| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
| V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication. | CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
| V-32769 | High | The MAM server must manage a list of required applications (white list) by device account and by group account. | Application white list enforcement ensures only authorized applications are installed on managed mobile devices. An unauthorized application could contain malware. In addition, the white list... |
| V-32771 | High | The MAM server must scan the list of installed applications on managed mobile devices on a predefined periodic basis and take a predefined action if unapproved applications are found. | An unauthorized application could contain malware or be a malware application. If the malware is not removed in a timely manner, DoD data and the enclave could be at risk of being compromised... |
| V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
| V-32767 | Medium | The MAM server must be able to obtain applications from a DoD managed application store. | Applications installed on the device must come from approved sources to ensure the security baseline of the device is not compromised by the application, otherwise sensitive DoD data and the... |
| V-32770 | Medium | The MAM server must prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed. | Some required applications are used to implement required security controls, which affect the security baseline of the device. If the security baseline is not maintained, sensitive DoD data and... |
| V-32773 | Medium | The MAM server must prevent unauthorized and unintended access to shared system resources by applications on managed mobile devices. | Applications on mobile devices must be prohibited from performing insecure actions on the device, including reading data from another application's memory space, accessing the contacts list and... |
| V-32772 | Medium | The MAM server must manage the installation of updates and patches for installed applications on managed mobile devices. | Timely installation of application patches is a key mitigation action against compromise of an IT system by known attack methods. |
| V-32775 | Medium | The MAM server must install DoD managed applications, including the browser, email client, and VPN client, in an approved security container on managed mobile devices. | The browser, email client, and VPN client process sensitive DoD data, which must be saved only inside the device security container. |
| V-32774 | Medium | The MAM server must enable the inspection of installed applications on a managed iOS device. | The MAM must be able to determine the name, version, source, and other key attributes of managed applications to ensure only authorized applications are installed on the device. |
| V-25754 | Low | The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI. |
| V-32768 | Low | The MAM server must install required applications on managed mobile devices. | Some required applications are used to implement required security controls, which affect the security baseline of the device. If the security baseline is not maintained, sensitive DoD data and... |
| V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis. | If the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be... |