Mobile Device Manager Security Requirements Guide

Overview

Date: 2013-01-24
Finding Count: 424 (CAT I (High): 74; CAT II (Med): 285; CAT III (Low): 65)

STIG Description

The MDM Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-36344 High The MDM server must protect audit tools from unauthorized access.
V-36347 High The MDM server must protect audit tools from unauthorized deletion.
V-36341 High The MDM server must capture/record and log all content related to an administrator session.
V-36342 High The MDM server must initiate session auditing upon start up.
V-36343 High The MDM server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-36262 High The MDM server must support and maintain the binding of digital signatures on software components and applications in process.
V-36349 High The MDM server must use cryptographic mechanisms to protect the integrity of audit tools.
V-36264 High The MDM server must support and maintain the binding of digital signatures on information in transmission.
V-36430 High The MDM server must have a DoD approved host-based firewall installed on the host server.
V-36195 High The MDM server device integrity validation component must identify unexpected changes in applications installed on the mobile device.
V-36194 High The MDM server device integrity validation component must identify changes in file structure and files on the mobile device.
V-36196 High The MDM server device integrity validation component must have the capability to maintain change history of individual devices.
V-36190 High The MDM server device integrity validation component must base recommended mitigations for findings on the identified risk level of the finding.
V-36192 High The MDM server device integrity validation component must operate separately and independently of the management of the mobile device security policy.
V-36054 High The MDM server must employ NSA approved cryptography when cryptography is required to protect classified information.
V-36198 High The MDM server device integrity validation component must provide the capability for the site administrator to amend information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived.
V-36238 High The MDM server must prevent modification of key material except during secure, non-operable system states.
V-36029 High The MDM server must be capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found.
V-36028 High The MDM server must utilize only approved versions of components, including the mobile device integrity scanning component and mobile email management component (if used).
V-36010 High The MDM server, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization defined time period or must lock the account until released by an administrator IAW organizational policy.
V-36016 High The MDM server must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.
V-36017 High The MDM server must lock the application after an organization defined time period.
V-36018 High The MDM server must provide the capability for an administrator to lock the application console.
V-36019 High The MDM server session lock mechanism, when activated on the server, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
V-36152 High The MDM server must be able to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices.
V-36156 High The MDM server must deny all connections to DoD network servers by managed mobile devices except for network servers that have the capability to support PKI based mutual authentication between the network server and the mobile device user.
V-36181 High The MDM server device integrity validation component must use automated mechanisms to alert security personnel when the device has been jailbroken or rooted.
V-36186 High The MDM server device integrity validation component must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
V-36187 High The MDM server device integrity validation component must not be capable of being disabled or controlled by the user or a mobile device application.
V-36184 High The MDM server device integrity validation component's scan interval must be configurable (desired setting is 6 hours or less).
V-36063 High The MDM server must provide notification to an external device of failed automated security tests on the server.
V-36346 High The MDM server must protect audit tools from unauthorized modification.
V-36268 High The MDM server must only allow authorized administrators to associate PKI credentials with information.
V-36339 High The MDM server must ensure remote sessions for accessing the server by an administrator are audited.
V-36266 High The MDM server must maintain the binding of digital credentials to information with sufficient assurance that the information/credential association can be used as the basis for automated policy actions.
V-36182 High The MDM server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.
V-36147 High The MDM server application white list for managed mobile devices must be set to Deny All by default when no applications are listed.
V-36025 High The MDM server must not transmit passwords in clear text.
V-36027 High The MDM server must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-36020 High The MDM server must enforce requirements for remote connections to the information system.
V-36189 High The MDM server device integrity validation component must identify the affected mobile device, severity of the finding, and provide a recommended mitigation.
V-36282 High The MDM server must support the transfer of audit logs to remote log or management servers.
V-36179 High The MDM server device integrity validation component must include the capability to notify an organization defined list of response personnel, identified by name and/or by role, of suspicious events.
V-36178 High The MDM server device integrity validation component must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-36175 High The MDM server device integrity validation component must alert when it identifies malicious code on managed mobile devices.
V-36174 High The MDM server device integrity validation component must scan for malicious code on managed mobile devices on an organization defined frequency.
V-36173 High The MDM server device integrity scanning component must implement detection and inspection mechanisms to identify unauthorized mobile code on managed mobile devices.
V-36172 High The MDM server device integrity validation component must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials in accordance with the organization defined frequency.
V-36170 High The MDM server must have the capability to enable and disable a managed mobile device.
V-36083 High The MDM server must provide mutual authentication between the MDM server and the provisioned device during a trusted over-the-air (OTA) provisioning session.
V-36085 High The MDM server must prevent the installation of applications that are not digitally signed with an organizationally accepted private key.
V-36288 High The MDM server must provide designated alerts to another enterprise network management application using an IPSec, TLS, or SSL encrypted secure connection.
V-36285 High The MDM server must provide designated alerts to another enterprise network management application using SNMPv3.
V-36284 High The MDM server must transfer audit logs from managed mobile devices to the MDM server.
V-36039 High The MDM server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.
V-36032 High The MDM server must configure the information system to specifically prohibit or restrict the use of organization defined functions, ports, protocols, and/or services on the server.
V-36033 High The MDM server host based firewall must be configured to Deny All except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions.
V-36037 High The MDM server must use multifactor authentication via an Enterprise Authentication Mechanism for network access to privileged accounts.
V-36058 High The MDM server must fail to an organization defined known-state for organization defined types of failures.
V-36048 High The MDM server must be able to filter both inbound and outbound traffic based on IP address and UDP/TCP port.
V-36044 High The MDM server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-36042 High The MDM server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-36041 High The MDM server must disable administrative accounts after an organization defined time period of inactivity.
V-36040 High The MDM server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-36258 High The MDM server must support and maintain the binding of digital signatures on software components and applications in storage.
V-36350 High The MDM server must provide transaction recovery to avoid disabling the CMD in the event of an incomplete policy push.
V-36007 High The MDM server must automatically disable inactive administrator accounts after an organization defined time period.
V-36006 High The MDM server must provide automated support for account management functions.
V-36038 High The MDM server must use multifactor authentication via an Enterprise Authentication Mechanism for local access to privileged accounts.
V-36009 High The MDM server must enforce the organization defined limit of consecutive invalid access attempts by an administrator during the organization defined time period.
V-36008 High The MDM server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.
V-36164 High The MDM server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices.
V-36165 High The MDM server must notify when it detects unauthorized changes to security configuration of managed mobile devices.
V-36166 High The MDM server must perform required actions when a security related alert is received.
V-36098 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable any supported Bluetooth profile.
V-36099 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable Bluetooth.
V-36090 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable data-at-rest encryption on the mobile device.
V-36091 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable device unlock password.
V-36092 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum password age (e.g., 30 days, 90 days, 180 days).
V-36093 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Minimum password length for the device unlock password is configured to the organizationally defined value when DoD sensitive data is being protected.
V-36094 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum password history.
V-36095 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Device inactivity timeout whereby the user must reenter their user password or Smart Card PIN to unlock the device.
V-36096 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the device inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).
V-36097 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device Bluetooth stack.
V-36297 Medium Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user.
V-36295 Medium Intrusion detection software must be able to interconnect using standard protocols to create a system wide intrusion detection system.
V-36293 Medium Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions.
V-36291 Medium Applications providing IDS and prevention capabilities must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-36298 Medium The application must prevent non-privileged users from circumventing malicious code protection capabilities.
V-36345 Medium Boundary protection applications must fail securely in the event of an operational failure.
V-36269 Medium The application must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
V-36340 Medium Applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or Class 4 certificates and hardware tokens that protect the user's private key.
V-36263 Medium The application must enforce a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals, groups of individuals, or both, limits propagation of access rights, and includes or excludes access to the granularity of a single user.
V-36261 Medium Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
V-36260 Medium Applications, when transferring information between different security domains, must implement or incorporate policy filters that constrain data object and structure attributes according to organizational security policy requirements.
V-36348 Medium Applications designed to enforce protocol formats must employ automated mechanisms to enforce strict adherence to protocol format.
V-36265 Medium Applications must support the organizational requirement to automatically monitor for atypical usage of accounts.
V-36120 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the video recorder.
V-36121 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the USB Port mass storage mode.
V-36122 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable tethering (Wi-Fi, Bluetooth, or USB).
V-36123 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Force the display of a warning banner on the mobile device.
V-36124 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable any mobile OS service that connects to a non-DoD server.
V-36125 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of allowed repeated characters in the mobile device unlock password.
V-36126 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the mobile device unlock password.
V-36127 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of upper case letters in the device unlock password.
V-36128 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of special characters in the device unlock password.
V-36129 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of lower case letters in the device unlock password.
V-36031 Medium The MDM server must employ automated mechanisms to enforce access restrictions.
V-36197 Medium The application must support organizational requirements to enforce password complexity by the number of special characters used.
V-36191 Medium The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-36193 Medium Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified.
V-36056 Medium The MDM server must terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events such as idle time limit exceeded.
V-36057 Medium The MDM server must provide a logout functionality to allow the user to manually terminate the session.
V-36052 Medium The cryptographic module supporting encryption of the certificate store must be FIPS 140-2 validated.
V-36053 Medium The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.
V-36393 Medium Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-36391 Medium The application must separate user functionality (including user interface services) from information system management functionality.
V-36390 Medium Applications must use security policy filters as a basis for making information flow control decisions.
V-36397 Medium The application must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-36396 Medium The application must monitor for unauthorized remote connections to the information system on an organization defined frequency.
V-36395 Medium Applications scanning for malicious code must scan all media used for system maintenance prior to use.
V-36279 Medium The application must only generate error messages that provide information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-36399 Medium The application must support taking organization defined list of least-disruptive actions to terminate suspicious events.
V-36398 Medium Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents.
V-36138 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of upper case letters in the MDM server agent password.
V-36270 Medium The MDM server must automatically audit on administrator account creation.
V-36271 Medium The MDM server must audit any use of privileged accounts, or roles, with access to organization defined security functions or security relevant information, when accessing other system functions.
V-36309 Medium Applications must support organizationally-defined requirements to load and execute from hardware-enforced, read-only media.
V-36300 Medium The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing.
V-36301 Medium Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.
V-36303 Medium The MDM server must centralize the review and analysis of audit records from multiple components within the server.
V-36304 Medium Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-36306 Medium Applications required to be non-modifiable must support organizational requirements to provide components that contain no writeable storage capability. These components must be persistent across restart and/or power on/off.
V-36234 Medium If the MDM server includes a mobile email management capability, the email client must support SHA2 signing operations.
V-36230 Medium If the MDM server includes a mobile email management capability, the email client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates.
V-36231 Medium If the MDM server includes a mobile email management capability, the email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.
V-36407 Medium The application must support organizational requirements to enforce password complexity by the number of lower case characters used.
V-36406 Medium The application must use organization defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-36405 Medium The application must have the capability to produce audit records on hardware-enforced, write-once media.
V-36404 Medium The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.
V-36403 Medium Applications managing network connections for devices must authenticate devices before establishing wireless network connections by using bidirectional authentication that is cryptographically based.
V-36402 Medium The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-36401 Medium Applications must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-36400 Medium Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected.
V-36409 Medium The application must support organizational requirements to enforce password complexity by the number of numeric characters used.
V-36015 Medium The MDM server must limit the number of concurrent sessions for each account to an organization defined number of sessions.
V-36159 Medium The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.
V-36158 Medium The MDM server must deny all connections to DoD network servers by managed mobile devices unless the MDM server can support PKI based mutual authentication between the network server and the mobile device user.
V-36151 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable copying data from inside a security container to a non-secure data area on a mobile device.
V-36150 Medium The MDM server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.
V-36153 Medium The MDM server must employ automated mechanisms to respond to unauthorized changes to the security policy or MDM server agent on managed mobile devices.
V-36155 Medium The MDM server must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.
V-36154 Medium The MDM server must uniquely identify mobile devices managed by the server prior to connecting to the device.
V-36157 Medium When the MDM server is configured to allow connections from managed mobile devices to back-office servers and network shares, the server must be configured to accept only trusted connections to those resources.
V-36148 Medium The MDM server must configure the mobile device to prohibit the mobile device user from installing unapproved applications.
V-36022 Medium The MDM server must protect against an individual falsely denying having performed a particular action.
V-36371 Medium Web services applications establishing identities at run-time for previously unknown entities must dynamically manage identifiers, attributes, and associated access authorizations.
V-36370 Medium Applications must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-36373 Medium The application must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization defined time period.
V-36372 Medium Applications must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-36375 Medium Applications must protect against or limit the effects of the organization defined or referenced types of Denial of Service (DoS) attacks.
V-36374 Medium Service Oriented Architecture (SOA) based applications must dynamically manage user privileges and associated access authorizations.
V-36377 Medium Applications must not share resources used to interface with systems operating at different security levels.
V-36376 Medium The application must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.
V-36379 Medium Applications must meet organizational requirements to implement an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions.
V-36378 Medium Applications must enforce non-discretionary access control policies over users and resources where the policy rule set for each policy specifies: access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day).
V-36272 Medium The application must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
V-36274 Medium Applications must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-36277 Medium The application must associate the identity of the information producer with the information.
V-36119 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable location services.
V-36118 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set security policy refresh interval (at least every 1, 6, 12, 24 hours should be supported).
V-36115 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device user's access to an application store or repository.
V-36114 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the user's ability to switch devices.
V-36117 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device user modification of the security configuration file, policy, or profile on the mobile device.
V-36116 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Block access to specific web sites.
V-36111 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the near-field communications (NFC) radio.
V-36110 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the GPS receiver.
V-36113 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the memory card port.
V-36112 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable all cameras.
V-36183 Medium Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-36180 Medium Applications that utilize Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-36185 Medium Applications utilizing mobile code must meet DoD-defined mobile code requirements.
V-36061 Medium The MDM server must support automated patch management tools to facilitate flaw remediation of all software components on the server.
V-36062 Medium The MDM server must periodically verify the correct operation of security functions in the server.
V-36064 Medium The MDM server must check the validity of information inputs.
V-36380 Medium Applications providing information flow control must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-36381 Medium Applications must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-36382 Medium Applications must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
V-36383 Medium Applications must enforce information flow using dynamic control based on policy that allows or disallows information flow based on changing conditions or operational considerations.
V-36384 Medium Applications must prevent encrypted data from bypassing content-checking mechanisms.
V-36385 Medium Applications must enforce organization defined limitations on the embedding of data types within other data types.
V-36386 Medium Applications must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the integrity of, the hardware, software, and firmware that perform those security functions. The application must isolate security functions from non-security functions.
V-36387 Medium Applications providing remote access must have capabilities that allow all remote access to be routed through managed access control points.
V-36388 Medium Applications must enforce information flow control on metadata.
V-36389 Medium The application must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
V-36335 Medium Applications utilizing mobile code must meet policy requirements regarding the acquisition, development, and/or use of mobile code.
V-36334 Medium The MDM server must automatically audit administrator account modification.
V-36337 Medium The MDM server must automatically audit administrator account termination.
V-36331 Medium The MDM server must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
V-36330 Medium The MDM server must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-36332 Medium Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code.
V-36338 Medium Applications must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
V-36408 Medium Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access.
V-36267 Medium The application must protect audit data records and integrity by using cryptographic mechanisms.
V-36200 Medium The application must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
V-36203 Medium Applications providing information flow control must uniquely authenticate destination domains when transferring information.
V-36202 Medium If the MDM server includes a mobile email management capability, the email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
V-36205 Medium Applications must uniquely identify destination domains for information transfer.
V-36204 Medium If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.
V-36207 Medium The application must provide the capability to remotely view/hear all content related to an established user session in real time.
V-36206 Medium If the MDM server includes a mobile email management capability, the email client must alert the user if it receives an invalid public-key certificate.
V-36208 Medium If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.
V-36414 Medium Applications must enforce password minimum lifetime restrictions.
V-36415 Medium The application must use multifactor authentication for network access to non-privileged accounts.
V-36416 Medium Applications must enforce password maximum lifetime restrictions.
V-36417 Medium The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-36410 Medium Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access.
V-36411 Medium The application must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
V-36412 Medium The application must support organizational requirements to enforce password encryption for storage.
V-36413 Medium The application must use multifactor authentication for local access to non-privileged accounts.
V-36418 Medium The application must support organizational requirements to prohibit password reuse for the organization defined number of generations.
V-36419 Medium The application must support and must not impede organizational requirements to conduct backups of information system documentation including security-related documentation per organization defined frequency.
V-36068 Medium The MDM server must validate the binding of the information producer's identity to the information.
V-36146 Medium The MDM server must configure the mobile device agent to prohibit the download of applications on mobile operating system devices without system administrator control (i.e., the SA either downloads and installs the application or enables the user to download/install the application).
V-36144 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the MDM server agent inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).
V-36145 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set approved IP address ranges, ports, and protocols on a managed mobile device firewall.
V-36142 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Minimum MDM server agent password length of eight or more characters.
V-36143 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum MDM server agent password history (3 previous passwords checked is the recommended setting).
V-36140 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of special characters in the MDM server agent password.
V-36141 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum MDM server agent password age (e.g., 30 days, 90 days, 180 days).
V-36024 Medium The MDM server must support administrator authentication to the server via the Enterprise Authentication Mechanisms authentication.
V-36021 Medium The MDM server must monitor for unauthorized connections of mobile devices to the MDM server application.
V-36023 Medium The MDM server must require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements.
V-36149 Medium The MDM server must configure the mobile device agent to prohibit the download of software from any source not approved by DoD (approved sources include, e.g., a DoD operated mobile device application store or the MDM server).
V-36289 Medium The MDM server must allocate sufficient audit record storage capacity for 7 days of operation.
V-36188 Medium The information system automatically terminates emergency accounts after an organization defined time period for each type of account.
V-36283 Medium Applications that serve to protect organizations and individuals from SPAM messages must incorporate update mechanisms updating protection mechanisms and signature updates when new application releases are available in accordance with organizational configuration management policy and procedures.
V-36245 Medium The MDM server must have access to DoD root and intermediate PKI certificates when performing DoD PKI related transactions.
V-36244 Medium The MDM server must produce, control, and distribute asymmetric cryptographic keys using NSA-approved or NIST-approved key management technology and processes.
V-36247 Medium The MDM server PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-36246 Medium The application must notify the user of the number of unsuccessful login/access attempts occurring during an organization defined time period.
V-36243 Medium The MDM server must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA approved key management technology and processes.
V-36242 Medium The MDM server must encrypt all data in transit (e.g., mobile device encryption keys, server PKI certificates, mobile device data bases) using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-36248 Medium In order to inform the user of the number of successful login attempts made with the user's account, the application must notify the user of the number of successful logins/accesses occurring during an organization defined time period.
V-36368 Medium Applications must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-36366 Medium The MDM server, when used for non-local maintenance sessions, must protect those sessions through the use of a strong authenticator tightly bound to the user.
V-36367 Medium Boundary protection applications must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces.
V-36364 Medium Any software application designed to function as a firewall must be capable of employing a default deny all configuration.
V-36365 Medium The master AES encryption key used to encrypt data between the MDM server and the agent on the mobile device must be rotated.
V-36362 Medium Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.
V-36363 Medium The MDM server must be able to disable services that are not required by site-defined functions.
V-36360 Medium Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy applications must also be configurable with organization defined lists of authorized and unauthorized websites.
V-36361 Medium The MDM server must not enable information system functionality providing the capability for automatic execution of code on mobile devices without user direction.
V-36108 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the Voice recorder.
V-36109 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the Microphone.
V-36102 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth mutual authentication immediately after the initial establishment of any Bluetooth connection between the mobile device and the smart card reader or hands free headset.
V-36103 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth 128 bit encryption.
V-36100 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the Bluetooth discoverable mode.
V-36101 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth pairing using a randomly generated passkey size of at least 8 digits.
V-36106 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the IR port.
V-36107 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable Wi-Fi.
V-36104 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set up a white list of Bluetooth devices that are authorized to pair to the mobile device (white list filters based on device Friendly Name).
V-36105 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable MMS messaging.
V-36077 Medium The MDM server must preserve organization defined system state information in the event of a system failure.
V-36074 Medium The MDM server must enforce the organization defined time period during which the limit of consecutive invalid access attempts by an administrator is counted.
V-36073 Medium The MDM server must disable the use of organization defined networking protocols within the operating system deemed to be non-secure except for explicitly identified components in support of specific operational requirements.
V-36070 Medium The MDM server must automatically audit administrator account disabling actions.
V-36078 Medium The MDM server must notify appropriate individuals when administrator accounts are created.
V-36079 Medium The MDM server must notify, as required, appropriate individuals when administrator accounts are modified.
V-36177 Medium The MDM server device integrity validation component must support organizational requirements to address the receipt of false positives during malicious code detection.
V-36176 Medium The application must prevent the execution of prohibited mobile code.
V-36171 Medium The MDM server must record an event in the server audit log if a success acknowledgement is not received from the MDM server agent after a device security policy has been pushed to a managed mobile device.
V-36089 Medium The MDM server must be configured to have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Removable storage media cards are bound to the mobile device so data stored on them can only be read by that mobile device.
V-36088 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Perform a Data Wipe function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached.
V-36082 Medium The MDM server must accept alerts of certificate failures related to digital signatures on software applications or components on managed mobile devices.
V-36081 Medium The MDM server must notify appropriate individuals when administrator accounts are terminated.
V-36080 Medium The MDM server must notify, as required, appropriate individuals when administrator accounts are disabled.
V-36087 Medium The MDM server must be configured to have the administrative functionality to centrally manage configuration settings, including security policies, on managed mobile devices.
V-36086 Medium The MDM server must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device.
V-36084 Medium The MDM server must deploy operating system and application updates via over-the-air (OTA) provisioning for managed mobile devices.
V-36321 Medium The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-36326 Medium Applications, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
V-36327 Medium The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-36324 Medium The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-36325 Medium The MDM server must record an event in audit log each time the server makes a security relevant configuration change on a managed mobile device.
V-36281 Medium Applications that are utilized to address the issue of SPAM and provide protection from SPAM must automatically update any and all SPAM protection measures including signature definitions.
V-36328 Medium The MDM server must employ cryptographic mechanisms to protect the integrity and confidentiality for all audit logs managed by the server.
V-36329 Medium Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization defined software applications and require organization defined actions prior to executing the code.
V-36287 Medium The application must enforce organizational requirements to protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
V-36286 Medium For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring.
V-36354 Medium The MDM server must establish a trusted communications path between the Administrator and the system's authentication mechanism.
V-36353 Medium Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
V-36351 Medium Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface.
V-36219 Medium If the MDM server includes a mobile email management capability, the email client must encrypt all email using a FIPS 140-2 validated encryption algorithm.
V-36216 Medium If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.
V-36217 Medium If the MDM server includes a mobile email management capability, the email client must alert the user if it receives an unverified public-key certificate.
V-36214 Medium If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.
V-36215 Medium If the MDM server includes a mobile email management capability, the email client must alert the user if the certificate uses an unverified CRL.
V-36212 Medium If the MDM server includes a mobile email management capability, the email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.
V-36213 Medium The application must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-36358 Medium Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems.
V-36421 Medium Applications providing flow control must identify data type, specification and usage when transferring information between different security domains so that policy restrictions may be applied.
V-36420 Medium The application must support organizational requirements to enforce minimum password length.
V-36423 Medium Applications must adhere to the principles of least functionality by providing only essential capabilities.
V-36422 Medium Backup / Disaster Recovery oriented applications must be capable of backing up user-level information per a defined frequency.
V-36425 Medium Applications must provide the ability to enforce security policies regarding information on interconnected systems.
V-36424 Medium Applications, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
V-36427 Medium The application must bind security attributes to information to facilitate information flow policy enforcement.
V-36426 Medium The MDM server must have the capability to use automated mechanisms to centrally apply configuration settings to managed mobile devices.
V-36429 Medium Applications must be able to function within separate processing domains (virtualized systems), when specified, so as to enable finer-grained allocation of user privileges.
V-36428 Medium The application must support the enforcement of a two-person rule for changes to organization defined application components and system-level information.
V-36133 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: When a mobile device lock occurs (user initiated or due to an inactivity timeout) all data must be re-encrypted.
V-36132 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of incorrect password attempts before a data wipe procedure is initiated (minimum requirement is 3-10).
V-36131 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Perform a Data Wipe function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached.
V-36137 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow common password patterns for the MDM server agent password (e.g., letters in order from the top row of the keypad).
V-36135 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable an MDM server agent password.
V-36134 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: All data-at-rest inside the MDM server agent must be encrypted.
V-36030 Medium The host server where the MDM server components are installed must be hardened according to the appropriate Application and OS STIGs (Windows, SQL, Apache Web Server, Apache Tomcat, IIS, etc.).
V-36211 Medium If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.
V-36036 Medium The MDM server must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-36034 Medium The MDM server must disable network access by unauthorized server components or notify designated organizational officials.
V-36035 Medium The MDM server data must be backed up per a defined frequency.
V-36059 Medium The MDM server must protect the confidentiality and integrity of information at rest.
V-36046 Medium The MDM server must use organizational requirements to employ cryptographic mechanisms to protect information in storage.
V-36045 Medium The MDM server must terminate all sessions and network connections when non-local maintenance is completed.
V-36043 Medium The PKI key store of the MDM server must be FIPS validated.
V-36336 Medium Software and/or firmware used for collaborative computing devices must prohibit remote activation excluding the organization defined exceptions where remote activation is to be allowed.
V-36050 Medium The MDM server must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPN, or IPSEC tunnel.
V-36218 Medium If the MDM server includes a mobile email management capability, all email (including email attachments) sent over the wireless link from the mobile email client to the MDM server mobile email management component located on the DoD network must be encrypted using AES. AES 128 bit encryption key length is the minimum requirement; AES 256 desired.
V-36253 Medium Applications must uniquely identify source domains for information transfer.
V-36251 Medium Applications must uniquely authenticate source domains for information transfer.
V-36256 Medium The MDM server must encrypt all key data items (e.g., mobile device encryption keys, server PKI certificates, mobile device data bases) saved in memory using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-36257 Medium Applications must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy.
V-36255 Medium The MDM server must support organizational requirements to issue public-key certificates under an appropriate certificate policy or obtain public-key certificates under an appropriate certificate policy from an approved service provider.
V-36259 Medium Applications designed to control information flow must provide the ability to detect unsanctioned information being transmitted across security domains.
V-36318 Medium Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation.
V-36311 Medium Applications must, for organization defined information system components, load and execute the operating environment from hardware-enforced, read-only media.
V-36316 Medium The MDM server must protect audit information from unauthorized deletion.
V-36315 Medium Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must not be shared or used for any purpose other than described.
V-36314 Medium The MDM server must protect audit information from unauthorized modification.
V-36130 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of numeric characters in the device unlock password.
V-36136 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the MDM server agent password.
V-36392 Medium Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters.
V-36139 Medium The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of numeric characters in the MDM server agent password.
V-36225 Medium If the MDM server includes a mobile email management capability, the email client S/MIME cryptographic module must be FIPS 140-2 validated.
V-36224 Medium If the MDM server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES 128 bit encryption key length is the minimum requirement; AES 256 desired.
V-36222 Medium Applications must notify users of organization defined security-related changes to the user's account occurring during the organization defined time period.
V-36221 Medium Applications providing information flow control must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-36220 Medium If the MDM server includes a mobile email management capability, the email client must be capable of providing S/MIME v3 (or later version) encryption of email.
V-36394 Medium Applications providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies.
V-36229 Medium If the MDM server includes a mobile email management capability, the email client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates.
V-36228 Medium If the MDM server includes a mobile email management capability, the email client must set the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available.
V-36168 Medium The MDM server must use cryptography to protect the integrity of remote access sessions with managed mobile devices.
V-36169 Medium Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based.
V-36167 Medium The MDM server must provide automated support for the management of distributed security testing on managed mobile devices.
V-36160 Medium Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.
V-36161 Medium The MDM server must ensure authentication of both mobile device MDM server agent and server during the entire session.
V-36162 Medium The MDM server must support organizational requirements to install software updates automatically on managed mobile devices.
V-36163 Medium The application must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-36296 Low The MDM server must provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.
V-36294 Low The MDM server must overwrite the oldest audit log entries when audit logs reach capacity.
V-36292 Low The MDM server must alert designated organizational officials in the event of an audit processing failure.
V-36290 Low The MDM server must send alerts to the administrator or organization's central audit management system when the audit log size reaches an organization defined critical percentage of capacity and full capacity.
V-36299 Low The MDM server must provide a real-time alert when organization defined audit failure events occur.
V-36055 Low The MDM server must protect the integrity and availability of publicly available information and applications.
V-36199 Low If the MDM server includes a mobile email management capability, the email client must notify the user if it cannot verify the revocation status of the certificate.
V-36278 Low The MDM server must produce audit records containing sufficient information to establish the sources of the events.
V-36308 Low The MDM server must automatically process audit records for events of interest based upon selectable, event criteria.
V-36302 Low The MDM server must utilize the integration of audit review, analysis, and reporting processes by an organization's central audit management system to support organizational processes for investigation and response to suspicious activities.
V-36305 Low The MDM server must support an audit reduction capability.
V-36307 Low The MDM server audit records must be able to be used by a report generation capability.
V-36235 Low If the MDM server includes a mobile email management capability, the email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
V-36236 Low If the MDM server includes a mobile email management capability, the email client must support SHA2 signature verification.
V-36237 Low If the MDM server includes a mobile email management capability, all email sent to the mobile device must be managed by the MDM server mobile email component. Desktop or Internet controlled email redirection is not authorized.
V-36232 Low If the MDM server includes a mobile email management capability, the email client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified.
V-36233 Low If the MDM server includes a mobile email management capability, the email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.
V-36239 Low The MDM server must query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes.
V-36011 Low The MDM server must display an approved system use notification message or banner before granting access to the system.
V-36012 Low The MDM server must retain the logon banner on the screen unless the administrator takes explicit actions to logon to the server.
V-36013 Low The MDM server, upon successful logon, must display to the administrator the date and time of the last logon (access).
V-36014 Low The MDM server, before or upon successful unlock, must display to the administrator the number of unsuccessful unlock attempts since the last successful unlock.
V-36273 Low The MDM server must produce audit records containing the severity level of each recorded event.
V-36275 Low The MDM server must include date and timestamps in each event recorded in audit logs.
V-36276 Low The MDM server must include the software component (e.g., administration module, mobile device security policy module, etc.) that generated each event recorded in audit logs.
V-36069 Low The MDM server must display an approved system use notification message or banner before granting access to the system.
V-36060 Low The MDM server must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-36065 Low The MDM server must identify potentially security relevant error conditions on the server.
V-36067 Low The MDM server must activate an organization defined alarm and/or automatically shut down the server, if a server component failure is detected.
V-36066 Low The MDM server must reveal error messages only to authorized personnel.
V-36333 Low The MDM server must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
V-36201 Low If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
V-36209 Low If the MDM server includes a mobile email management capability, the email client must not accept certificate revocation information without verifying its authenticity.
V-36026 Low The MDM server must obscure a password when it is entered on the server.
V-36323 Low The MDM server must record an event in the device audit log each time the server is started.
V-36241 Low The MDM server must ensure that PKI-based authentication maps the authenticated identity to the user account.
V-36240 Low The MDM server must verify all digital certificates in the certificate chain when performing PKI transactions.
V-36249 Low The MDM server must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-36076 Low The MDM server must ensure unauthorized, security relevant configuration changes are tracked if detected.
V-36075 Low The MDM server must limit privileges to change software resident within software libraries (including privileged programs).
V-36072 Low The MDM server must display to the administrator the identity of the entity that signed the downloaded software before installing the software.
V-36071 Low The MDM server must only allow authorized entities to change security attributes.
V-36322 Low The MDM server must support the capability to compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
V-36320 Low The MDM server must generate audit records for the DoD-required auditable events.
V-36280 Low The MDM server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-36357 Low The MDM server must respond to security function anomalies in accordance with organization defined responses and alternative action(s).
V-36356 Low The MDM server application must generate unique session identifiers with organization defined randomness requirements.
V-36355 Low The MDM server application must generate a unique session identifier for each session.
V-36352 Low The MDM server must separate the security functions between the management of the server itself, and the management of the mobile device.
V-36359 Low The MDM server application must recognize only system-generated session identifiers.
V-36210 Low If the MDM server includes a mobile email management capability, the email client must verify all digital certificates in the certificate chain when performing PKI transactions.
V-36049 Low The MDM server must be configured so the connection between the MDM server and the mobile device is initiated based on an out-bound connection request from the MDM server only.
V-36047 Low The MDM server must prevent unauthorized and unintended access to shared system resources by applications on managed mobile devices.
V-36051 Low The MDM server must terminate the network connection associated with a communications session at the end of the session or after an organization defined time period of inactivity.
V-36252 Low The MDM server must associate digital certificates used to sign applications, security policies, etc., with information exchanged between information systems.
V-36250 Low If the MDM server includes a mobile email management capability, the email client must support the capability to enable or disable contact list data elements transferred to the phone application.
V-36254 Low The MDM server must validate the integrity of digital certificates exchanged between systems.
V-36319 Low The MDM server must allow designated administrators to select which auditable events are to be audited by the server.
V-36313 Low The MDM server must protect audit information from unauthorized read access.
V-36312 Low The MDM server must synchronize internal information system clocks with United States Naval Observatory (USNO or other DoD-approved) time servers at least once every 24 hours.
V-36310 Low The MDM server must use internal system clocks to generate timestamps for audit records.
V-36317 Low The MDM server must provide audit record generation capability for the auditable events defined at the organizational level for defined information system components.
V-36227 Low If the MDM server includes a mobile email management capability, the email client must cache the certificate status of signed emails that have been received on the handheld device for a period not extending beyond the expiration period of the revocation data.
V-36226 Low If the MDM server includes a mobile email management capability, the email client must provide the mobile device user the capability to save public certificates of contacts in the contact object.
V-36223 Low If the MDM server includes a mobile email management capability, the email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported.