Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide


Overview

Date: 2021-09-15
Finding Count (26): CAT I (High): 7, CAT II (Med): 13, CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-251001 High MobileIron Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.
V-251007 High MobileIron Sentry must be running an operating system release that is currently supported by MobileIron.
V-251006 High MobileIron Sentry must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
V-250996 High MobileIron Sentry must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirement.
V-250994 High MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
V-250995 High MobileIron Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
V-250988 High MobileIron Sentry must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.
V-251000 Medium The MobileIron Sentry must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
V-251005 Medium MobileIron Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-250997 Medium MobileIron Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-250992 Medium MobileIron Sentry must enforce password complexity by requiring that at least one numeric character be used.
V-250993 Medium MobileIron Sentry must enforce password complexity by requiring that at least one special character be used.
V-250990 Medium MobileIron Sentry must enforce password complexity by requiring that at least one upper-case character be used.
V-250991 Medium MobileIron Sentry must enforce password complexity by requiring that at least one lower-case character be used.
V-250999 Medium MobileIron Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources.
V-250989 Medium MobileIron Sentry device must enforce a minimum 15-character password length.
V-250983 Medium MobileIron Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range.
V-250982 Medium MobileIron Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type.
V-250984 Medium MobileIron Sentry must initiate a session lock after a 15-minute period of inactivity.
V-250987 Medium MobileIron Sentry must display the Standard Mandatory DoD Notice and Consent Banner in the Sentry web interface before granting access to the device.
V-251003 Low MobileIron Sentry must enforce access restrictions associated with changes to the system components.
V-251002 Low MobileIron Sentry must off-load audit records onto a different system or media than the system being audited.
V-251004 Low MobileIron Sentry must be configured to conduct backups of system level information contained in the information system when changes occur.
V-250998 Low MobileIron Sentry must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-250985 Low MobileIron Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
V-250986 Low MobileIron Sentry must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.