Mobile Device Integrity Scanning (MDIS) Server Security Technical Implementation Guide (STIG)


Overview

Date: 2013-05-08
Finding Count (18): CAT I (High): 10, CAT II (Med): 6, CAT III (Low): 2

STIG Description
This STIG provides technical security controls required for the use of a mobile MDIS server to audit the integrity of mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-32764 High The MDIS server must identify unexpected changes in applications installed on the mobile device.
V-32762 High The MDIS agent must operate separate and independent of the management of the mobile devices security policy.
V-32763 High The MDIS server must identify changes in file structure and files on the mobile device.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
V-32749 High Mitigation actions must be implemented based on integrity validation scan findings.
V-32759 High The MDIS agent must not be capable of being disabled or controlled by the user or other mobile device application.
V-32758 High The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
V-32754 High The MDIS server must provide a near real-time alert when any compromise or potential compromise indicator occurs.
V-32753 High The MDIS server must alert when it identifies malicious code on managed mobile devices.
V-32765 Medium The MDIS server must have the capability to maintain change history of individual devices.
V-24972 Medium The required mobile device management server version (or later) must be used.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
V-32761 Medium The MDIS server must base recommended mitigations for findings on the identified risk level of the finding.
V-32748 Medium The results and mitigation actions from MDIS server on site managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).
V-32755 Medium The MDIS server must provide notifications regarding suspicious events to an organization defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
V-25754 Low The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.