V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
V-32764 | High | The MDIS server must identify unexpected changes in applications installed on the mobile device. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32762 | High | The MDIS agent must operate separate and independent of the management of the mobile devices security policy. | One of the key capabilities of the MDIS feature is the capability to determine if the device has been compromised. To ensure integrity of the feature, the MDIS must not be modified by any device... |
V-32763 | High | The MDIS server must identify changes in file structure and files on the mobile device. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements. | CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
V-32749 | High | Mitigation actions must be implemented based on integrity validation scan findings. | If mitigation actions are not implemented after a scan finding, DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised. ... |
V-32759 | High | The MDIS agent must not be capable of being disabled or controlled by the user or other mobile device application. | The integrity of the device security baseline would be compromised if the MDIS agent could be disabled by the user or an application. |
V-32758 | High | The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32754 | High | The MDIS server must provide a near real-time alert when any compromise or potential compromise indicators occurs. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32753 | High | The MDIS server must alert when it identifies malicious code on managed mobile devices. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32765 | Medium | The MDIS server must have the capability to maintain change history of individual devices. | Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security... |
V-24972 | Medium | The required mobile device management server version (or later) must be used. | Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security... |
V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
V-32761 | Medium | The MDIS server must base recommended mitigations for findings on the identified risk level of the finding. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32748 | Medium | The results and mitigation actions from MDIS server on site managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended). | Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security... |
V-32755 | Medium | The MDIS server must provide notifications regarding suspicious events to an organization defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less. | There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use... |
V-25754 | Low | The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI. |