{
"stig": {
"date": "2019-05-17",
"description": "This STIG contains the policy, training, and operating procedure security controls for the use of MDM servers in the DoD environment. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-24955": {
"checkid": "C-31114r11_chk",
"checktext": "Detailed Policy Requirements: \nThis requirement applies to mobile operating system (OS) mobile devices.\n\nThis requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).\n\nIn accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or \u201cdata spill\u201d occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. Mobile devices are not authorized for processing classified data. \n\nA data spill also occurs if a classified document is attached to an otherwise unclassified email. A data spill will only occur if the classified attached document is viewed or opened by the mobile device user since the mobile device system only downloads an attachment on the mobile device if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures. \n\nCheck Procedures: \nInterview the ISSO. Verify classified incident handling, response, and reporting procedures are documented in site mobile device procedures or security policies. \n\nIf classified incident handling, response, and reporting procedures are not documented in site mobile device procedures or security policies, this is a finding.\n\nThis requirement applies at both sites where mobile devices are issued and managed and at sites where the mobile device management server is located.\n\n- At the mobile device management server site, verify Incident Handling and Response procedures include actions to sanitize the mobile device management server and email servers (e.g., Exchange, Oracle mail). \n\n- At mobile device sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. The following actions will be followed for all mobile devices involved in a data spill:\n\nIf Incident Handling and Response procedures do not include required information, this is a finding.\n",
"description": "When a data spill occurs on a mobile device, classified or sensitive data must be protected to prevent disclosure. After a data spill, the mobile device must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.",
"fixid": "F-27582r3_fix",
"fixtext": "Publish a Classified Message Incident (CMI) procedure or policy for the site.",
"iacontrols": null,
"id": "V-24955",
"ruleID": "SV-30692r6_rule",
"severity": "medium",
"title": "Publish data spill procedures for mobile devices",
"version": "WIR-SPP-003-01"
},
"V-24957": {
"checkid": "C-31115r9_chk",
"checktext": "Detailed Policy Requirements: \nThis requirement applies to mobile operating system (OS) mobile devices.\n\nThis requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).\n\nIf a data spill occurs on a mobile device, the following actions must be completed: \n\n- The mobile device management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)\n\n- The mobile device is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01. \n\nCheck Procedures: \nInterview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. \n\nIf the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.\n",
"description": "If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.",
"fixid": "F-27583r4_fix",
"fixtext": "Follow required procedures after a data spill occurs.",
"iacontrols": null,
"id": "V-24957",
"ruleID": "SV-30694r6_rule",
"severity": "high",
"title": "If a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures.",
"version": "WIR-SPP-003-02"
},
"V-24962": {
"checkid": "C-31122r10_chk",
"checktext": "Detailed Policy Requirements: \n\nThe site (location where mobile devices are issued and managed and the site where the mobile operating system (OS) based mobile device management server is located) must publish procedures to follow if a mobile device has been lost or stolen. The procedures should include (as appropriate):\n\n- Mobile device user notifies ISSO, SM, and other site personnel, as required by the site\u2019s Incident Response Plan, within the timeframe required by the site\u2019s Incident Response Plan. \n\n- The ISSO notifies the mobile device management server system administrator and other site personnel, as required by the site\u2019s Incident Response Plan, within the timeframe required by the site\u2019s Incident Response Plan. \n\nThe site mobile device management server administrator sends a wipe command to the mobile device and then disables the user account on the management server or removes the mobile device from the user account.\n\n- The site will contact the carrier to have the device deactivated on the carrier\u2019s network.\n\nCheck procedures: \nInterview the ISSO. \n\nReview the site\u2019s Incident Response Plan or other policies to determine if the site has a written plan of action.\n\nIf the site does not have a written plan of action following a lost or stolen mobile device, this is a finding.\n",
"description": "Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based mobile device and the data could be compromised if required actions are not followed when a mobile device is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based mobile devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.",
"fixid": "F-27603r3_fix",
"fixtext": "Publish procedures to follow if a mobile operating system (OS) based mobile device is lost or stolen. ",
"iacontrols": null,
"id": "V-24962",
"ruleID": "SV-30699r7_rule",
"severity": "low",
"title": "The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.",
"version": "WIR-SPP-007-01"
},
"V-24969": {
"checkid": "C-31133r5_chk",
"checktext": "Interview the ISSO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. \n\nIf the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed, this is a finding. \n ",
"description": "If procedures for lost or stolen mobile devices are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.",
"fixid": "F-27592r4_fix",
"fixtext": "Follow required actions when a mobile device is reported lost or stolen. ",
"iacontrols": null,
"id": "V-24969",
"ruleID": "SV-30706r6_rule",
"severity": "low",
"title": "Required actions must be followed at the site when a mobile device has been lost or stolen.",
"version": "WIR-SPP-007-02"
},
"V-24970": {
"checkid": "C-31134r9_chk",
"checktext": "Detailed policy requirements: \nThe MDM server administrator must be trained on the following requirements: \n\n- Requirement that administrative service accounts will not be used to log into the mobile device management server or any server service. \n\n- Activation passwords or PINs will consist of a pseudo-random pattern of at least eight characters consisting of at least two letters and two numbers. A new activation password must be selected each time one is assigned (e.g., the same password cannot be used for all users or for a group of users). \n\n- User and group accounts on the MDM server will always be assigned a STIG-compliant security/IT policy.\n\nCheck procedures: \n-Verify the MDM server administrator(s) has received the required training. The site should document when the training was completed.\n\nIf the MDM server administrator did not receive required training, this is a finding.\n",
"description": "The security posture of the MDM server could be compromised if the administrator is not trained to follow required procedures. ",
"fixid": "F-27604r2_fix",
"fixtext": "Have MDM server administrator complete and document his/her training. ",
"iacontrols": null,
"id": "V-24970",
"ruleID": "SV-30707r7_rule",
"severity": "low",
"title": "The mobile device management (MDM) server administrator must receive required training.",
"version": "WIR-WMSP-001-01"
},
"V-28313": {
"checkid": "C-35162r6_chk",
"checktext": "The site should document when training was completed.\n\n-Verify training is renewed annually.\n\nIf the MDM server administrator training is not renewed annually, this is a finding.",
"description": "The MDM server administrator must renew required training annually.",
"fixid": "F-30410r1_fix",
"fixtext": "Renew required training annually.",
"iacontrols": null,
"id": "V-28313",
"ruleID": "SV-36041r6_rule",
"severity": "low",
"title": "MDM server administrator training must be renewed annually.",
"version": "WIR-WMSP-001-02"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-24955": "true",
"V-24957": "true",
"V-24962": "true",
"V-24969": "true",
"V-24970": "true",
"V-28313": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "mdm_server_policy",
"title": "MDM Server Policy Security Technical Implementation Guide (STIG)",
"version": "2"
}
}