Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24978 | WIR-WMS-GD-007 | SV-30819r2_rule | ECSC-1 | High |
Description |
---|
The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant policy may not meet critical (CAT I and CAT II) security requirements. DoD enclaves are at risk of data exposure and hacker attack if devices are assigned default or other non-STIG compliant security/IT policies. |
STIG | Date |
---|---|
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG) | 2013-05-08 |
Check Text (C-31348r6_chk) |
---|
Mobile device accounts will only be assigned a STIG-compliant security/IT policy. Determine which policy sets the user accounts on the MDM server have been assigned to using the following procedure: - Have the SA identify the non-STIG-compliant and STIG-compliant policy sets on the server: -- Log into the MDM console. -- View all iOS policies on the server. Note: STIG-compliant policies should be identified as such in the policy title, for example STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted. Note: Other checks verify that the policy sets identified as STIG-compliant are configured correctly. - Verify all devices are assigned to a STIG policy set; the exact procedure depends on the MDM product being reviewed. Mark as a finding if any mobile device account is assigned a policy set identified as not STIG-compliant. |
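The check above automated over an export of device accounts and their assigned policy sets, as an added example that is not part of the STIG: the CSV layout, the column names and the `STIG_` title prefix are assumptions, since the real procedure depends on the MDM product.

```python
import csv
import io

# Constructed sample export, one row per mobile device account. The CSV
# layout and column names are assumptions; real MDM exports vary by product.
SAMPLE_EXPORT = """\
device_id,user,policy_set
ios-0001,alice,STIG_iOS_Policy
ios-0002,bob,Default iOS Policy
ios-0003,carol,STIG_iOS_Policy
ios-0004,dave,
ios-0005,erin,Corporate_BYOD
"""

# The check text says STIG-compliant sets are identified in the policy title
# (e.g. STIG_iOS_Policy); matching on this prefix is an assumption.
STIG_TITLE_PREFIX = "STIG_"


def is_stig_policy(title: str) -> bool:
    """True when the policy title marks the set as STIG-compliant."""
    return title.strip().upper().startswith(STIG_TITLE_PREFIX)


def audit_policy_assignments(export_csv: str) -> dict:
    """Split the policy sets seen on the server into STIG and non-STIG,
    and list every device account whose assignment is a finding."""
    stig_sets, non_stig_sets, findings = set(), set(), []
    for row in csv.DictReader(io.StringIO(export_csv)):
        title = (row.get("policy_set") or "").strip()
        if not title:
            # Assumption: an unassigned device receives the MDM default
            # policy, which the description says is not STIG-compliant.
            findings.append((row["device_id"], "<no policy assigned>"))
        elif is_stig_policy(title):
            stig_sets.add(title)
        else:
            non_stig_sets.add(title)
            findings.append((row["device_id"], title))
    return {
        "stig_policy_sets": sorted(stig_sets),
        "non_stig_policy_sets": sorted(non_stig_sets),
        "findings": findings,
        "is_finding": bool(findings),  # V-24978 is a finding if any remain
    }


if __name__ == "__main__":
    for device, policy in audit_policy_assignments(SAMPLE_EXPORT)["findings"]:
        print(f"FINDING: {device} is assigned {policy}")
```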
Fix Text (F-27619r6_fix) |
---|
Only assign mobile device accounts a STIG-compliant security/IT policy. |