V-24974 | High | The smartphone management server email system must be set up with the required system components in the required network architecture. | The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD... |
V-24975 | High | The smartphone management server host-based or appliance firewall must be installed and configured as required. | A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required. |
V-24976 | High | Security controls must be implemented on the smartphone management server for connections to back-office servers and applications. | The secure connection from the smartphone to the smartphone management server can be used by the smartphone user to connect to back-office servers and applications located on the enclave network. ... |
V-26564 | High | Authentication on system administration accounts for wireless management servers must be configured. | CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. |
V-25004 | Medium | A compliance rule must be set up in the server implementing jailbreak detection on smartphones. Devices will be wiped if they have been jailbroken. | DoD-required security policies can be bypassed on jailbroken smartphones. Jailbroken devices can expose sensitive DoD data to unauthorized people and could lead to a network attack. |
V-25032 | Medium | Password access to the Good app on the smartphone must be enabled. | A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled. |
V-24994 | Medium | Inactivity lock must be set as required for the smartphone security/email client. | Sensitive DoD data could be exposed to unauthorized viewing or use if a lost or stolen smartphone's screen was not locked. |
V-24995 | Medium | "Do not allow data to be copied from the Good application" must be checked. | Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data. |
V-24998 | Medium | The Over-The-Air (OTA) device provisioning PIN must have expiration set. | The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to set up rogue devices on the network. |
V-24992 | Medium | Maximum invalid password attempts must be set as required for the smartphone security/email client. | A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and... |
V-24993 | Medium | Data must be wiped after maximum password attempts reached for the smartphone security/email client. | A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and... |
V-24990 | Medium | Password minimum length must be set as required for the smartphone security/email client. | Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. |
V-26729 | Medium | "Do not allow data to be copied into the Good application" must be checked in the Good security policy for the handheld. | Malware could be copied into the secure Good sandbox on the smartphone, which would put sensitive data at risk of being compromised. |
V-26152 | Medium | S/MIME must be enabled on the Good server. | Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical... |
V-26135 | Medium | Password complexity must be set as required. | Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. |
V-24972 | Medium | The required smartphone management server or later version must be used. | Earlier versions of the smartphone management server may have security vulnerabilities or have not implemented required security features. |
V-24973 | Medium | The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack... |
V-24978 | Medium | Smartphone user accounts must not be assigned to the default security/IT policy. | The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD... |
V-26561 | Medium | “Require CAC to be present” must be set. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to... |
V-26560 | Medium | Either CAC or password authentication must be enabled for user access to the Good app on the smartphone. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to... |
V-26562 | Medium | “Require both letters and numbers” must be set as required for the smartphone security/email client. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. |
V-25000 | Medium | The Good server must be configured to push an iPhone configuration profile to each managed iPhone. | Sensitive DoD data could be compromised if a security profile is not installed on DoD iPhone/iPad/iPod touch devices. |
V-26563 | Medium | “Do not allow sequential numbers” must be set as required for the smartphone security/email client. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. |
V-25002 | Low | A compliance rule must be set up in the server defining required smartphone hardware versions. | Older devices do not support required security features. |
V-25030 | Low | If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited. | Sensitive contact information could be exposed. |
V-24999 | Low | OTA Provisioning PIN reuse must not be allowed. | The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system. |
V-24991 | Low | Repeated password characters must be disallowed for the Good app. | Repeated password characters reduce the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. |
V-26728 | Low | A compliance rule must be set up on the server defining required Good client versions. | Older software versions do not support required security features. |
V-24977 | Low | The smartphone management server must be configured to control HTML and RTF formatted email. | HTML email and inline images in email can contain malware or links to web sites with malware. |
V-25754 | Low | The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a... |
V-24989 | Low | Previously used passwords must be disallowed for security/email client on smartphone. | Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. |
V-24988 | Low | Handheld password must be set as required. | Long-used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the iPhone/iPad and sensitive DoD data stored on the iPhone/iPad. |
V-24987 | Low | “Re-challenge for CAC PIN every” must be set. | A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user’s digital certificates... |