V-32759 | High | The MDIS server must not be capable of being disabled or controlled by the user or other mobile device application. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32758 | High | The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32756 | High | The MDIS server must use automated mechanisms to alert security personnel when the device has been jailbroken or rooted. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32754 | High | The MDIS server must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32753 | High | The MDIS server must alert when it identifies malicious code on managed mobile devices. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32751 | High | The MDIS server must implement detection and inspection mechanisms to identify unauthorized mobile code on managed mobile devices. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32750 | High | The MDIS server must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials in accordance with the organization defined frequency. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
V-32764 | High | The MDIS server must identify unexpected changes in applications installed on the mobile device. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32762 | High | The MDIS server must operate separate and independent of the management of the mobile devices security policy. | One of the key capabilities of the MDIS feature is the capability to determine if the device has been compromised. The MDIS must not be modified by any device management feature to ensure... |
V-32763 | High | The MDIS server must identify changes in file structure and files on the mobile device. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32749 | High | Mitigation actions identified by MDIS server scans on site managed mobile OS devices must be implemented. | If mitigation actions identified by the Mobile OS device integrity tool are not implemented, DoD data and the enclave could be at risk of being compromised because the security baseline of the... |
V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication. | CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
V-32757 | Medium | The MDIS server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32755 | Medium | The MDIS server must provide notifications regarding suspicious events to an organization defined list of response personnel who are identified by name and/or by role. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32752 | Medium | The MDIS server must scan for malicious code on managed mobile devices on an organization defined frequency. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
V-32765 | Medium | MDIS server must archive results of scans for individual devices. | Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there is any security vulnerability... |
V-32760 | Medium | The MDIS server must identify the affected mobile device, severity of the finding, and provide a recommended mitigation. | |
V-32761 | Medium | The MDIS server must base recommended mitigations for findings on the identified risk level of the finding. | Detection of possible compromise of a DoD mobile device is a key security control to insure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on... |
V-32748 | Medium | The results and mitigation actions from MDIS server on site managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended). | Scan results must be maintained, so auditors can verify mitigation actions have been completed, a scan can be compared to a previous scan, and to determine if there is any security vulnerability... |
V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis. | If the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be... |
V-32766 | Low | The MDIS server must provide the capability for the site administrator to amend information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived. | Accurate scan results and mitigation actions must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if... |
V-25754 | Low | The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate. | When a self signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI. |