Apple iOS 6 Interim Security Configuration Guide (ISCG)


Overview

Date: 2013-01-17
Finding Count (60): CAT I (High): 5, CAT II (Med): 39, CAT III (Low): 16

STIG Description
This ISCG contains technical security controls required for the use of Apple iOS 6 devices (iPhone and iPad) in the DoD environment when managed by an approved mobile management server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-32716 High The mobile operating system must employ a DoD approved anti-malware protections.
V-32698 High MDM, MAM, and integrity validation agent(s) must be installed on the mobile OS device.
V-32699 High The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.
V-32700 High The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.
V-36442 High Adobe Flash Player and AIR Buffer Overflow Vulnerability
V-32712 Medium The mobile operating system must encrypt all data on the mobile device using AES encryption.
V-32711 Medium The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.
V-32695 Medium Diagnostic Data must not be sent to Apple or other unauthorized entity.
V-34173 Medium Access to iOS Passbook applications must be disabled.
V-34172 Medium Shared Photo Stream must be disabled.
V-25007 Medium Mobile devices must be configured to require a password/passcode for device unlock.
V-25011 Medium Passcode maximum failed attempts must be set to required value.
V-27635 Medium Remote full device wipe must be enabled.
V-25013 Medium Users ability to download iOS applications must be disabled.
V-34322 Medium The ability to wipe a DoD iOS device via an iCloud account must be disabled.
V-25019 Medium The mobile device Bluetooth radio must be disabled if not authorized for use.
V-32696 Medium All mobile device VPN clients must timeout after a set period of inactivity.
V-32697 Medium The mobile operating system must not cache smart card or certificate store passwords used by the VPN client for more than two hours.
V-25016 Medium The device minimum password/passcode length must be set.
V-25010 Medium The mobile device must be set to lock the device after a set period of user inactivity.
V-32690 Medium iCloud Backup must be disabled.
V-32691 Medium Document Syncing must be disabled.
V-25022 Medium All mobile devices must display the required banner during device unlock/logon.
V-34174 Medium The iOS device user must not allow applications to share data between iOS devices via Bluetooth.
V-32701 Medium The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.
V-32702 Medium The mobile operating system must protect the integrity of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.
V-32704 Medium The mobile operating system must encrypt all data in transit using AES encryption when communicating with DoD information resources (128-bit key length is the minimum requirement; 256-bit desired).
V-32705 Medium The mobile operating system PKI certificate store must encrypt contents using AES encryption.
V-32706 Medium The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.
V-32707 Medium The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.
V-32708 Medium The cryptographic module supporting encryption of the certificate store must be FIPS 140-2 validated.
V-25012 Medium Access to public media stores must be disabled.
V-19899 Medium All mobile device VPN clients must have split tunneling disabled.
V-19898 Medium All mobile device VPN clients used for remote access to DoD networks must be configured to require CAC authentication.
V-19897 Medium All mobile device VPN clients used for remote access to DoD networks must support AES encryption.
V-34316 Medium A Wi-Fi profile must be set up on managed iOS devices to disable access to any public Wi-Fi network that iOS may otherwise auto-join.
V-32686 Medium iOS Siri application must be disabled.
V-32689 Medium Adding Game Center Friends must be disabled.
V-32688 Medium iOS Multiplayer Gaming must be disabled.
V-35485 Medium Multiple Security Vulnerabilities in Google Chrome
V-25003 Medium Mobile devices must have required operating system software version installed.
V-24983 Medium S/MIME must be installed on mobile device, so users can sign/encrypt email
V-25015 Medium Mobile device screen capture must not be allowed.
V-18627 Medium The VPN client on mobile devices used for remote access to DoD networks must be FIPS 140-2 validated.
V-35006 Low The iOS device iMessage service must be set to Off at all times (User Based Enforcement (UBE)).
V-25051 Low Location services must be turned off unless authorized for use for particular applications, in which case, location services must only be available to the authorized applications.
V-25033 Low iOS Safari must be disabled.
V-25018 Low The mobile device passcode/password history setting must be set.
V-25017 Low Apple iOS Auto-Lock must be set.
V-32693 Low Photo Stream must be disabled.
V-25092 Low The iOS device Wi-Fi setting Ask to Join Networks must be set to Off at all times (User Based Enforcement (UBE)).
V-32703 Low The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning.
V-25020 Low The mobile device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required.
V-25008 Low The iOS device password complexity must be set to the required value.
V-25755 Low Access to online application purchases must be disabled.
V-24984 Low If mobile device email auto signatures are used, the signature message must not disclose the email originated from a CMD (e.g., Sent From My Wireless Handheld).
V-25009 Low Maximum passcode age must be set.
V-24982 Low Smart Card Readers (SCRs) used with CMDs must have required software version installed.
V-25014 Low Mobile device cameras must be used only if documented approval is in the site physical security policy.
V-24985 Low The browser must direct all traffic to a DoD Internet proxy gateway.