| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-24993 | High | Data must be wiped after maximum number of password attempts (10 or less) is reached for the MDM server security container on the mobile device. | A hacker with unlimited attempts can determine the password of a security container within a few minutes using password hacking tools, which could lead to unauthorized access to the security... |
| V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
| V-24976 | High | Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices. | The secure connection from the smartphone to the MDM server can be used by the mobile device to allow a user to connect to back-office servers and applications located on the enclave network... |
| V-24978 | High | Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies. | The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant... |
| V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements. | CTO 07-15 Rev 1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
| V-33994 | High | The MDM server must be configured to not autocomplete the entry of passwords to the security container. | If the autocomplete feature is enabled, a hacker could gain access to the Good security container by knowing only a few characters of the container password and then access sensitive data in the container. |
| V-25032 | Medium | Password or CAC authentication to the security container on the mobile device must be enabled. | A hacker could gain access to sensitive data in the security container on the mobile device and gain an attack vector to the enclave if the password access control/authentication feature of the... |
| V-24994 | Medium | Inactivity lock must be set to 15 minutes or less for the MDM server security container on the mobile device. | Sensitive DoD data could be exposed to unauthorized viewing or use if the security container on a lost or stolen smartphone is not locked. |
| V-24995 | Medium | The MDM must disable copying data from inside the security container to a non-secure data area on the mobile device in the security policy implemented on managed mobile devices. | A security container is required on any device that uses a mobile OS with an encryption module that is not FIPS 140-2 validated. An approved security container application uses a FIPS 140-2... |
| V-24998 | Medium | The Over-The-Air (OTA) device provisioning password must have expiration set. | The time period during which a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized individuals do not have the capability to set up rogue devices on... |
| V-24992 | Medium | The MDM server must set the maximum number of invalid password attempts that can be entered to unlock the security container before the MDM server wipes the security container. | A hacker with unlimited attempts can determine the password of a security container within a few minutes using password hacking tools, which could lead to unauthorized access to the security... |
| V-24990 | Medium | Minimum length of the MDM server security container password on the mobile device must be 8 characters. | Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. |
| V-26152 | Medium | S/MIME must be enabled on the server. | Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical... |
| V-26135 | Medium | Sequential numbers must not be allowed in the password for the MDM server security container on the mobile device. | Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. |
| V-24972 | Medium | The required mobile device management server version (or later) must be used. | Earlier versions of the MDM server may have security vulnerabilities or may not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security... |
| V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
| V-32747 | Medium | The MDM server must implement one or more security containers on the mobile device if the mobile device operating system is not FIPS 140-2 validated or does not use AES for data-at-rest (DAR) encryption. | The encryption module in iOS 6 is not FIPS 140-2 validated, and therefore the assurance level for data encrypted using iOS does not meet DoD requirements. A third party application must be used to... |
| V-33999 | Medium | A valid Apple MDM certificate must be installed on the MDM server. | Without the Apple MDM certificate, the MDM server will not be able to manage a security policy on the iOS mobile device and DoD data will be at risk of compromise. |
| V-26561 | Medium | “Require CAC to be present” must be set. | Sensitive DoD data is saved inside the security container app and could be exposed if strong authentication is not implemented. The security container stores sensitive DoD information. A hacker... |
| V-26562 | Medium | Upper case letters, lower case letters, and numbers must be used in the password of the MDM server security container on the mobile device. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. |
| V-25000 | Medium | The MDM server must enable an MDM security profile on each managed iOS device. | Sensitive DoD data could be compromised if an MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS... |
| V-25004 | Low | The MDM server must implement jailbreak detection on managed mobile devices. | If a device is jailbroken, the user may have the ability to install unauthorized software that might disclose sensitive DoD information or attack other systems. The MDM should alert if there are... |
| V-25002 | Low | The MDM server must define the required mobile device hardware versions. | Older devices do not support required security features. Therefore, sensitive data could be at risk of being exposed if required security features are not available. |
| V-25030 | Low | The MDM agent must provide the capability for a system administrator to select which data fields in the contacts database will be available to applications outside of the contact database. | The MDM agent contacts list could be considered sensitive information for some DoD mobile device users; therefore, access by the mobile OS to all data in the list must be restricted. Otherwise,... |
| V-24999 | Low | OTA Provisioning PIN reuse must not be allowed. | The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system. |
| V-24991 | Low | Three or more repeated characters for the MDM server security container password on the mobile device must be disallowed. | Repeated password characters reduce the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive... |
| V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less. | There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use... |
| V-26728 | Low | The MDM server must define the required MDM agent version. | Older software versions do not support required security features. |
| V-32745 | Low | The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less. | If a mobile device has not connected to the management server within the specified time period, this is an indication that the device is no longer being used, has been lost, or has been stolen. ... |
| V-24989 | Low | Previously used passwords of the MDM server security container on the mobile device must be disallowed. | Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. |
| V-24988 | Low | The password age of the MDM server security container on the mobile device must be set to 120 days or less. | In environments in which an adversary can learn the device or container password and have repeated access to the device without the user’s knowledge, expiring the password can prevent such... |
| V-25754 | Low | The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI. |
| V-24987 | Low | The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.) | Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user’s digital certificate has to be accessed when a PKI... |
| V-33996 | Low | The MDM server must be configured to display an alert to the administrator when handhelds have been inactive after a defined period of time. | An inactive mobile device is an indication that the device may have been lost or stolen. In addition, provisioned devices have monthly fees associated with them and management should consider... |
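Several rows above state concrete rules for the security-container password (V-24990 minimum length 8, V-26562 mixed case plus digits, V-26135 no sequential numbers, V-24991 no three or more repeated characters, V-24989 no reuse of previous passwords). The following added example, which is not part of the STIG and not vendor code, evaluates a candidate password against those rules and reports the IDs it violates; treating "sequential numbers" as a run of three or more consecutively ascending or descending digits is an assumption, since the page does not define the run length.

```python
"""Evaluate a proposed MDM security-container password against the STIG
password rules listed above. Added example, not part of the STIG itself."""
from typing import List, Sequence

MIN_LENGTH = 8   # V-24990: minimum length of 8 characters
MAX_REPEAT = 2   # V-24991: three or more repeated characters are disallowed
SEQ_RUN = 3      # assumption: "sequential numbers" means 3+ consecutive digits


def has_sequential_digits(pw: str, run: int = SEQ_RUN) -> bool:
    """True if pw contains `run` digits in strictly ascending or descending
    order, e.g. 123 or 987 (V-26135)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdecimal():
            continue
        steps = {int(window[j + 1]) - int(window[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_chars(pw: str, limit: int = MAX_REPEAT) -> bool:
    """True if any character appears more than `limit` times in a row (V-24991)."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count > limit:
            return True
    return False


def check_password(pw: str, history: Sequence[str] = ()) -> List[str]:
    """Return the IDs of the listed rules the password violates; [] means compliant."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("V-24990")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdecimal() for c in pw)):
        findings.append("V-26562")
    if has_sequential_digits(pw):
        findings.append("V-26135")
    if has_repeated_chars(pw):
        findings.append("V-24991")
    if pw in history:   # V-24989: previously used passwords are disallowed
        findings.append("V-24989")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates and a constructed password history.
    for candidate in ["Pass123word", "aaaBBB99", "Kx7!mQ2z", "Summer2023"]:
        print(candidate, check_password(candidate, history=["Summer2023"]))
```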