
BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy.


Overview

Finding ID: V-11871
Version: WIR1055-01
Rule ID: SV-12371r3_rule
IA Controls: ECSC-1
Severity: Low
Description
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and are required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
STIG Date
BlackBerry OS 7.x Security Technical Implementation Guide 2015-07-02

Details

Check Text (C-14987r2_chk)
Perform the following steps on a sample of site BlackBerry devices (use 2-3 devices as a random sample), as appropriate, to verify users have the capability to sign and encrypt email.

Verify S/MIME is configured such that users may sign messages.

Check a sample of BlackBerry devices:

- Verify S/MIME application and Smart Card Reader drivers are installed on the device:
o On the BlackBerry go to Settings>Options>Advanced Options>Applications.
o Look for the following applications:
---S/MIME Support Package
---PIV Drivers (optional)
---BlackBerry Smart Card Reader
---DoD Root Certificates

- Verify Certificates are configured on the BlackBerry:
---Settings>Options>Security Options>Certificate Servers – GDS and OCSP servers should be listed.
---Settings>Options>Security Options>Certificate - DoD Root certificates should be listed.
---Settings>Options>Security Options>S/MIME – User’s public keys should be loaded.
Fix Text (F-23347r2_fix)
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.