| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-19192 | High | The BES host-based or appliance firewall must be configured as required. | A BlackBerry user could get access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required. |
| V-14022 | High | The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device. | The wireless email server architecture must comply with the DoD environment because approval of the BES is contingent on installation with the correct settings. DoD enclaves could be at risk of... |
| V-19226 | High | BlackBerry accounts must not be assigned to the default IT policy on the BES or any other non-STIG-compliant IT policy. Accounts will only be assigned a STIG-compliant IT policy. | The BlackBerry default policy on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and... |
| V-22042 | High | Each Application White List software configuration assigned to each user account must be configured with a top-level default of “disallow” for all applications. Applications must be specifically allowed at a lower level. | The primary BlackBerry malware control is to set up an Application White List where the use of all applications is denied unless an application is expressly allowed. Otherwise, malware could be... |
| V-16341 | High | An Application White List software configuration must be assigned to all BES user accounts. | The primary BlackBerry malware control is to set up one or more Application White List software configurations on the BES. Every user and group account must be assigned at least one Application... |
| V-22703 | Medium | All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares. | The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control... |
| V-22055 | Medium | Application repositories must be located on a DoD-controlled server within a DoD enclave. If not set up, this check is Not Applicable. | A DoD application repository must contain only authorized applications and only approved and unaltered versions of those applications. If DoD application repositories are not on DoD-controlled... |
| V-22056 | Medium | All user and/or group accounts must have an Access Control Rule assigned to the account. | The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access... |
| V-19203 | Medium | An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration. | Applications must only have access to BlackBerry resources (e.g., microphone, address book, browser, email messages, etc.) they need for their function; otherwise, sensitive data could be exposed... |
| V-19206 | Medium | Security controls must be set up on the BES for connections to “back-office” servers. | Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system who are not authorized to access the server. |
| V-25430 | Medium | BlackBerry Web Desktop Manager must be configured to disable a user’s capability to perform self-service tasks. | The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized... |
| V-25431 | Medium | BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only. | The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized... |
| V-19215 | Medium | The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements. | An insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack. |
| V-22102 | Medium | The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication with a CTO 07-15Rev1-compliant administrator password. | The BAS provides the administrator interface for the BES. CTO 07-15Rev1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. |
| V-16343 | Medium | The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method. | User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database. |
| V-7078 | Medium | The BlackBerry MDS Integration Service must not be installed on a production BES. | The BlackBerry Enterprise Service MDS Integration Service is a software development platform and should not be installed on a production BES. The service, if not properly configured, can allow... |
| V-19202 | Low | Non-core applications used on the BlackBerry must be approved. | Unapproved applications could include malware or introduce other vulnerabilities to the BlackBerry system and enclave. |
| V-19201 | Low | The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system). | Only authorized servers should be able to push content to BlackBerry devices. |
| V-25548 | Low | The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI-issued certificate. A self-signed certificate will not be used. | When a self-signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry... |
| V-11877 | Low | The Device Transport Key must be configured on the BES for AES encryption. | AES encryption provides a higher level of security for BlackBerry data. |
| V-18394 | Low | The BES must be configured to convert HTML- and RTF-formatted email into text format before sending to a BlackBerry smartphone, and to prevent the BES from sending email messages with inline images to BlackBerry smartphones. | HTML email and inline images in email can contain malware or links to web sites with malware. |
| V-22165 | Low | The BlackBerry Administration Service must be configured to prevent a user from creating an activation password via BWDM. | The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized... |
| V-22164 | Low | The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default. | The key store password protects the server digital authentication certificates from unauthorized use. |
| V-19224 | Low | Required security controls must be used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network. Required security controls are in Table 2, BlackBerry STIG Configuration Tables. | If BlackBerry Wi-Fi controls are not implemented, DoD data can be compromised. |