V-70097 | High | Windows 10 Mobile must protect data at rest on removable storage media. | The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the... |
V-70095 | High | Windows 10 Mobile must protect data at rest on built-in storage media. | The MOS must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even... |
V-70143 | Medium | Windows 10 Mobile devices must be upgraded to the Windows 10 Mobile Enterprise edition. Enterprise edition provides the ability to leverage several enhanced controls that have a dependency on the enterprise edition. | During ongoing operating system development, Windows 10 has a cadence of MOS updates that add new features including improved enterprise and security capabilities as well as fixes to issues... |
V-69709 | Medium | Windows 10 Mobile must not display notifications in the Action Center when the device is locked. | Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there... |
V-70109 | Medium | Windows 10 Mobile must not allow backup to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally... |
V-70091 | Medium | Windows 10 Mobile must lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
V-70125 | Medium | Windows 10 Mobile must be configured to implement the management setting: Disable the device Bluetooth Discoverable Mode. | Bluetooth usage could provide an attack vector for a hacker to connect to a mobile OS device without the knowledge of the user. Disabling Discoverable mode reduces the risk of a non-authorized... |
V-70123 | Medium | Windows 10 Mobile must be configured to implement the management setting: Disable the ability for a user to add new email accounts. | Personal or unauthorized email accounts can lead to the transmission of sensitive DoD data to unauthorized recipients. Disabling this feature mitigates the risk. The use of personal or non-DoD... |
V-70099 | Medium | Windows 10 Mobile must be configured to disable automatic updates of system software. | FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are... |
V-69713 | Medium | Windows 10 Mobile must disable the Windows Store. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-70117 | Medium | Windows 10 Mobile must not allow a USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a... |
V-69711 | Medium | Windows 10 Mobile must not allow use of developer modes. | Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the... |
V-70105 | Medium | Windows 10 Mobile must be configured to disable VPN split-tunneling (if the MD provides a configurable control for FDP_IFC_EXT.1.1). | Split-tunneling allows multiple simultaneous remote connections to the mobile device. Without VPN split-tunneling disabled, malicious applications can covertly off-load device data to a... |
V-70107 | Medium | Windows 10 Mobile must not allow backup to remote systems and must have a mechanism to restrict abilities of applications and OS components that leverage cloud storage by blocking backup to OneDrive. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a... |
V-70113 | Medium | Windows 10 Mobile must enable all IP traffic (other than IP traffic required to establish the VPN connection) to flow through the IPsec VPN client or provide an interface to VPN applications for this purpose. | It is common for mobile devices to connect directly to wireless networks that DoD does not manage, including direct Internet access through the cellular service provider. This condition leaves the... |
V-71681 | Medium | Windows 10 Mobile must be running OS build number 10.0.14393.10 or higher to meet all requirements in the STIG. | During ongoing operating system development, Windows 10 has a cadence of MOS updates that add new features, including improved enterprise and security capabilities as well as fixes to issues... |
V-70131 | Medium | Windows 10 Mobile must be configured to implement the management setting: Require a password be used before unlocking a Windows 10 Mobile device. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of... |
V-70085 | Medium | Windows 10 Mobile must be configured to implement the management setting: Disable the ability for a device to send out advertisements/Bluetooth beacons to a Bluetooth peripheral. | Bluetooth usage could provide an attack vector for a hacker to connect to a mobile OS device without the knowledge of the user. Disabling Bluetooth advertising/beaconing reduces the risk of a... |
V-70135 | Medium | Windows 10 Mobile must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked. | When a mobile device is locked, there should be no access to its protected/sensitive data as it could enable unauthorized people with physical access to the device to bring up and view sensitive... |
V-70083 | Medium | Windows 10 Mobile must enforce an application installation policy by specifying an application whitelist. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-70111 | Medium | Windows 10 Mobile must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless the mechanism is DoD-approved. | The fingerprint reader or iris scan (supported by some Windows 10 Mobile devices) can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has... |
V-70139 | Medium | Windows 10 Mobile must be configured to implement the management setting: Disable the capability for syncing settings such as the theme, application settings, Internet Explorer sites visited, and cached passwords to Microsoft OneDrive cloud storage. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a... |
V-70137 | Medium | Windows 10 Mobile must be configured to implement the management setting: Disable the capability for a user to manually unenroll from MDM management. | The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls... |
V-70119 | Medium | Windows 10 Mobile must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). | Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.... |
V-70103 | Medium | Windows 10 Mobile whitelist must not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services, e.g., OneDrive, Box, Dropbox, Google Drive, Amazon Cloud Drive, Azure);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user;
- payment processing; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-70093 | Low | Windows 10 Mobile must enforce a minimum password length of 6 characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-70127 | Low | Windows 10 Mobile must be configured to implement the management setting: Disable the ability of the Edge browser to cache passwords in the Password Manager. | Access to websites that require authentication can be streamlined for faster logon if credentials like passwords can be saved. But eliminating password prompts leaves protected websites vulnerable... |
V-70121 | Low | Windows 10 Mobile must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product... |
V-70087 | Low | Windows 10 Mobile must not allow passwords that include more than two repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier... |
V-70101 | Low | Windows 10 Mobile must enable VPN protection. | A key characteristic of a mobile device is that they typically will communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility.... |
V-70115 | Low | Windows 10 Mobile must generate audit records. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their... |
V-70129 | Low | Windows 10 Mobile must be configured to implement the management setting: Disable the capability to use NFC. | NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. The data-in-transit (DIT) is not encrypted using FIPS 140-2 validated encryption. Any... |
V-70089 | Low | Windows 10 Mobile must not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of... |
V-70133 | Low | Windows 10 Mobile must be configured to implement the management setting: Disable the ability to copy and paste data between trusted and non-trusted applications and between trusted and non-trusted networks. | Copy/Paste data protection provides the capability to restrict transfer of data between managed (work/enterprise) and non-managed (personal) apps. Sensitive DoD data could be compromised if this... |
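The device-lock entries above (V-70131 password required, V-70093 minimum length 6, V-70087 no more than two repeating or sequential characters, V-70089 at most 10 failed attempts, V-70091 lock after 15 minutes) are all set by an MDM server through the Policy CSP DeviceLock nodes. The following is an added example, not STIG check text or Microsoft code: it audits an exported DeviceLock policy against those five thresholds, implements the repeating/sequential-character rule that AllowSimpleDevicePassword=0 enforces so a practitioner can test candidate PINs, and renders compliant values as the SyncML Replace commands an OMA-DM server sends. The node names are the DeviceLock node names under ./Vendor/MSFT/Policy/Config/; the two sample policy dictionaries and the PINs are constructed for illustration.

```python
"""Audit helpers for the Windows 10 Mobile STIG device-lock settings
(V-70131, V-70093, V-70087, V-70089, V-70091).

Added example, not STIG or Microsoft code.  Node names are the Policy CSP
DeviceLock nodes written under ./Vendor/MSFT/Policy/Config/DeviceLock/;
the sample policies below are constructed.
"""
from typing import Callable, Dict, List, Tuple

DEVICELOCK_URI = "./Vendor/MSFT/Policy/Config/DeviceLock/"

# (node, predicate on the configured value, STIG rule it enforces).
# Note the CSP's inverted boolean: DevicePasswordEnabled 0 = password required.
RULES: List[Tuple[str, Callable[[int], bool], str]] = [
    ("DevicePasswordEnabled", lambda v: v == 0,
     "V-70131: a password must be required to unlock the device"),
    ("MinDevicePasswordLength", lambda v: v >= 6,
     "V-70093: minimum password length of 6"),
    ("AllowSimpleDevicePassword", lambda v: v == 0,
     "V-70087: no more than two repeating or sequential characters"),
    ("MaxDevicePasswordFailedAttempts", lambda v: 1 <= v <= 10,
     "V-70089: at most 10 consecutive failed attempts"),
    ("MaxInactivityTimeDeviceLock", lambda v: 1 <= v <= 15,
     "V-70091: lock after 15 minutes or less of inactivity"),
]


def audit_devicelock(policy: Dict[str, int]) -> List[str]:
    """Return one finding per STIG rule the policy fails; empty means compliant.
    A node the MDM never pushed is reported too, because the device then
    keeps its default (unrestricted) value."""
    findings = []
    for node, ok, rule in RULES:
        if node not in policy:
            findings.append(f"{node} not configured ({rule})")
        elif not ok(policy[node]):
            findings.append(f"{node}={policy[node]} fails {rule}")
    return findings


def has_simple_pattern(secret: str) -> bool:
    """True if the secret contains more than two consecutive repeating
    characters ('111') or sequential characters ('123', 'cba'), i.e. the
    patterns V-70087 forbids.  Runs are tracked by the step between
    neighbouring characters: 0 = repeat, +1/-1 = ascending/descending."""
    run, step = 1, None
    for prev, cur in zip(secret, secret[1:]):
        d = ord(cur) - ord(prev)
        if d in (-1, 0, 1) and d == step:
            run += 1          # run continues with the same step
        elif d in (-1, 0, 1):
            run, step = 2, d  # new run of two characters
        else:
            run, step = 1, None
        if run >= 3:
            return True
    return False


def syncml_replace(policy: Dict[str, int], first_cmd_id: int = 2) -> str:
    """Render DeviceLock values as SyncML <Replace> commands, the form an
    MDM server sends to the device's OMA-DM client (one Item per node)."""
    items = []
    for cmd_id, (node, value) in enumerate(sorted(policy.items()), start=first_cmd_id):
        items.append(
            "<Replace><CmdID>%d</CmdID><Item>"
            "<Target><LocURI>%s%s</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">int</Format></Meta>'
            "<Data>%d</Data></Item></Replace>" % (cmd_id, DEVICELOCK_URI, node, value)
        )
    return "".join(items)


# Constructed sample policies: one lax configuration and one STIG-compliant one.
LAX_POLICY = {
    "DevicePasswordEnabled": 1,            # 1 = password not required
    "MinDevicePasswordLength": 4,
    "MaxDevicePasswordFailedAttempts": 0,  # 0 = no limit on failed attempts
    "MaxInactivityTimeDeviceLock": 30,
}
STIG_POLICY = {
    "DevicePasswordEnabled": 0,
    "AllowSimpleDevicePassword": 0,
    "MinDevicePasswordLength": 6,
    "MaxDevicePasswordFailedAttempts": 10,
    "MaxInactivityTimeDeviceLock": 15,
}

if __name__ == "__main__":
    for finding in audit_devicelock(LAX_POLICY):
        print("FAIL", finding)
    print("STIG_POLICY compliant:", not audit_devicelock(STIG_POLICY))
    for pin in ("123456", "112233", "735192"):
        print(pin, "simple" if has_simple_pattern(pin) else "ok")
    print(syncml_replace(STIG_POLICY))
```

The audit treats an absent node as a finding on purpose: the STIG check for each of these items reads the value back from the device, and a node the MDM profile never set stays at the platform default rather than at the required value.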