Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
V-19226 | WIR1340-01 | SV-21115r3_rule | ECSC-1 | High

Description
---
The BlackBerry default policy on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG-compliant) IT policy.

STIG | Date
---|---
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide | 2015-07-02

Check Text (C-23164r3_chk)
---
Detailed Policy Requirements:

1. Separate STIG-compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one for users that have not been issued an approved Bluetooth headset/handsfree device.
2. All user accounts will be assigned to a STIG-compliant IT policy.

Check Procedures:

Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy on the BES (usually labeled "Default") and any other non-STIG-compliant IT policies set up on the BES. View the list of IT policies set up on the BES as follows: BAS >> BlackBerry solution management box >> Policy >> Manage IT policies.

Verify that no users are assigned to the default IT policy or any other non-STIG-compliant IT policy by performing the following steps for each such policy listed under Manage IT policies:

- Click on the policy name.
- Click on "View users with IT policy".
- Click "Search". A list of all users assigned to the policy will be shown.
- Click on the "IT Policy Name" column heading to sort the list of users by IT policy.
- Determine if any users have been assigned to the default or another non-STIG-compliant IT policy. If yes, this is a finding.

Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.

Fix Text (F-23379r1_fix)
---
User accounts will only be assigned a STIG-compliant IT policy.
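The check above is a manual BAS procedure. As an added example (not part of the STIG and not a BlackBerry tool), the following Python script applies the same two requirements to a user-to-policy list: it flags every user on the default or any other non-compliant policy, grouped by policy as the "IT Policy Name" sort does by hand, and confirms both required compliant policies are defined. The CSV export format, the list of policies on the BES and the policy names are assumptions.

```python
import csv
import io

# Constructed sample data: every policy name except "Default" is hypothetical.
SAMPLE_POLICIES = ["Default", "STIG_Bluetooth", "STIG_NoBluetooth", "Legacy_Policy"]
SAMPLE_EXPORT = """user,it_policy
alice,STIG_NoBluetooth
bob,Default
carol,STIG_Bluetooth
dave,Legacy_Policy
erin,STIG_NoBluetooth
"""
# The two STIG-compliant policies requirement 1 calls for (names assumed).
REQUIRED_COMPLIANT = {"STIG_Bluetooth", "STIG_NoBluetooth"}


def parse_export(text):
    """Parse an assumed CSV export (user,it_policy) into (user, policy) pairs."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["user"].strip(), row["it_policy"].strip()) for row in reader]


def audit(assignments, policies_on_bes, compliant):
    """Apply both parts of the check.

    Requirement 1: each required compliant policy must exist on the BES.
    Requirement 2: no user may be assigned to any other policy, the default
    policy included. Users are grouped by policy so each non-compliant policy
    is reported once with everyone assigned to it.
    """
    missing = sorted(compliant - set(policies_on_bes))
    by_policy = {}
    for user, policy in assignments:
        by_policy.setdefault(policy, []).append(user)
    noncompliant = {p: sorted(u) for p, u in by_policy.items() if p not in compliant}
    return {
        "missing_policies": missing,
        "noncompliant": noncompliant,
        "is_finding": bool(missing or noncompliant),
    }


if __name__ == "__main__":
    result = audit(parse_export(SAMPLE_EXPORT), SAMPLE_POLICIES, REQUIRED_COMPLIANT)
    for policy, users in sorted(result["noncompliant"].items()):
        print(f"FINDING: {len(users)} user(s) on non-compliant policy {policy!r}: {', '.join(users)}")
    for policy in result["missing_policies"]:
        print(f"FINDING: required STIG-compliant policy {policy!r} is not defined on the BES")
    print("Overall:", "Open" if result["is_finding"] else "Not a Finding")
```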