| Vuln ID | Severity | Title | Description |
|---|---|---|---|
| V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication. | CTO 07-15 Rev 1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
| V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
| V-24976 | High | Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices. | The secure connection from the smartphone to the MDM server allows a user to connect to back-office servers and applications located on the enclave network. These... |
| V-25004 | Medium | A compliance rule must be set up in the MDM server implementing jailbreak detection on managed mobile devices. Devices will be wiped if they have been jailbroken. | If a device is jailbroken, the user has access to all data on the device and sensitive DoD data would be exposed. Therefore, the MDM should alert if there are indicators that the device has been... |
| V-25032 | Medium | Password or CAC authentication to the security container on the mobile device must be enabled. | A hacker could gain access to sensitive data in the security container on the mobile device and gain an attack vector to the enclave if the password access control/authentication feature of the... |
| V-24995 | Medium | The MDM must disable copying data from inside the security container to a non-secure data area on the mobile device in the security policy implemented on managed mobile devices. | A security container is required on any device that uses a mobile OS with an encryption module that is not FIPS 140-2 validated. An approved security container application uses FIPS 140-2... |
| V-24998 | Medium | The over-the-air (OTA) device provisioning password must have an expiration set. | The time period during which a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to set up rogue devices on the... |
| V-32747 | Medium | The MDM server must implement one or more security containers on the mobile device if the mobile device operating system is not FIPS 140-2 validated or does not use AES for data-at-rest (DAR) encryption. | The encryption module in iOS 5 is not FIPS 140-2 validated, and therefore the assurance level for data encrypted using iOS does not meet DoD requirements. A third party application must be used... |
| V-24992 | Medium | The MDM server must set the maximum number of invalid password attempts that can be entered to unlock the security container before the MDM server wipes the security container. | A hacker with unlimited attempts can determine the password of a security container within a few minutes using password hacking tools, which could lead to unauthorized access to the security... |
| V-24993 | Medium | Data must be wiped after the maximum number of password attempts is reached for the MDM server security container on the mobile device. | A hacker with unlimited attempts can determine the password of a security container within a few minutes using password hacking tools, which could lead to unauthorized access to the security... |
| V-24990 | Medium | The minimum password length of the MDM server security container on the mobile device must be set as required. | Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. |
| V-26729 | Medium | The MDM must disable copying data from outside the security container into the security container application on the mobile device in the security policy implemented on managed mobile devices. | A security container is required on any device using a mobile OS with an encryption module which is not FIPS 140-2 validated. An approved security container application uses FIPS 140-2 validated... |
| V-24994 | Medium | Inactivity lock must be set as required for the MDM server security container on the mobile device. | Sensitive DoD data could be exposed to unauthorized viewing or use if the security container on a lost or stolen smartphone is not locked. |
| V-24972 | Medium | The required MDM server version (or later) must be used. | Earlier versions of the MDM server may have security vulnerabilities or may not implement required security features. Therefore, sensitive DoD data could be exposed if required security features... |
| V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
| V-24978 | Medium | Mobile device user accounts must not be assigned to the default security/IT policy. | The mobile device default security/IT policy on the MDM does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of... |
| V-26135 | Medium | Sequential numbers must not be allowed in the password for the MDM server security container on the mobile device. | Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. |
| V-26562 | Medium | Upper case letters, lower case letters, and numbers must be used in the password of the MDM server security container on the mobile device. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. |
| V-25000 | Medium | The MDM server must enable an MDM security profile on each managed iOS device. | Sensitive DoD data could be compromised if an MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS MDM... |
| V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis. | If the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be... |
| V-24991 | Low | Repeated password characters must be disallowed for the MDM server security container on the mobile device. | Repeated password characters reduce the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive... |
| V-26728 | Low | A compliance rule must be set up on the MDM server defining required MDM agent/secure container versions. | Older software versions do not support required security features. |
| V-32745 | Low | The MDM agent must wipe a managed mobile device if the MDM agent cannot connect to the MDM server within the specified time period. | If a mobile device has not connected to the management server within the specified time period, this is an indication that the device is no longer being used, has been lost, or has been stolen. ... |
| V-25754 | Low | The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI. |
| V-24989 | Low | Previously used passwords of the MDM server security container on the mobile device must be disallowed. | Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. |
| V-24988 | Low | The password age of the MDM server security container on the mobile device must be set as required. | Long-used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the mobile device. |
| V-25002 | Low | A compliance rule must be set up in the MDM server defining required mobile device hardware versions. | Older devices do not support required security features. Therefore, sensitive data could be at risk of being exposed if required security features are not available. |