Finding ID | Severity | Title | Description |
V-24974 | High | The smartphone management server email system must be set up with the required system components in the required network architecture. | The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD... |
V-24975 | High | The smartphone management server host-based or appliance firewall must be installed and configured as required. | A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required. |
V-26564 | High | Authentication on system administration accounts for wireless management servers must be configured. | CTO 07-15Rev1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. |
V-26107 | Medium | The following Bluetooth configuration must be set as required: Basic Imaging Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26132 | Medium | The following Data Encryption configuration must be set as required: My Music. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. |
V-26104 | Medium | The following Bluetooth configuration must be set as required: Wireless Application Protocol Bearer. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-25032 | Medium | Password access to the Good app on the smartphone must be enabled. | A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled. |
V-24994 | Medium | Inactivity lock must be set as required for the smartphone security/email client. | Sensitive DoD data could be exposed to unauthorized viewing or use if the screen of a lost or stolen smartphone is not locked. |
V-24995 | Medium | "Do not allow data to be copied from the Good application" must be checked. | Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data. |
V-26099 | Medium | The following Bluetooth configuration must be set as required: Dial Up Network Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26098 | Medium | The following Bluetooth configuration must be set as required: Common ISDN Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-24998 | Medium | The Over-The-Air (OTA) device provisioning PIN must have expiration set. | The time period during which a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to set up rogue devices on the network. |
V-26106 | Medium | The following Bluetooth configuration must be set as required: Advanced Audio Distribution Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-24992 | Medium | Maximum invalid password attempts must be set as required for the smartphone security/email client. | A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and... |
V-24993 | Medium | Data must be wiped after maximum password attempts reached for the smartphone security/email client. | A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and... |
V-26093 | Medium | The following Bluetooth configuration must be set as required: General Audio/Video Distribution Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26095 | Medium | The following Bluetooth configuration must be set as required: Serial Port Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26094 | Medium | The following Bluetooth configuration must be set as required: Personal Area Networking Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26097 | Medium | The following Bluetooth configuration must be set as required: Generic Object (Exchange) Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26096 | Medium | The following Bluetooth configuration must be set as required: Enable discovery. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26114 | Medium | The following Bluetooth configuration must be set as required: Video Conferencing Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26115 | Medium | The following Bluetooth configuration must be set as required: Message Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26116 | Medium | The following Bluetooth configuration must be set as required: External Service Discovery Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26117 | Medium | The following Bluetooth configuration must be set as required: Device ID Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26110 | Medium | The following Bluetooth configuration must be set as required: Object Push Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26111 | Medium | The following Bluetooth configuration must be set as required: Synchronization Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26112 | Medium | The following Bluetooth configuration must be set as required: Phone Book Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26113 | Medium | The following Bluetooth configuration must be set as required: Video Distribution Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26150 | Medium | The following Good Mobile Access configuration must be set as required: Allow internet access on handheld when Good Mobile Access is not running. | The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly. |
V-26122 | Medium | The following Bluetooth configuration must be set as required: Human Interface Device Profile (Service and Host). | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26134 | Medium | The following Data Encryption configuration must be set as required: Personal. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. |
V-26135 | Medium | Password complexity must be set as required. | Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. |
V-26118 | Medium | The following Bluetooth configuration must be set as required: Service Discovery Application Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26119 | Medium | The following Bluetooth configuration must be set as required: Unrestricted Digital Information. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26130 | Medium | The following Data Encryption configuration must be set as required: My Pictures. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. |
V-26102 | Medium | The following Bluetooth configuration must be set as required: Cordless Telephony Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-24990 | Medium | Password minimum length must be set as required for the smartphone security/email client. | Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. |
V-26101 | Medium | The following Bluetooth configuration must be set as required: LAN Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-24972 | Medium | The required smartphone management server or later version must be used. | Earlier versions of the smartphone management server may have security vulnerabilities or have not implemented required security features. |
V-24973 | Medium | The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack... |
V-26100 | Medium | The following Bluetooth configuration must be set as required: Fax Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-24978 | Medium | Smartphone user accounts must not be assigned to the default security/IT policy. | The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD... |
V-26105 | Medium | The following Bluetooth configuration must be set as required: Active Sync. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26129 | Medium | The following Data Encryption configuration must be set as required: My Music. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. |
V-26109 | Medium | The following Bluetooth configuration must be set as required: OBEX File Transfer Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26151 | Medium | The following Good Mobile Access configuration must be set as required: Route only Intranet traffic through Good Mobile Access. | The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly. |
V-26152 | Medium | S/MIME must be enabled on the Good server. | Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical... |
V-26561 | Medium | “Require CAC to be present” must be set. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to... |
V-26560 | Medium | Either CAC or password authentication must be enabled for user access to the Good app on the smartphone. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to... |
V-26108 | Medium | The following Bluetooth configuration must be set as required: Basic Printing Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26133 | Medium | The following Data Encryption configuration must be set as required: My Pictures. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. |
V-26121 | Medium | The following Bluetooth configuration must be set as required: HeadSet and Hands Free Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26120 | Medium | The following Bluetooth configuration must be set as required: Audio / Video Remote Control Transport Protocol. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26123 | Medium | The following Bluetooth configuration must be set as required: Hard Copy Cable Replacement Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26148 | Medium | The following Good Mobile Access configuration must be set as required: Require user to authenticate via NTLM. | The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly. |
V-26125 | Medium | The Infrared radio must be disabled. | The Infrared radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26124 | Medium | The following Bluetooth configuration must be set as required: SIM Access. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26127 | Medium | The following Storage Card configuration must be set as required: Enable storage card encryption. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.). |
V-26126 | Medium | The following Storage Card configuration must be set as required: Wipe storage card when wiping data. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.). |
V-26149 | Medium | The following Good Mobile Access configuration must be set as required: Route both Intranet and Internet traffic through Good Mobile Access. | The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly. |
V-26128 | Medium | The following Storage Card configuration must be set as required: Allow encrypted storage cards to work only with handheld that originally encrypted them. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.). |
V-26103 | Medium | The following Bluetooth configuration must be set as required: Intercom Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to... |
V-26131 | Medium | The following Data Encryption configuration must be set as required: Personal. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. |
V-26146 | Medium | The following Good Mobile Access configuration must be set as required: Enable Good Mobile Access. | The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly. |
V-26145 | Medium | A list of Windows Mobile Smartphone blocked apps must be set up on the Good server. | Malware could be installed on the smartphone if required controls are not followed. |
V-26144 | Medium | A list of Windows Mobile Pocket PC blocked apps must be set up on the Good server. | Malware could be installed on the smartphone if required controls are not followed. |
V-25030 | Low | If smartphone access to the Good app contact list is enabled, the contact information made available must be limited. | Sensitive contact information could be exposed. |
V-24999 | Low | OTA Provisioning PIN reuse must not be allowed. | The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system. |
V-24991 | Low | Repeated password characters must be disallowed for the Good app. | Repeated password characters reduce the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. |
V-25754 | Low | The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520.02 requires PKI certificates come from a... |
V-24989 | Low | Previously used passwords must be disallowed for the security/email client on the smartphone. | Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. |
V-24988 | Low | Handheld password expiration must be set as required. | Passwords that remain in use for a long time are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. |
V-24987 | Low | “Re-challenge for CAC PIN every” must be set. | A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user’s digital certificates... |
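The password rows above (minimum length, complexity, no repeated characters, no previously used passwords, and wipe after the maximum number of failed attempts) describe policy, not mechanism. The following is an added example, not code from the STIG or from the Good server, showing how those five checks are enforced together in one place. The numeric thresholds (8 characters, two character classes, five remembered passwords, ten failed attempts) are assumptions for illustration; the STIG rows only say "as required". "Repeated characters" is interpreted here as the same character appearing twice in a row. Password history is kept as salted PBKDF2 hashes so the check never stores plaintext.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Assumed values for illustration; the STIG text says only "as required".
    min_length: int = 8
    min_char_classes: int = 2      # of: lowercase, uppercase, digit, symbol
    history_depth: int = 5         # previous passwords that may not be reused
    max_failed_attempts: int = 10  # failures before the device is wiped


def char_classes(password: str) -> int:
    """Count the character classes (lower, upper, digit, symbol) present."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def has_repeated_char(password: str) -> bool:
    """True if any character is immediately followed by the same character ('aa')."""
    return any(a == b for a, b in zip(password, password[1:]))


class PasswordHistory:
    """Remembers the last N passwords as (salt, PBKDF2 digest) pairs, never plaintext."""

    def __init__(self, depth: int):
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def contains(self, password: str) -> bool:
        # Constant-time comparison against every remembered digest.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.depth]  # keep only the newest `depth` entries


def check_password(password: str, policy: PasswordPolicy,
                   history: PasswordHistory) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("too_short")          # V-24990 minimum length
    if char_classes(password) < policy.min_char_classes:
        violations.append("not_complex")        # V-26135 complexity
    if has_repeated_char(password):
        violations.append("repeated_chars")     # V-24991 repeated characters
    if history.contains(password):
        violations.append("reused")             # V-24989 password history
    return violations


class FailedAttemptCounter:
    """Counts consecutive bad unlock attempts; returns 'wipe' once the limit is hit."""

    def __init__(self, policy: PasswordPolicy):
        self.limit = policy.max_failed_attempts
        self.failures = 0

    def record_failure(self) -> str:
        self.failures += 1
        if self.failures >= self.limit:
            return "wipe"   # V-24992/V-24993: wipe data (and storage card, V-26126)
        return "retry"

    def record_success(self) -> None:
        self.failures = 0


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = PasswordHistory(policy.history_depth)
    for candidate in ("aaaaaaaa", "Abc1", "Tr0ub4dor"):
        print(candidate, "->", check_password(candidate, policy, history) or "ok")
    history.add("Tr0ub4dor")
    print("Tr0ub4dor again ->", check_password("Tr0ub4dor", policy, history))
```

The history check hashes the candidate once per remembered entry because each entry has its own salt; with a depth of five this is negligible, but a server-side implementation with a long history would normally reuse one per-user salt so a single PBKDF2 call covers all entries.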