Mobile Device Integrity Scanning (MDIS) Server Security Technical Implementation Guide (STIG)


Overview

Date: 2013-01-17
Finding Count (22): CAT I (High): 11, CAT II (Med): 8, CAT III (Low): 3

STIG Description
This STIG provides technical security controls required for the use of a mobile MDIS server to audit the integrity of mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network-connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-32759 High The MDIS agent must not be capable of being disabled or controlled by the user or other mobile device application.
V-32758 High The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
V-32754 High The MDIS server must provide a near real-time alert when any compromise or potential compromise indicator occurs.
V-32753 High The MDIS server must alert when it identifies malicious code on managed mobile devices.
V-32750 High The MDIS server must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices.
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-32764 High The MDIS server must identify unexpected changes in applications installed on the mobile device.
V-32762 High The MDIS agent must operate separate and independent of the management of the mobile devices security policy.
V-32763 High The MDIS server must identify changes in file structure and files on the mobile device.
V-32749 High Mitigation actions must be implemented based on integrity validation scan findings.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
V-32755 Medium The MDIS server must provide notifications regarding suspicious events to an organization defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role.
V-32752 Medium The MDIS server must scan for malicious code on managed mobile devices at least every 6 hours.
V-32760 Medium The MDIS server must identify the affected mobile device, the severity of the finding, and provide a recommended mitigation.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
V-32765 Medium The MDIS server must have the capability to maintain change history of individual devices.
V-24972 Medium The required mobile device management server version (or later) must be used.
V-32761 Medium The MDIS server must base recommended mitigations for findings on the identified risk level of the finding.
V-32748 Medium The results and mitigation actions from MDIS server on site managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
V-32766 Low The MDIS server must provide the capability for the site administrator to append information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived.
V-25754 Low The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.