V-54981 | High | BlackBerry Device Service 6.2 and BlackBerry Enterprise Service 10.1.x BlackBerry Device Service MDM servers that are no longer supported by the vendor for security updates must not be installed on a system. | BlackBerry Device Service 6.2 and BlackBerry Enterprise Service 10.1.x BlackBerry Device Service MDM servers that are no longer supported by BlackBerry for security updates are not evaluated or... |
V-38939 | High | The BlackBerry Device Service server must direct all Work Space application traffic through the BlackBerry Device Service server via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38935 | High | The BlackBerry Device Service server must disallow mobile device applications the ability to reset the Work Space lock timer via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38937 | High | The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud storage server via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38954 | High | BlackBerry accounts must not be assigned to the default IT policy on the BlackBerry Device Service server or any other non-STIG compliant IT policy. | The BlackBerry default policy on the BDS server does not include many DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data... |
V-38951 | High | The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account. | Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the... |
V-39039 | High | The BlackBerry Device Service server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. | Lack of authentication enables anyone to gain access to the MDM. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy.... |
V-39038 | High | The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | MDM applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations,... |
V-39031 | High | The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, MDM administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated. ... |
V-38965 | High | The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the transfer of any file-based data via Bluetooth. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38948 | High | The BlackBerry Device Service server must disable copying data from inside a non-secure data area on a mobile device into the security container via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39032 | High | The BlackBerry Device Service server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Replay attacks, if... |
V-39022 | Medium | The BlackBerry Device Service server must set the Work Space inactivity timeout to 15 minutes via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38959 | Medium | If the BlackBerry Device Service server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES-128 bit encryption key length is the minimum requirement; AES-256 is desired. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.... |
V-38952 | Medium | The BlackBerry Device Service server must deploy operating system and application updates via over-the-air (OTA) provisioning for managed mobile devices. | Without the MDM ability to deploy operating systems and application updates over the air, it is possible for the mobile devices under the MDM's control to be susceptible to a zero day attack. ... |
V-39018 | Medium | The BlackBerry Device Service server must enable a Work Space password length of eight or more characters via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38992 | Medium | BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only. | The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized... |
V-39013 | Medium | The BlackBerry Device Service server must enable a Work Space password via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39012 | Medium | The BlackBerry Device Service server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39015 | Medium | The BlackBerry Device Service server must set the number of numbers in the Work Space password to at least one via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39014 | Medium | The BlackBerry Device Service server must set the number of uppercase letters in the Work Space password to at least one via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40718 | Medium | The BlackBerry Device Service server must disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39023 | Medium | The BlackBerry Device Service server must be configured to restrict the download of software within the Work Space to DoD-approved sources only (e.g., DoD-operated mobile device application store or BlackBerry Device Service server). | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD approved source,... |
V-40719 | Medium | The BlackBerry Device Service server must disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38966 | Medium | The BlackBerry Device Service server must enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38967 | Medium | The BlackBerry Device Service server must enable Bluetooth 128-bit encryption via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38964 | Medium | The BlackBerry Device Service server must disable Bluetooth Discoverable Mode via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39036 | Medium | The BlackBerry Device Service server must support administrator authentication to the server via the Enterprise Authentication Mechanisms authentication. | In the DoD, Administrator credential requirements for authentication are defined by CTO 07-115Rev1, which is usually enforced by the Enterprise Authentication Mechanism. Non-compliant credential... |
V-39035 | Medium | The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users. | Device authentication is a solution enabling an organization to manage both users and devices. This requirement applies to MDM servers that provide mobile device and user access to network shares,... |
V-38940 | Medium | The BlackBerry Device Service server must disallow Personal Space applications access to the Work Space network connection via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38941 | Medium | The BlackBerry Device Service server must have the administrative functionality to disallow hyperlinks within Work Space applications from opening within the Personal Space browser application via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40727 | Medium | The BlackBerry Device Service server must disable the transfer of work messages using Bluetooth MAP via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40726 | Medium | The BlackBerry Device Service server must disable the transfer of work files using Bluetooth OPP via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40725 | Medium | The BlackBerry Device Service server must force the display of a warning banner on the lock screen of the mobile device via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40724 | Medium | The BlackBerry Device Service server must disable the mobile device user's access to BlackBerry World for Work Space and only allow access to apps published from BlackBerry Device Service. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40723 | Medium | The BlackBerry Device Service server must disable the Personal Area Networking Profile (PAN) Bluetooth profile via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40722 | Medium | The BlackBerry Device Service server must disable the Message Access Profile (MAP) Bluetooth profile via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40721 | Medium | The BlackBerry Device Service server must disable the Hands-Free Profile (HFP) Bluetooth profile via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40720 | Medium | The BlackBerry Device Service server must disable the Phone Book Access Profile (PBAP) Bluetooth profile via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39026 | Medium | BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform self-service tasks. | The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized... |
V-40729 | Medium | The BlackBerry Device Service server must disable the Bluetooth transfer of Work Space contacts via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-40728 | Medium | The BlackBerry Device Service server must disable the transfer of work messages using Bluetooth MAP without a user prompt via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39028 | Low | The BlackBerry Device Service server must disallow any native applications pertaining to billing via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38943 | Low | The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of allowed repeated characters in the mobile device unlock password. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38932 | Low | The BlackBerry Device Service server must enforce the minimum password length for the Personal Space password to 4 digits via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39037 | Low | The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default. | The key store password protects the server digital authentication certificates from unauthorized use. |
V-39029 | Low | The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow any native applications pertaining to billing on a managed mobile device. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38949 | Low | The BlackBerry Device Service server must allow only Work Space contacts to be read from a native Personal Space application via centrally managed policy. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-38946 | Low | The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the mobile device unlock password. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-39027 | Low | BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform a backup or restore of the Work Space. | The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized... |
V-39040 | Low | The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used. | When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In... |