{
"stig": {
"date": "2011-12-14",
"description": "This STIG provides technical security controls required for the use of the Good Mobility Suite with Android 2.2 (Dell version) mobile operating system devices in the DoD environment.\n\n",
"findings": {
"V-24972": {
"checkid": "C-31225r1_chk",
"checktext": "The required Good Mobile Control (GMC) server version is 1.0.3.95 or later.\n\nClick on the Settings tab in the console to view the GMC Version.\n\nThe required Good Mobile Messaging (GMM) server version is 6.0.3.46 or later.\n\nClick on the Servers tab in the console to view the GMM server version.\n\nIf either server version is not as required, mark as a finding.\n",
"description": "Earlier versions of the smartphone management server may have security vulnerabilities or may not have implemented required security features. ",
"fixid": "F-27612r1_fix",
"fixtext": "Upgrade to required (or later) server version. ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24972",
"ruleID": "SV-30809r2_rule",
"severity": "medium",
"title": "The required smartphone management server or later version must be used.",
"version": "WIR-WMS-GD-001"
},
"V-24973": {
"checkid": "C-31226r2_chk",
"checktext": "Work with the OS Reviewer or check VMS for last review of each host Good computer asset. The review should include the SQL server and Apache Tomcat.\n\nMark as a finding if the previous or current OS review of the Windows server did not include a review of the SQL server and Apache Tomcat. If IIS is installed, the review should also include IIS.",
"description": "Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.",
"fixid": "F-27613r1_fix",
"fixtext": "Ensure all applications installed on the host server are STIG compliant.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24973",
"ruleID": "SV-30810r2_rule",
"severity": "medium",
"title": "The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). ",
"version": "WIR-WMS-GD-002"
},
"V-24974": {
"checkid": "C-31227r2_chk",
"checktext": "Verify the Good servers (Good Mobile Control server and Good Mobile Messaging server) are installed with all required components. See the STIG Technology Overview, section 2 for more information. \n\nMark as a finding if the Good server components are not installed in the enclave with the email server.\n",
"description": "The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration or DoD data could be compromised if the smartphone management server is not installed as required.",
"fixid": "F-27615r1_fix",
"fixtext": "Install required smartphone management server components in required network architecture.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24974",
"ruleID": "SV-30811r2_rule",
"severity": "high",
"title": "The smartphone management server email system must be set up with the required system components in the required network architecture. ",
"version": "WIR-WMS-GD-003"
},
"V-24975": {
"checkid": "C-31229r2_chk",
"checktext": "The Good server host-based or appliance firewall must be configured as required. \n\nThe Good server firewall is configured with the following rules: \n\n- Deny all except when explicitly authorized. \n\n- Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. \n\n- Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service. \n\n- Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. \n\nNote: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. \n\nNote: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. \n\nCheck Procedures: \n-Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). \n\n-Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list. \n\n-Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.\n",
"description": "A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.",
"fixid": "F-27616r2_fix",
"fixtext": "Install the smartphone management server host-based or appliance firewall and configure as required. ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24975",
"ruleID": "SV-30812r2_rule",
"severity": "high",
"title": "The smartphone management server host-based or appliance firewall must be installed and configured as required.",
"version": "WIR-WMS-GD-004"
},
"V-24976": {
"checkid": "C-31230r1_chk",
"checktext": "Detailed Policy requirements\nAccess to internal Intranet sites via the Good Browser must be blocked.\n\nCheck Procedures\nVerify a local security policy has been set up on the Good server to block access to Intranet sites via the Good browser.\n\n1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies. \n\n2. Within Local Security Policies right click on IP Security Policies on Local Computer.\n\n3. Open the policy and verify the following setting has been configured:\n\n-Activate the default response rule is unchecked. \n\n4. Go to the properties of the security policy and verify the following rules are included:\na. Allow access from the GMM Server to the Default Gateway. \nb. Allow access from the GMM Server to the DNS Servers. \nc. Allow access from the GMM Server to the Exchange Servers. \nd. Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely. \ne. Deny access to everything else. \n\nVerify the IP Security policy has been assigned to the Windows server.\n\nMark as a finding if a local security policy has not been set up on the Good server to block access to Intranet sites via the Good browser or if the policy has not been configured as required.\n\n",
"description": "The secure connection from the smartphone to the smartphone management server can be used by the smartphone user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls set up on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications.",
"fixid": "F-27617r1_fix",
"fixtext": "Set up required controls on the smartphone management server for connections to back-office servers. ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24976",
"ruleID": "SV-30814r1_rule",
"severity": "high",
"title": "Security controls must be implemented on the smartphone management server for connections to back-office servers and applications.",
"version": "WIR-WMS-GD-005"
},
"V-24977": {
"checkid": "C-31238r1_chk",
"checktext": "Detailed Requirements:\n- Convert HTML and RTF formatted email into text format before sending to a smartphone. \n- Prevent the smartphone management server from sending email messages with inline images to smartphones. \n\nVerify the following Windows registry setting is set on the Good server: \n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\GoodLinkServer\\parameters\\sync]\n\"htmlEmail\"=\"1\"\n\n\nMark as a finding if the Windows registry key is not configured as required.",
"description": "HTML email and inline images in email can contain malware or links to web sites with malware.",
"fixid": "F-27618r1_fix",
"fixtext": "Configure the smartphone management server to: \n- Convert HTML and RTF formatted email into text format before sending to a smartphone. \n- Prevent the smartphone management server from sending email messages with inline images to smartphones.",
"iacontrols": [
"ECWN-1"
],
"id": "V-24977",
"ruleID": "SV-30818r1_rule",
"severity": "low",
"title": "The smartphone management server must be configured to control HTML and RTF formatted email.\n",
"version": "WIR-WMS-GD-006"
},
"V-24978": {
"checkid": "C-31348r2_chk",
"checktext": "User accounts will only be assigned a STIG-compliant security/IT policy.\n\nDetermine which policy sets on the Good server have been assigned to user accounts, using the following procedures:\n\n-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures:\n--Log into the Good Mobile Control console.\n--Click on the Policies tab.\n--View all policy sets on the server.\n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted except for a \"Provisioning\" policy set, which is used for initial setup and software update of the Android device.\n\nNote: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly.\n\nVerify all users are assigned to a STIG policy set. \n--Log into the Good Mobile Control console.\n--Click on the Handhelds tab.\n\nMark as a finding if any user account is assigned a policy set identified as not STIG-compliant.\n\n",
"description": "The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.",
"fixid": "F-27619r1_fix",
"fixtext": "User accounts will only be assigned a STIG compliant security/IT policy.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24978",
"ruleID": "SV-30819r2_rule",
"severity": "medium",
"title": "Smartphone user accounts must not be assigned to the default security/IT policy. ",
"version": "WIR-WMS-GD-007"
},
"V-24987": {
"checkid": "C-31142r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n-Select the policy set for the smartphone devices and click on Handheld Authentication on the left side.\n\n-Verify \u201cRe-challenge for CAC PIN every\u201d is checked and set to 60 minutes or less. \n(Note: 15 minutes or less is the recommended setting.)\n\nMark as a finding if \u201cRe-challenge for CAC PIN every\u201d is not checked or is not set to the required value.\n",
"description": "A user\u2019s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user\u2019s digital certificates are required for an S/MIME operation. The cached memory is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use. Otherwise, a hacker may be able to gain access to the device while the PIN is still cached in memory and access the Good application and gain access to sensitive DoD information.",
"fixid": "F-27628r2_fix",
"fixtext": "Check \u201cRe-challenge for CAC PIN every\u201d and set it to the required value.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24987",
"ruleID": "SV-30727r2_rule",
"severity": "low",
"title": "\u201cRe-challenge for CAC PIN every\u201d must be set.",
"version": "WIR-GMMS-004"
},
"V-24988": {
"checkid": "C-39021r1_chk",
"checktext": "This check is Not Applicable if \u201cAuthenticate with CAC PIN\u201d is checked.\n\nThis is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cAfter X invalid password attempts:\u201d is set to 10 or less.\n\nMark as a finding if \u201cAfter X invalid password attempts:\u201d is not set to 10 or less.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cExpire password after\u201d is set to 90 days or less.\n\nMark as a finding if \u201cExpire password after\u201d is not set to 90 days or less.\n",
"description": "Long-used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the mobile device.",
"fixid": "F-27629r1_fix",
"fixtext": "Set handheld password as required.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-24988",
"ruleID": "SV-39982r3_rule",
"severity": "low",
"title": "Handheld password must be set as required.",
"version": "WIR-WMS-GD-009-01"
},
"V-24989": {
"checkid": "C-31242r2_chk",
"checktext": "This check is not applicable if \u201cAuthenticate with CAC PIN\u201d is checked.\n\nThis is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cDisallow previously used passwords\u201d is set to 3 or more.\n\nMark as a finding if \u201cDisallow previously used passwords\u201d is not set to 3 or more.\n",
"description": "Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.",
"fixid": "F-27630r1_fix",
"fixtext": "Disallow previously used passwords.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-24989",
"ruleID": "SV-30822r2_rule",
"severity": "low",
"title": "Previously used passwords must be disallowed for security/email client on smartphone.",
"version": "WIR-WMS-GD-009-02"
},
"V-24990": {
"checkid": "C-31243r2_chk",
"checktext": "This check is not applicable if \u201cAuthenticate with CAC PIN\u201d is checked.\n\nThis is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cRequire minimum length of\u201d is set to 8 or more for the STIG/ISCG Policy Set.\n\nMark as a finding if \u201cRequire minimum length of\u201d is not set to 8 or more for the STIG/ISCG Policy Set.\n",
"description": "Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
"fixid": "F-27631r1_fix",
"fixtext": "Set the password minimum length as required.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-24990",
"ruleID": "SV-30823r2_rule",
"severity": "medium",
"title": "Password minimum length must be set as required for the smartphone security/email client.",
"version": "WIR-WMS-GD-009-03"
},
"V-24991": {
"checkid": "C-31244r2_chk",
"checktext": "This check is not applicable if \u201cAuthenticate with CAC PIN\u201d is checked.\n\nThis is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n\n-Verify \u201cDisallow repeated characters after\u201d is set to 1 or 2.\n\nMark as a finding if \u201cDisallow repeated characters after\u201d is not set to 1 or 2.\n",
"description": "Repeated password characters reduce the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
"fixid": "F-27632r1_fix",
"fixtext": "Disallow repeated password characters.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-24991",
"ruleID": "SV-30824r2_rule",
"severity": "low",
"title": "Repeated password characters must be disallowed for the Good app.",
"version": "WIR-WMS-GD-009-04"
},
"V-24992": {
"checkid": "C-31245r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cAfter X invalid password attempts:\u201d is set to 10 or less.\n\nMark as a finding if \u201cAfter X invalid password attempts:\u201d is not set to 10 or less.\n",
"description": "A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
"fixid": "F-27633r2_fix",
"fixtext": "Set the maximum invalid password attempts as required.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-24992",
"ruleID": "SV-30825r2_rule",
"severity": "medium",
"title": "Maximum invalid password attempts must be set as required for the smartphone security/email client.",
"version": "WIR-WMS-GD-009-06"
},
"V-24993": {
"checkid": "C-31248r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cAfter X invalid password attempts:\u201d is set to 10 or less.\n\nMark as a finding if \u201cAfter X invalid password attempts:\u201d is not set to 10 or less.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cWipe handheld data\u201d is selected.\n\nMark as a finding if \u201cWipe handheld data\u201d is not selected.\n",
"description": "A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.\n\n",
"fixid": "F-27634r1_fix",
"fixtext": "Wipe handheld data after maximum password attempts have been reached.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-24993",
"ruleID": "SV-30827r2_rule",
"severity": "medium",
"title": "Data must be wiped after maximum password attempts reached for the smartphone security/email client.",
"version": "WIR-WMS-GD-009-07"
},
"V-24994": {
"checkid": "C-31247r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cRequire password when idle for more than\u201d is set to 15 minutes or less.\n\nMark as a finding if \u201cRequire password when idle for more than\u201d is not set to 15 minutes or less.\n",
"description": "Sensitive DoD data could be exposed to unauthorized viewing or use if the screen of a lost or stolen smartphone is not locked.",
"fixid": "F-27635r2_fix",
"fixtext": "Set the handheld inactivity lock as required.",
"iacontrols": [
"PESL-1"
],
"id": "V-24994",
"ruleID": "SV-30826r2_rule",
"severity": "medium",
"title": "Inactivity lock must be set as required for the smartphone security/email client.",
"version": "WIR-WMS-GD-009-05"
},
"V-24995": {
"checkid": "C-31143r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n\n-Select the policy set for the smartphone and click on Messaging on the left side.\n\n-Verify \u201cDo not allow data to be copied from the Good application\u201d is checked.\n\nMark as a finding if \u201cDo not allow data to be copied from the Good application\u201d is not checked.\n",
"description": "Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data.",
"fixid": "F-27637r1_fix",
"fixtext": "Check \"Do not allow data to be copied from the Good application\" in the Good console. ",
"iacontrols": [
"ECCR-1"
],
"id": "V-24995",
"ruleID": "SV-30735r2_rule",
"severity": "medium",
"title": "\"Do not allow data to be copied from the Good application\" must be checked.",
"version": "WIR-GMMS-006-01"
},
"V-24998": {
"checkid": "C-31148r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n-Select the policy set for the smartphone and click on Provisioning on the left side.\n\n-Verify \u201cOTA Provisioning PIN expires after\u201d is checked and is set to 7 days or less.\n\nMark as a finding if \u201cOTA Provisioning PIN expires after\u201d is not checked or is not set to 7 days or less.\n",
"description": "The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to setup rogue devices on the network.",
"fixid": "F-27641r2_fix",
"fixtext": "Set the Over-the-Air (OTA) device provisioning PIN as required. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-24998",
"ruleID": "SV-30738r2_rule",
"severity": "medium",
"title": "The Over-The-Air (OTA) device provisioning PIN must have expiration set.",
"version": "WIR-GMMS-008"
},
"V-24999": {
"checkid": "C-31149r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n\n-Select the policy set for the smartphone and click on Provisioning on the left side.\n\n-Verify \u201cAllow OTA Provisioning PIN reuse\u201d is unchecked.\n\nMark as a finding if \u201cAllow OTA Provisioning PIN reuse\u201d is checked.\n",
"description": "The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.",
"fixid": "F-27642r1_fix",
"fixtext": "Do not allow OTA Provisioning PIN reuse.",
"iacontrols": [
"ECWN-1"
],
"id": "V-24999",
"ruleID": "SV-30739r2_rule",
"severity": "low",
"title": "OTA Provisioning PIN reuse must not be allowed.",
"version": "WIR-GMMS-009"
},
"V-25002": {
"checkid": "C-34842r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\nFirst, ask the site IAO, which models of Android devices are approved for use at the site. Then do the following:\n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\nNote: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n---------------------------\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n\n-Select a policy set to review and click on the policy. \n\n-On the left tab, select Compliance Manager. \n-Verify the \u201cAndroid Hardware Verification\u201d rule is listed. (Note: The rule title does not have to be exact.) \n-Open the rule by checking the box next to the rule, then click on Edit. \n\n-Verify the following are set: \nPlatform: Android\nCheck to Run: Hardware Model Verification \n\n-Verify only devices approved for use at the site are checked. \n\n-Verify \"Failure Action\" is set to \"Quit Good for Enterprise\".\n\n-Verify \"Check Every\" is set to \"1 hour\".\n\nMark as a finding if the \u201cAndroid Hardware Verification\u201d rule has not been set up or is not configured as required.",
"description": "Older devices do not support required security features.",
"fixid": "F-27647r1_fix",
"fixtext": "Set up compliance rules in the server defining required smartphone hardware versions. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25002",
"ruleID": "SV-34963r1_rule",
"severity": "low",
"title": "A compliance rule must be set up in the server defining required smartphone hardware versions. ",
"version": "WIR-GMMS-AND-010-01"
},
"V-25004": {
"checkid": "C-34844r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\nNote: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n---------------------------\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n\n-Select a policy set to review and click on the policy.\n-On the left tab, select Compliance Manager.\n-Verify the \"Android Jailbreak Detection\" rule is listed. (Note: The rule title does not have to be exact.)\n-Open the rule by checking the box next to the rule, and then click on Edit.\n\n-Verify the following are set as indicated:\n\nCheck to Run: Jailbreak/Rooted Detection\n-Verify \u201cHypervigilant mode\u201d is checked.\n\n-Verify \"Failure Action\" is set to \"Wipe Enterprise Data\".\n\n-Verify \"Check Every\" is set to \"1 hour\".\n\nMark as a finding if the \u201cAndroid Jailbreak Detection\u201d rule has not been set up or is not configured as required.\n",
"description": "DoD-required security policies can be bypassed on jailbroken and rooted smartphones. Jailbroken and rooted devices can expose sensitive DoD data to unauthorized people and could lead to a network attack.",
"fixid": "F-27653r1_fix",
"fixtext": "Set up compliance rules in the server implementing jailbreak detection. Devices will be wiped if they have been jailbroken. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25004",
"ruleID": "SV-34966r1_rule",
"severity": "medium",
"title": "A compliance rule must be set up in the server implementing jailbreak or rooting detection on smartphones. ",
"version": "WIR-GMMS-AND-010-03"
},
"V-25030": {
"checkid": "C-31251r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n- Launch the Good Mobile Control Web console and click on the Policies tab. \n\n-Select the policy set for the smartphone and click on Messaging section on the left side.\n\n-If \u201cEnable access to Good Contacts\u201d is checked, click on the Choose Fields button and verify only the following fields are checked: first name, last name, work number, mobile number, and pager number.\n\nMark as a finding if \u201cEnable access to Good Contacts\u201d is checked and more than the following fields are checked: first name, last name, work number, mobile number, and pager number.\n",
"description": "Sensitive contact information could be exposed.",
"fixid": "F-27717r1_fix",
"fixtext": "If access is enabled to the Good app contacts lists by the smartphone OS, limit contact information to only default fields: First name, Last name, Work number, Mobile number, and Pager number.",
"iacontrols": [
"ECWN-1"
],
"id": "V-25030",
"ruleID": "SV-30830r1_rule",
"severity": "low",
"title": "If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited. ",
"version": "WIR-GMMS-007"
},
"V-25032": {
"checkid": "C-31255r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n\n-Select the policy set for the smartphone and click on Handheld section on the left side.\n\n-Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked.\n\nMark as a finding if S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is not checked.\n",
"description": "A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled.",
"fixid": "F-27719r1_fix",
"fixtext": "Password access to the Good app on the smartphone shall be enabled. ",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25032",
"ruleID": "SV-30832r2_rule",
"severity": "medium",
"title": "Password access to the Good app on the smartphone must be enabled. ",
"version": "WIR-GMMS-001"
},
"V-25754": {
"checkid": "C-32242r2_chk",
"checktext": "Verify that a DoD server certificate has been installed on the Good wireless email management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed.\n\nAsk the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select \u201cview certificates\u201d. On the General tab, verify the \u201cIssued to:\u201d and \u201cIssued by:\u201d fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states \u201cThis certificate is OK\u201d. \n\nIf a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the \u201cContinue to this website\u201d option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG/ISCG to request/install a certificate issued from a trusted DoD PKI.\n\nMark as a finding if a DoD server certificate has not been installed on the Good wireless email management server or that the self-signed certificate has been installed.\n",
"description": "When a self-signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.",
"fixid": "F-28607r1_fix",
"fixtext": "Use a DoD issued digital certificate on the wireless email management server.",
"iacontrols": [
"IATS-1"
],
"id": "V-25754",
"ruleID": "SV-32013r2_rule",
"severity": "low",
"title": "The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. ",
"version": "WIR-WMS-GD-010"
},
"V-26135": {
"checkid": "C-33493r2_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cDo not allow sequential numbers\u201d is checked for the STIG/ISCG Policy Set.\n\nMark as a finding if \u201cDo not allow sequential numbers\u201d is not checked.\n",
"description": "Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
"fixid": "F-29190r1_fix",
"fixtext": "Set password complexity as required. ",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-26135",
"ruleID": "SV-32817r3_rule",
"severity": "medium",
"title": "Password complexity must be set as required.",
"version": "WIR-WMS-GD-009-08"
},
"V-26152": {
"checkid": "C-33609r2_chk",
"checktext": "This is a Good server configuration check. \n\nLog into the Good server management interface, select the Setting tab, and open the Secure Messaging (S/MIME) section.\n\nVerify Enable Secure Messaging (S/MIME) is checked.\n\nMark as a finding if Enable Secure Messaging (S/MIME) is not checked.\n",
"description": "Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.",
"fixid": "F-29209r1_fix",
"fixtext": "Enable S/MIME on the Good server.",
"iacontrols": [
"ECCR-1"
],
"id": "V-26152",
"ruleID": "SV-32858r2_rule",
"severity": "medium",
"title": "S/MIME must be enabled on the Good server. ",
"version": "WIR-GMMS-012"
},
"V-26560": {
"checkid": "C-34026r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n-Select the policy set for the mobile OS devices and click on Handheld Authentication on the left side.\n\n-Verify either \u201cAuthenticate with CAC PIN\u201d or \u201cAuthenticate with password\u201d is selected. \n\nMark as a finding if either of the required settings is not configured in the policy.\n",
"description": "Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.",
"fixid": "F-29711r1_fix",
"fixtext": "Set user authentication on the Good app on the smartphone to either CAC or password authentication. ",
"iacontrols": [
"IAIA-1"
],
"id": "V-26560",
"ruleID": "SV-33567r1_rule",
"severity": "medium",
"title": "Either CAC or password authentication must be enabled for user access to the Good app on the smartphone.",
"version": "WIR-GMMS-002"
},
"V-26561": {
"checkid": "C-34029r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n\n- If \u201cAuthenticate with CAC PIN\u201d is checked (CAC authentication is required) verify \u201cRequire CAC to be present\u201d is also checked. Note: if \u201cAuthenticate with CAC PIN\u201d is not checked, then \u201cRequire CAC to be present\u201d does not need to be checked.\n\nMark as a finding if not set as required. \n",
"description": "Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good applications store sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.",
"fixid": "F-29713r1_fix",
"fixtext": "Set \u201cRequire CAC to be present\u201d to required value. ",
"iacontrols": [
"IAIA-1"
],
"id": "V-26561",
"ruleID": "SV-33569r1_rule",
"severity": "medium",
"title": "\u201cRequire CAC to be present\u201d must be set.",
"version": "WIR-GMMS-003"
},
"V-26562": {
"checkid": "C-34034r1_chk",
"checktext": "This check is not applicable if \u201cAuthenticate with CAC PIN\u201d is checked.\n\nThis is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cRequire both letters and numbers\u201d is checked.\n\nMark as a finding if \u201cRequire both letters and numbers\u201d is not checked.\n",
"description": "Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.",
"fixid": "F-29716r1_fix",
"fixtext": "Set \u201cRequire both letters and numbers\u201d as required for the Good app.",
"iacontrols": null,
"id": "V-26562",
"ruleID": "SV-33584r1_rule",
"severity": "medium",
"title": "\u201cRequire both letters and numbers\u201d must be set as required for the smartphone security/email client.",
"version": "WIR-WMS-GD-009-09"
},
"V-26563": {
"checkid": "C-34040r1_chk",
"checktext": "This check is not applicable if \u201cAuthenticate with CAC PIN\u201d is checked.\n\nThis is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n-Select the policy set for the smartphone and click on Handheld Authentication on the left side.\n-Verify \u201cDo not allow sequential numbers\u201d is checked.\n\nMark as a finding if \u201cDo not allow sequential numbers\u201d is not checked.\n",
"description": "Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.",
"fixid": "F-29719r1_fix",
"fixtext": "Set \u201cDo not allow sequential numbers\u201d as required for the Good app.",
"iacontrols": [
"IAIA-1"
],
"id": "V-26563",
"ruleID": "SV-33579r1_rule",
"severity": "medium",
"title": "\u201cDo not allow sequential numbers\u201d must be set as required for the smartphone security/email client.",
"version": "WIR-WMS-GD-009-10"
},
"V-26564": {
"checkid": "C-34053r1_chk",
"checktext": "Detailed Policy Requirements:\nOne of the following authentication methods must be enforced for system administrator accounts: \n\n1. CAC authentication. \n\n2. The account password must be compliant with CTO 07-15 Rev1. \n\u2013Password must be a 14+ character complex password consisting of at least 2 of the following: upper case letter, lower case letter, numbers, and special characters. The password must be changed every 60 days. \n\nCheck Procedures:\nThe Good messaging server uses Active Directory authentication for admin accounts to the management console. Site admin accounts are usually set up with a user ID/password authentication rather than CAC authentication. Therefore, verify the site AD is set up to require admin accounts to use passwords meeting the requirements of CTO 07-15Rev1. Discuss with the Network and AD reviewer and site IAO to verify compliance.\n\nMark as a finding if site admin accounts do not meet the requirements.\n",
"description": "CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced.",
"fixid": "F-29731r1_fix",
"fixtext": "Configure required authentication on system administration accounts for wireless management servers.",
"iacontrols": [
"IAIA-1",
"IATS-1"
],
"id": "V-26564",
"ruleID": "SV-33591r1_rule",
"severity": "high",
"title": "Authentication on system administration accounts for wireless management servers must be configured.",
"version": "WIR-WMS-GD-011"
},
"V-26728": {
"checkid": "C-34845r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\nNote: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n---------------------------\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n\n-Select a policy set to review and click on the policy. \n\n-On the left tab, select Compliance Manager. \n-Verify the \u201cClient Version Verification\u201d rule is listed. (Note: The rule title does not have to be exact.) \n-Open the rule by checking the box next to the rule, and then click on Edit. \n\n-Verify the following are set: \nPlatform: Android\nCheck to Run: Hardware Model Verification \n\n-Verify the client version checked is at least 1.7.x. \n\n-Verify \"Failure Action\" is set to \"Quit Good for Enterprise\".\n\n-Verify \"Check Every\" is set to \"1 hour\".\n\nMark as a finding if the \u201cClient Version Verification\u201d rule has not been set up or is not configured as required.\n",
"description": "Older software versions do not support required security features.",
"fixid": "F-30027r1_fix",
"fixtext": "Set up a compliance rule to check the version of the Good client.",
"iacontrols": [
"ECWN-1"
],
"id": "V-26728",
"ruleID": "SV-34968r1_rule",
"severity": "low",
"title": "A compliance rule must be set up on the server defining required Good client versions. ",
"version": "WIR-GMMS-AND-010-04"
},
"V-26729": {
"checkid": "C-34498r1_chk",
"checktext": "This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n\n-Select the policy set for the smartphone and click on Messaging on the left side.\n\n-Verify \u201cDo not allow data to be copied into the Good application\u201d is checked.\n\nMark as a finding if \u201cDo not allow data to be copied into the Good application\u201d is not checked.\n\n",
"description": "Malware could be copied into the secure Good sandbox on the smartphone, which would put sensitive data at risk of being compromised.",
"fixid": "F-30028r1_fix",
"fixtext": "Check \"Do not allow data to be copied into the Good application\" in the Good console.",
"iacontrols": [
"ECCR-1"
],
"id": "V-26729",
"ruleID": "SV-33972r1_rule",
"severity": "medium",
"title": "\"Do not allow data to be copied into the Good application\" must be checked in the Good security policy for the handheld.",
"version": "WIR-GMMS-006-02"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-24972": "true",
"V-24973": "true",
"V-24974": "true",
"V-24975": "true",
"V-24976": "true",
"V-24977": "true",
"V-24978": "true",
"V-24987": "true",
"V-24988": "true",
"V-24989": "true",
"V-24990": "true",
"V-24991": "true",
"V-24992": "true",
"V-24993": "true",
"V-24994": "true",
"V-24995": "true",
"V-24998": "true",
"V-24999": "true",
"V-25002": "true",
"V-25004": "true",
"V-25030": "true",
"V-25032": "true",
"V-25754": "true",
"V-26135": "true",
"V-26152": "true",
"V-26560": "true",
"V-26561": "true",
"V-26562": "true",
"V-26563": "true",
"V-26564": "true",
"V-26728": "true",
"V-26729": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "good_mobility_suite_server_android_os",
"title": "Good Mobility Suite Server (Android OS) Security Technical Implementation Guide",
"version": "1"
}
}