Only the BlackBerry Enterprise Server (BES) email solution must be used.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-14021	WIR1200-01	SV-14632r3_rule	ECSC-1	High

Description
If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.

STIG	Date
BlackBerry Enterprise Server (version 5.x), Part 1 Security Technical Implementation Guide	2015-07-02

Details

Check Text ( C-11486r4_chk )
Detailed Policy Requirements: Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use. Note: The purpose of this requirement is to ensure a STIG compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES. Required/approved versions of the BES are as follows: BES 5.0.4 (or later version). Note: An Authorizing Official (AO) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use IT Policy rule Allow Other Message Services, Service Exclusivity policy group to control connections to secondary email accounts. Check Procedures: Interview ISSO and BlackBerry system administrator. - Verify the BES is part of the site’s BlackBerry architecture and the site uses a BES to manage site BlackBerry devices. - Verify BES Express is not used. Interview BES admin. - Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the AO (or designee) has approved this service. Ask to see documentation of AO approval.

Check Text ( C-11486r4_chk )

Detailed Policy Requirements:

Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use.

Note: The purpose of this requirement is to ensure a STIG compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES.

Required/approved versions of the BES are as follows:
BES 5.0.4 (or later version).

Note: An Authorizing Official (AO) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use IT Policy rule Allow Other Message Services, Service Exclusivity policy group to control connections to secondary email accounts.

Check Procedures:
Interview ISSO and BlackBerry system administrator.

- Verify the BES is part of the site’s BlackBerry architecture and the site uses a BES to manage site BlackBerry devices.
- Verify BES Express is not used. Interview BES admin.
- Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the AO (or designee) has approved this service. Ask to see documentation of AO approval.

Fix Text (F-23356r1_fix)
Only the BlackBerry Enterprise Server (BES) email solution is used.