| V-254716 | High | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission to web... |
| V-254727 | High | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint). | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is... |
| V-254710 | Medium | The firewall protecting the BEMS must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions. | Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
| V-254711 | Medium | The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DOD-approved ports, protocols, and services are enabled. | All ports, protocols, and services used on DOD networks must be approved and registered via the DOD PPSM process. This is to ensure that a risk assessment has been completed before a new port,... |
| V-254712 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism to protect the information during... |
| V-254713 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server... |
| V-254714 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor. | Having several administrative roles for the BEMS supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management... |
| V-254715 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection. | To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the... |
| V-254717 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DOD certificates for SSL. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient... |
| V-254718 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must be configured with an inactivity timeout of 15 minutes or less. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the... |
| V-254719 | Medium | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the... |
| V-254732 | Medium | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the proxy server authentication type (if a proxy is used). | The web proxy provides a secure gateway for the BlackBerry Docs service so that BEMS can securely connect to enterprise servers. |
| V-254730 | Medium | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the Web Proxy. | The web proxy provides a secure gateway for the BlackBerry Connect service so that BEMS can securely connect to the internet. |
| V-254729 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) server must be configured to enable FIPS mode. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
| V-254728 | Medium | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable audit logs. | Logging must be used to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. |
| V-254721 | Medium | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is... |
| V-254720 | Medium | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection. | To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the... |
| V-254723 | Medium | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the... |
| V-254722 | Medium | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is... |
| V-254725 | Medium | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the... |
| V-254724 | Medium | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DOD approved certificates. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is... |
| V-254726 | Medium | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication. | To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the... |
| V-254707 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-254706 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from any type of unauthorized read access. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-254709 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DOD-approved firewall. | Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential... |
| V-254708 | Medium | The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized deletion. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.... |
| V-254731 | Low | If the BlackBerry Presence service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured with the whitelisting control to limit presence subscriptions to only single domain/tenant. | Whitelisting in Presence subscriptions is used to control which internal and federated environments can be subscribed to. Presence subscriptions should be limited to only DOD environments to... |
