CMD Management Server Policy Security Technical Implementation Guide (STIG)

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

CMD Management Server Policy Security Technical Implementation Guide (STIG)

Overview

Version	Date	Finding Count (7)			Downloads
2	2013-04-16 2013-01-10 2013-01-10 2014-08-05 2014-08-05 2014-08-05 2014-08-05 2014-08-05 2014-08-05	CAT I (High): 1	CAT II (Med): 1	CAT III (Low): 5	Excel	JSON	XML

STIG Description
This STIG contains the policy, training, and operating procedure security controls for the use of CMD management servers in the DoD environment. This STIG replaces the Wireless Management Server STIG (V1R6). Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critial Classified	I - Mission Critial Public	I - Mission Critial Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-24957	High	If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.	If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.
V-24955	Medium	A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.	When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if...
V-24970	Low	The CMD management server administrator must receive required training.	The security posture of the CMD management server could be compromised if the administrator is not trained to follow required procedures.
V-24962	Low	The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.	Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or...
V-24969	Low	Required actions must be followed at the site when a CMD has been lost or stolen.	If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
V-28313	Low	CMD management server administrator training must be renewed annually.	The CMD management server administrator must renew required training annually.
V-24971	Low	The IAO at the mobile device management server site must verify local sites, where mobile devices are provisioned, issued, and managed, are conducting annual self assessments.	The security integrity of the mobile device system depends on local sites where mobile devices are provisioned and issued complying with STIG requirements. The risk of malware introduced on a...