Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. IT Policy rule “Content Protection Strength” (Security policy group) must be set as required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-12164	WIR1445-01	SV-12718r3_rule	ECSC-1	Medium

Description
DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.

STIG	Date
BlackBerry Enterprise Server (version 5.x), Part 3 Security Technical Implementation Guide	2014-08-25

Details

Check Text ( C-14991r3_chk )
***For this check, set IT Policy rule “Content Protection Strength” (Security policy group) to “Stronger or Strongest”. Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. Note: When Content Protection is enabled in BES 4.1.4 and earlier and BlackBerry handheld software version before 4.5, the BES system administrator cannot remotely unlock a BlackBerry device and remotely reset the device password. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). ***Verify IT Policy rule “Content Protection Strength” (Security policy group) is set as required. This check can also be verified on a sample of site BlackBerrys (3-4 devices) but the preferred procedure is to verify on the BES. Use the following procedure on BlackBerry devices: o Settings>Options>Security Options>General Settings>Content Protection. o Verify Content Protection is set to Enabled. o Verify the setting cannot be changed. Mark as a finding if not set as required.

Check Text ( C-14991r3_chk )

*****For this check, set IT Policy rule “Content Protection Strength” (Security policy group) to “Stronger or Strongest”.

Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. Note: When Content Protection is enabled in BES 4.1.4 and earlier and BlackBerry handheld software version before 4.5, the BES system administrator cannot remotely unlock a BlackBerry device and remotely reset the device password.

Check Procedures:

This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545).

*****Verify IT Policy rule “Content Protection Strength” (Security policy group) is set as required.

This check can also be verified on a sample of site BlackBerrys (3-4 devices) but the preferred procedure is to verify on the BES. Use the following procedure on BlackBerry devices:

o Settings>Options>Security Options>General Settings>Content Protection.
o Verify Content Protection is set to Enabled.
o Verify the setting cannot be changed.

Mark as a finding if not set as required.

Fix Text (F-23386r4_fix)
Configure the IT Policy rule as specified in the "Checks" block.