UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Email client services for Commercial Mobile Devices must be documented in the Email Domain Security Plan (EDSP).


Overview

Finding ID Version Rule ID IA Controls Severity
V-39139 EMG3-055 EMail SV-50955r3_rule DCFA-1 Medium
Description
Commercial Mobile Devices (CMDs) introduce additional IA concerns to email systems because of the additional guidance pertaining specifically to CMDs. The Department of Defense (DoD) Chief Information Officer (CIO) put forth specific guidance concerning CMD implementation on 6 Apr 2011. The memo states, "Email redirection from the email server (e.g., Exchange Server) to the device shall be controlled via centrally managed server." Therefore the native clients used on CMD cannot access the email system directly but instead must be managed by mobile email management (MEM) services. The Exchange 2010 configuration relies on Exchange ActiveSync (EAS) as the client communication protocol. Natively, EAS is an inbound initiated, bidirectional protocol, which is problematic for DoD networks. Acceptable implementations avoid inbound initiated connections and use external secure network operation centers (NOC) in secure tunnels from the management servers residing in the DoD to the NOC and from the NOC to the CMD. For email systems that do not deliver email directly to the device but rather use browser access to DoD email systems, this requirement would not apply but client-access path guidance does (EMG3-108 Email). The EDSP must include the functional architecture of the integration of the email system, required MEM, NOC if used, and CMDs. Protocols communicating with the CMD or NOC must be secured to protect sensitive DoD data from being compromised using accepted FIPS 140-2 approved modules.
STIG Date
Email Services Policy STIG 2015-03-10

Details

Check Text ( C-46505r2_chk )
For systems not providing Internet-sourced email client services to CMDs, this check is N/A.

Access the Email Domain Security Plan (EDSP) for email systems. Review for functional architecture of the email system for all required components, including the MEM, NOC, CMDs, etc., when providing service to CMDs. Confirm the design requires secure communication from the email system to the MEM. Verify the MEM, NOC, and CMDs are approved for use in DoD. If the email domain employs the required architecture and is documented in the EDSP, this is not a finding.

If the architecture uses the EAS protocol to Commercial Mobile Devices (CMD) without connecting through external secure NOCs and encapsulating in a secure tunnel from the management servers residing in the DoD to the NOC and from the NOC to the CMD, this is a finding. If the use of EAS is not documented in the EDSP, this is a finding.
Fix Text (F-44116r1_fix)
Email client services to Commercial Mobile Devices, including the required components of the architecture, must be documented in the Email Domain Security Plan (EDSP).