Apple iOS 6 Security Technical Implementation Guide (STIG)


Overview

Date: 2013-05-23
Finding Count (54): CAT I (High): 4, CAT II (Med): 35, CAT III (Low): 15
STIG Description
This STIG contains technical security controls required for the use of Apple iOS 6 devices (iPhone and iPad) in the DoD environment when managed by an approved mobile management server. Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-32716 High The mobile operating system must employ DoD-approved anti-malware protections.
V-32698 High MDM, MAM, and integrity validation agent(s) must be installed on the mobile OS device.
V-32699 High The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.
V-32700 High The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.
V-34174 Medium The iOS device user must not allow applications to share data between iOS devices via Bluetooth.
V-32711 Medium The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.
V-34173 Medium Access to iOS Passbook applications must be disabled.
V-34172 Medium Shared Photo Stream must be disabled.
V-25010 Medium The mobile device must be set to lock the device after a set period of user inactivity.
V-25011 Medium Passcode maximum failed attempts must be set to required value.
V-27635 Medium Remote full device wipe must be enabled.
V-25013 Medium Users' ability to download iOS applications must be disabled.
V-25007 Medium Mobile devices must be configured to require a password/passcode for device unlock.
V-34322 Medium The ability to wipe a DoD iOS device via an iCloud account must be disabled.
V-25019 Medium The mobile device Bluetooth radio must only connect to authorized Bluetooth peripherals.
V-32696 Medium All mobile device VPN clients must timeout after a set period of inactivity.
V-32697 Medium The mobile operating system must not cache smart card or certificate store passwords used by the VPN client for more than two hours.
V-25016 Medium The device minimum password/passcode length must be set.
V-32695 Medium Diagnostic Data must not be sent to Apple or other unauthorized entity.
V-37769 Medium The iOS Passcode must contain at least one alphabetic and one numeric character.
V-32690 Medium iCloud Backup must be disabled.
V-32691 Medium Document Syncing must be disabled.
V-25022 Medium All mobile devices must display the required banner during device unlock/logon.
V-32701 Medium The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.
V-32702 Medium The mobile operating system must protect the integrity of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.
V-32706 Medium The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.
V-25012 Medium Access to public media stores must be disabled.
V-19899 Medium All mobile device VPN clients must have split tunneling disabled.
V-19898 Medium All mobile device VPN clients used for remote access to DoD networks must be configured to require CAC authentication.
V-32688 Medium iOS Multiplayer Gaming must be disabled.
V-19897 Medium All mobile device VPN clients used for remote access to DoD networks must support AES encryption.
V-34316 Medium A Wi-Fi profile must be set up on managed iOS devices to disable access to any public Wi-Fi network that iOS may otherwise auto-join.
V-37770 Medium The iOS Passcode must contain at least one complex (non-alphanumeric) character.
V-32686 Medium iOS Siri application must be disabled.
V-32689 Medium Adding Game Center Friends must be disabled.
V-25003 Medium Mobile devices must have the required operating system software version installed.
V-24983 Medium S/MIME must be installed on the mobile device so users can sign/encrypt email.
V-25015 Medium Mobile device screen capture must not be allowed.
V-18627 Medium The VPN client on mobile devices used for remote access to DoD networks must be FIPS 140-2 validated.
V-25017 Low Apple iOS Auto-Lock must be set.
V-35006 Low The iOS device iMessage service must be set to Off at all times (User Based Enforcement (UBE)).
V-25051 Low Location services must be turned off unless authorized for use for particular applications, in which case, location services must only be available to the authorized applications.
V-25033 Low iOS Safari must be disabled.
V-25018 Low The mobile device passcode/password history setting must be set.
V-32693 Low Photo Stream must be disabled.
V-25092 Low The iOS device Wi-Fi setting Ask to Join Networks must be set to Off at all times (User Based Enforcement (UBE)).
V-32703 Low The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning.
V-25755 Low Access to online application purchases must be disabled.
V-25009 Low Maximum passcode age must be set.
V-24984 Low If mobile device email auto signatures are used, the signature message must not disclose the email originated from a CMD (e.g., Sent From My Wireless Handheld).
V-25008 Low The iOS device password complexity must be set to the required value.
V-24982 Low Smart Card Readers (SCRs) used with CMDs must have required software version installed.
V-25014 Low Mobile device cameras must be used only if documented approval is in the site physical security policy.
V-24985 Low The browser must direct all traffic to a DoD Internet proxy gateway.