{
"stig": {
"date": "2012-02-08",
"description": "Contains the technical security requirements for the BlackBerry Playbook Tablet OS version 1.x when used in the DoD environment.",
"findings": {
"V-24986": {
"checkid": "C-39058r1_chk",
"checktext": "Detailed Requirements:\nCore applications are applications included in the mobile operating system by the operating system vendor. A list of core applications is usually in the STIG overview document or the STIG Configuration Tables document. All non-core applications on the mobile device must be approved by the DAA or the Command IT CCB. Approval must be documented in some type of approval (memo, letter, etc.). Non-core applications include applications added to the device by the carrier (AT&T or Verizon Wireless map application).\n\nCheck Procedures:\n\nFirst, review the procedures the site or command uses to review and approve third-party applications used on site managed mobile devices. Have the IAO or DAA representative provide a copy of the application review. \n\nSecond, select 2-3 random devices managed by the site to review.\n\n-Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card.\n\n--Have the user log into the device and show the list of applications installed on the device and the media card (procedure will vary, depending on mobile OS).\n\n--Verify the site has written approval to use the app from the DAA or Command IT CCB.\n\n-Mark as a finding if any app has not been approved. \n",
"description": "Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board (CCB) is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.",
"fixid": "F-27627r2_fix",
"fixtext": "Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices. ",
"iacontrols": [
"DCCB-1",
"ECWN-1"
],
"id": "V-24986",
"ruleID": "SV-40110r1_rule",
"severity": "low",
"title": "All non-core applications on mobile devices must be approved by the DAA or Command IT Configuration Control Board. ",
"version": "WIR-MOS-NS-006-01"
},
"V-25007": {
"checkid": "C-39059r1_chk",
"checktext": "This check applies to any mobile device (smartphones, tablets, etc.). \n\nCheck a sample of 2-3 devices managed by the site to verify a device unlock password/passcode has been enabled on the device. The exact procedure will vary, depending on the OS. \nHave the user show that a device unlock password/passcode has been enabled on the device.\n\nMark as a finding if configuration is not set as required.\n",
"description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set up on DoD smartphones.",
"fixid": "F-27657r2_fix",
"fixtext": "Configure the smartphone to require a passcode for device unlock.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25007",
"ruleID": "SV-40111r1_rule",
"severity": "low",
"title": "Smartphones must be configured to require a password/passcode for device unlock.",
"version": "WIR-MOS-NS-010"
},
"V-25010": {
"checkid": "C-39060r1_chk",
"checktext": "This check applies to any mobile OS device (smartphones, tablets, etc.). \n\nCheck a sample of 2-3 devices managed by the site to verify a device inactivity timeout has been set to 60 minutes or less (15 minutes is recommended). The exact procedure will vary, depending on the mobile OS. \n\nHave the user show that a device inactivity timeout has been set to 60 minutes or less.\n\nMark as a finding if configuration is not set as required.\n",
"description": "Sensitive DoD data could be compromised if the smartphone does not automatically lock after the required period of inactivity.",
"fixid": "F-27661r1_fix",
"fixtext": "Set the smartphone inactivity timeout to required value. ",
"iacontrols": [
"PESL-1"
],
"id": "V-25010",
"ruleID": "SV-40112r1_rule",
"severity": "low",
"title": "The smartphone inactivity timeout must be set.",
"version": "WIR-MOS-NS-016"
},
"V-25016": {
"checkid": "C-39061r1_chk",
"checktext": "This check applies to any mobile OS device (smartphones, tablets, etc.). \n\nCheck a sample of 2-3 devices managed by the site to verify the device unlock password/passcode has been set to 8 or more alphanumeric characters. The exact procedure will vary, depending on the mobile OS. \n\nHave the user show that a device unlock password/passcode has been set to 8 or more alphanumeric characters.\n\nMark as a finding if configuration is not set as required.\n",
"description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to required length on DoD smartphones. ",
"fixid": "F-27687r2_fix",
"fixtext": "Set the smartphone minimum password/passcode length as required. ",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25016",
"ruleID": "SV-40113r1_rule",
"severity": "low",
"title": "The device minimum password/passcode length must be set. ",
"version": "WIR-MOS-NS-011"
},
"V-30412": {
"checkid": "C-39064r1_chk",
"checktext": "Check a sample (2-3) of mobile devices managed at the site authorized to connect to a DoD network or store or process sensitive or classified DoD information. Review the Command\u2019s Mobile Device Personal Use policy.\n\nDetermine if any personally owned apps are installed on the mobile device, including the SD media card. The exact procedure will vary, depending on the OS. If personally owned apps are found, determine if these apps are authorized by the Command\u2019s Mobile Device Personal Use Policy.\n\nMark as a finding if unauthorized personal apps are found on site managed devices. This check is not applicable if the Command\u2019s Mobile Device Personal Use Policy allows the installation of user owned applications.\n",
"description": "The risk of installing personally owned or freeware apps on a DoD mobile device should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that personally owned or freeware apps could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device.",
"fixid": "F-34175r1_fix",
"fixtext": "Remove unauthorized applications.",
"iacontrols": [
"ECWN-1"
],
"id": "V-30412",
"ruleID": "SV-40117r1_rule",
"severity": "low",
"title": "The installation of user owned applications on the mobile device must be based on the Command\u2019s Mobile Device Personal Use Policy.",
"version": "WIR-MOS-NS-050-01"
},
"V-30417": {
"checkid": "C-39069r1_chk",
"checktext": "Check a sample (2-3) of mobile devices managed at the site authorized to connect to a DoD network or store or process sensitive or classified DoD information. Review the Command\u2019s Mobile Device Personal Use Policy.\n\nDetermine if devices are being used to view personal email or store personal email messages. The exact procedure will vary, depending on the mobile OS. If personal email is being viewed or downloaded, determine if this use of the device is authorized by the Command\u2019s Mobile Device Personal Use Policy.\n\nMark as a finding if unauthorized personal email is being viewed or downloaded on site managed devices. This check is not applicable if the Command\u2019s Mobile Device Personal Use Policy allows viewing and/or download of personal email.\n",
"description": "The risk of viewing and downloading personal email on a non-DoD-network connected mobile device that does not contain sensitive or classified DoD data/information should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that personal email could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device.",
"fixid": "F-34180r1_fix",
"fixtext": "Train users to not view or download personal email unless authorized by the Command\u2019s Mobile Device Personal Use Policy. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-30417",
"ruleID": "SV-40123r1_rule",
"severity": "low",
"title": "The use of the mobile device to view and/or download personal email must be based on the Command\u2019s Mobile Device Personal Use Policy.",
"version": "WIR-MOS-NS-050-02"
},
"V-30418": {
"checkid": "C-39070r1_chk",
"checktext": "Check a sample (2-3) of mobile devices managed at the site authorized to connect to a DoD network or store or process sensitive or classified DoD information. \n\nReview the Command\u2019s Mobile Device Personal Use Policy.\n\nDetermine if any user owned data (music files, picture files, etc.) are installed on the mobile device, including the SD media card. The exact procedure will vary, depending on the mobile OS. \n\nIf user owned data (music files, picture files, etc.) are found, determine if these apps are authorized by the Command\u2019s Mobile Device Personal Use Policy.\n\nMark as a finding if unauthorized user owned data (music files, picture files, etc.) are found on site managed devices. This check is not applicable if the Command\u2019s Mobile Device Personal Use Policy allows the download of personal data files.\n",
"description": "The risk of installing user owned data (music files, picture files, etc.) on a non-DoD-network connected mobile device that does not contain sensitive or classified DoD data/information should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that user owned data (music files, picture files, etc.) could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device.",
"fixid": "F-34181r1_fix",
"fixtext": "Do not install personal data files on the mobile device unless authorized by the Command\u2019s Mobile Device Personal Use Policy. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-30418",
"ruleID": "SV-40125r1_rule",
"severity": "low",
"title": "Download of user owned data (music files, picture files, etc.) on mobile devices must be based on the Command\u2019s Mobile Device Personal Use Policy.",
"version": "WIR-MOS-NS-050-03"
},
"V-30419": {
"checkid": "C-39072r1_chk",
"checktext": "Check a sample (2-3) of mobile devices managed at the site and are not authorized to connect to a DoD network or store or process sensitive or classified DoD information. \n\nReview the Command\u2019s Mobile Device Personal Use Policy.\n\nDetermine if the mobile device is being used to connect to user social media web accounts. Look for social media icons on the device and talk to the user. The exact procedure will vary, depending on the mobile OS. \n\nIf the device is being used to connect to user social media accounts, determine if these applications are authorized by the Command\u2019s Mobile Device Personal Use Policy.\n\nMark as a finding if the device is being used to connect to unauthorized user social media accounts. This check is not applicable if the Command\u2019s Mobile Device Personal Use Policy allows connecting to user social media web accounts.\n",
"description": "The risk of connecting to user social media web accounts on a non-DoD-network connected mobile device that does not contain sensitive or classified DoD data/information should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that connecting to user social media web accounts could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device.",
"fixid": "F-34182r1_fix",
"fixtext": "Train user to not connect to unauthorized social media web sites unless authorized by the Command\u2019s Mobile Device Personal Use Policy. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-30419",
"ruleID": "SV-40127r1_rule",
"severity": "low",
"title": "Connecting mobile devices to user social media web accounts (Facebook, Twitter, etc.) must be based on the Command\u2019s Mobile Device Personal Use Policy.",
"version": "WIR-MOS-NS-050-04"
},
"V-30766": {
"checkid": "C-39355r1_chk",
"checktext": "Select a sample of site managed Playbook tablets to review (2-3 devices selected at random). \n\nDetermine the installed OS version number as follows:\n-Have the user log into the Playbook tablet.\n-Navigate to the OS version number: Settings > About\n\nMark as a finding if the required OS version is not installed.\n",
"description": "Required security features are not available in earlier OS versions. In addition, BlackBerry Playbook tablet OS 2.x may not be used until a STIG update has been released covering that version. New STIG checks are required to adequately secure new features expected in the OS 2.x release, otherwise sensitive DoD information may be compromised.",
"fixid": "F-34466r1_fix",
"fixtext": "Install the latest version of BlackBerry Playbook tablet OS 1.x. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-30766",
"ruleID": "SV-40613r1_rule",
"severity": "medium",
"title": "The installed version of the BlackBerry Playbook tablet operating system must be the latest version of OS 1.x.",
"version": "WIR1100-01"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-24986": "true",
"V-25007": "true",
"V-25010": "true",
"V-25016": "true",
"V-30412": "true",
"V-30417": "true",
"V-30418": "true",
"V-30419": "true",
"V-30766": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "blackberry_playbook",
"title": "BlackBerry PlayBook Security Technical Implementation Guide",
"version": "1"
}
}