| V-65695 | High | BlackBerry OS 10.3 must protect data at rest on removable storage media. The requirement applies only to Work - Only Activation types. | The BlackBerry device must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
| V-65759 | High | BlackBerry OS 10.3 must protect data at rest on built-in storage media for Personal space. This requirement only applies to Work and Personal Corporate and Work and personal - Regulated activation types. | The BlackBerry device must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
| V-65683 | High | BlackBerry OS 10.3 must require a valid password be successfully entered before the mobile device data is unencrypted. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of... |
| V-65699 | Medium | BlackBerry OS 10.3 must not allow the USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a... |
| V-65715 | Medium | BlackBerry OS 10.3 must implement the management setting: disable the transfer of any file-based data via Bluetooth. | Bluetooth data transfers, except when using an approved smart card reader, do not use FIPS validated encryption. Therefore data transfer via Bluetooth must be disabled to mitigate the possible... |
| V-65691 | Medium | BlackBerry OS 10.3 must not allow protocols supporting wireless remote access connections. | Having wireless remote access connections enabled could allow establishment of unauthorized remote access connections, which may give an adversary unintended capabilities. These remote access... |
| V-65763 | Medium | BlackBerry OS 10.3 must prevent untrusted connections to the mail server. | If an untrusted connection to a mail server is allowed, the device may connect to either a rogue email server or a compromised DoD email server. In either case, sensitive DoD data could be... |
| V-65761 | Medium | BlackBerry OS 10.3 must prevent opening links in work email messages in the personal browser. This requirement only applies to Work and personal - Corporate and Work and personal - Regulated activation types. | If web links in work email were opened using the personal browser, there is a possibility that sensitive DoD data could spill from the Work space to the Personal space, which could lead to public... |
| V-65749 | Medium | BlackBerry OS 10.3 must force the use of BBM Protected mode. | BBM Protected mode provides strong data encryption for the Blackberry chat service. If data-in-transit is unencrypted, it is vulnerable to disclosure.
SFR ID: FMT_SMF_EXT.1.1 #45 |
| V-65705 | Medium | BlackBerry OS 10.3 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). | Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.
SFR... |
| V-65707 | Medium | BlackBerry OS 10.3 must be configured to prevent non-approved updates of system software. | FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are... |
| V-65725 | Medium | BlackBerry OS 10.3 must implement the management setting: disable lock screen preview of work content. | Sensitive data could be viewed if the preview of data on the locked screen is not disabled and could be exposed to unauthorized viewers.
SFR ID: FMT_SMF_EXT.1.1 #45 |
| V-65723 | Medium | BlackBerry OS 10.3 must implement the management setting: disable BlackBerry Bridge. | BlackBerry Bridge is used to view information on the BlackBerry via the BlackBerry Playbook tablet. Use of the BlackBerry Playbook is not allowed in the DoD, therefore BlackBerry Bridge must be... |
| V-65721 | Medium | BlackBerry OS 10.3 must implement the management setting: disallow Personal Space applications access to the Work Space network connection. This requirement does not apply to the Work space only activation type. | Allowing movement of files and data from the personal Space to the Work Space will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result... |
| V-65711 | Medium | BlackBerry OS 10.3 must implement the management setting: must bind removable storage media cards to the mobile device via centrally managed policy. This requirement is applicable to Work space only activation Type. | The removable media card is an extension of the embedded device media. In order to protect sensitive data stored on the media card, the data must be encrypted and bound to the device such that it... |
| V-65703 | Medium | BlackBerry OS 10.3 work space whitelist must not include applications with the following characteristics: (See Vulnerability Discussion for list). | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
| V-65717 | Medium | BlackBerry OS 10.3 must implement the management setting: disable the transfer of any file-based data via Near Field Communication (NFC) via centrally managed policy. | NFC data transfers do not use FIPS validated encryption. Therefore data transfer via NFC must be disabled to mitigate the possible loss of sensitive DoD information.
SFR ID: FMT_SMF_EXT.1.1 #45 |
| V-65693 | Medium | BlackBerry OS 10.3 must not allow use of developer modes. | Developer modes expose features of the BlackBerry device that are not available during standard operation. When the Development Mode is enabled on BlackBerry 10 OS devices, the user has the... |
| V-65687 | Medium | BlackBerry OS 10.3 must lock the Work Space after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
| V-65773 | Medium | BlackBerry OS 10.3 must prevent third-party apps from using BlackBerry Blend. | If third party apps are allowed to use BlackBerry Blend, it may be possible for DoD data on the BlackBerry that is being displayed on a PC via the Blend connection to be saved to the PC. Sensitive... |
| V-65709 | Medium | BlackBerry OS 10.3 must implement the management setting: limit Work Space contact data available in Personal space. | The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information... |
| V-65765 | Medium | BlackBerry OS 10.3 must prevent the use of BlackBerry Protect. | BlackBerry Protect gives users the ability to remotely lock, wipe, send audible alerts, and locate their BlackBerry device, but can become a maintainability issue for enterprise deployments. If a... |
| V-65719 | Medium | BlackBerry OS 10.3 must implement the management setting: enforce the minimum password length for the Personal Space password to 4 digits. This requirement does not apply to the Work space only activation type. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
| V-65713 | Medium | BlackBerry OS 10.3 must implement the management setting: disable Bluetooth Discoverable Mode via centrally managed policy. This requirement only applies to Work space only and Work and personal - Regulated activation types. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. Disabling Discoverable mode reduces the risk of a non-authorized... |
| V-65753 | Medium | BlackBerry OS 10.3 must implement the management setting: disable Voice Dictation in Work Applications. | Voice Dictation in Work Applications uses a cloud based services to provide dictation support. Sensitive DoD data could be at risk of exposures if this service is enabled.
SFR ID: FMT_SMF_EXT.1.1 #45 |
| V-65757 | Medium | BlackBerry OS 10.3 must implement the management setting: Check certificate expiry for MDM connection. | Without strong authentication of the MDM, the MDM agent may connect to a rogue MDM and the mobile device could then come under management control of the rogue MDM. This could lead to exposure of... |
| V-65755 | Medium | BlackBerry OS 10.3 must implement the management setting: display External Email Address Warning Message. | The "External Email Address Warning Message" allows administrators to enforce a feature on the BlackBerry 10 smartphones to display a warning message for email addresses that are deemed as... |
| V-65689 | Low | BlackBerry OS 10.3 must not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of... |
| V-65733 | Low | The BlackBerry MDM Agent must be configured to generate an audit record of successful required events, including: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65697 | Low | BlackBerry OS 10.3 must display the DoD advisory warning message each time the device restarts. This requirement does not apply to Work and personal - Corporate. | The BlackBerry OS 10.3 is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent... |
| V-65727 | Low | The BlackBerry MDM Agent must be configured to operate in a NIAP Common Criteria mode of operation, to enable generation of audit records of required events: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65741 | Low | The BlackBerry MDM Agent must be configured to generate an audit record of required Informational level events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65743 | Low | The BlackBerry MDM Agent must be configured to generate an audit record of failed required events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65745 | Low | The BlackBerry MDM Agent must be configured to generate an audit record of required error level events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65685 | Low | BlackBerry OS 10.3 must enforce a minimum password length of 6 characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
| V-65731 | Low | The BlackBerry MDM Agent must be configured to generate an audit record of required events: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65701 | Low | BlackBerry OS 10.3 must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product... |
| V-65751 | Low | The BlackBerry MDM Agent must be configured to synchronize generated audit records of required events every 6 hours or less. This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
| V-65747 | Low | The BlackBerry MDM Agent must be configured to generate an audit record of required warning level events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
