM profile).\n",
"description": "The integrity of the security policy and enforcement mechanisms is critical to the IA posture of the operating system. If a user can modify a device's security policy or enforcement mechanisms, then a wide range of subsequent attacks are possible, including unauthorized access to information and networks. Access controls that prevent a user from making modifications such as these mitigate the risk of operating system compromise.\n",
"fixid": "F-36597r4_fix",
"fixtext": "Use an MDM profile to manage the security policy on site-managed iOS devices.",
"iacontrols": [
"ECWN-1"
],
"id": "V-32699",
"ruleID": "SV-43045r2_rule",
"severity": "high",
"title": "The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.\n",
"version": "WIR-MOS-iOS-65-01"
},
"V-32700": {
"checkid": "C-41063r5_chk",
"checktext": "The link between iOS 6 and Apple meets this requirement for iOS updates from Apple.\n\nReview the software loading process between the mobile device and the provisioning server (MDM and/or MAM) to determine if it meets the necessary assurance for mutual authentication. Acceptable mutual authentication mechanisms may include PKI or shared secret based systems. A review of product documentation may be necessary. Mark as a finding if the trusted loading process does not meet the criteria.",
"description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Mutual authentication ensures both that the device is authorized for provisioning and that a rogue provisioning server is not used to obtain software.\n",
"fixid": "F-36598r2_fix",
"fixtext": "Configure the mobile operating system to authenticate the provisioning server prior to accepting provisioned software.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32700",
"ruleID": "SV-43046r1_rule",
"severity": "high",
"title": "The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "WIR-MOS-iOS-65-02"
},
"V-32701": {
"checkid": "C-41064r5_chk",
"checktext": "The link between iOS 6 and Apple meets this requirement for iOS updates from Apple.\n\nReview system documentation and operating system configuration to determine if there is appropriate cryptography protecting the confidentiality of OTA provisioning between the mobile device and the provisioning server (MDM and/or MAM). AES encryption is one example of an acceptable cryptography. A review of product documentation may be needed. If the provisioning data is not protected by cryptographic means during an OTA provisioning procedure, this is a finding.",
"description": "Provisioning data may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. \n",
"fixid": "F-36599r1_fix",
"fixtext": "Configure the operating system to use cryptography providing confidentiality for provisioning downloads.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32701",
"ruleID": "SV-43047r1_rule",
"severity": "medium",
"title": "The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "WIR-MOS-iOS-65-03"
},
"V-32702": {
"checkid": "C-41065r4_chk",
"checktext": "The link between iOS 6 and Apple meets this requirement for iOS updates from Apple.\n\nReview system documentation and operating system configuration to determine if there are appropriate integrity mechanisms protecting the confidentiality of OTA provisioning between the mobile device and the provisioning server (MDM and/or MAM). A review of product documentation may be needed. Appropriate integrity mechanisms generally involve the use of FIPS validated cryptographic modules implementing algorithms that provide integrity services. If there are no such mechanisms present, this is a finding.",
"description": "Provisioning data may be sensitive and therefore must be adequately protected. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process. Proper use of cryptography provides strong assurance that provisioning data is protected against integrity attacks. \n",
"fixid": "F-36600r1_fix",
"fixtext": "Configure the operating system to use cryptography providing integrity for provisioning downloads.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32702",
"ruleID": "SV-43048r1_rule",
"severity": "medium",
"title": "The mobile operating system must protect the integrity of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "WIR-MOS-iOS-65-04"
},
"V-32703": {
"checkid": "C-41066r5_chk",
"checktext": "Review system documentation and operating system configuration to determine if the system administrator has the ability to disable OTA provisioning on the MDM and/or MAM server.\n\nThe Good Technology server meets this requirement.",
"description": "In some environments, the risk of OTA provisioning may outweigh any convenience benefit it offers. In addition, some OTA mechanisms do not provide appropriate authentication and cryptographic integrity measures. In such cases, the administrator should have the ability to disable OTA provisioning to ensure secure breaches do not occur from use of this technique.\n",
"fixid": "F-36601r2_fix",
"fixtext": "Disable OTA provisioning if threat conditions warrant this action. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-32703",
"ruleID": "SV-43049r1_rule",
"severity": "low",
"title": "The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning. \n",
"version": "WIR-MOS-iOS-65-05"
},
"V-32706": {
"checkid": "C-41069r8_chk",
"checktext": "Review a sample of site-managed devices (3-4), interview the IAO, and review product documentation. \nNote: iOS does not currently provide a FIPS 140-2 validated cryptographic module for application services. Accordingly, third-party applications transmitting or receiving DoD sensitive information (MDM agent, email client, or browser) that leverage FIPS 140-2 validated cryptographic modules must be used to meet the requirement. VPN clients that do not possess the Apple VPN entitlement must also use a third-party FIPS 140-2 validated cryptographic module.\n\nIf a site uses an application that transmits or receives sensitive DoD information, verify the application (MDM agent, email client, browser, or VPN client) leverages a FIPS 140-2 validated cryptographic module for this purpose. Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid.\n\nIf a site uses a third-party application that handles data in transit (MDM agent, email client, or browser) using cryptography that has not been FIPS 140-2 validated, this is a finding. ",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
"fixid": "F-36604r4_fix",
"fixtext": "Stop using the operating system until the vendor has obtained FIPS validation, or install a third-party product that has a FIPS 140-2 validated cryptographic module.",
"iacontrols": [
"DCNR-1"
],
"id": "V-32706",
"ruleID": "SV-43052r2_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.\n",
"version": "WIR-MOS-iOS-65-08"
},
"V-32711": {
"checkid": "C-41072r4_chk",
"checktext": "Review the operating system and browser configuration to determine if traffic is forced through DoD proxy servers. \n\nIf greater assurance is required, access a number of Internet web sites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server. \n\nNote: Although in iOS 6, Safari can be configured to meet this requirement, Safari encryption is not FIPS 140-2 validated and cannot be used in the DoD. Therefore, a third-party browser must be used.\n\nThere are two acceptable implementations for this requirement.\n\n1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway. \n\n2. The device browser supports a proxy server setting that forces all traffic to a specified the proxy server when configured to do so. The configuration must be from an MDM server and not user modifiable. In some implementations, the user may enter a container application to access the browser functionality. \n\nVerify that none of the unauthorized browsers can be used. On a sample of 3-4 devices, identify the browsers on the device. If any are unauthorized, verify they are not functional. \n\nMark as a finding if any non-compliant browser is functional. ",
"description": "Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.\n",
"fixid": "F-36607r2_fix",
"fixtext": "Disable browsers that do not support a feature to direct all traffic to a DoD proxy server. Configure browsers that support this functionality to direct all traffic to a DoD proxy server. \n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32711",
"ruleID": "SV-43057r2_rule",
"severity": "medium",
"title": "The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server. \n",
"version": "WIR-MOS-iOS-65-11"
},
"V-32716": {
"checkid": "C-41076r5_chk",
"checktext": "The method for meeting this requirement using an iOS device is by implementing MDIS and MAM servers in the system architecture. \n\nVerify the site has implemented both the MDIS and MAM servers by reviewing system documentation and interviewing the IAO and verify the MDIS and MAM agents are installed on a sample (3-4) of site-managed devices. \n\nMark as a finding if an MDIS and MAM server are not installed in the system architecture.",
"description": "In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can result in the disclosure of sensitive information or cause a denial of service. Anti-virus applications are not common on mobile operating systems but one or more methods to mitigate the risk of malware must be in place to protect DoD information and networks.\n",
"fixid": "F-36611r2_fix",
"fixtext": "Install MDIS and MAM servers in the system architecture. \n",
"iacontrols": [
"ECVP-1"
],
"id": "V-32716",
"ruleID": "SV-43062r2_rule",
"severity": "high",
"title": "The mobile operating system must employ a DoD-approved anti-malware protections.",
"version": "WIR-MOS-iOS-65-15"
},
"V-34172": {
"checkid": "C-42133r2_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \"Allow Shared Photo Stream\" is not enabled.\n\nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
"fixid": "F-38082r1_fix",
"fixtext": "Disable Shared Photo Stream in the iOS security policy.",
"iacontrols": [
"ECWN-1"
],
"id": "V-34172",
"ruleID": "SV-44625r1_rule",
"severity": "medium",
"title": "Shared Photo Stream must be disabled. ",
"version": "WIR-MOS-iOS-70-01"
},
"V-34173": {
"checkid": "C-42134r1_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify \u201cAllow Passbook\u201d is not enabled.\n \nMark as a finding if not set as required.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "iOS Passbook allows applications to be accessed after the iOS device is locked. The icons for passbook enabled apps are shown on the device screen after the device is locked. Any sensitive data stored in the available application would be available if the iOS device is lost or stolen. Therefore, sensitive DoD data could be exposed. ",
"fixid": "F-38083r2_fix",
"fixtext": "Disable access to Passbook in the iOS security policy.",
"iacontrols": [
"ECWN-1"
],
"id": "V-34173",
"ruleID": "SV-44626r1_rule",
"severity": "medium",
"title": "Access to iOS Passbook applications must be disabled.",
"version": "WIR-MOS-iOS-70-02"
},
"V-34174": {
"checkid": "C-42135r2_chk",
"checktext": "This is a User-Based Enforcement (UBE) control.\nOn a sample of site-managed iOS devices (pick 3-4 random devices), check that no applications have been enabled for Bluetooth sharing.\n\n-Have the user log into the device.\n-Go to Settings > Privacy > Bluetooth Sharing.\n-Verify there are no applications listed.\n\nMark as a finding if any applications are listed on the Bluetooth sharing screen.",
"description": "The iOS device Bluetooth sharing feature allows applications to share data saved on the iOS device with other iOS devices via Bluetooth connections between the devices. This feature allows the wireless transmission of sensitive DoD data without using FIPS 140-2 validated encryption as required by DoD policy and could expose sensitive DoD data to unauthorized individuals.",
"fixid": "F-38084r1_fix",
"fixtext": "Delete all applications listed on the Bluetooth sharing screen or disable sharing of these applications.",
"iacontrols": [
"ECWN-1"
],
"id": "V-34174",
"ruleID": "SV-44627r1_rule",
"severity": "medium",
"title": "The iOS device user must not allow applications to share data between iOS devices via Bluetooth.",
"version": "WIR-MOS-iOS-70-03"
},
"V-34316": {
"checkid": "C-42310r2_chk",
"checktext": "This check is not applicable if the site does not use any iOS devices from ATT.\n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. Verify a Wi-Fi profile has been set up in the security policy with the following features:\n\u2022SSID: attwifi.\n\u2022Passphrase: any eight-character or larger passphrase.\n\u2022Auto-join: set to off.\n\n(Note: This setting effectively stops the iOS device from automatically connecting to the attwifi network when in range of a network access point and also disables the ability of a user to connect to the network.)\n\nMark as a finding if the required Wi-Fi profile is not set up in the security policy or it does not have the required configuration.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.\n\nOn the Good Technology MDM server, the Wi-Fi profile is found in the \u201cWiFi\u201d tab of the \u201ciOS Configuration\u201d section of the security policy.",
"description": "iOS has the capability to \u201cauto-join\u201d public Wi-Fi networks that are pre-configured in iOS. This feature is available in iOS to improve a user\u2019s experience when connecting to the Internet. The \u201cattwifi\u201d public network has been found to be monitored by hackers and easily spoofed, so users do not know if they are connecting to the real network or the hacker-controlled network. Sensitive DoD data could be exposed if a DoD user\u2019s iOS device is connected to a hacker-controlled Wi-Fi network. An iOS GSM device from ATT will attempt to auto-join any attwifi network in the vicinity of the device. ",
"fixid": "F-38277r1_fix",
"fixtext": "Set up a Wi-Fi profile on the MDM server security policy to disable attwifi network connections.",
"iacontrols": [
"ECWN-1"
],
"id": "V-34316",
"ruleID": "SV-44841r2_rule",
"severity": "medium",
"title": "A Wi-Fi profile must be set up on managed iOS devices to disable access to any public Wi-Fi network that iOS may otherwise auto-join. ",
"version": "WIR-MOS-iOS-70-04"
},
"V-34322": {
"checkid": "C-42312r7_chk",
"checktext": "Interview the site IAO and iOS device system administrator. Also, perform the following actions on a random sample of site-managed iOS devices (3-4 devices, iPhone and iPad).\n\n-Verify an iOS restriction has been placed on the iOS devices and the system administrator has assigned a four-character passcode, so the user cannot remove it. The iOS Restriction passcode must meet the same complexity requirements as the device unlock passcode: no sequential numbers and no repeating numbers.\n\n*Have the site iOS system administrator show that a Restriction policy is on the device. Go to Settings > General > Restrictions. Mark as a finding if no Restriction exists. \n\n*Have the site iOS system administrator log into the Restriction policy. Mark as a finding if the restriction passcode is not 4 characters or does not meet the complexity requirements.\n\n*Interview several users and determine if they have been given the Restriction passcode by the system administrator. If yes, mark as a finding.\n\n-After the system administrator opens the Restriction, verify the following configuration setting has been set in the Restriction policy to disable the capability for a device wipe command to be initiated on the device when received from an iCloud account:\n\n----Allow Changes > Accounts > Don't Allow Changes (If the DAA has not approved the use of personal email, this setting must be checked. If not checked, ask to see documentation showing DAA approval of personal email on site-managed iOS devices.) \n\n-If personal email is allowed, verify the following configuration setting has been set in the Restriction policy:\n\n----Privacy > Location Services > Find My iPhone set to Off.\n\nMark as a finding if any of these settings is not set as required.",
"description": "If a DoD iOS device is associated with an iCloud account, a user of that iCloud account, or anyone who gains access to that iCloud account, can send a device wipe command to the iOS device and the device will wipe itself. This will cause a Denial-of-Service (DoS) attack on the device. There are two possible mitigations for this vulnerability: \n\n1. Disable all personal email on the iOS device via an iOS Restriction. This is the recommended method. The use of personal email on iOS devices could cause sensitive DoD data to be saved on the device outside the security container if a DoD email message with sensitive data is forwarded to a personal email account and that email message is viewed on the device. Disabling all personal email also disables \"Find My iPhone\" which, if functional, would have the capability of wiping a DoD iOS device from an iCloud account that is configured to a personal email address.\n\n2. Disable \"Find My iPhone\" via an iOS Restriction. This method should only be used if there is a mission need for a user to have personal email accounts set up on their DoD iOS device and use of personal email has been approved by the DAA.",
"fixid": "F-38284r2_fix",
"fixtext": "Set up the required Restriction policy on each site-managed iOS device.",
"iacontrols": [
"ECWN-1"
],
"id": "V-34322",
"ruleID": "SV-44851r2_rule",
"severity": "medium",
"title": "The ability to wipe a DoD iOS device via an iCloud account must be disabled.",
"version": "WIR-MOS-iOS-70-05"
},
"V-35006": {
"checkid": "C-43430r1_chk",
"checktext": "On a sample of site-managed iOS devices (pick 3-4 random devices), have the user turn on and log into the device. \n\n-Go to Settings > Messages > iMessage. \n-Check the setting of \"iMessage\". \n\nVerify \"iMessage\" is set to off (not selected).\n\nMark as a finding if \"iMessage\" is not set to off.\n",
"description": "iOS iMessage service provides the potential for the exposure of private and possibly sensitive DoD information. When a DoD iOS device is transferred to a new user or disposed of, the device may still receive iMessages sent to the previous DoD user. iMessage phone numbers on a specific iOS device can persist after a SIM has been removed from the phone. For example, SIM A is placed in a phone, activated on iMessage, and then swapped out for SIM B. That phone will receive iMessages bound for the phone numbers on both SIM A and SIM B until the iMessage service on the phone has been turned off and then back on again. This vulnerability exists for GSM devices but not for CDMA devices. When the original device user receives messages via their iMessage account, the message will be displayed on their old iOS device. The wipe procedure for the iOS device must include specific procedures (outlined in the STIG Overview) to mitigate this risk.\n",
"fixid": "F-39560r1_fix",
"fixtext": "Set \"iMessage\" to \"Off\".",
"iacontrols": [
"ECWN-1"
],
"id": "V-35006",
"ruleID": "SV-46252r1_rule",
"severity": "low",
"title": "The iOS device iMessage service must be set to Off at all times (User Based Enforcement (UBE)). ",
"version": "WIR-MOS-iOS-70-06"
},
"V-37769": {
"checkid": "C-45642r2_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify \u201cAlphanumeric\u201d is checked in the policy.\n\nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.",
"description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required complexity on DoD CMDs. ",
"fixid": "F-42656r1_fix",
"fixtext": "Select the \u201cAlphanumeric\u201d configuration setting in the MDM security policy.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-37769",
"ruleID": "SV-49532r1_rule",
"severity": "medium",
"title": "The iOS Passcode must contain at least one alphabetic and one numeric character.",
"version": "WIR-MOS-iOS-G-024"
},
"V-37770": {
"checkid": "C-45643r2_chk",
"checktext": "1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.\n2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify \u201cMinimum number of complex characters\u201d is checked and at least \u201c1 character\u201d is selected in the iOS security policy.\n\nMark as a finding if the required rule is not set up on the MDM server.\n\nNote: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.\n",
"description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required complexity on DoD CMDs. The DoD CMD password requirements for protecting sensitive data are that the password must be at least 8 characters in length and contain at least one lowercase letter, one uppercase letter, and one number. In addition, sequential characters/numbers may not be used in the password. It is not currently possible to require both an uppercase letter and lowercase letter for the iOS passcode, or to enforce the sequential character restriction, so the iOS passcode must contain a special character to approximate the same password strength as the DoD-specified password complexity rules.",
"fixid": "F-42657r1_fix",
"fixtext": "Select the \u201cMinimum number of complex characters\u201d and \u201c1 character\u201d configuration settings in the MDM iOS security policy.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-37770",
"ruleID": "SV-49533r1_rule",
"severity": "medium",
"title": "The iOS Passcode must contain at least one complex (non-alphanumeric) character.",
"version": "WIR-MOS-iOS-G-025"
},
"V-54983": {
"checkid": "C-55611r1_chk",
"checktext": "Apple support for iOS6 ended 18 September 2013. If iOS6 is installed on a mobile device, this is a finding.",
"description": "Apple iOS operating systems that are no longer supported by Apple for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack. Organizations must transition to a supported operating system to ensure continued support.",
"fixid": "F-59847r1_fix",
"fixtext": "Upgrade iOS6 mobile devices to a supported operating system.",
"iacontrols": [
"DCSQ-1"
],
"id": "V-54983",
"ruleID": "SV-69229r1_rule",
"severity": "high",
"title": "Apple iOS operating systems that are no longer supported by the vendor for security updates must not be installed on a system.",
"version": "WIR-MOS-iOS-500"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25007": "true",
"V-25008": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25019": "true",
"V-25022": "true",
"V-25033": "true",
"V-25051": "true",
"V-25092": "true",
"V-25755": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32706": "true",
"V-32711": "true",
"V-32716": "true",
"V-34172": "true",
"V-34173": "true",
"V-34174": "true",
"V-34316": "true",
"V-34322": "true",
"V-35006": "true",
"V-37769": "true",
"V-37770": "true",
"V-54983": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "apple_ios6",
"title": "Apple iOS6 Security Technical Implementation Guide",
"version": "1"
}
}