
BlackBerry 10 OS VPN client must employ DoD PKI-approved mechanisms for authentication when connecting to DoD networks.


Overview

Finding ID: V-47193
Version: BB10-2X-000250
Rule ID: SV-60065r3_rule
IA Controls:
Severity: Medium
Description
VPNs are vulnerable to attack if they are not supported by strong authentication. An adversary may be able to gain access to network resources and sensitive information if they can compromise the authentication process. Common Access Card (CAC) authentication is a strong cryptographic two-factor authentication that greatly mitigates the risk of VPN authentication breaches. Other DoD-approved PKI mechanisms provide similar levels of assurance. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
STIG: BlackBerry 10.2.x OS Security Technical Implementation Guide
Date: 2015-07-02

Details

Check Text (C-50019r4_chk)
From either the Work Space or Personal Space, navigate to "Settings >> Network Connections >> VPN".

Select and hold a VPN profile to check, and select "Edit Profile" to edit the VPN Profile.

For each VPN Profile connecting to DoD networks:

- Select the VPN Profile to edit.
- Verify "Authentication Type" is set to "PKI" or "XAUTH-PKI" and grayed out. Otherwise, this is a finding.

NOTE: If the VPN Profile listed under "Settings >> Network Connections >> VPN" has a briefcase logo on the right side, it was created on BlackBerry Device Service and published to the device. "Authentication Type" for this VPN Profile will be grayed out and enforced. If no VPN profiles are saved, this requirement is NA.
Fix Text (F-50897r3_fix)
On BlackBerry Device Service, select the applicable VPN Profile and set "Authentication Type" to "PKI" or "XAUTH-PKI".