BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Password Required” (Device Only policy group) must be set to “Yes” or “True”.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3545	WIR1400-01	SV-3545r2_rule	ECSC-1	High

Description
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.

STIG	Date
BlackBerry Enterprise Server, Part 3 Security Technical Implementation Guide	2012-10-01

Details

Check Text ( C-11522r2_chk )
This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the following procedure. 1. Make a list of all IT Policies that have been assigned to BlackBerry user accounts. The list of IT Policies set up on the BES can be viewed as follows (do not list the default IT Policy) (Use Method #1 or Method #2 below): Method #1 BAS > BlackBerry solution management box > Policy > Manage IT policies. Look at each IT policy listed under Manage IT policies to be checked. -Click on the policy name. -Click on “View users with IT policy.” -Click Search. A list of all users assigned to the policy will be shown. For each policy that has users assigned to it, complete steps. Method #2 -Launch and log into the BlackBerry Monitoring Service. -On the monitoring menu, expand Reporting. -Click Create custom report. -Select the following fields for the report: Select report type: User. Report title: IT Policies on BES. Select the following columns: “IT policy name” and “User name.” Sort by “IT policy name”. Report format: PDF recommended. Generate report. 2. Check each “Required” IT Policy rule listed in Table 1, BlackBerry STIG Configuration Tables. (There are approximately 125 rules with required configuration settings.) Note all IT policy rules that have not been set correctly and the name of the IT policy currently being reviewed. The name of each IT policy that has an IT policy rule not set correctly should be noted in VMS. Note: Table 1 shows which Check STIG ID # should be marked as a finding for each IT policy rule not set correctly. 3. Repeat step 2 for each IT Policy that has users assigned to it. 4. In VMS, for each check with a finding, list the IT Policies that were found to be noncompliant. ***** For this check, verify IT Policy rule “Password Required” (Device Only policy group) is set as required.

Check Text ( C-11522r2_chk )

This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the following procedure.

1. Make a list of all IT Policies that have been assigned to BlackBerry user accounts. The list of IT Policies set up on the BES can be viewed as follows (do not list the default IT Policy) (Use Method #1 or Method #2 below):

Method #1
BAS > BlackBerry solution management box > Policy > Manage IT policies. Look at each IT policy listed under Manage IT policies to be checked.
-Click on the policy name.
-Click on “View users with IT policy.”
-Click Search. A list of all users assigned to the policy will be shown. For each policy that has users assigned to it, complete steps.

Method #2
-Launch and log into the BlackBerry Monitoring Service.
-On the monitoring menu, expand Reporting.
-Click Create custom report.
-Select the following fields for the report:
**Select report type: User.
**Report title: IT Policies on BES.
**Select the following columns: “IT policy name” and “User name.”
**Sort by “IT policy name”.
**Report format: PDF recommended.
**Generate report.

2. Check each “Required” IT Policy rule listed in Table 1, BlackBerry STIG Configuration Tables. (There are approximately 125 rules with required configuration settings.) Note all IT policy rules that have not been set correctly and the name of the IT policy currently being reviewed. The name of each IT policy that has an IT policy rule not set correctly should be noted in VMS.

Note: Table 1 shows which Check STIG ID # should be marked as a finding for each IT policy rule not set correctly.

3. Repeat step 2 for each IT Policy that has users assigned to it.

4. In VMS, for each check with a finding, list the IT Policies that were found to be noncompliant.

***** For this check, verify IT Policy rule “Password Required” (Device Only policy group) is set as required.

Fix Text (F-23386r1_fix)
Configure the IT Policy rule as specified in the "Checks" block.