
BlackBerry accounts must not be assigned to the default IT policy installed on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.


Overview

Finding ID: V-19226
Version: WIR1340-01
Rule ID: SV-21115r4_rule
IA Controls:
Severity: High
Description
The BlackBerry default policy installed on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned to a non-STIG compliant IT policy.
STIG: BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide
Date: 2016-09-08

Details

Check Text (C-23164r4_chk)
Detailed Policy Requirements:

1. Separate STIG compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one for users that have not been issued an approved Bluetooth headset/handsfree device.

2. All user accounts will be assigned to a STIG compliant IT policy.

Check Procedures:
Interview the BlackBerry system administrator.

Ask the administrator to identify the default IT policy installed on the BES (usually labeled "Default") and any other non-STIG compliant IT policies set up on the BES.

View the list of IT policies set up on the BES as follows:

BAS >> BlackBerry solution management box >> Policy >> Manage IT policies

Verify no users are assigned to the default IT policy or any other non-STIG IT policy by performing the following steps for each policy.

For the default IT policy:

- Click on the policy name.
- Click on "View users with IT policy".
- Click "Search". A list of all users assigned to the policy will be shown.
- Determine if any users have been assigned to the default or other non-STIG compliant IT policy.

If any users have been assigned to the default IT policy, this is a finding.

Note: If the default IT policy has been configured to be STIG compliant, the severity of this specific finding may be downgraded to a CAT II.

For the non-STIG compliant policies, check each such IT policy listed under "Manage IT policies" as follows:

- Click on the policy name.
- Click on "View users with IT policy".
- Click "Search". A list of all users assigned to the policy will be shown.
- Click on the "IT Policy Name" column heading to sort the list of users by IT policy.
- Determine if any users have been assigned to the non-STIG compliant IT policy.

If any users have been assigned to the non-STIG compliant IT policy, this is a finding.

Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.
Fix Text (F-23379r2_fix)
User accounts will only be assigned a STIG compliant IT policy.
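
The check procedure above, applied to a user-to-policy listing, as an added example that is not part of the STIG. It assumes the assignments shown by "View users with IT policy" have been transcribed into CSV with the hypothetical columns `user` and `it_policy`; the policy names other than "Default" and all user names are constructed.

```python
import csv
import io

# Constructed sample data; the column names are assumptions for this example.
SAMPLE_CSV = """user,it_policy
alice,STIG-BT-Headset
bob,STIG-No-BT
carol,Default
dave,Legacy-Sales
"""


def load_rows(text):
    """Parse the CSV listing into a list of {'user', 'it_policy'} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, compliant, default_policy="Default"):
    """Apply the V-19226 check to user/policy rows.

    `compliant` is the set of policy names the administrator identified as
    STIG compliant. Returns a list of (user, policy, severity) findings.
    Any user on the default policy is a finding; it is rated "CAT II" only
    when the default policy itself has been configured to be STIG compliant,
    otherwise "High". Any user on another policy outside `compliant` is a
    "High" finding.
    """
    findings = []
    for row in rows:
        user = row["user"].strip()
        policy = row["it_policy"].strip()
        if policy == default_policy:
            # The STIG says this severity "may be" downgraded; a reviewer decides.
            severity = "CAT II" if default_policy in compliant else "High"
            findings.append((user, policy, severity))
        elif policy not in compliant:
            findings.append((user, policy, "High"))
    return findings


if __name__ == "__main__":
    compliant = {"STIG-BT-Headset", "STIG-No-BT"}
    for user, policy, severity in audit(load_rows(SAMPLE_CSV), compliant):
        print(f"FINDING [{severity}] {user} is assigned to {policy!r}")
```

The `compliant` set is only as good as the administrator's identification of those policies, which the WIR14xx series of checks verifies separately.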