
Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies.


Overview

Finding ID: V-24978
Version: WIR-WMS-GD-007
Rule ID: SV-30819r2_rule
IA Controls: ECSC-1
Severity: High
Description
The default mobile device security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. In addition, a non-STIG-compliant policy may not meet critical (CAT I and CAT II) security requirements. DoD enclaves are at risk of data exposure and hacker attack if devices are assigned default or other non-STIG-compliant security/IT policies.
STIG: Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)
Date: 2013-05-08

Details

Check Text (C-31348r6_chk)
Mobile device accounts will only be assigned a STIG-compliant security/IT policy.

Determine which policy sets on the MDM server have been assigned to user accounts, using the following procedure:

-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedure:
--Log in to the MDM console.
--View all iOS policies on the server.

Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted.

Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly.

Verify all devices are assigned to a STIG policy set. The exact procedure will depend on the MDM product being reviewed.

Mark as a finding if any mobile device account is assigned a policy set identified as not STIG-compliant.
Fix Text (F-27619r6_fix)
Only assign mobile device accounts a STIG-compliant security/IT policy.
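
The assignment check above can be scripted once the MDM's device-to-policy list is exported. The following is an added example, not part of the STIG or of any MDM product: the CSV layout, column names and sample rows are constructed assumptions, and the allow list stands in for the policy sets the SA has identified as STIG-compliant.

```python
import csv
import io

# Constructed sample of an MDM device-to-policy export. The column names and
# CSV layout are assumptions; real MDM products export this differently.
SAMPLE_EXPORT = """device_id,user,platform,policy
IOS-0001,jdoe,iOS,STIG_iOS_Policy
IOS-0002,asmith,iOS,Default
IOS-0003,bnguyen,iOS,
IOS-0004,clee,iOS,stig_ios_policy
IOS-0005,dkim,iOS,STIG_iOS_Policy_Test
"""

# Policy sets the SA has identified as STIG-compliant. The allow list is
# explicit: a "STIG" prefix in a title is a label, not proof of compliance.
STIG_POLICY_SETS = {"STIG_iOS_Policy"}


def audit_assignments(export_text, compliant_sets):
    """Return (device_id, policy, reason) for every account that is a finding."""
    folded = {p.casefold() for p in compliant_sets}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        device = (row.get("device_id") or "").strip()
        policy = (row.get("policy") or "").strip()
        if policy in compliant_sets:
            continue  # assigned to an identified STIG policy set
        if not policy:
            reason = "no policy set assigned"
        elif policy.casefold() in folded:
            # Near match: could be a typo or a separate, unreviewed policy.
            reason = "title differs only in case from a STIG policy set; confirm manually"
        else:
            reason = "policy set not identified as STIG-compliant"
        findings.append((device, policy, reason))
    return findings


if __name__ == "__main__":
    for device, policy, reason in audit_assignments(SAMPLE_EXPORT, STIG_POLICY_SETS):
        print(f"FINDING {device}: policy={policy!r}: {reason}")
```

Any returned row corresponds to a mobile device account that would be marked as a finding under the check text; whether the allow-listed policy sets are themselves configured correctly is covered by the other checks the note refers to.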