{
"stig": {
"date": "2013-01-24",
"description": "The MDM Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
"findings": {
"V-36006": {
"checkid": "C-44245r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server is providing automated support for account management functions. If this function is not being performed, this is a finding.\n",
"description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels.\n\nAs accounts are created or terminated and privilege levels are updated, the MDM server implementation must be configured so it automatically recognizes and supports this activity and immediately enforces the current account policy.",
"fixid": "F-40536r1_fix",
"fixtext": "Configure the MDM server to provide automated support for account management functions.\n",
"iacontrols": null,
"id": "V-36006",
"ruleID": "SV-47395r1_rule",
"severity": "high",
"title": "The MDM server must provide automated support for account management functions.",
"version": "SRG-APP-023-MDM-001-SRV"
},
"V-36007": {
"checkid": "C-44246r1_chk",
"checktext": "Review the MDM server configuration to determine whether an inactive administrator account can automatically be disabled after a set period of time. If the duration is not set in accordance to the organization's policy, this is a finding.\n",
"description": "Users are often the first line of defense within an application. Account management and distribution is vital to the security of the application. If an attacker compromises an account, the entire MDM server infrastructure, including the mobile devices on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Inactive accounts could be reactivated or compromised by unauthorized users allowing them to exploit vulnerabilities and maintain undetected access to the system. \n\nThere is always a risk for inactive accounts to be reactivated or compromised by unauthorized users who could then gain full control of the device; thereby enabling them to trigger a Denial of Service, intercept sensitive information, or disrupt the MDM server.",
"fixid": "F-40537r1_fix",
"fixtext": "Configure the MDM server to automatically disable an inactive administrator account after a set period of time.\n",
"iacontrols": null,
"id": "V-36007",
"ruleID": "SV-47396r1_rule",
"severity": "high",
"title": "The MDM server must automatically disable inactive administrator accounts after an organization defined time period.\n",
"version": "SRG-APP-025-MDM-002-SRV"
},
"V-36008": {
"checkid": "C-44247r1_chk",
"checktext": "Review the MDM server configuration to ensure there are accounts associated with the following roles: \n \n- MDM server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.\n- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.\n- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.\n- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.\n\nIf this separation of duties is not present, this is a finding.",
"description": "Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. \nThis requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. \n It is recommended that the following or similar roles be supported: \n- MDM server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.\n- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.\n- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.\n- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.",
"fixid": "F-40538r1_fix",
"fixtext": "Create and configure accounts to be aligned with the following roles:\n \n- MDM server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.\n- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.\n- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.\n- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.\n",
"iacontrols": null,
"id": "V-36008",
"ruleID": "SV-47397r1_rule",
"severity": "high",
"title": "The MDM server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.\n",
"version": "SRG-APP-062-MDM-003-SRV"
},
"V-36009": {
"checkid": "C-44248r1_chk",
"checktext": "Review the MDM server configuration to determine whether the number of consecutive invalid access attempts is limited to the organization defined value. If the number of invalid attempts is not set, or is set to something different than the organization defined value, this is a finding.\n",
"description": "Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. \nOne of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. \n\nTo reduce the risk of malicious access attempts being successful, the MDM server must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period.\n\nBy limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attack, is reduced. ",
"fixid": "F-40539r1_fix",
"fixtext": "Configure the MDM server to limit the number of consecutive invalid access attempts by an administrator.\n",
"iacontrols": null,
"id": "V-36009",
"ruleID": "SV-47398r1_rule",
"severity": "high",
"title": "The MDM server must enforce the organization defined limit of consecutive invalid access attempts by an administrator during the organization defined time period.\n",
"version": "SRG-APP-065-MDM-004-SRV"
},
"V-36010": {
"checkid": "C-44249r1_chk",
"checktext": "Review the MDM server configuration to determine whether an account can be locked after the organization's defined number of unsuccessful attempts has been reached. If this cannot be set or is set to something other than the organization's policy, this is a finding.\n",
"description": "One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. \n\nTo reduce the risk of malicious access attempts being successful, the MDM server must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and subsequently lock that account when the maximum numbers have been reached. \n\nBy limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attack, is reduced. ",
"fixid": "F-40540r1_fix",
"fixtext": "Configure the MDM server to lock accounts when the maximum number of unsuccessful attempts is exceeded. \n",
"iacontrols": null,
"id": "V-36010",
"ruleID": "SV-47399r1_rule",
"severity": "high",
"title": "The MDM server, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization defined time period or must lock the account until released by an administrator IAW organizational policy.\n",
"version": "SRG-APP-067-MDM-005-SRV"
},
"V-36011": {
"checkid": "C-44250r1_chk",
"checktext": "Review the MDM server configuration to determine whether an approved system use notification is displayed before granting access. If there is no banner, or the banner is not displayed before granting access, this is a finding.\n",
"description": "Applications are required to display an approved system use notification message or banner before granting access to the system providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: \n\n(i) users are accessing a U.S. Government information system; \n(ii) system usage may be monitored, recorded, and subject to audit; \n(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and \n(iv) the use of the system indicates consent to monitoring and recording.\n\nSystem use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. \n\nSystem use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. \n\nUse this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the MDM server), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \u201cOK\u201d.\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \n\nFor BlackBerry and other PDAs/PEDs with severe character limitations use the following:\n\n\"I've read & consent to terms in IS user agreement.\"",
"fixid": "F-40541r1_fix",
"fixtext": "Configure the MDM server to display an approved system use notification message or banner before granting access to the system. \n",
"iacontrols": null,
"id": "V-36011",
"ruleID": "SV-47400r1_rule",
"severity": "low",
"title": "The MDM server must display an approved system use notification message or banner before granting access to the system.\n",
"version": "SRG-APP-068-MDM-006-SRV"
},
"V-36012": {
"checkid": "C-44251r1_chk",
"checktext": "Review the MDM server configuration to determine that the logon banner is displayed until the user takes action to acknowledge the agreement. If the banner is presented by the operating system, a banner presented by the MDM server application is not required. If the banner screen continues on to the logon screen without user interaction, this is a finding.\n",
"description": "To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". The text of this banner should be customizable in the event of future user agreement changes. Failure to display the required login warning banner prior to log on attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DoD's ability to monitor the device's usage is limited unless a proper warning banner is displayed.\n",
"fixid": "F-40542r1_fix",
"fixtext": "Configure the MDM server to retain the logon banner on the screen unless the administrator takes explicit actions to logon to the server. \n",
"iacontrols": null,
"id": "V-36012",
"ruleID": "SV-47401r1_rule",
"severity": "low",
"title": "The MDM server must retain the logon banner on the screen unless the administrator takes explicit actions to logon to the server.\n",
"version": "SRG-APP-069-MDM-007-SRV"
},
"V-36013": {
"checkid": "C-44252r1_chk",
"checktext": "Review the MDM server configuration to determine whether the administrator is informed of the date and time of the last logon. If the administrator is not informed of this information, this is a finding.\n",
"description": "MDM server users need to be very vigilant in maintaining situational awareness of activity that occurs regarding their accounts. Providing them with information regarding the date and time of their last successful login allows them to determine if any unauthorized activity has occurred, gives them an opportunity to notify appropriate security personnel if necessary, and ensure other systems have not been affected. If administrators are not aware of potential attacks against a system, they cannot perform due diligence to ensure access is not granted to unauthorized users.",
"fixid": "F-40543r1_fix",
"fixtext": "Configure the MDM server to display, upon logon, to the administrator the date and time of the last logon. \n",
"iacontrols": null,
"id": "V-36013",
"ruleID": "SV-47402r1_rule",
"severity": "low",
"title": "The MDM server, upon successful logon, must display to the administrator the date and time of the last logon (access).\n",
"version": "SRG-APP-075-MDM-008-SRV"
},
"V-36014": {
"checkid": "C-44253r1_chk",
"checktext": "Review the MDM server configuration to determine whether the administrator is informed of the number of unsuccessful unlock attempts since the last successful unlock. If the administrator is not informed of this information, this is a finding.\n",
"description": "MDM server users need to be very vigilant in maintaining situational awareness of activity that occurs regarding their accounts. Providing them with information regarding the date and time of unsuccessful login allows them to determine if any unauthorized activity has occurred, gives them an opportunity to notify appropriate security personnel if necessary, and ensure other systems have not been affected. If administrators are not aware of potential attacks against a system, they cannot perform due diligence to ensure access is not granted to unauthorized users.\n",
"fixid": "F-40544r1_fix",
"fixtext": "Configure the MDM server to, before or upon successful unlock, display to the administrator the number of unsuccessful unlock attempts since the last successful unlock. \n",
"iacontrols": null,
"id": "V-36014",
"ruleID": "SV-47403r1_rule",
"severity": "low",
"title": "The MDM server, before or upon successful unlock, must display to the administrator the number of unsuccessful unlock attempts since the last successful unlock.\n",
"version": "SRG-APP-076-MDM-009-SRV"
},
"V-36015": {
"checkid": "C-44254r1_chk",
"checktext": "Review the MDM server configuration to determine whether the number of concurrent sessions for each account is limited to an organization defined number of sessions. If the number of concurrent user sessions is not set to the organization defined value, this is a finding.\n",
"description": "Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the MDM server from overburdening the system from a potential attacker.",
"fixid": "F-40545r1_fix",
"fixtext": "Configure the MDM server to limit the number of concurrent sessions for each account to an organization defined number of sessions. \n",
"iacontrols": null,
"id": "V-36015",
"ruleID": "SV-47404r1_rule",
"severity": "medium",
"title": "The MDM server must limit the number of concurrent sessions for each account to an organization defined number of sessions.\n",
"version": "SRG-APP-001-MDM-010-SRV"
},
"V-36016": {
"checkid": "C-44255r1_chk",
"checktext": "Review the MDM server configuration to determine whether a lock feature is configured. If a lock feature is not configured, this is a finding.\n",
"description": "If the MDM server does not support a lock feature, then anyone who gains access to the application may be able to access sensitive DoD information or perform other authorized functions. The lock feature mitigates the risk of unauthorized access.\n",
"fixid": "F-40546r1_fix",
"fixtext": "Configure the MDM server to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.\n",
"iacontrols": null,
"id": "V-36016",
"ruleID": "SV-47405r1_rule",
"severity": "high",
"title": "The MDM server must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.\n",
"version": "SRG-APP-005-MDM-011-SRV"
},
"V-36017": {
"checkid": "C-44256r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is locked after a period of inactivity. Clock the time on a different device to validate the application is correctly enforcing the time period. If the session lock does not occur, this is a finding.\n",
"description": "If the MDM server does not support a lock feature, then anyone who gains access to the application may be able to access sensitive DoD information or perform other authorized functions. The lock feature mitigates the risk of unauthorized access.\n",
"fixid": "F-40547r1_fix",
"fixtext": "Configure the MDM server to lock the server after an organization defined time period. \n",
"iacontrols": null,
"id": "V-36017",
"ruleID": "SV-47406r1_rule",
"severity": "high",
"title": "The MDM server must lock the application after an organization defined time period.\n",
"version": "SRG-APP-003-MDM-012-SRV"
},
"V-36018": {
"checkid": "C-44257r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is configured to support a lock feature. If a lock feature is not present, this is a finding.\n",
"description": "If the MDM server does not support a lock feature, then anyone who gains access to the application may be able to access sensitive DoD information or perform other authorized functions. The lock feature mitigates the risk of unauthorized access.\n",
"fixid": "F-40548r1_fix",
"fixtext": "Configure the MDM server so the administrator can lock the console. \n",
"iacontrols": null,
"id": "V-36018",
"ruleID": "SV-47407r1_rule",
"severity": "high",
"title": "The MDM server must provide the capability for an administrator to lock the application console.\n",
"version": "SRG-APP-004-MDM-013-SRV"
},
"V-36019": {
"checkid": "C-44258r1_chk",
"checktext": "Review the MDM server configuration to determine whether the display is able to hide what was previously visible when in a locked state. If any portion of the user display remains, even if it does not reveal data, this is a finding.\n",
"description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically at the operating system-level, but may be at the application-level. \n\nWhen the application design specifies the application rather than the operating system will determine when to lock the session, the application session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. \n\nAn example of obfuscation is a screensaver creating a viewable pattern that overwrites the entire screen rendering the screen contents unreadable. ",
"fixid": "F-40549r1_fix",
"fixtext": "Configure the MDM server to place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. \n",
"iacontrols": null,
"id": "V-36019",
"ruleID": "SV-47408r1_rule",
"severity": "high",
"title": "The MDM server session lock mechanism, when activated on the server, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.\n",
"version": "SRG-APP-002-MDM-014-SRV"
},
"V-36020": {
"checkid": "C-44259r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system enforces the requirements for remote connections. If the system is not enforcing these requirements, or the remote connection settings are not in accordance with the requirements, this is a finding.\n",
"description": "The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the MDM server must enforce these requirements.\n\nThis rule requires explicit authorization prior to allowing remote access to an information system without specifying a specific format for that authorization. For example, while the organization may deem it appropriate to use a system interconnection agreement to authorize a given remote access, such agreements are not required by this rule.",
"fixid": "F-40550r1_fix",
"fixtext": "Configure the MDM server to enforce the requirements for remote connections.\n",
"iacontrols": null,
"id": "V-36020",
"ruleID": "SV-47409r1_rule",
"severity": "high",
"title": "The MDM server must enforce requirements for remote connections to the information system.\n",
"version": "SRG-APP-140-MDM-015-SRV"
},
"V-36021": {
"checkid": "C-44260r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is monitoring for unauthorized connections of mobile devices to the MDM server application. If the MDM server is not performing this monitoring function, this is a finding.\n",
"description": "Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). \n\nUnapproved or unrecognized devices connected to the network and being served by an MDM server as well can lead to malware possibly gaining control over the MDM server. ",
"fixid": "F-40551r1_fix",
"fixtext": "Configure the MDM server to monitor for unauthorized connections of mobile devices to the MDM server application. \n",
"iacontrols": null,
"id": "V-36021",
"ruleID": "SV-47410r1_rule",
"severity": "medium",
"title": "The MDM server must monitor for unauthorized connections of mobile devices to the MDM server application.\n",
"version": "SRG-APP-021-MDM-018-SRV"
},
"V-36022": {
"checkid": "C-44261r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is protecting against an individual falsely denying having performed a particular action. If the system is not performing this function, this is a finding.\n",
"description": "Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nWhen non-repudiation techniques are not employed, high assurance that an individual performed a specific action cannot be guaranteed and the individual can falsely deny having performed such action and therefore, be held unaccountable. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document.",
"fixid": "F-40552r1_fix",
"fixtext": "Configure the MDM server to protect against an individual falsely denying having performed a particular action. \n",
"iacontrols": null,
"id": "V-36022",
"ruleID": "SV-47411r1_rule",
"severity": "medium",
"title": "The MDM server must protect against an individual falsely denying having performed a particular action.\n",
"version": "SRG-APP-080-MDM-019-SRV"
},
"V-36023": {
"checkid": "C-44262r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system can require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements. If the MDM server cannot require this password, this is a finding.\n",
"description": "The cornerstone of the PKI is the private key used to encrypt or digitally sign information. Allowing unauthenticated access to private keys can enable an adversary in possession of the device to decrypt messages encrypted with the public-key and to digitally sign data, thereby potentially enabling an adversary to impersonate the user in any application that uses that private key for user authentication. Requiring a password to access keys saved in the certificate store mitigates the risk of unauthorized access.\n",
"fixid": "F-40553r1_fix",
"fixtext": "Configure the MDM server to require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements. \n",
"iacontrols": null,
"id": "V-36023",
"ruleID": "SV-47412r1_rule",
"severity": "medium",
"title": "The MDM server must require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements.\n",
"version": "SRG-APP-176-MDM-020-SRV"
},
"V-36024": {
"checkid": "C-44263r1_chk",
"checktext": "Review the MDM server configuration to determine whether authentication to the server is being performed by the Enterprise Authentication Mechanism. If access to the server is not being authenticated via this method, this is a finding.\n",
"description": "In the DoD, Administrator credential requirements for authentication are defined by CTO 07-115 Rev 1, which is usually enforced by the Enterprise Authentication Mechanism. Non-compliant credential enforcement mechanisms make the DoD IS vulnerable to attack.\n",
"fixid": "F-40554r1_fix",
"fixtext": "Configure the MDM server to support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication. \n",
"iacontrols": null,
"id": "V-36024",
"ruleID": "SV-47413r1_rule",
"severity": "medium",
"title": "The MDM server must support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication. \n",
"version": "SRG-APP-166-MDM-021-SRV"
},
"V-36025": {
"checkid": "C-44264r1_chk",
"checktext": "Review the MDM server configuration to determine whether it is possible to transmit passwords in clear text. If it is determined that the system transmits passwords in clear text, this is a finding.\n",
"description": "Transmission of passwords in clear text reveals the password to any adversary who can successfully eavesdrop on the communication. In the case of wireless communication, the ability to eavesdrop is available to anyone within the range of the device\u2019s radio signal, which in some cases can be miles. Once an adversary has obtained a password, the adversary may be able to use it to compromise sensitive DoD information or other DoD information systems. Using methods that avoid the transmission of passwords in clear text mitigates the risk of this attack.",
"fixid": "F-40555r1_fix",
"fixtext": "Configure the MDM server so it does not transmit passwords in clear text. \n",
"iacontrols": null,
"id": "V-36025",
"ruleID": "SV-47414r1_rule",
"severity": "high",
"title": "The MDM server must not transmit passwords in clear text.\n",
"version": "SRG-APP-172-MDM-022-SRV"
},
"V-36026": {
"checkid": "C-44265r1_chk",
"checktext": "Review the MDM server configuration to determine whether passwords entered are obfuscated. It is acceptable for the passwords to be revealed for very brief periods of time (less than a second), so the user can verify if the character was entered correctly. Characters may be obfuscated via asterisks or other means. If the MDM server does not otherwise hide passwords as they are entered, this is a finding.\n",
"description": "To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the MDM server shall not provide any information that would allow an unauthorized user to compromise the authentication mechanism. During the authentication process, malicious users can gain knowledge of passwords by simply walking by a user logging on, and viewing what had been input. Obfuscation of user provided information when typed into the system is a method used in addressing this risk. \n",
"fixid": "F-40556r1_fix",
"fixtext": "Configure the MDM server to obscure passwords when entered. \n",
"iacontrols": null,
"id": "V-36026",
"ruleID": "SV-47415r1_rule",
"severity": "low",
"title": "The MDM server must obscure a password when it is entered on the server. \n",
"version": "SRG-APP-178-MDM-023-SRV"
},
"V-36027": {
"checkid": "C-44266r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system can enforce approved authorizations for logical access to the system in accordance with applicable policy. If the MDM server cannot provide these access controls, this is a finding.\n",
"description": "Strong access controls are critical to securing the MDM server. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by the MDM server when applicable to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the MDM server.\n\nWithout stringent logical access and authorization controls to the MDM server, an adversary may have the ability, with very little effort, to compromise the MDM server and associated supporting infrastructure. ",
"fixid": "F-40557r1_fix",
"fixtext": "Configure the MDM server to enforce approved authorizations for logical access to the system in accordance with applicable policy. \n",
"iacontrols": null,
"id": "V-36027",
"ruleID": "SV-47416r1_rule",
"severity": "high",
"title": "The MDM server must enforce approved authorizations for logical access to the system in accordance with applicable policy.\n",
"version": "SRG-APP-033-MDM-024-SRV"
},
"V-36028": {
"checkid": "C-44267r1_chk",
"checktext": "Review the MDM server configuration to determine whether approved versions of all components have been used, including the mobile device integrity scanning component and mobile email management component (if used). If a non-approved version of a component exists, this is a finding.\n",
"description": "Approved versions of components have gone through all required phases of testing, approval, etc. Using non-approved versions of server components could compromise the functionality of the MDM server environment.\n",
"fixid": "F-40558r1_fix",
"fixtext": "Use only approved versions of MDM server components.\n",
"iacontrols": null,
"id": "V-36028",
"ruleID": "SV-47417r1_rule",
"severity": "high",
"title": "The MDM server must utilize only approved versions of components, including the mobile device integrity scanning component and mobile email management component (if used).\n",
"version": "SRG-APP-999-MDM-026-SRV"
},
"V-36029": {
"checkid": "C-44268r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server is able to be configured to scan the version of the mobile device hardware and alert if unsupported versions are found. If the MDM server cannot be configured to scan the hardware version of managed mobile devices and alert if unsupported versions are found, this is a finding.\n",
"description": "Approved versions of devices have gone through all required phases of testing, approval, etc., and are able to support required security features. Using non-approved versions of mobile device hardware could compromise the security baseline of the mobile system, since some required security features may not be supported.\n",
"fixid": "F-40559r1_fix",
"fixtext": "Use only MDM servers that are capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found.\n",
"iacontrols": null,
"id": "V-36029",
"ruleID": "SV-47418r1_rule",
"severity": "high",
"title": "The MDM server must be capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found.\n",
"version": "SRG-APP-999-MDM-027-MDIS"
},
"V-36030": {
"checkid": "C-44269r1_chk",
"checktext": "Work with the OS Reviewer or check VMS for last review of each host server where a MDM server component is installed. This includes the host server for the MDM server, MAM, MDIS, and MEM servers.\n",
"description": "The host server where the MDM server components are installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the MDM server environment.",
"fixid": "F-40560r1_fix",
"fixtext": "Conduct required STIG reviews of the OS and all installed applications on the host server.\n",
"iacontrols": null,
"id": "V-36030",
"ruleID": "SV-47419r1_rule",
"severity": "medium",
"title": "The host server where the MDM server components are installed must be hardened according to the appropriate Application and OS STIGs (Windows, SQL, Apache Web Server, Apache Tomcat, IIS, etc.).\n",
"version": "SRG-APP-999-MDM-028-SRV"
},
"V-36031": {
"checkid": "C-44270r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is employing automated mechanisms to enforce access restrictions. If the MDM server is not providing these access controls, this is a finding.\n",
"description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nAny changes to the hardware, software, and/or firmware components of the MDM server can potentially have significant effects on the overall security of the system. Therefore, only qualified and authorized individuals should be allowed to obtain access to the MDM server components for the purposes of implementing any changes or upgrades.",
"fixid": "F-40561r1_fix",
"fixtext": "Configure the MDM server to employ automated mechanisms to enforce access restrictions. \n",
"iacontrols": null,
"id": "V-36031",
"ruleID": "SV-47420r1_rule",
"severity": "medium",
"title": "The MDM server must employ automated mechanisms to enforce access restrictions.\n",
"version": "SRG-APP-129-MDM-026-SRV"
},
"V-36032": {
"checkid": "C-44271r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is configured to specifically prohibit or restrict the use of organization defined functions, ports, protocols, and/or services on the server. If these restrictions are not implemented, this is a finding.\n",
"description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and it must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. The DoD Category Assurance List (CAL) should be referenced for compliance.",
"fixid": "F-40562r1_fix",
"fixtext": "Configure the MDM server to specifically prohibit or restrict the use of organization defined functions, ports, protocols, and/or services on the server. \n",
"iacontrols": null,
"id": "V-36032",
"ruleID": "SV-47421r1_rule",
"severity": "high",
"title": "The MDM server must configure the information system to specifically prohibit or restrict the use of organization defined functions, ports, protocols, and/or services on the server.\n\n\n",
"version": "SRG-APP-142-MDM-027-SRV"
},
"V-36033": {
"checkid": "C-44272r1_chk",
"checktext": "Examine the server configuration to determine whether the DoD approved host based firewall is configured to \"Deny All\" except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions. If the firewall is not locked down to only support the MDM server functions, this is a finding.\n",
"description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since the MDM server is a critical component of the mobility architecture, it must be configured to only those ports, protocols, and services (PPS) necessary to support functionality; all others must be expressly disabled or removed. A host firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality. Unless only known good traffic is allowed into the MDM server, the MDM server could be vulnerable to denial of service attacks, as well as brute-force attacks by intruders.\n",
"fixid": "F-40563r1_fix",
"fixtext": "Configure the DoD approved host based firewall to \"Deny All\" except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions.\n",
"iacontrols": null,
"id": "V-36033",
"ruleID": "SV-47422r1_rule",
"severity": "high",
"title": "The MDM server host based firewall must be configured to Deny All except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions.\n",
"version": "SRG-APP-142-MDM-029-SRV"
},
"V-36034": {
"checkid": "C-44273r1_chk",
"checktext": "Review the MDM server configuration to determine how the system needs to be configured to disable access by unauthorized components. If the MDM server is not configured to restrict access to authorized components or does not notify designated organizational officials, this is a finding.\n",
"description": "Maintaining system and network integrity requires all systems on the network are identified and accounted for. Without an accurate accounting of systems utilizing the network, the opportunity exists for the introduction of rogue systems. The significance of this manner of security compromise increases exponentially over time and could become a persistent threat. Therefore, organizations must employ automated mechanisms to detect the addition of unauthorized devices. Eliminating unauthorized access to the network is vital to maintaining a secured network. For an MDM server, this accounting extends to the allowance of specific mobile devices to access the network via the MDM server.",
"fixid": "F-40564r1_fix",
"fixtext": "Configure the MDM server to disable network access by unauthorized server components. Notifying a designated organization official of access being granted to a component is also sufficient.\n",
"iacontrols": null,
"id": "V-36034",
"ruleID": "SV-47423r1_rule",
"severity": "medium",
"title": "The MDM server must disable network access by unauthorized server components or notify designated organizational officials.\n",
"version": "SRG-APP-228-MDM-030-SRV"
},
"V-36035": {
"checkid": "C-44274r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server data is backed up per a defined frequency. If the MDM server data is not backed up per defined frequency, this is a finding.\n",
"description": "Information system backup is a critical step in maintaining data assurance and availability. \n\nUser-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user generated data is backed up at a defined frequency. This includes data stored on file systems, within databases or within any other storage media.\n\nApplications performing backups must be capable of backing up user-level information per the DoD defined frequency.",
"fixid": "F-40565r1_fix",
"fixtext": "Configure the MDM server so the MDM server data is backed up per a defined frequency.\n",
"iacontrols": null,
"id": "V-36035",
"ruleID": "SV-47424r1_rule",
"severity": "medium",
"title": "The MDM server data must be backed up per a defined frequency.\n",
"version": "SRG-APP-145-MDM-031-SRV"
},
"V-36036": {
"checkid": "C-44275r1_chk",
"checktext": "Review the MDM server configuration, server configuration, and organizational policy to determine backup strategy. Backups must be consistent with recovery time and recovery point objectives. If a system-level backup strategy is not in place, this is a finding.\n",
"description": "MDM server backup is a critical step in maintaining data assurance and availability. Without available backup data to restore a system in the event of a system failure, the system may be rendered useless. If the MDM server fails and there is no backup of the MDM server information, a denial of service condition is possible for all who utilize this critical network component. ",
"fixid": "F-40566r1_fix",
"fixtext": "Implement system level backup strategy.\n",
"iacontrols": null,
"id": "V-36036",
"ruleID": "SV-47425r1_rule",
"severity": "medium",
"title": "The MDM server must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.\n",
"version": "SRG-APP-146-MDM-032-SRV"
},
"V-36037": {
"checkid": "C-44276r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism via multifactor authentication. If the MDM server is not authenticating through the Enterprise Authentication Mechanism, this is a finding. If the MDM server is not configured for multifactor authentication, this is a finding.\n",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As privileged users have access to most of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user. \n\nMultifactor authentication includes: \n\n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). ",
"fixid": "F-40567r1_fix",
"fixtext": "Configure MDM server to authenticate through the Enterprise Authentication Mechanism.\n\nConfigure the MDM server for multifactor authentication.",
"iacontrols": null,
"id": "V-36037",
"ruleID": "SV-47426r1_rule",
"severity": "high",
"title": "The MDM server must use multifactor authentication via an Enterprise Authentication Mechanism for network access to privileged accounts.\n",
"version": "SRG-APP-149-MDM-033-SRV"
},
"V-36038": {
"checkid": "C-44277r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism via multifactor authentication. If the MDM server is not authenticating through the Enterprise Authentication Mechanism, this is a finding. If the MDM server is not configured for multifactor authentication, this is a finding.\n",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As privileged users have access to most of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user. \n\nMultifactor authentication includes: \n\n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). ",
"fixid": "F-40568r1_fix",
"fixtext": "Configure MDM server to authenticate through the Enterprise Authentication Mechanism.\n\nConfigure the MDM server for multifactor authentication.",
"iacontrols": null,
"id": "V-36038",
"ruleID": "SV-47427r1_rule",
"severity": "high",
"title": "The MDM server must use multifactor authentication via an Enterprise Authentication Mechanism for local access to privileged accounts.\n",
"version": "SRG-APP-151-MDM-034-SRV"
},
"V-36039": {
"checkid": "C-44278r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that performs individual authentication prior to performing group authentication. If the MDM server is not authenticating through the Enterprise Authentication Mechanism, this is a finding. \n",
"description": "To assure individual accountability and prevent unauthorized access, MDM server administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated. Without individual accountability, there can be no traceability back to an individual if there were a security incident on the system. In addition, group accounts can be shared with individuals who do not have authorized access. \n",
"fixid": "F-40569r1_fix",
"fixtext": "Configure the MDM server to authenticate through the Enterprise Authentication Mechanism.\n",
"iacontrols": null,
"id": "V-36039",
"ruleID": "SV-47428r1_rule",
"severity": "high",
"title": "The MDM server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.\n",
"version": "SRG-APP-153-MDM-035-SRV"
},
"V-36040": {
"checkid": "C-44279r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs replay-resistant features. If the MDM server is not authenticating through the Enterprise Authentication Mechanism, this is a finding. \n",
"description": "An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Replay attacks, if successfully used against a MDM server account could result in unfettered access to the MDM server settings and data records. ",
"fixid": "F-40570r1_fix",
"fixtext": "Configure the MDM server to authenticate through the Enterprise Authentication Mechanism.\n",
"iacontrols": null,
"id": "V-36040",
"ruleID": "SV-47429r1_rule",
"severity": "high",
"title": "The MDM server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.\n",
"version": "SRG-APP-156-MDM-036-SRV"
},
"V-36041": {
"checkid": "C-44280r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server disables administrator accounts after an organization defined time period of inactivity. If the MDM server is not configured to disable administrator accounts after an organization defined time period of inactivity, this is a finding. \n",
"description": "Users are often the first line of defense within an application. Active users take notice of system and data conditions and are usually the first to notify systems administrators when they notice a system or application related anomaly, particularly if the anomaly is related to their own account. \n\nInactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to the system. Systems need to track periods of user inactivity and disable accounts after an organization defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or will have data compromised.",
"fixid": "F-40571r1_fix",
"fixtext": "Configure the MDM server to disable inactive administrator accounts per the organization's specified time period.\n",
"iacontrols": null,
"id": "V-36041",
"ruleID": "SV-47430r1_rule",
"severity": "high",
"title": "The MDM server must disable administrative accounts after an organization defined time period of inactivity.\n",
"version": "SRG-APP-163-MDM-037-SRV"
},
"V-36042": {
"checkid": "C-44281r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. If the MDM server is not authenticating through the Enterprise Authentication Mechanism, this is a finding. \n",
"description": "MDM server applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. ",
"fixid": "F-40572r1_fix",
"fixtext": "Configure the MDM server to authenticate through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.\n",
"iacontrols": null,
"id": "V-36042",
"ruleID": "SV-47431r1_rule",
"severity": "high",
"title": "The MDM server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.\n",
"version": "SRG-APP-179-MDM-038-SRV"
},
"V-36043": {
"checkid": "C-44282r1_chk",
"checktext": "Review system documentation to identify the FIPS 140 certificate for the PKI key store. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding.\n",
"description": " MDM server applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. FIPS validation ensures the encryption algorithm is suitable for the DoD environment.\n",
"fixid": "F-40573r1_fix",
"fixtext": "Stop using the system until the vendor has obtained FIPS validation or install a third party product that contains a FIPS validated cryptographic module providing the same services in the operating system\u2019s non-FIPS validated implementation of cryptography.\n",
"iacontrols": null,
"id": "V-36043",
"ruleID": "SV-47432r1_rule",
"severity": "medium",
"title": "The PKI key store of the MDM server must be FIPS validated.\n",
"version": "SRG-APP-179-MDM-039-SRV"
},
"V-36044": {
"checkid": "C-44283r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. If the MDM server is not authenticating through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions, this is a finding. \n",
"description": "Lack of authentication enables anyone to gain access to the MDM server. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to the MDM server to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.",
"fixid": "F-40574r1_fix",
"fixtext": "Configure the MDM server to authenticate through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.\n",
"iacontrols": null,
"id": "V-36044",
"ruleID": "SV-47433r1_rule",
"severity": "high",
"title": "The MDM server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.\n",
"version": "SRG-APP-185-MDM-040-SRV"
},
"V-36045": {
"checkid": "C-44284r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is configured to terminate all sessions and network connections when non-local maintenance is completed. If the MDM server is not set to terminate these sessions, this is a finding.\n",
"description": "In the event the remote node has abnormally terminated or an upstream link from the MDM server is down, the management session will be terminated; thereby, freeing device resources and eliminating any possibility of an unauthorized user being orphaned to an open idle session of the MDM server.\n",
"fixid": "F-40575r1_fix",
"fixtext": "Configure the MDM server to terminate all sessions and network connections when non-local maintenance is completed.\n",
"iacontrols": null,
"id": "V-36045",
"ruleID": "SV-47434r1_rule",
"severity": "medium",
"title": "The MDM server must terminate all sessions and network connections when non-local maintenance is completed.\n",
"version": "SRG-APP-186-MDM-041-SRV"
},
"V-36046": {
"checkid": "C-44285r1_chk",
"checktext": "Review the MDM server configuration, server configuration, and organizational requirements to ensure cryptographic mechanisms to protect information in storage are employed. If information in storage is not protected to the level the organization requires, this is a finding.\n",
"description": "When data is written to digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring physical protection. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls to the facility where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information. The strength of mechanisms is commensurate with the classification and sensitivity of the information.",
"fixid": "F-40576r1_fix",
"fixtext": "Configure the MDM server to utilize cryptographic mechanisms to protect information in storage to the level specified by the organization.\n",
"iacontrols": null,
"id": "V-36046",
"ruleID": "SV-47435r1_rule",
"severity": "medium",
"title": "The MDM server must use organizational requirements to employ cryptographic mechanisms to protect information in storage.\n",
"version": "SRG-APP-188-MDM-042-SRV"
},
"V-36047": {
"checkid": "C-44286r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system supports multiple user environments. If it does, verify the system has controls for preventing DoD applications from accessing non-DoD data. Attempt to access non-DoD data from the MDM server. If it is feasible to do so, this is a finding.\n",
"description": "The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. This prevents inadvertent data disclosure from one process to another.\n",
"fixid": "F-40577r1_fix",
"fixtext": "Configure the MDM server to prevent DoD applications from accessing non-DoD data.\n",
"iacontrols": null,
"id": "V-36047",
"ruleID": "SV-47436r1_rule",
"severity": "low",
"title": "The MDM server must prevent unauthorized and unintended access to shared system resources by applications on managed mobile devices.\n",
"version": "SRG-APP-243-MDM-043-MDM"
},
"V-36048": {
"checkid": "C-44287r1_chk",
"checktext": "Examine the server configuration to determine whether there is a DoD approved host-based firewall installed, and configured to filter both inbound and outbound traffic based on IP address and UDP/TCP port. If no firewall is installed, this is a finding. If a non-approved firewall is installed, this is a finding.\n",
"description": "A host-based boundary protection mechanism is a host-based firewall. Host-based boundary protection mechanisms are employed on mobile devices, such as notebook/laptop computers, and other types of mobile devices where such boundary protection mechanisms are available. This helps mitigate attacks at the network interface.\n",
"fixid": "F-40578r1_fix",
"fixtext": "Remove any non-approved firewalls if present. \n\nInstall a DoD approved host-based firewall, and configure to filter both inbound and outbound traffic based on IP address and UDP/TCP port.",
"iacontrols": null,
"id": "V-36048",
"ruleID": "SV-47437r1_rule",
"severity": "high",
"title": "The MDM server must be able to filter both inbound and outbound traffic based on IP address and UDP/TCP port.\n",
"version": "SRG-APP-250-MDM-044-SRV"
},
"V-36049": {
"checkid": "C-44288r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is configured so the connection between the MDM server and the mobile device is initiated based on an out-bound connection request from the MDM server only. If the MDM server's configuration is otherwise set, this is a finding.\n",
"description": "By configuring the MDM server to connect to the mobile device on an out-bound connection, the traffic is segregated, which makes it more difficult for an intruder to compromise the device management session.\n",
"fixid": "F-40579r1_fix",
"fixtext": "Configure the system so the connection between the MDM server and the mobile device is initiated based on an out-bound connection request from the MDM server only.\n",
"iacontrols": null,
"id": "V-36049",
"ruleID": "SV-47438r1_rule",
"severity": "low",
"title": "The MDM server must be configured so the connection between the MDM server and the mobile device is initiated based on an out-bound connection request from the MDM server only.\n",
"version": "SRG-APP-250-MDM-045-SRV"
},
"V-36050": {
"checkid": "C-44289r1_chk",
"checktext": "Review the MDM server configuration to determine whether the functionality exists to maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, the MDM server needs to leverage transmission protection mechanisms, such as TLS, SSL VPN, or IPSEC tunnel. If the MDM server is not configured to use this functionality, this is a finding.\n",
"description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Without these cryptographic mechanisms, the data could be disclosed to unauthorized users or processes during aggregation, packaging, and transformation in preparation for transmission.\n",
"fixid": "F-40580r1_fix",
"fixtext": "Configure the MDM server to leverage transmission protection mechanisms, such as TLS, SSL VPN, or IPSEC tunnel when transmitting data.\n",
"iacontrols": null,
"id": "V-36050",
"ruleID": "SV-47439r1_rule",
"severity": "medium",
"title": "The MDM server must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPN, or IPSEC tunnel. \n",
"version": "SRG-APP-230-MDM-046-SRV"
},
"V-36051": {
"checkid": "C-44290r1_chk",
"checktext": "Review the MDM server configuration to verify the system terminates network connections after an organization defined time period of inactivity. If communications are not terminated at the end of a session or after an organization defined time period of inactivity, this is a finding.\n",
"description": "If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a defined period of inactivity mitigates this risk.\n",
"fixid": "F-40581r1_fix",
"fixtext": "Configure the MDM server to terminate network connections at the end of the session or after the organization defined time period of inactivity.\n",
"iacontrols": null,
"id": "V-36051",
"ruleID": "SV-47440r1_rule",
"severity": "low",
"title": "The MDM server must terminate the network connection associated with a communications session at the end of the session or after an organization defined time period of inactivity.\n",
"version": "SRG-APP-190-MDM-047-SRV"
},
"V-36052": {
"checkid": "C-44291r2_chk",
"checktext": "Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST CMVP validated modules list (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) to verify the certificate is still valid, and confirm that the module version and operating environment named on the certificate match the module actually installed on the MDM server. If the module is not currently FIPS validated, or the installed module does not match the validated configuration, this is a finding.",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly to ensure confidentiality of the data store. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
"fixid": "F-40582r1_fix",
"fixtext": "Stop using the system until the vendor has obtained FIPS validation, or install a third party product that contains a FIPS validated cryptographic module providing the same services in place of the operating system\u2019s non-FIPS validated implementation of cryptography.\n",
"iacontrols": null,
"id": "V-36052",
"ruleID": "SV-47441r1_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of the certificate store must be FIPS 140-2 validated.\n",
"version": "SRG-APP-197-MDM-048-SRV"
},
"V-36053": {
"checkid": "C-44292r1_chk",
"checktext": "Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST CMVP validated modules list (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) to verify the certificate is still valid, and confirm that the module version and operating environment named on the certificate match the module actually installed on the MDM server. If the module is not currently FIPS validated, or the installed module does not match the validated configuration, this is a finding.\n",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly to ensure confidentiality of the data at rest. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
"fixid": "F-40583r1_fix",
"fixtext": "Stop using the system until the vendor has obtained FIPS validation, or install a third party product that contains a FIPS validated cryptographic module providing the same services in place of the operating system\u2019s non-FIPS validated implementation of cryptography.\n",
"iacontrols": null,
"id": "V-36053",
"ruleID": "SV-47442r1_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.\n",
"version": "SRG-APP-197-MDM-049-SRV"
},
"V-36054": {
"checkid": "C-44293r2_chk",
"checktext": "Identify the classified data stored, transmitted, or processed by the MDM server. Data processed by the MDM server that may be classified includes, but is not limited to, vulnerability-related alerts and audit log entries and, if the MDM processes email, the content of classified email messages. \n\nOnce the classified data are identified, determine whether there are any applicable data-at-rest (DAR) and data-in-transit (DIT) requirements for cryptography. Classified DIT transmitted between CMD and the MDM server must be encrypted. In general, if either classified DIT or DAR remain within a protected enclave that otherwise meets requirements for classified computing, then there are no requirements for encryption. However, local command or site policies requiring encryption will apply if they exist. If classified DIT leaves a protected enclave then it must be encrypted. For example, classified vulnerability messages transmitted to an enterprise intrusion detection or response center must be encrypted if those messages are transmitted from the enclave in which the MDM server resides to the enclave in which the enterprise servers reside over a medium at a lower level of classification. \n\nOnce the requirements have been identified, determine the network component used to comply with the requirement. For example, when classified DIT is transmitted across network boundaries, HAIPE technology in the infrastructure may be used to protect DIT. In this case, the requirement does not apply to the MDM server. \n\nFor all identified classified DAR and DIT requirements addressed by the MDM server, review documentation associated with the cryptography implemented to comply with the requirement. Any cryptography used to protect classified DAR or DIT in this circumstance must be NSA-approved, although not necessarily with classified algorithms. If cryptography is not employed, or if the cryptography the MDM server employs is not NSA approved, this is a finding.\n\nNote: In cases where NSA approved encryption is not required as described above, organizations may implement cryptography to protect classified DAR or DIT as a defense-in-depth measure or for other reasons. In these cases, the cryptography need not be NSA-approved.",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. NSA approval is required for cryptography for classified data and applications when such data is not adequately protected through local physical security controls. NSA approval provides assurance that the implementation is not vulnerable to attacks that might impact the confidentiality, integrity, or availability of the information.",
"fixid": "F-40584r2_fix",
"fixtext": "Stop using the MDM server until the NSA has approved the required applications of cryptography.",
"iacontrols": null,
"id": "V-36054",
"ruleID": "SV-47444r1_rule",
"severity": "high",
"title": "The MDM server must employ NSA approved cryptography when cryptography is required to protect classified information.",
"version": "SRG-APP-198-MDM-050-SRV"
},
"V-36055": {
"checkid": "C-44294r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is configured to protect the integrity and availability of publicly available information and applications. If the system is configured otherwise, this is a finding.\n",
"description": "The MDM server may provide information that has to be made publicly available, therefore security of the MDM server system is paramount to protect the integrity and availability of the MDM server structure and the information that it provides to the network and public. The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of other security controls. \n",
"fixid": "F-40585r1_fix",
"fixtext": "Configure the MDM server to protect the integrity and availability of publicly available information and applications.\n",
"iacontrols": null,
"id": "V-36055",
"ruleID": "SV-47445r1_rule",
"severity": "low",
"title": "The MDM server must protect the integrity and availability of publicly available information and applications.\n",
"version": "SRG-APP-201-MDM-051-SRV"
},
"V-36056": {
"checkid": "C-44295r1_chk",
"checktext": "Review the MDM server configuration, server configuration, and organizational policy to determine whether the system is configured to terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events such as idle time limit exceeded. If the configuration is not set to terminate administrator sessions per defined events, this is a finding.\n",
"description": "If administrator sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain privileged access to the MDM server or the networks to which it is attached. Terminating administrator sessions on logout and after a defined period of inactivity mitigates this risk.\n",
"fixid": "F-40586r1_fix",
"fixtext": "Configure the MDM server to terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events.\n",
"iacontrols": null,
"id": "V-36056",
"ruleID": "SV-47446r1_rule",
"severity": "medium",
"title": "The MDM server must terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events such as idle time limit exceeded.\n",
"version": "SRG-APP-220-MDM-052-SRV"
},
"V-36057": {
"checkid": "C-44296r1_chk",
"checktext": "Review the MDM server configuration to ensure sessions can be manually terminated. If a session cannot be manually terminated, this is a finding.\n",
"description": "Manually terminating an application session allows users to immediately depart the physical vicinity of the system they are logged into without the risk of subsequent system users reactivating or continuing their application session. Users who log into the MDM server application must have the ability to manually terminate their application session. \n",
"fixid": "F-40587r1_fix",
"fixtext": "Configure the MDM server to provide a logout functionality to allow the user to manually terminate the session. \n",
"iacontrols": null,
"id": "V-36057",
"ruleID": "SV-47447r1_rule",
"severity": "medium",
"title": "The MDM server must provide a logout functionality to allow the user to manually terminate the session.\n",
"version": "SRG-APP-221-MDM-053-SRV"
},
"V-36058": {
"checkid": "C-44297r1_chk",
"checktext": "Review the MDM server configuration to ensure the system will fail to an organization defined known-state for organization defined types of failures. If the MDM server is not configured in this fashion, this is a finding.\n",
"description": "Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. It helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving system state information facilitates system restart and return to the operational mode of the organization with less disruption of mission/business processes.\n",
"fixid": "F-40588r1_fix",
"fixtext": "Configure the MDM server to fail to an organization defined known-state for organization defined types of failures.\n",
"iacontrols": null,
"id": "V-36058",
"ruleID": "SV-47448r1_rule",
"severity": "high",
"title": "The MDM server must fail to an organization defined known-state for organization defined types of failures.\n",
"version": "SRG-APP-225-MDM-054-SRV"
},
"V-36059": {
"checkid": "C-44298r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is protecting the confidentiality and integrity of information at rest. If the MDM server is not configured in this fashion, this is a finding.\n",
"description": "This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive). The MDM server must ensure the data being written to these devices is protected. In most cases, this is done via encryption. Without encryption, data while at rest can be copied from secondary storage by an attacker.\n",
"fixid": "F-40589r1_fix",
"fixtext": "Configure the MDM server to protect the confidentiality and integrity of information at rest.\n",
"iacontrols": null,
"id": "V-36059",
"ruleID": "SV-47449r1_rule",
"severity": "medium",
"title": "The MDM server must protect the confidentiality and integrity of information at rest.\n",
"version": "SRG-APP-231-MDM-055-SRV"
},
"V-36060": {
"checkid": "C-44299r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is protecting the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. If the MDM server is not configured in this fashion, this is a finding.\n",
"description": "Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative the application take steps to validate and assure the integrity of data while at these stages of processing. \n",
"fixid": "F-40590r1_fix",
"fixtext": "Configure the MDM server to protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.\n",
"iacontrols": null,
"id": "V-36060",
"ruleID": "SV-47450r1_rule",
"severity": "low",
"title": "The MDM server must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.\n",
"version": "SRG-APP-239-MDM-056-SRV"
},
"V-36061": {
"checkid": "C-44300r1_chk",
"checktext": "Verify the presence of an automated patch management tool. If there is no patch management system or it is not functioning as expected, this is a finding.\n",
"description": "The organization (including any contractor to the organization) must promptly install security relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed. Left unpatched, software may be vulnerable to a variety of exploits that could disclose sensitive information or lead to subsequent security breaches. An automated patch management tool can mitigate this risk.\n",
"fixid": "F-40591r1_fix",
"fixtext": "Install an automated patch management tool on the MDM server.\n",
"iacontrols": null,
"id": "V-36061",
"ruleID": "SV-47451r1_rule",
"severity": "medium",
"title": "The MDM server must support automated patch management tools to facilitate flaw remediation of all software components on the server.\n",
"version": "SRG-APP-271-MDM-057-SRV"
},
"V-36062": {
"checkid": "C-44301r1_chk",
"checktext": "Review the MDM server configuration to ensure the system can periodically verify the correct operation of the security functions on the server. If the MDM server is not configured in this fashion, this is a finding.\n",
"description": "Security functional testing involves testing the MDM server for conformance to its security function specifications, as well as for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the MDM server to exhibit the desired security behavior or satisfy a security property; for example, a successful login triggers an audit entry. If tests are not provided and periodically run, the integrity of the system state cannot be verified. \n",
"fixid": "F-40592r1_fix",
"fixtext": "Configure the MDM server to periodically verify the correct operation of security functions in the server.\n",
"iacontrols": null,
"id": "V-36062",
"ruleID": "SV-47453r1_rule",
"severity": "medium",
"title": "The MDM server must periodically verify the correct operation of security functions in the server.\n",
"version": "SRG-APP-289-MDM-058-SRV"
},
"V-36063": {
"checkid": "C-44302r1_chk",
"checktext": "Review the MDM server configuration to determine how the system responds in the event of a failed automated security test. Determine if there is some form of beaconing or alerting that could be detectable by the MDM server or other network management system. If there are any known security tests for which notification does not occur, this is a finding.\n",
"description": "Automated security tests are critical in the detection of IA attacks. Such checks include verification of the integrity of system files, device drivers, and security enforcement mechanisms. However, users and systems administrators can only benefit from the security tests if they are notified in case of failure. A notification mechanism reduces the risk that a security breach will go undetected.\n",
"fixid": "F-40593r1_fix",
"fixtext": "Configure the operating system to provide notification of failed automated security tests.\n",
"iacontrols": null,
"id": "V-36063",
"ruleID": "SV-47454r1_rule",
"severity": "high",
"title": "The MDM server must provide notification to an external device of failed automated security tests on the server.\n",
"version": "SRG-APP-275-MDM-059-SRV"
},
"V-36064": {
"checkid": "C-44303r1_chk",
"checktext": "Review the MDM server configuration to determine the system can check the validity of information inputs. If this function cannot be performed, this is a finding.\n",
"description": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. \n",
"fixid": "F-40594r3_fix",
"fixtext": "Configure the MDM server to check the validity of information inputs. \n",
"iacontrols": null,
"id": "V-36064",
"ruleID": "SV-47455r1_rule",
"severity": "medium",
"title": "The MDM server must check the validity of information inputs.\n",
"version": "SRG-APP-251-MDM-060-SRV"
},
"V-36065": {
"checkid": "C-44304r1_chk",
"checktext": "Review the MDM server configuration to determine the system identifies potentially security relevant error conditions on the server. If this function is not performed, this is a finding.\n",
"description": "Error messages generated by the MDM server can indicate a possible security violation or breach. The MDM server system must be configured to be able to recognize those error messages that can be a symptom of a compromise and to provide notification. If security-relevant error conditions are not identified by the MDM server they may be overlooked by the personnel responsible for addressing them.\n",
"fixid": "F-40595r1_fix",
"fixtext": "Configure the MDM server to identify potentially security relevant error conditions on the server. \n",
"iacontrols": null,
"id": "V-36065",
"ruleID": "SV-47456r1_rule",
"severity": "low",
"title": "The MDM server must identify potentially security relevant error conditions on the server.\n",
"version": "SRG-APP-265-MDM-061-SRV"
},
"V-36066": {
"checkid": "C-44305r1_chk",
"checktext": "Review the MDM server configuration to determine the system reveals error messages only to authorized personnel. If error messages are displayed to unauthorized personnel, this is a finding.\n",
"description": "If the MDM server provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be carefully considered by the organization.\n",
"fixid": "F-40596r1_fix",
"fixtext": "Configure the MDM server so error messages are only revealed to authorized personnel. \n",
"iacontrols": null,
"id": "V-36066",
"ruleID": "SV-47457r1_rule",
"severity": "low",
"title": "The MDM server must reveal error messages only to authorized personnel.\n",
"version": "SRG-APP-267-MDM-062-SRV"
},
"V-36067": {
"checkid": "C-44306r1_chk",
"checktext": "Review the MDM server configuration to ensure the system can enforce the requirement that organizations, if a server component failure is detected, must activate an organization defined alarm and/or automatically shuts down the server. If this function cannot be performed, this is a finding.\n",
"description": "Predictable failure prevention requires organizational planning to address system failure issues. Since the MDM server is key to maintaining security, if it fails to function, the system could continue operating in an insecure state. The MDM server must alarm for such conditions and/or automatically shut down.\n",
"fixid": "F-40597r1_fix",
"fixtext": "Configure the MDM server to activate an alarm if a server component failure is detected. \n",
"iacontrols": null,
"id": "V-36067",
"ruleID": "SV-47458r1_rule",
"severity": "low",
"title": "The MDM server must activate an organization defined alarm and/or automatically shut down the server, if a server component failure is detected.\n",
"version": "SRG-APP-268-MDM-063-SRV"
},
"V-36068": {
"checkid": "C-44307r1_chk",
"checktext": "Review the MDM server configuration to determine whether the digital signatures on software components and applications are being validated. If the system fails this test or documentation or configuration shows that the capability is not present, this is a finding.\n",
"description": "Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. For the MDM server, this requirement applies for software updates or applications pushed from the server to managed devices. The MDM server must validate the origin of software updates and applications.\n",
"fixid": "F-40598r1_fix",
"fixtext": "Configure the MDM server to validate the digital signature on signed software components or applications.\n",
"iacontrols": null,
"id": "V-36068",
"ruleID": "SV-47459r1_rule",
"severity": "medium",
"title": "The MDM server must validate the binding of the information producer's identity to the information.\n",
"version": "SRG-APP-082-MDM-064-SRV"
},
"V-36069": {
"checkid": "C-44308r1_chk",
"checktext": "Review the MDM server configuration to determine whether an approved system use notification is displayed at logon and/or unlock. If the banner is presented by the operating system, a banner presented by the MDM server application is not required. If there is no banner, or if the banner\u2019s wording does not match the approved wording, this is a finding.\n",
"description": "If the MDM server does not display an appropriate warning display, the organization may not be able to take appropriate legal action in the case of a system compromise.\n",
"fixid": "F-40599r1_fix",
"fixtext": "Configure the MDM server to display an approved system use notification message or banner before granting access to the system. \n",
"iacontrols": null,
"id": "V-36069",
"ruleID": "SV-47460r1_rule",
"severity": "low",
"title": "The MDM server must display an approved system use notification message or banner before granting access to the system.\n",
"version": "SRG-APP-070-MDM-065-SRV"
},
"V-36070": {
"checkid": "C-44309r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is configured to automatically audit administrator account disabling actions. If this is not configured, this is a finding.\n",
"description": "When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and respond to events the MDM server must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.\n",
"fixid": "F-40600r1_fix",
"fixtext": "Configure the MDM server to automatically audit administrator account disabling actions. \n",
"iacontrols": null,
"id": "V-36070",
"ruleID": "SV-47461r1_rule",
"severity": "medium",
"title": "The MDM server must automatically audit administrator account disabling actions.\n",
"version": "SRG-APP-028-MDM-070-SRV"
},
"V-36071": {
"checkid": "C-44310r1_chk",
"checktext": "Review server configuration to ensure only the administrator can change security attributes. If any other accounts can modify security attributes, this is a finding.\n",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files, registry keys) within the system and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. If unauthorized entities were able to change them, the integrity and/or confidentiality of the MDM server could be compromised.\n",
"fixid": "F-40601r1_fix",
"fixtext": "Configure the MDM server to only allow the administrator to change security attributes.\n",
"iacontrols": null,
"id": "V-36071",
"ruleID": "SV-47462r1_rule",
"severity": "low",
"title": "The MDM server must only allow authorized entities to change security attributes.\n",
"version": "SRG-APP-010-MDM-071-SRV"
},
"V-36072": {
"checkid": "C-44311r1_chk",
"checktext": "Review the MDM server configuration to ensure downloaded software displays the signed identity of the package to the administrator prior to installation. If the software does not display the signed identity, this is a finding.\n",
"description": "The user provides an important line of defense in protecting the system against the installation of malicious software. It is more likely that software will be installed from unknown sources if the user is unaware of the transactions. Revealing the signatory of downloaded software to the user enables the user to identify rogue or suspect sources prior to installation, and possibly abort the transaction or report the concern to the IAO. \n",
"fixid": "F-40602r1_fix",
"fixtext": "Configure the MDM server to display to the user the identity of the entity that signed a downloaded application before installing the application.\n",
"iacontrols": null,
"id": "V-36072",
"ruleID": "SV-47463r1_rule",
"severity": "low",
"title": "The MDM server must display to the administrator the identity of the entity that signed the downloaded software before installing the software.\n",
"version": "SRG-APP-013-MDM-072-SRV"
},
"V-36073": {
"checkid": "C-44312r1_chk",
"checktext": "Review the MDM server configuration to ensure only organization defined network protocols are enabled. Explicitly identified components deemed necessary to support operation requirements are allowed. If non-organizational components are enabled, this is a finding.\n",
"description": "Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities. Based on that assessment some may be deemed to be non-secure except for explicitly identified components in support of specific operational requirements. Networking protocols used should be compliant with the DoD Category Assurance List (CAL).\n",
"fixid": "F-40603r1_fix",
"fixtext": "Configure the MDM server to disable the use of organization defined networking protocols within the operating system deemed to be non-secure except for explicitly identified components in support of specific operational requirements.\n",
"iacontrols": null,
"id": "V-36073",
"ruleID": "SV-47464r1_rule",
"severity": "medium",
"title": "The MDM server must disable the use of organization defined networking protocols within the operating system deemed to be non-secure except for explicitly identified components in support of specific operational requirements.\n",
"version": "SRG-APP-020-MDM-073-SRV"
},
"V-36074": {
"checkid": "C-44313r1_chk",
"checktext": "Review the MDM server configuration to ensure it enforces the organization defined time period during which consecutive invalid access attempts by an administrator are counted toward the lockout limit. If no time period is set, or it is set to a value different than the organization's policy, this is a finding.\n",
"description": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.\n",
"fixid": "F-40604r1_fix",
"fixtext": "Configure the MDM server to enforce the organization defined time period during which the limit of consecutive invalid access attempts by an administrator is counted.\n",
"iacontrols": null,
"id": "V-36074",
"ruleID": "SV-47465r1_rule",
"severity": "medium",
"title": "The MDM server must enforce the organization defined time period during which the limit of consecutive invalid access attempts by an administrator is counted.\n",
"version": "SRG-APP-066-MDM-074-SRV"
},
"V-36075": {
"checkid": "C-44314r1_chk",
"checktext": "Review the MDM server configuration to ensure only the administrator can change software resident within software libraries. If any other user is allowed to change resident software within software libraries, this is a finding.\n",
"description": "Any changes to the MDM server software can potentially have significant effects on the overall security and functionality of the system. Therefore, only qualified and authorized individuals should be allowed to obtain access to the MDM server software resident within the software libraries. If non-authorized users were to make changes to software libraries, those changes could be implemented without undergoing the appropriate testing, validation, and approval, as well as lead to system degradation and denial of service. \n",
"fixid": "F-40605r1_fix",
"fixtext": "Configure the MDM server to only allow the administrator to change software resident within software libraries.\n",
"iacontrols": null,
"id": "V-36075",
"ruleID": "SV-47466r1_rule",
"severity": "low",
"title": "The MDM server must limit privileges to change software resident within software libraries (including privileged programs).\n",
"version": "SRG-APP-133-MDM-075-SRV"
},
"V-36076": {
"checkid": "C-44315r1_chk",
"checktext": "Review the MDM server configuration to ensure that unauthorized, security-relevant configuration changes, once detected, are tracked (recorded so the change can be identified and reviewed). If the system is not configured to track these changes, this is a finding.\n",
"description": "Uncoordinated or incorrect configuration changes to the MDM server can potentially lead to outages and possibly compromises. Security-relevant configuration changes must therefore be detected and tracked so they can be reviewed and reversed before they result in an outage or compromise.\n",
"fixid": "F-40606r1_fix",
"fixtext": "Configure the MDM server to detect and track unauthorized, security relevant changes.\n",
"iacontrols": null,
"id": "V-36076",
"ruleID": "SV-47467r1_rule",
"severity": "low",
"title": "The MDM server must ensure unauthorized, security relevant configuration changes are tracked if detected.\n",
"version": "SRG-APP-139-MDM-076-SRV"
},
"V-36077": {
"checkid": "C-44316r1_chk",
"checktext": "Review the MDM server configuration to ensure organization defined system state information is preserved in the event of a failure. If the system is not configured to preserve this information, this is a finding.\n",
"description": "Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the operating system or a component of the system. \n",
"fixid": "F-40607r1_fix",
"fixtext": "Configure the MDM server to preserve organization defined system state information in the event of a system failure.\n",
"iacontrols": null,
"id": "V-36077",
"ruleID": "SV-47468r1_rule",
"severity": "medium",
"title": "The MDM server must preserve organization defined system state information in the event of a system failure.\n",
"version": "SRG-APP-226-MDM-077-SRV"
},
"V-36078": {
"checkid": "C-44317r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is configured to notify appropriate individuals when administrator accounts are created. If the system is not configured to notify appropriate individuals when administrator accounts are created, this is a finding.\n",
"description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. By notifying personnel when an account is created, action can be taken immediately to terminate the access.\n",
"fixid": "F-40608r1_fix",
"fixtext": "Configure the MDM server to notify appropriate individuals when administrator accounts are created.\n",
"iacontrols": null,
"id": "V-36078",
"ruleID": "SV-47469r1_rule",
"severity": "medium",
"title": "The MDM server must notify appropriate individuals when administrator accounts are created.\n",
"version": "SRG-APP-291-MDM-078-SRV"
},
"V-36079": {
"checkid": "C-44318r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is configured to notify appropriate individuals when administrator accounts are modified. If the system is not configured to notify appropriate individuals when administrator accounts are modified, this is a finding.\n",
"description": "Monitoring account modification is critical to ensure only appropriate personnel have access to the MDM server. This reduces the possibility that an account will be given more access than is intended. In order to facilitate the monitoring, the MDM server must notify designated personnel when an account is modified.\n",
"fixid": "F-40609r1_fix",
"fixtext": "Configure the MDM server to notify appropriate individuals when administrator accounts are modified.\n",
"iacontrols": null,
"id": "V-36079",
"ruleID": "SV-47470r1_rule",
"severity": "medium",
"title": "The MDM server must notify, as required, appropriate individuals when administrator accounts are modified.\n",
"version": "SRG-APP-292-MDM-079-SRV"
},
"V-36080": {
"checkid": "C-44319r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is configured to notify appropriate individuals when administrator accounts are disabled. If the system is not configured to notify appropriate individuals when administrator accounts are disabled, this is a finding.\n",
"description": "Monitoring account disabling is critical to ensure a denial of service situation does not exist on the MDM server. An unexpected account disabling can also be a sign that a rogue administrator account is removing traces of activity or locking out legitimate administrators. In order to facilitate the monitoring, the MDM server must notify designated personnel when an account is disabled.\n",
"fixid": "F-40610r1_fix",
"fixtext": "Configure the MDM server to notify appropriate individuals when administrator accounts are disabled.\n",
"iacontrols": null,
"id": "V-36080",
"ruleID": "SV-47471r1_rule",
"severity": "medium",
"title": "The MDM server must notify, as required, appropriate individuals when administrator accounts are disabled.\n",
"version": "SRG-APP-293-MDM-080-SRV"
},
"V-36081": {
"checkid": "C-44320r1_chk",
"checktext": "Review the MDM server configuration to ensure the system is configured to notify appropriate individuals when administrator accounts are terminated. If the system is not configured to notify appropriate individuals when administrator accounts are terminated, this is a finding.\n",
"description": "When MDM server accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, the MDM server must notify the appropriate individuals when an account is terminated, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n",
"fixid": "F-40611r1_fix",
"fixtext": "Configure the MDM server to notify appropriate individuals when administrator accounts are terminated.\n",
"iacontrols": null,
"id": "V-36081",
"ruleID": "SV-47472r1_rule",
"severity": "medium",
"title": "The MDM server must notify appropriate individuals when administrator accounts are terminated.\n",
"version": "SRG-APP-294-MDM-081-SRV"
},
"V-36082": {
"checkid": "C-44321r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server accepts alerts from managed mobile devices of certificate failures related to digital signatures on software applications or components, and notifies the appropriate user or administrator when such an alert is received. If the MDM server is not set to accept these alerts and notify the user of certificate failures related to digital signatures on software applications or components, this is a finding.\n",
"description": "A certificate failure related to a digital signature on a software application or component may indicate that the code has been tampered with or did not come from its claimed source, and is therefore a possible indicator of a system breach; it must be investigated rather than dismissed as a benign error. Notifying the MDM server of such an occurrence allows the enterprise to assess the situation, contain the breach if there is one, and possibly invoke incident response procedures.\n",
"fixid": "F-40612r1_fix",
"fixtext": "Configure the MDM server to accept alerts from managed mobile devices of certificate failures related to digital signatures on software applications or components, and to notify the user of such failures.\n",
"iacontrols": null,
"id": "V-36082",
"ruleID": "SV-47473r1_rule",
"severity": "medium",
"title": "The MDM server must accept alerts of certificate failures related to digital signatures on software applications or components on managed mobile devices.\n",
"version": "SRG-APP-053-MDM-082-MDM"
},
"V-36083": {
"checkid": "C-44322r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is mutual authentication between the provisioning server and the provisioned device. If additional assurance is required, validate the provisioning server will not provision software and data to an unauthorized device and that an authorized device will not connect to an unauthorized provisioning server (e.g., a valid provisioning server with its credentials temporarily removed for the test). If either the device does not authenticate the provisioning server, or the provisioning server does not authenticate the device, this is a finding. \n",
"description": "If mutual authentication is not performed between the MDM server and the provisioned devices during the provisioning, rogue devices could connect to the MDM server or a rogue MDM server could connect to the device. In either case, an integrity issue would exist within the mobility infrastructure. The mutual authentication ensures that the MDM server and the device are known entities before provisioning.\n",
"fixid": "F-40613r1_fix",
"fixtext": "Configure the MDM server so that mutual authentication between the provisioning server and the device is completed before the device accepts any provisioned software or data and before the server provisions anything to the device.\n",
"iacontrols": null,
"id": "V-36083",
"ruleID": "SV-47474r1_rule",
"severity": "high",
"title": "The MDM server must provide mutual authentication between the MDM server and the provisioned device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "SRG-APP-128-MDM-083-MDM"
},
"V-36084": {
"checkid": "C-44324r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system can deploy mobile operating system (MOS) and mobile application (MAP) updates via an over-the-air (OTA) session. If the MDM server cannot be configured to send MOS and MAP updates OTA, this is a finding.\n",
"description": "Without the MDM server capability to deploy operating system and application updates OTA, the mobile devices under the MDM server's control can remain exposed to newly disclosed vulnerabilities, including those already being exploited in zero day attacks, until a patch can be delivered by other means. The ability to apply updates OTA allows for rapid response to patching.\n",
"fixid": "F-40614r1_fix",
"fixtext": "Configure the MDM server to deploy MOS and MAP updates via an OTA session.\n",
"iacontrols": null,
"id": "V-36084",
"ruleID": "SV-47475r1_rule",
"severity": "medium",
"title": "The MDM server must deploy operating system and application updates via over-the-air (OTA) provisioning for managed mobile devices.\n",
"version": "SRG-APP-128-MDM-084-MAM"
},
"V-36085": {
"checkid": "C-44325r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system prevents the installation of applications that are not digitally signed with an organizationally accepted private key. If the system does not prevent the installation of applications that are not digitally signed with an organizationally accepted private key, this is a finding.\n",
"description": "Any additions of applications can potentially have significant effects on the overall security of the system. Digital signatures on code provide assurance that the code comes from a known source and has not been modified, but only when the set of signing keys the device trusts is restricted to organizationally accepted keys; if the device accepts a signature from any key, the signature proves nothing about the origin of the code. This feature is a key malware control on mobile devices.\n",
"fixid": "F-40615r1_fix",
"fixtext": "Configure the MDM server to prevent the installation of applications that are not digitally signed with an organizationally accepted private key.\n",
"iacontrols": null,
"id": "V-36085",
"ruleID": "SV-47476r1_rule",
"severity": "high",
"title": "The MDM server must prevent the installation of applications that are not digitally signed with an organizationally accepted private key.\n",
"version": "SRG-APP-131-MDM-085-MDM"
},
"V-36086": {
"checkid": "C-44326r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. If this function is not present, this is a finding.\n",
"description": "Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device. The wipe must also cover removable media cards, since data on a card that is not wiped survives a wipe of the device's internal storage and can simply be removed and read on another device.\n",
"fixid": "F-40616r1_fix",
"fixtext": "Configure the MDM server so it has the administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device.\n",
"iacontrols": null,
"id": "V-36086",
"ruleID": "SV-47477r1_rule",
"severity": "medium",
"title": "The MDM server must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device.\n",
"version": "SRG-APP-135-MDM-086-MDM"
},
"V-36087": {
"checkid": "C-44327r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage configuration settings, including security policies, on managed mobile devices. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40617r1_fix",
"fixtext": "Configure the MDM server security policy to centrally manage configuration settings, including security policies, on managed mobile devices.\n",
"iacontrols": null,
"id": "V-36087",
"ruleID": "SV-47478r1_rule",
"severity": "medium",
"title": "The MDM server must be configured to have the administrative functionality to centrally manage configuration settings, including security policies, on managed mobile devices.\n",
"version": "SRG-APP-135-MDM-087-MDM"
},
"V-36088": {
"checkid": "C-44328r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is an administrative functionality to centrally manage the managed mobile device security policy rule to perform a \u201cData Wipe\u201d function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. Data wipe may be accomplished by destroying the data-at-rest encryption key (cryptographic erasure), but this is only effective for data that was actually encrypted under that key, so a key-destruction wipe must cover the removable memory card as well as internal storage. ",
"fixid": "F-40618r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to perform a \u201cData Wipe\u201d function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached.\n",
"iacontrols": null,
"id": "V-36088",
"ruleID": "SV-47479r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Perform a Data Wipe function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached. \n",
"version": "SRG-APP-135-MDM-088-MDM"
},
"V-36089": {
"checkid": "C-44329r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is an administrative functionality to centrally manage the managed mobile device security policy rule so removable storage media cards are bound to the mobile device so data stored on them can only be read by that mobile device. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40619r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule so removable storage media cards are bound to the mobile device so data stored on them can only be read by that mobile device. \n",
"iacontrols": null,
"id": "V-36089",
"ruleID": "SV-47480r1_rule",
"severity": "medium",
"title": "The MDM server must be configured to have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Removable storage media cards are bound to the mobile device so data stored on them can only be read by that mobile device.\n",
"version": "SRG-APP-135-MDM-089-MDM"
},
"V-36090": {
"checkid": "C-44330r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable data-at-rest encryption on the mobile device. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40620r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable data-at-rest encryption on the mobile device.\n",
"iacontrols": null,
"id": "V-36090",
"ruleID": "SV-47481r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable data-at-rest encryption on the mobile device. \n",
"version": "SRG-APP-135-MDM-090-MDM"
},
"V-36091": {
"checkid": "C-44331r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40621r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable device unlock password. \n",
"iacontrols": null,
"id": "V-36091",
"ruleID": "SV-47482r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable device unlock password.\n",
"version": "SRG-APP-135-MDM-091-MDM"
},
"V-36092": {
"checkid": "C-44332r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the maximum password age (e.g., 30 days, 90 days, 180 days). If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40622r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the maximum password age.\n",
"iacontrols": null,
"id": "V-36092",
"ruleID": "SV-47483r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum password age (e.g., 30 days, 90 days, 180 days).\n",
"version": "SRG-APP-135-MDM-092-MDM"
},
"V-36093": {
"checkid": "C-44333r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule that sets the minimum password length for the device unlock password to the organizationally defined value when DoD sensitive data is being protected. The current DoD minimum value is 8 characters. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40623r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the minimum password length for the device unlock password to the organizationally defined value when DoD sensitive data is being protected.\n",
"iacontrols": null,
"id": "V-36093",
"ruleID": "SV-47484r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Minimum password length for the device unlock password is configured to the organizationally defined value when DoD sensitive data is being protected.\n",
"version": "SRG-APP-135-MDM-093-MDM"
},
"V-36094": {
"checkid": "C-44334r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the maximum password history. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. \n\nThis security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.",
"fixid": "F-40624r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the maximum password history.\n",
"iacontrols": null,
"id": "V-36094",
"ruleID": "SV-47485r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum password history.\n",
"version": "SRG-APP-135-MDM-094-MDM"
},
"V-36095": {
"checkid": "C-44335r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the device inactivity timeout whereby the user must reenter their user password or Smart Card PIN to unlock the device. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40625r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the device inactivity timeout whereby the user must reenter their user password or Smart Card PIN to unlock the device.\n",
"iacontrols": null,
"id": "V-36095",
"ruleID": "SV-47486r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Device inactivity timeout whereby the user must reenter their user password or Smart Card PIN to unlock the device. \n",
"version": "SRG-APP-135-MDM-095-MDM"
},
"V-36096": {
"checkid": "C-44336r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the device inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40626r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the device inactivity timeout.\n",
"iacontrols": null,
"id": "V-36096",
"ruleID": "SV-47487r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the device inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).\n",
"version": "SRG-APP-135-MDM-096-MDM"
},
"V-36097": {
"checkid": "C-44337r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the mobile device Bluetooth stack. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40627r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the mobile device Bluetooth stack.\n",
"iacontrols": null,
"id": "V-36097",
"ruleID": "SV-47488r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device Bluetooth stack.\n",
"version": "SRG-APP-135-MDM-097-MDM"
},
"V-36098": {
"checkid": "C-44338r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable any supported Bluetooth profile. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40628r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable any supported Bluetooth profile.\n",
"iacontrols": null,
"id": "V-36098",
"ruleID": "SV-47489r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable any supported Bluetooth profile.\n",
"version": "SRG-APP-135-MDM-098-MDM"
},
"V-36099": {
"checkid": "C-44339r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable Bluetooth. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40629r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable Bluetooth.\n",
"iacontrols": null,
"id": "V-36099",
"ruleID": "SV-47490r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable Bluetooth.\n",
"version": "SRG-APP-135-MDM-099-MDM"
},
"V-36100": {
"checkid": "C-44340r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable Bluetooth discoverable mode. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40630r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable Bluetooth discoverable mode.\n",
"iacontrols": null,
"id": "V-36100",
"ruleID": "SV-47491r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the Bluetooth discoverable mode.\n",
"version": "SRG-APP-135-MDM-100-MDM"
},
"V-36101": {
"checkid": "C-44341r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40631r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits.\n",
"iacontrols": null,
"id": "V-36101",
"ruleID": "SV-47492r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth pairing using a randomly generated passkey size of at least 8 digits.\n",
"version": "SRG-APP-135-MDM-101-MDM"
},
"V-36102": {
"checkid": "C-44342r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable Bluetooth mutual authentication immediately after the initial establishment of any Bluetooth connection between the mobile device and the smart card reader or hands free headset. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40632r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable Bluetooth mutual authentication immediately after the initial establishment of any Bluetooth connection between the mobile device and the smart card reader or hands free headset.\n",
"iacontrols": null,
"id": "V-36102",
"ruleID": "SV-47493r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth mutual authentication immediately after the initial establishment of any Bluetooth connection between the mobile device and the smart card reader or hands free headset.\n",
"version": "SRG-APP-135-MDM-102-MDM"
},
"V-36103": {
"checkid": "C-44343r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable Bluetooth 128 bit encryption. If this function is not configured, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40633r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable Bluetooth 128 bit encryption.\n",
"iacontrols": null,
"id": "V-36103",
"ruleID": "SV-47494r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth 128 bit encryption.\n",
"version": "SRG-APP-135-MDM-103-MDM"
},
"V-36104": {
"checkid": "C-44344r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set up a white list of Bluetooth devices that are authorized to pair to the mobile device (white list filters based on device Friendly Name). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40634r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set up a white list of Bluetooth devices that are authorized to pair to the mobile device.\n",
"iacontrols": null,
"id": "V-36104",
"ruleID": "SV-47495r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set up a white list of Bluetooth devices that are authorized to pair to the mobile device (white list filters based on device Friendly Name).\n",
"version": "SRG-APP-135-MDM-104-MDM"
},
"V-36105": {
"checkid": "C-44345r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable MMS messaging. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40635r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable MMS messaging.\n",
"iacontrols": null,
"id": "V-36105",
"ruleID": "SV-47496r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable MMS messaging.\n",
"version": "SRG-APP-135-MDM-105-MDM"
},
"V-36106": {
"checkid": "C-44346r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the IR port. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40636r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the IR port.\n",
"iacontrols": null,
"id": "V-36106",
"ruleID": "SV-47497r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the IR port.\n",
"version": "SRG-APP-135-MDM-106-MDM"
},
"V-36107": {
"checkid": "C-44347r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable Wi-Fi. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40637r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable Wi-Fi.\n",
"iacontrols": null,
"id": "V-36107",
"ruleID": "SV-47498r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable Wi-Fi.\n",
"version": "SRG-APP-135-MDM-107-MDM"
},
"V-36108": {
"checkid": "C-44348r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the voice recorder. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40638r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the voice recorder.\n",
"iacontrols": null,
"id": "V-36108",
"ruleID": "SV-47499r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the voice recorder.\n",
"version": "SRG-APP-135-MDM-108-MDM"
},
"V-36109": {
"checkid": "C-44349r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the microphone. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40639r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the microphone.\n",
"iacontrols": null,
"id": "V-36109",
"ruleID": "SV-47500r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the microphone.\n",
"version": "SRG-APP-135-MDM-109-MDM"
},
"V-36110": {
"checkid": "C-44350r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the GPS receiver. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40640r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the GPS receiver.\n",
"iacontrols": null,
"id": "V-36110",
"ruleID": "SV-47503r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the GPS receiver.\n",
"version": "SRG-APP-135-MDM-110-MDM"
},
"V-36111": {
"checkid": "C-44351r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the near-field communications (NFC) radio. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40641r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the near-field communications (NFC) radio.\n",
"iacontrols": null,
"id": "V-36111",
"ruleID": "SV-47504r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the near-field communications (NFC) radio.\n",
"version": "SRG-APP-135-MDM-111-MDM"
},
"V-36112": {
"checkid": "C-44352r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable all cameras. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40642r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable all cameras.\n",
"iacontrols": null,
"id": "V-36112",
"ruleID": "SV-47505r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable all cameras.\n",
"version": "SRG-APP-135-MDM-112-MDM"
},
"V-36113": {
"checkid": "C-44353r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the memory card port. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40643r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the memory card port.\n",
"iacontrols": null,
"id": "V-36113",
"ruleID": "SV-47506r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the memory card port.\n",
"version": "SRG-APP-135-MDM-113-MDM"
},
"V-36114": {
"checkid": "C-44354r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the user\u2019s ability to switch devices. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40644r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the user\u2019s ability to switch devices.\n",
"iacontrols": null,
"id": "V-36114",
"ruleID": "SV-47507r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the user's ability to switch devices.\n",
"version": "SRG-APP-135-MDM-114-MDM"
},
"V-36115": {
"checkid": "C-44355r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the mobile device user's access to an application store or repository. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40645r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the mobile device user's access to an application store or repository.\n",
"iacontrols": null,
"id": "V-36115",
"ruleID": "SV-47508r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device user's access to an application store or repository.\n",
"version": "SRG-APP-135-MDM-115-MDM"
},
"V-36116": {
"checkid": "C-44356r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to block access to specific web sites. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40646r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to block access to specific web sites.\n",
"iacontrols": null,
"id": "V-36116",
"ruleID": "SV-47509r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Block access to specific web sites.\n",
"version": "SRG-APP-135-MDM-116-MDM"
},
"V-36117": {
"checkid": "C-44357r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the mobile device user modification of the security configuration file, policy, or profile on the mobile device. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40647r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the mobile device user modification of the security configuration file, policy, or profile on the mobile device.\n",
"iacontrols": null,
"id": "V-36117",
"ruleID": "SV-47510r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device user modification of the security configuration file, policy, or profile on the mobile device.\n",
"version": "SRG-APP-135-MDM-117-MDM"
},
"V-36118": {
"checkid": "C-44358r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the security policy refresh interval (at least every 1, 6, 12, 24 hours should be supported). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40648r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the security policy refresh interval (at least every 1, 6, 12, 24 hours should be supported).\n",
"iacontrols": null,
"id": "V-36118",
"ruleID": "SV-47511r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set security policy refresh interval (at least every 1, 6, 12, 24 hours should be supported).\n",
"version": "SRG-APP-135-MDM-118-MDM"
},
"V-36119": {
"checkid": "C-44359r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable location services. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40649r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable location services.\n",
"iacontrols": null,
"id": "V-36119",
"ruleID": "SV-47512r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable location services. \n",
"version": "SRG-APP-135-MDM-119-MDM"
},
"V-36120": {
"checkid": "C-44360r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the video recorder. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40650r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the video recorder. \n",
"iacontrols": null,
"id": "V-36120",
"ruleID": "SV-47513r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the video recorder.\n",
"version": "SRG-APP-135-MDM-120-MDM"
},
"V-36121": {
"checkid": "C-44361r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the USB Port mass storage mode. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40651r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable the USB Port mass storage mode.\n",
"iacontrols": null,
"id": "V-36121",
"ruleID": "SV-47514r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the USB Port mass storage mode.\n",
"version": "SRG-APP-135-MDM-121-MDM"
},
"V-36122": {
"checkid": "C-44362r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable tethering (Wi-Fi, Bluetooth, or USB). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40652r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable or disable tethering (Wi-Fi, Bluetooth, or USB).\n",
"iacontrols": null,
"id": "V-36122",
"ruleID": "SV-47515r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable tethering (Wi-Fi, Bluetooth, or USB).\n",
"version": "SRG-APP-135-MDM-122-MDM"
},
"V-36123": {
"checkid": "C-44363r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to force the display of a warning banner on the mobile device. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.\nThe warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: \u201cI\u2019ve read & consent to terms in IS user agreement.\u201d (Wording must be exactly as specified.)",
"fixid": "F-40653r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to force the display of a warning banner on the mobile device. \n",
"iacontrols": null,
"id": "V-36123",
"ruleID": "SV-47516r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Force the display of a warning banner on the mobile device. \n",
"version": "SRG-APP-135-MDM-123-MDM"
},
"V-36124": {
"checkid": "C-44364r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disable any mobile OS service that connects to a non-DoD server. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40654r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to disable any mobile OS service that connects to a non-DoD server.\n",
"iacontrols": null,
"id": "V-36124",
"ruleID": "SV-47517r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable any mobile OS service that connects to a non-DoD server.\n",
"version": "SRG-APP-135-MDM-124-MDM"
},
"V-36125": {
"checkid": "C-44365r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of allowed repeated characters in the mobile device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40655r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of allowed repeated characters in the mobile device unlock password. \n",
"iacontrols": null,
"id": "V-36125",
"ruleID": "SV-47518r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of allowed repeated characters in the mobile device unlock password.\n",
"version": "SRG-APP-135-MDM-125-MDM"
},
"V-36126": {
"checkid": "C-44366r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow sequential numbers in the mobile device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40656r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to disallow sequential numbers in the mobile device unlock password.\n",
"iacontrols": null,
"id": "V-36126",
"ruleID": "SV-47519r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the mobile device unlock password.\n",
"version": "SRG-APP-135-MDM-126-MDM"
},
"V-36127": {
"checkid": "C-44367r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of upper case letters in the device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40657r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of upper case letters in the device unlock password.\n",
"iacontrols": null,
"id": "V-36127",
"ruleID": "SV-47520r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of upper case letters in the device unlock password.\n",
"version": "SRG-APP-135-MDM-127-MDM"
},
"V-36128": {
"checkid": "C-44368r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of special characters in the device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40658r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of special characters in the device unlock password.\n",
"iacontrols": null,
"id": "V-36128",
"ruleID": "SV-47521r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of special characters in the device unlock password.\n",
"version": "SRG-APP-135-MDM-128-MDM"
},
"V-36129": {
"checkid": "C-44369r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of lower case letters in the device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40659r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of lower case letters in the device unlock password.\n",
"iacontrols": null,
"id": "V-36129",
"ruleID": "SV-47522r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of lower case letters in the device unlock password.\n",
"version": "SRG-APP-135-MDM-129-MDM"
},
"V-36130": {
"checkid": "C-44370r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of numeric characters (digits) in the device unlock password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40660r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of numeric characters (digits) in the device unlock password.\n",
"iacontrols": null,
"id": "V-36130",
"ruleID": "SV-47523r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of numeric characters (digits) in the device unlock password.\n",
"version": "SRG-APP-135-MDM-130-MDM"
},
"V-36131": {
"checkid": "C-44371r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to perform a \u201cData Wipe\u201d function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40661r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to perform a \u201cData Wipe\u201d function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached.\n",
"iacontrols": null,
"id": "V-36131",
"ruleID": "SV-47524r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Perform a Data Wipe function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached.\n",
"version": "SRG-APP-135-MDM-131-MDM"
},
"V-36132": {
"checkid": "C-44372r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated (minimum requirement is 3-10). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40662r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated.\n",
"iacontrols": null,
"id": "V-36132",
"ruleID": "SV-47525r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of incorrect password attempts before a data wipe procedure is initiated (minimum requirement is 3-10).\n",
"version": "SRG-APP-135-MDM-132-MDM"
},
"V-36133": {
"checkid": "C-44373r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule so that when a mobile device lock occurs (user initiated or due to an inactivity timeout), all data is re-encrypted. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40663r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule so that when a mobile device lock occurs (user initiated or due to an inactivity timeout), all data is re-encrypted.\n",
"iacontrols": null,
"id": "V-36133",
"ruleID": "SV-47526r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: When a mobile device lock occurs (user initiated or due to an inactivity timeout) all data must be re-encrypted.\n",
"version": "SRG-APP-135-MDM-133-MDM"
},
"V-36134": {
"checkid": "C-44374r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule so that all data-at-rest inside the MDM server agent is encrypted. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40664r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule so that all data-at-rest inside the MDM server agent is encrypted.\n",
"iacontrols": null,
"id": "V-36134",
"ruleID": "SV-47527r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: All data-at-rest inside the MDM server agent must be encrypted. \n",
"version": "SRG-APP-135-MDM-134-MDM"
},
"V-36135": {
"checkid": "C-44375r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable an MDM server agent password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40665r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to enable an MDM server agent password.\n",
"iacontrols": null,
"id": "V-36135",
"ruleID": "SV-47528r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable an MDM server agent password.\n",
"version": "SRG-APP-135-MDM-135-MDM"
},
"V-36136": {
"checkid": "C-44376r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow sequential numbers in the MDM server agent password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40666r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to disallow sequential numbers in the MDM server agent password.\n",
"iacontrols": null,
"id": "V-36136",
"ruleID": "SV-47529r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the MDM server agent password.\n",
"version": "SRG-APP-135-MDM-136-MDM"
},
"V-36137": {
"checkid": "C-44377r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow common password patterns for the MDM server agent password (e.g., letters in order from the top row of the keypad). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
"fixid": "F-40667r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to disallow common password patterns for the MDM server agent password.\n",
"iacontrols": null,
"id": "V-36137",
"ruleID": "SV-47530r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow common password patterns for the MDM server agent password (e.g., letters in order from the top row of the keypad).\n",
"version": "SRG-APP-135-MDM-137-MDM"
},
"V-36138": {
"checkid": "C-44378r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of upper case letters in the MDM server agent password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. \n",
"fixid": "F-40668r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of upper case letters in the MDM server agent password. \n",
"iacontrols": null,
"id": "V-36138",
"ruleID": "SV-47531r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of upper case letters in the MDM server agent password.\n",
"version": "SRG-APP-135-MDM-138-MDM"
},
"V-36139": {
"checkid": "C-44379r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of numeric characters in the MDM server agent password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40669r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of numeric characters in the MDM server agent password. \n",
"iacontrols": null,
"id": "V-36139",
"ruleID": "SV-47532r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of numeric characters in the MDM server agent password.\n",
"version": "SRG-APP-135-MDM-139-MDM"
},
"V-36140": {
"checkid": "C-44380r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of special characters in the MDM server agent password. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. \n",
"fixid": "F-40670r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the number of special characters in the MDM server agent password.\n",
"iacontrols": null,
"id": "V-36140",
"ruleID": "SV-47533r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of special characters in the MDM server agent password.\n",
"version": "SRG-APP-135-MDM-140-MDM"
},
"V-36141": {
"checkid": "C-44381r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the maximum MDM server agent password age (e.g., 30 days, 90 days, 180 days). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40671r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the maximum MDM server agent password age.\n",
"iacontrols": null,
"id": "V-36141",
"ruleID": "SV-47534r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum MDM server agent password age (e.g., 30 days, 90 days, 180 days).\n",
"version": "SRG-APP-135-MDM-141-MDM"
},
"V-36142": {
"checkid": "C-44382r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the minimum MDM server agent password length of eight or more characters. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40672r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the minimum MDM server agent password length of eight or more characters.\n",
"iacontrols": null,
"id": "V-36142",
"ruleID": "SV-47535r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Minimum MDM server agent password length of eight or more characters.\n",
"version": "SRG-APP-135-MDM-142-MDM"
},
"V-36143": {
"checkid": "C-44383r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the maximum MDM server agent password history (3 previous passwords checked is the recommended setting). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40673r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the maximum MDM server agent password history.\n",
"iacontrols": null,
"id": "V-36143",
"ruleID": "SV-47547r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum MDM server agent password history (3 previous passwords checked is the recommended setting).\n",
"version": "SRG-APP-135-MDM-143-MDM"
},
"V-36144": {
"checkid": "C-44384r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the MDM server agent inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes). If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. ",
"fixid": "F-40674r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set the MDM server agent inactivity timeout.\n",
"iacontrols": null,
"id": "V-36144",
"ruleID": "SV-47548r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the MDM server agent inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).\n",
"version": "SRG-APP-135-MDM-144-MDM"
},
"V-36145": {
"checkid": "C-44385r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set approved IP address ranges, ports, and protocols on a managed mobile device firewall. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. \n",
"fixid": "F-40675r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to set approved IP address ranges, ports, and protocols on a managed mobile device firewall.\n",
"iacontrols": null,
"id": "V-36145",
"ruleID": "SV-47549r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set approved IP address ranges, ports, and protocols on a managed mobile device firewall.\n",
"version": "SRG-APP-135-MDM-145-MDM"
},
"V-36146": {
"checkid": "C-44386r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can configure the mobile agent to prohibit the download of applications on mobile operating system devices without administrator control. If this function is not present, this is a finding.\n",
"description": "The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.\n",
"fixid": "F-40676r1_fix",
"fixtext": "Configure the MDM server so the mobile device agent is configured to prohibit the download of applications on mobile operating system devices without system administrator control. \n",
"iacontrols": null,
"id": "V-36146",
"ruleID": "SV-47550r1_rule",
"severity": "medium",
"title": "The MDM server must configure the mobile device agent to prohibit the download of applications on mobile operating system devices without system administrator control (i.e., the SA either downloads and installs the application or enables the user to download/install the application).\n",
"version": "SRG-APP-135-MDM-146-MAM"
},
"V-36147": {
"checkid": "C-44387r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server application white list for managed mobile devices is set to \"Deny All\" by default when no applications are listed. If the configuration is set to anything other than \"Deny All,\" or if the MDM server does not have an application white list, this is a finding.\n",
"description": "The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.\n",
"fixid": "F-40677r1_fix",
"fixtext": "Configure the MDM server application white list for managed mobile devices to \"Deny All\" by default when no applications are listed.\n",
"iacontrols": null,
"id": "V-36147",
"ruleID": "SV-47551r1_rule",
"severity": "high",
"title": "The MDM server application white list for managed mobile devices must be set to Deny All by default when no applications are listed.\n",
"version": "SRG-APP-135-MDM-147-MAM"
},
"V-36148": {
"checkid": "C-44388r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding.\n",
"description": "The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.\n",
"fixid": "F-40678r1_fix",
"fixtext": "Configure the MDM server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications. \n",
"iacontrols": null,
"id": "V-36148",
"ruleID": "SV-47552r1_rule",
"severity": "medium",
"title": "The MDM server must configure the mobile device to prohibit the mobile device user from installing unapproved applications.\n",
"version": "SRG-APP-135-MDM-148-MAM"
},
"V-36149": {
"checkid": "C-44389r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or MDM server). If this function is not present, this is a finding.\n",
"description": "DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.\n",
"fixid": "F-40679r1_fix",
"fixtext": "Configure the MDM server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source. \n",
"iacontrols": null,
"id": "V-36149",
"ruleID": "SV-47553r1_rule",
"severity": "medium",
"title": "The MDM server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or MDM server).\n",
"version": "SRG-APP-135-MDM-149-MDM"
},
"V-36150": {
"checkid": "C-44390r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding.\n",
"description": "DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores. In some cases, certain applications are required for secure operation of the mobile devices controlled by the MDM server. In these cases, the ability to prevent users from removing the application is needed to ensure proper secure operation of the device.\n",
"fixid": "F-40680r1_fix",
"fixtext": "Configure the MDM server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.\n",
"iacontrols": null,
"id": "V-36150",
"ruleID": "SV-47554r1_rule",
"severity": "medium",
"title": "The MDM server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.\n",
"version": "SRG-APP-135-MDM-150-MDM"
},
"V-36151": {
"checkid": "C-44391r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the capability to disable the copying of data stored inside the security container to an unsecured area outside the container. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to Security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.",
"fixid": "F-40681r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to disable copying data from inside a security container to a non-secure data area on a mobile device.\n",
"iacontrols": null,
"id": "V-36151",
"ruleID": "SV-47555r1_rule",
"severity": "medium",
"title": "The MDM server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable copying data from inside a security container to a non-secure data area on a mobile device. \n",
"version": "SRG-APP-135-MDM-151-MDM"
},
"V-36152": {
"checkid": "C-44392r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. If this function is not present, this is a finding.\n",
"description": "If the security policy has been modified in an unauthorized manner, IA is severely degraded and a variety of further attacks are possible. Detecting whether the security policy has been modified or disabled mitigates these risks.\n",
"fixid": "F-40682r1_fix",
"fixtext": "Configure the MDM server to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. \n",
"iacontrols": null,
"id": "V-36152",
"ruleID": "SV-47556r1_rule",
"severity": "high",
"title": "The MDM server must be able to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. \n",
"version": "SRG-APP-137-MDM-151-MDM"
},
"V-36153": {
"checkid": "C-44393r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can employ automated mechanisms to respond to unauthorized changes to the security policy or MDM server agent on managed mobile devices. If this function is not present, this is a finding.\n",
"description": "Uncoordinated or incorrect configuration changes to the MDM server managed components can potentially lead to compromises. Without automated mechanisms to respond to changes, changes can go unnoticed for a significant amount of time, which could result in compromise. \n",
"fixid": "F-40683r1_fix",
"fixtext": "Configure the MDM server to automatically respond to unauthorized changes to the security policy or MDM server agent on managed mobile devices. \n",
"iacontrols": null,
"id": "V-36153",
"ruleID": "SV-47557r1_rule",
"severity": "medium",
"title": "The MDM server must employ automated mechanisms to respond to unauthorized changes to the security policy or MDM server agent on managed mobile devices.",
"version": "SRG-APP-138-MDM-152-MDM"
},
"V-36154": {
"checkid": "C-44394r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can uniquely identify mobile devices managed by the server prior to connecting to the device. If this function is not present, this is a finding.\n",
"description": "When managed mobile devices connect to the MDM server the security policy and possible sensitive DoD data will be pushed to the device. In addition, the device may be provided access to application and web servers on the DoD network. Therefore, strong authentication of the user on the device is required to ensure sensitive DoD data is not exposed and unauthorized access to the DoD network is not granted, exposing the network to malware and attack.\n",
"fixid": "F-40684r1_fix",
"fixtext": "Configure the MDM server to uniquely identify mobile devices managed by the server prior to connecting to the device. \n",
"iacontrols": null,
"id": "V-36154",
"ruleID": "SV-47558r1_rule",
"severity": "medium",
"title": "The MDM server must uniquely identify mobile devices managed by the server prior to connecting to the device.\n",
"version": "SRG-APP-158-MDM-153-MDM"
},
"V-36155": {
"checkid": "C-44395r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server authenticates devices before establishing remote network connections using bidirectional cryptographically based authentication between devices. If this function is not performed, this is a finding.\n",
"description": "Device authentication is a solution enabling an organization to manage devices. Without the authentication, there is risk of a rogue device being serviced by an MDM server.\n",
"fixid": "F-40685r1_fix",
"fixtext": "Configure the MDM server to authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.\n",
"iacontrols": null,
"id": "V-36155",
"ruleID": "SV-47559r1_rule",
"severity": "medium",
"title": "The MDM server must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.\n",
"version": "SRG-APP-159-MDM-154-MDM"
},
"V-36156": {
"checkid": "C-44396r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server denies all connections to DoD network servers by managed mobile devices except for network servers that have the capability to support PKI based mutual authentication between the network server and the mobile device user. If this function is not performed, this is a finding.\n",
"description": "Device authentication is a solution enabling an organization to manage both users and devices. This requirement applies to MDM servers that provide mobile device and user access to network shares, web servers, and other network resources located on the internal enclave (back-office servers, etc.). This connection bypasses user network authentication mechanisms (i.e., CAC authentication). Therefore, the MDM server must allow connections to only back-office network resources that support CAC authentication with the mobile device user.\n",
"fixid": "F-40686r1_fix",
"fixtext": "Configure the MDM server to deny all connections to DoD network servers by managed mobile devices except for network servers that have the capability to support PKI based mutual authentication between the network server and the mobile device user. \n",
"iacontrols": null,
"id": "V-36156",
"ruleID": "SV-47560r1_rule",
"severity": "high",
"title": "The MDM server must deny all connections to DoD network servers by managed mobile devices except for network servers that have the capability to support PKI based mutual authentication between the network server and the mobile device user.\n",
"version": "SRG-APP-161-MDM-156-MDM"
},
"V-36157": {
"checkid": "C-44397r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server is configured to accept only trusted connections to resources from managed mobile devices to back-office servers and network shares. If this is not configured, this is a finding.\n",
"description": "Device authentication is a solution enabling an organization to manage both users and devices. This requirement applies to MDM servers that provide mobile device and user access to network shares, web servers, and other network resources located on the internal enclave (back-office servers, etc.). This connection bypasses user network authentication mechanisms (i.e., CAC authentication). Therefore, the MDM server must allow connections to only back-office network resources that support CAC authentication with the mobile device user. In this case, a trusted connection refers to mutual PKI based authentication between the MDM server and the network server.\n",
"fixid": "F-40687r1_fix",
"fixtext": "If the MDM server is configured to allow connections from managed mobile devices to back-office servers and network shares, configure the MDM server to accept only trusted connections to those resources. \n",
"iacontrols": null,
"id": "V-36157",
"ruleID": "SV-47561r1_rule",
"severity": "medium",
"title": "When the MDM server is configured to allow connections from managed mobile devices to back-office servers and network shares, the server must be configured to accept only trusted connections to those resources.\n",
"version": "SRG-APP-161-MDM-157-MDM"
},
"V-36158": {
"checkid": "C-44398r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server denies all connections to DoD network servers by managed mobile devices unless the MDM server can support PKI based mutual authentication between the network server and the mobile device user. If this function is not configured, this is a finding.\n",
"description": "Device authentication is a solution enabling an organization to manage both users and devices. This requirement applies to MDM servers that provide mobile device and user access to network shares, web servers, and other network resources located on the internal enclave (back-office servers, etc.). This connection bypasses user network authentication mechanisms (i.e., CAC authentication). Therefore, the MDM server must support CAC authentication of the user to back-office network resources, or disable access.\n",
"fixid": "F-40688r1_fix",
"fixtext": "If the MDM server cannot support PKI based mutual authentication between the network server and the mobile device user, configure the MDM server to deny all connections to DoD network servers by managed mobile devices. \n",
"iacontrols": null,
"id": "V-36158",
"ruleID": "SV-47562r1_rule",
"severity": "medium",
"title": "The MDM server must deny all connections to DoD network servers by managed mobile devices unless the MDM server can support PKI based mutual authentication between the network server and the mobile device user.\n",
"version": "SRG-APP-161-MDM-158-MDM"
},
"V-36159": {
"checkid": "C-44399r1_chk",
"checktext": "Review the MDM server configuration to ensure the cryptographic module supporting encryption of data in transit (including email and attachments) is FIPS 140-2 validated. If it is not, this is a finding.\n",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government. This requirement applies to any secure connection between the server and other IT resource, including the secure communications tunnel between the MDM server and managed mobile devices.\n",
"fixid": "F-40689r1_fix",
"fixtext": "Configure the MDM server cryptographic module supporting encryption of data in transit (including email and attachments) to be FIPS 140-2 validated.\n",
"iacontrols": null,
"id": "V-36159",
"ruleID": "SV-47563r1_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.\n",
"version": "SRG-APP-197-MDM-159-MDM"
},
"V-36160": {
"checkid": "C-44400r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. \n\nRemote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection.\n\nRationale for non-applicability: Remote access into the server is controlled at the network or OS level.",
"fixid": "F-40690r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36160",
"ruleID": "SV-47564r1_rule",
"severity": "medium",
"title": "Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.",
"version": "SRG-APP-301-NA"
},
"V-36161": {
"checkid": "C-44401r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server ensures authentication of both mobile device MDM server agent and server during the entire session. If it does not, this is a finding.\n",
"description": "MDM servers can be prone to man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of SSL mutual authentication, the authenticity of the data cannot be guaranteed. \n",
"fixid": "F-40691r1_fix",
"fixtext": "Configure the MDM server to authenticate both the mobile device MDM server agent and server during the entire session.\n",
"iacontrols": null,
"id": "V-36161",
"ruleID": "SV-47565r1_rule",
"severity": "medium",
"title": "The MDM server must ensure authentication of both mobile device MDM server agent and server during the entire session. \n",
"version": "SRG-APP-219-MDM-160-MDM"
},
"V-36162": {
"checkid": "C-44402r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server is configured to support organizational requirements to install software updates automatically on managed mobile devices. If this function is not configured, this is a finding.\n",
"description": "Security faults with software applications and operating systems are discovered daily, and vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. By having the MDM server install software updates automatically, devices stay current and are less prone to zero-day attacks.\n\nAutomatic software installation could be performed during a wired or over-the-air (OTA) session.",
"fixid": "F-40692r1_fix",
"fixtext": "Configure the MDM server to install software updates automatically on managed mobile devices. \n",
"iacontrols": null,
"id": "V-36162",
"ruleID": "SV-47566r1_rule",
"severity": "medium",
"title": "The MDM server must support organizational requirements to install software updates automatically on managed mobile devices.\n",
"version": "SRG-APP-269-MDM-161-MAM"
},
"V-36163": {
"checkid": "C-44403r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. \n\nRemote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. \n\nAutomated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.\n\nRemote access applications, such as those providing remote access to network devices and information systems, that are individually configured with no monitoring or automation capabilities increase risk and make remote user access management difficult at best.\n\nApplications providing remote access capability need to provide the ability to automatically monitor and control remote user sessions. This includes the capability to directly trigger actions based on user activity or pass information and/or data to a separate application or entity that can then perform automated tasks based on the information. \n\nRationale for non-applicability: Remote access into the server is controlled at the network or OS level.",
"fixid": "F-40693r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36163",
"ruleID": "SV-47567r1_rule",
"severity": "medium",
"title": "The application must employ automated mechanisms to facilitate the monitoring and control of remote access methods.",
"version": "SRG-APP-300-NA"
},
"V-36164": {
"checkid": "C-44404r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server detects and reports the version of the operating system, device drivers, and application software for managed mobile devices. If this function is not configured, this is a finding.\n",
"description": "Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This mechanism also ensures the network configuration is known for risk mitigation when known issues are found with certain versions of the operating system or applications.\n",
"fixid": "F-40694r1_fix",
"fixtext": "Configure the MDM server to detect and report the version of the operating system, device drivers, and application software for managed mobile devices.\n",
"iacontrols": null,
"id": "V-36164",
"ruleID": "SV-47568r1_rule",
"severity": "high",
"title": "The MDM server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices. \n",
"version": "SRG-APP-270-MDM-162-MDM"
},
"V-36165": {
"checkid": "C-44405r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server notifies when it detects unauthorized changes to security configuration of managed mobile devices. If the MDM server does not notify in this case, this is a finding. \n",
"description": "Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. \n",
"fixid": "F-40695r1_fix",
"fixtext": "Configure the MDM server to notify when it detects unauthorized changes to security configuration of managed mobile devices.\n",
"iacontrols": null,
"id": "V-36165",
"ruleID": "SV-47569r1_rule",
"severity": "high",
"title": "The MDM server must notify when it detects unauthorized changes to security configuration of managed mobile devices.\n",
"version": "SRG-APP-286-MDM-163-MDM"
},
"V-36166": {
"checkid": "C-44406r1_chk",
"checktext": "Review the MDM server configuration to determine if it has the capability to perform required actions after receiving a security related alert. If the MDM server cannot perform required actions after receiving a security related alert, this is a finding. \n",
"description": "Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. Types of actions the MDM server must be able to perform after a security alert include: log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the MDM server, disable the security container, wipe the security container, and delete an unapproved application. Security alerts include any alert from the MDIS or MAM component of the MDM server.\n",
"fixid": "F-40696r1_fix",
"fixtext": "Use an MDM server that can perform required actions after receiving security related alerts.\n",
"iacontrols": null,
"id": "V-36166",
"ruleID": "SV-47570r1_rule",
"severity": "high",
"title": "The MDM server must perform required actions when a security related alert is received.\n",
"version": "SRG-APP-286-MDM-164-MDM"
},
"V-36167": {
"checkid": "C-44407r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server provides automated support for the management of distributed security testing on managed mobile devices. If this function is not configured, this is a finding.\n",
"description": "The need to verify security functionality is necessary to ensure the MDM server is behaving as expected and the defenses are enabled. To scale the deployment of the verification process, the MDM server systems must provide automated support for the management of distributed security testing. Without testing of the security controls across the architecture, the MDM server infrastructure could be compromised without knowledge of the administrators. \n",
"fixid": "F-40697r1_fix",
"fixtext": "Configure the MDM server to provide automated support for the management of distributed security testing on managed mobile devices. \n",
"iacontrols": null,
"id": "V-36167",
"ruleID": "SV-47571r1_rule",
"severity": "medium",
"title": "The MDM server must provide automated support for the management of distributed security testing on managed mobile devices.\n",
"version": "SRG-APP-263-MDM-164-MDM"
},
"V-36168": {
"checkid": "C-44409r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can use cryptography to protect the integrity of remote access sessions with managed mobile devices. If remote access is not enabled this rule is N/A, and does not apply. If remote access is enabled, and this function is not present, this is a finding.\n",
"description": "Encryption is critical for the protection of remote access sessions. If encryption is not used for integrity, malicious users may gain the ability to modify the MDM server. The use of cryptography for the integrity of remote access sessions to the MDM server mitigates that risk.\n",
"fixid": "F-40698r1_fix",
"fixtext": "Configure the MDM server to use cryptography to protect the integrity of remote access sessions with managed mobile devices.\n",
"iacontrols": null,
"id": "V-36168",
"ruleID": "SV-47572r1_rule",
"severity": "medium",
"title": "The MDM server must use cryptography to protect the integrity of remote access sessions with managed mobile devices.\n",
"version": "SRG-APP-015-MDM-165-MDM"
},
"V-36169": {
"checkid": "C-44408r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Device authentication is a solution enabling an organization to manage both users and devices. \n\nRationale for non-applicability: This requirement is included in SRG-APP-197-MDM-159-MDM.\n",
"fixid": "F-40699r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36169",
"ruleID": "SV-47573r1_rule",
"severity": "medium",
"title": "Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based.",
"version": "SRG-APP-299-NA"
},
"V-36170": {
"checkid": "C-44410r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server can enable and disable a managed mobile device. If this function is not present, this is a finding.\n",
"description": "Under some conditions, a compromised device represents a threat to other computing resources on the network. For example, a compromised device may attempt to conduct a denial of service attack on other devices, or may be executing a mechanism to spread malware before a countermeasure has been put in place. In these situations, it is critical that an MDM server be able to disable the device to protect other network resources.\n",
"fixid": "F-40700r1_fix",
"fixtext": "Configure the MDM server so it can enable and disable a managed mobile device.\n",
"iacontrols": null,
"id": "V-36170",
"ruleID": "SV-47574r1_rule",
"severity": "high",
"title": "The MDM server must have the capability to enable and disable a managed mobile device.\n",
"version": "SRG-APP-134-MDM-166-MDM"
},
"V-36171": {
"checkid": "C-44411r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server records an event in the server audit log if a success acknowledgement is not received from the MDM server agent after a device security policy has been pushed to a managed mobile device. If this function is not configured, this is a finding.\n",
"description": "When the MDM server transfers policies, there is the chance an error or problem with the data transfer may occur. The MDM server needs to track failures and any problems encountered when performing data transfers, so problems can be identified and remediated. Since policies are the enforcement mechanism that so many of the mobile device operating system security controls depend upon, this tracking is critical to remediate the situation quickly.",
"fixid": "F-40701r2_fix",
"fixtext": "Configure the MDM server to record an event in the server audit log if a success acknowledgement is not received from the MDM server agent after a device security policy has been pushed to a managed mobile device. \n",
"iacontrols": null,
"id": "V-36171",
"ruleID": "SV-47575r1_rule",
"severity": "medium",
"title": "The MDM server must record an event in the server audit log if a success acknowledgement is not received from the MDM server agent after a device security policy has been pushed to a managed mobile device.\n",
"version": "SRG-APP-061-MDM-167-MDM"
},
"V-36172": {
"checkid": "C-44412r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component can detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials. If this function is not present, this is a finding.\n",
"description": "Unauthorized software poses a risk to the device because it could potentially perform malicious functions, including but not limited to gathering sensitive information, searching for other system vulnerabilities, or modifying log entries. A mechanism to detect unauthorized software and notify officials of its presence assists in the task of removing such software to eliminate the risks it poses to the device and the networks to which the device attaches. \n",
"fixid": "F-40702r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to detect and report the presence of unauthorized software.\n",
"iacontrols": null,
"id": "V-36172",
"ruleID": "SV-47576r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials in accordance with the organization defined frequency.\n",
"version": "SRG-APP-189-MDM-168-MDIS"
},
"V-36173": {
"checkid": "C-44413r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component implements detection and inspection mechanisms to identify unauthorized mobile code on managed mobile devices. If this function is not configured, this is a finding.\n",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code can contain malicious code and be executed without the user's consent. When the MDM server scans and detects mobile code, this risk can be mitigated.\n",
"fixid": "F-40703r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to implement detection and inspection mechanisms to identify unauthorized mobile code on managed mobile devices.\n",
"iacontrols": null,
"id": "V-36173",
"ruleID": "SV-47577r1_rule",
"severity": "high",
"title": "The MDM server device integrity scanning component must implement detection and inspection mechanisms to identify unauthorized mobile code on managed mobile devices.\n",
"version": "SRG-APP-206-MDM-169-MDIS"
},
"V-36174": {
"checkid": "C-44414r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component scans for malicious code on managed mobile devices on an organization defined frequency. If this scanning is not being performed, this is a finding.\n",
"description": "Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n",
"fixid": "F-40704r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to scan for malicious code on managed mobile devices on an organization defined frequency.\n",
"iacontrols": null,
"id": "V-36174",
"ruleID": "SV-47578r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must scan for malicious code on managed mobile devices on an organization defined frequency.\n",
"version": "SRG-APP-277-MDM-170-MDIS"
},
"V-36175": {
"checkid": "C-44415r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component alerts when it identifies malicious code on managed mobile devices. If alerting is not configured, this is a finding.\n",
"description": "Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n",
"fixid": "F-40705r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to alert when it identifies malicious code on managed mobile devices.\n",
"iacontrols": null,
"id": "V-36175",
"ruleID": "SV-47579r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must alert when it identifies malicious code on managed mobile devices.\n",
"version": "SRG-APP-279-MDM-171-MDIS"
},
"V-36176": {
"checkid": "C-44416r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Decisions regarding the utilization of mobile code within organizational information systems need to include evaluations which help determine the potential for the code to cause damage to the system if used maliciously. \n\nRationale for non-applicability: An MDM server does not enforce mobile code policies.",
"fixid": "F-40706r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36176",
"ruleID": "SV-47580r1_rule",
"severity": "medium",
"title": "The application must prevent the execution of prohibited mobile code.",
"version": "SRG-APP-298-NA"
},
"V-36177": {
"checkid": "C-44417r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component supports organizational requirements to address the receipt of false positives during malicious code detection. If this function is not present, this is a finding.\n",
"description": "In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and Spyware. The MDM server must have an ability to address the issue of false alerts. False alerts can overwhelm reporting and administrative interfaces making it difficult to identify the true threat. A filtering capability that serves to identify and remove false positives is often employed to address this issue.\n",
"fixid": "F-40707r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to support organizational requirements to address the receipt of false positives during malicious code detection.\n",
"iacontrols": null,
"id": "V-36177",
"ruleID": "SV-47581r1_rule",
"severity": "medium",
"title": "The MDM server device integrity validation component must support organizational requirements to address the receipt of false positives during malicious code detection.\n",
"version": "SRG-APP-280-MDM-172-MDIS"
},
"V-36178": {
"checkid": "C-44418r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component provides a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. If this function is not configured, this is a finding.\n",
"description": "When an intrusion detection security event occurs, it is imperative that the operating system that has detected the event immediately notify the appropriate support personnel so they can respond accordingly. The ability of an MDM server to alert on compromises to the managed mobile devices mitigates the potential for these compromises to have further consequences to the enterprise.\n",
"fixid": "F-40708r1_fix",
"fixtext": "Configure the MDM server to provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.\n",
"iacontrols": null,
"id": "V-36178",
"ruleID": "SV-47582r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. \n",
"version": "SRG-APP-284-MDM-173-MDIS"
},
"V-36179": {
"checkid": "C-44419r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component includes the capability to notify an organization defined list of response personnel who are identified by name and/or by role notifications of suspicious events. If this function is not configured, this is a finding.\n",
"description": "Integrity checking applications are by their nature designed to monitor and detect defined events occurring on the system. When the integrity checking mechanism finds an anomaly, it must notify personnel in order to ensure the proper action is taken based upon the integrity issues found. If notification is not performed, the issue may continue or worsen to allow intruders into the system.\n",
"fixid": "F-40709r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to provide the capability to notify an organization defined list of response personnel who are identified by name and/or by role notifications of suspicious events.\n",
"iacontrols": null,
"id": "V-36179",
"ruleID": "SV-47583r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must include the capability to notify an organization defined list of response personnel who are identified by name and/or by role notifications of suspicious events.\n",
"version": "SRG-APP-286-MDM-174-MDIS"
},
"V-36180": {
"checkid": "C-44420r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "DAC is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment.\nRationale for non-applicability: This control primarily applies to the discretionary sharing of information resources by data owners. This type of service is unrelated to MDM server functionality.",
"fixid": "F-40710r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36180",
"ruleID": "SV-47584r1_rule",
"severity": "medium",
"title": "Applications that utilize Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.",
"version": "SRG-APP-297-NA"
},
"V-36181": {
"checkid": "C-44421r2_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component uses automated mechanisms to alert security personnel when the device has been \"jailbroken\" or rooted. If this function is not configured, this is a finding.",
"description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. The ability of an MDM server to detect \"jailbreaking\" or rooting of the device mitigates the potential for these breaches to have further consequences to the enterprise.\n\nJailbreaking/rooting refers to a mobile device where the security mechanisms of the hardware and OS of the device have been bypassed so the user has root access.",
"fixid": "F-40711r2_fix",
"fixtext": "Configure the MDM server device integrity validation component to use automated mechanisms to alert security personnel when the device has been \"jailbroken\" or rooted.\n",
"iacontrols": null,
"id": "V-36181",
"ruleID": "SV-47585r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must use automated mechanisms to alert security personnel when the device has been jailbroken or rooted.",
"version": "SRG-APP-237-MDM-175-MDIS"
},
"V-36182": {
"checkid": "C-44423r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server accepts alerts from the mobile operating system when the mobile OS has detected integrity check failures. If alerts are not being accepted, this is a finding.\n",
"description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Alerting an MDM server mitigates the potential for attacks triggering integrity failures to have further consequences to the enterprise.\n",
"fixid": "F-40712r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.\n",
"iacontrols": null,
"id": "V-36182",
"ruleID": "SV-47586r1_rule",
"severity": "high",
"title": "The MDM server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures. \n",
"version": "SRG-APP-237-MDM-176-MDIS"
},
"V-36183": {
"checkid": "C-44422r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Discretionary Access Control (DAC) is based on the premise that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment.\nRationale for non-applicability: This control primarily applies to the discretionary sharing of information resources by data owners. This type of service is unrelated to MDM server functionality.",
"fixid": "F-40713r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36183",
"ruleID": "SV-47587r1_rule",
"severity": "medium",
"title": "Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.",
"version": "SRG-APP-296-NA"
},
"V-36184": {
"checkid": "C-44424r2_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component can configure the device integrity validation scan interval (Desired setting is 6 hours or less). If this function is not present, this is a finding.",
"description": "Unauthorized changes to the operating system software or information on the system can possibly result in integrity or availability concerns. In order to quickly react to this situation, the operating system must detect these changes. One aspect of detection is the frequency at which the scans occur. The ability to set an appropriate frequency mitigates the risk that an attack will go without detection longer than the scanning interval.\n",
"fixid": "F-40714r2_fix",
"fixtext": "Configure the MDM server device integrity validation component device integrity validation scan interval to 6 hours or less. ",
"iacontrols": null,
"id": "V-36184",
"ruleID": "SV-47588r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component device integrity validation scan interval must be configurable (desired setting is 6 hours or less). \n",
"version": "SRG-APP-262-MDM-177-MDIS"
},
"V-36185": {
"checkid": "C-44425r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Decisions regarding the deployment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \nRationale for non-applicability: The MDM server has no mobile code protection features.",
"fixid": "F-40715r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36185",
"ruleID": "SV-47589r1_rule",
"severity": "medium",
"title": "Applications utilizing mobile code must meet DoD-defined mobile code requirements.",
"version": "SRG-APP-295-NA"
},
"V-36186": {
"checkid": "C-44426r2_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component verifies the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline. If this verification is not being performed, this is a finding.",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. ",
"fixid": "F-40716r2_fix",
"fixtext": "Configure the MDM server device integrity validation component to verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.",
"iacontrols": null,
"id": "V-36186",
"ruleID": "SV-47590r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline. \n",
"version": "SRG-APP-262-MDM-178-MDIS"
},
"V-36187": {
"checkid": "C-44428r2_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component is not capable of being disabled or controlled by the user or a mobile device application. If this function is not present, this is a finding.",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40717r1_fix",
"fixtext": "Configure the MDM server device integrity validation component so it cannot be disabled or controlled by the user or a mobile device application.\n",
"iacontrols": null,
"id": "V-36187",
"ruleID": "SV-47591r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must not be capable of being disabled or controlled by the user or a mobile device application.\n",
"version": "SRG-APP-262-MDM-179-MDIS"
},
"V-36188": {
"checkid": "C-44427r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left. \nRationale for non-applicability: The MDM server will leverage Enterprise Authentication Mechanism accounts. Therefore, the Enterprise Authentication Mechanism is expected to implement this control in lieu of local monitoring.",
"fixid": "F-40718r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36188",
"ruleID": "SV-47592r1_rule",
"severity": "medium",
"title": "The information system automatically terminates emergency accounts after an organization defined time period for each type of account.",
"version": "SRG-APP-234-NA"
},
"V-36189": {
"checkid": "C-44429r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component identifies the affected mobile device and the severity of the finding, and provides a recommended mitigation. If this function is not configured, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40719r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to identify the affected mobile device, severity of the finding, and provide a recommended mitigation.\n",
"iacontrols": null,
"id": "V-36189",
"ruleID": "SV-47593r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must identify the affected mobile device, severity of the finding, and provide a recommended mitigation.\n",
"version": "SRG-APP-262-MDM-180-MDIS"
},
"V-36190": {
"checkid": "C-44430r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component bases recommended mitigations for findings on the identified risk level of the finding. If this function is not configured, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40720r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to base recommended mitigations for findings on the identified risk level of the finding.\n",
"iacontrols": null,
"id": "V-36190",
"ruleID": "SV-47594r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must base recommended mitigations for findings on the identified risk level of the finding.\n",
"version": "SRG-APP-262-MDM-181-MDIS"
},
"V-36191": {
"checkid": "C-44431r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. \nRationale for non-applicability: The MDM server does not support name/address resolution queries.",
"fixid": "F-40721r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36191",
"ruleID": "SV-47595r1_rule",
"severity": "medium",
"title": "The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.",
"version": "SRG-APP-215-NA"
},
"V-36192": {
"checkid": "C-44432r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component operates separately and independently of the management of the mobile device security policy. If this is not the case, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40722r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to operate separately and independently of the management of the mobile device security policy.\n",
"iacontrols": null,
"id": "V-36192",
"ruleID": "SV-47596r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must operate separately and independently of the management of the mobile device security policy.\n",
"version": "SRG-APP-262-MDM-182-MDIS"
},
"V-36193": {
"checkid": "C-44433r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \nRationale for non-applicability: An MDM server is not designed to enforce policy pertaining to use of mobile code.",
"fixid": "F-40723r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36193",
"ruleID": "SV-47597r1_rule",
"severity": "medium",
"title": "Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified.",
"version": "SRG-APP-207-NA"
},
"V-36194": {
"checkid": "C-44434r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component identifies changes in file structure and files on the mobile device. If this identification is not performed, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40724r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to identify changes in file structure and files on the mobile device.\n",
"iacontrols": null,
"id": "V-36194",
"ruleID": "SV-47598r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must identify changes in file structure and files on the mobile device.\n",
"version": "SRG-APP-262-MDM-183-MDIS"
},
"V-36195": {
"checkid": "C-44435r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component identifies unexpected changes in applications installed on the mobile device. If this identification is not being performed, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40725r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to identify unexpected changes in applications installed on the mobile device.\n",
"iacontrols": null,
"id": "V-36195",
"ruleID": "SV-47599r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must identify unexpected changes in applications installed on the mobile device.\n",
"version": "SRG-APP-262-MDM-184-MDIS"
},
"V-36196": {
"checkid": "C-44437r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component has the capability to maintain change history of individual devices. If change history is not being maintained, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40726r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to maintain change history of individual devices.\n",
"iacontrols": null,
"id": "V-36196",
"ruleID": "SV-47600r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must have the capability to maintain change history of individual devices.\n",
"version": "SRG-APP-262-MDM-185-MDIS"
},
"V-36197": {
"checkid": "C-44436r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \nRationale for non-applicability: The MDM server will leverage Enterprise Authentication Mechanism accounts. Therefore, the Enterprise Authentication Mechanism is expected to implement this control in lieu of local monitoring.",
"fixid": "F-40727r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36197",
"ruleID": "SV-47601r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to enforce password complexity by the number of special characters used.",
"version": "SRG-APP-169-NA"
},
"V-36198": {
"checkid": "C-44438r1_chk",
"checktext": "Review the MDM server configuration to ensure the MDM server device integrity validation component can provide the capability for the site administrator to amend information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived. If this function is not present, this is a finding.\n",
"description": "One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur. \n",
"fixid": "F-40728r1_fix",
"fixtext": "Configure the MDM server device integrity validation component to allow the site administrator to amend information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived.\n",
"iacontrols": null,
"id": "V-36198",
"ruleID": "SV-47602r1_rule",
"severity": "high",
"title": "The MDM server device integrity validation component must provide the capability for the site administrator to amend information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived.\n",
"version": "SRG-APP-262-MDM-186-MDIS"
},
"V-36199": {
"checkid": "C-44440r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client notifies the user if it cannot verify the revocation status of the certificate. Talk to the site system administrator and have them confirm that this capability exists in the email management client. Also, review the MDM server configuration. If the mobile email client does not notify the user when it cannot verify the revocation status of the certificate, this is a finding.",
"description": "If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can use revoked certificates without detection. \n",
"fixid": "F-40729r1_fix",
"fixtext": "Configure the MDM server to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status, if this capability exists. \n",
"iacontrols": null,
"id": "V-36199",
"ruleID": "SV-47603r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must notify the user if it cannot verify the revocation status of the certificate.\n",
"version": "SRG-APP-175-MDM-187-MEM"
},
"V-36200": {
"checkid": "C-44439r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "It is critical that, when a system is at risk of failing to process audit logs as required, actions are automatically taken to mitigate the failure or risk of failure. \n\nOne method used to thwart the auditing system is for an attacker to attempt to overwhelm the auditing system with large amounts of irrelevant data. The end result is audit logs that are either overwritten, with activity thereby erased, or disk space that is exhausted, so that any future activity is no longer logged. \n\nIn many system configurations, the disk space allocated to the auditing system is separate from the disks allocated for the operating system; therefore, this may not result in a system outage.\nRationale for non-applicability: MDM server functionality involves the transfer of small policy and configuration files and other commands, none of which are expected to trigger network volume thresholds. If such protection is desired, it is better performed by the operating system or a network firewall.",
"fixid": "F-40730r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36200",
"ruleID": "SV-47604r1_rule",
"severity": "medium",
"title": "The application must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.\n",
"version": "SRG-APP-106-NA"
},
"V-36201": {
"checkid": "C-44441r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client gives the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. Talk to the site system administrator and have them confirm this capability exists in the email management client. Also, review the MDM server configuration. If the mobile email client does not give the user the option to deny acceptance of a certificate when it cannot verify the certificate's revocation status, this is a finding.\n",
"description": "When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the credentials of an unauthorized system. Allowing the operating system or user to deny certificates with unverified revocation status mitigates the risk associated with the acceptance of such certificates. \n",
"fixid": "F-40731r1_fix",
"fixtext": "Configure the MDM server to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status, if this capability exists. \n",
"iacontrols": null,
"id": "V-36201",
"ruleID": "SV-47605r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.\n",
"version": "SRG-APP-175-MDM-188-MEM"
},
"V-36202": {
"checkid": "C-44442r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client alerts the user if it receives a public-key certificate issued from an untrusted certificate authority. Talk to the site system administrator and have them confirm this capability exists in the email management client. Also, review the MDM server configuration. If the mobile email client does not alert the user if it receives a public-key certificate issued from an untrusted certificate authority, this is a finding.\n",
"description": "If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.\n",
"fixid": "F-40732r1_fix",
"fixtext": "Configure the MDM server to alert the user if it receives a public-key certificate issued from an untrusted certificate authority, if this capability exists. \n",
"iacontrols": null,
"id": "V-36202",
"ruleID": "SV-47606r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority. \n",
"version": "SRG-APP-175-MDM-189-MEM"
},
"V-36203": {
"checkid": "C-44443r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. The MDM server is not a CDS.",
"fixid": "F-40733r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36203",
"ruleID": "SV-47607r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must uniquely authenticate destination domains when transferring information.",
"version": "SRG-APP-060-NA"
},
"V-36204": {
"checkid": "C-44444r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the email client provides users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the email client does not provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority, this is a finding.",
"description": "When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious, and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of a certificate if it was issued by an untrusted certificate authority. \n",
"fixid": "F-40734r1_fix",
"fixtext": "Configure the MDM server to provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. \n",
"iacontrols": null,
"id": "V-36204",
"ruleID": "SV-47608r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.\n",
"version": "SRG-APP-175-MDM-190-MEM"
},
"V-36205": {
"checkid": "C-44446r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \nRationale for non-applicability: There is only one domain on the MDM server.",
"fixid": "F-40736r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36205",
"ruleID": "SV-47609r1_rule",
"severity": "medium",
"title": "Applications must uniquely identify destination domains for information transfer.",
"version": "SRG-APP-051-NA"
},
"V-36206": {
"checkid": "C-44445r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client alerts the user if it receives an invalid public-key certificate. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not alert the user if it receives an invalid public-key certificate, this is a finding.",
"description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.\n",
"fixid": "F-40735r1_fix",
"fixtext": "Configure the MDM server to alert the user if it receives an invalid public-key certificate. \n",
"iacontrols": null,
"id": "V-36206",
"ruleID": "SV-47610r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must alert the user if it receives an invalid public-key certificate. \n",
"version": "SRG-APP-175-MDM-191-MEM"
},
"V-36207": {
"checkid": "C-44447r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "While a great deal of effort is made to secure applications so as to prevent unauthorized access, in certain instances there can be valid requirements to listen/hear or view all content related to a particular user's application session in real time as it occurs. \nRationale for non-applicability: All user sessions are administrative whether local or remote.",
"fixid": "F-40737r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36207",
"ruleID": "SV-47611r1_rule",
"severity": "medium",
"title": "The application must provide the capability to remotely view/hear all content related to an established user session in real time.",
"version": "SRG-APP-094-NA"
},
"V-36208": {
"checkid": "C-44448r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the email client does not give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid, this is a finding.",
"description": "When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious, and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates. \n",
"fixid": "F-40738r1_fix",
"fixtext": "Configure the MDM server to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. \n",
"iacontrols": null,
"id": "V-36208",
"ruleID": "SV-47612r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.\n",
"version": "SRG-APP-175-MDM-192-MEM"
},
"V-36209": {
"checkid": "C-44449r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client does not accept certificate revocation information without verifying its authenticity. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client accepts certificate revocation information without verifying its authenticity, this is a finding.",
"description": "If the operating system does not verify the authenticity of revocation information, there is the potential that an authorized system is providing false information. Acceptance of the false information could result in the installation of unauthorized software or connection to rogue networks, depending on the use for which the certificate is intended. Verifying the authenticity of revocation information mitigates this risk.\n",
"fixid": "F-40739r1_fix",
"fixtext": "Configure the MDM server to not accept certificate revocation information without verifying its authenticity. \n",
"iacontrols": null,
"id": "V-36209",
"ruleID": "SV-47613r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must not accept certificate revocation information without verifying its authenticity. \n",
"version": "SRG-APP-175-MDM-193-MEM"
},
"V-36210": {
"checkid": "C-44450r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client verifies all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions, this is a finding.\n",
"description": "If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mobile user with such false assurance, the adversary may be able to obtain DoD information, capture authentication credentials, and perform other unauthorized functions. Verifying all digital certificates in the chain mitigates this risk.\n",
"fixid": "F-40740r1_fix",
"fixtext": "Configure the MDM server to verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. \n",
"iacontrols": null,
"id": "V-36210",
"ruleID": "SV-47614r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must verify all digital certificates in the certificate chain when performing PKI transactions.\n",
"version": "SRG-APP-175-MDM-194-MEM"
},
"V-36211": {
"checkid": "C-44451r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified, this is a finding.",
"description": "When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious, and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates. \n",
"fixid": "F-40741r1_fix",
"fixtext": "Configure the MDM server to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. \n",
"iacontrols": null,
"id": "V-36211",
"ruleID": "SV-47615r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.\n",
"version": "SRG-APP-175-MDM-195-MEM"
},
"V-36212": {
"checkid": "C-44452r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client alerts the user if it receives a public-key certificate with a non-FIPS-approved algorithm. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not alert the user if it receives a public-key certificate with a non-FIPS-approved algorithm, this is a finding.",
"description": "If the user is aware that a certificate uses a non-FIPS-approved algorithm (and therefore is not acceptable for protecting DoD information), the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.\n",
"fixid": "F-40742r1_fix",
"fixtext": "Configure the MDM server to alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. \n",
"iacontrols": null,
"id": "V-36212",
"ruleID": "SV-47616r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. \n",
"version": "SRG-APP-175-MDM-196-MEM"
},
"V-36213": {
"checkid": "C-44454r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \nRationale for non-applicability: The only security attribute managed by the system is digital signatures.",
"fixid": "F-40743r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36213",
"ruleID": "SV-47617r1_rule",
"severity": "medium",
"title": "The application must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.",
"version": "SRG-APP-009-NA"
},
"V-36214": {
"checkid": "C-44453r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm, this is a finding. ",
"description": "When the mobile email client accepts the use of invalid certificates, including certificates that use non-FIPS-approved algorithms, there is the potential that the system or object presenting the certificate is malicious, and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates; at a minimum, the user must be given the option to deny the certificate rather than having it accepted silently. \n",
"fixid": "F-40744r1_fix",
"fixtext": "Configure the MDM server to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. \n",
"iacontrols": null,
"id": "V-36214",
"ruleID": "SV-47618r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. \n",
"version": "SRG-APP-175-MDM-197-MEM"
},
"V-36215": {
"checkid": "C-44455r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client alerts the user if the CRL associated with the certificate cannot be verified (i.e., the certificate's revocation status is unverified). Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not alert the user if the certificate uses an unverified CRL, this is a finding.",
"description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.\n",
"fixid": "F-40745r1_fix",
"fixtext": "Configure the MDM server to alert the user if the certificate uses an unverified CRL. \n",
"iacontrols": null,
"id": "V-36215",
"ruleID": "SV-47619r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must alert the user if the certificate uses an unverified CRL. \n",
"version": "SRG-APP-175-MDM-198-MEM"
},
"V-36216": {
"checkid": "C-44456r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified, this is a finding.",
"description": "If the user is aware that the revocation status of a certificate cannot be verified, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Giving the user the option to deny the certificate ensures that an unverifiable CRL does not result in the certificate being accepted silently, which would make it more likely that an adversary can launch an attack from an untrusted system. \n",
"fixid": "F-40746r1_fix",
"fixtext": "Configure the MDM server to give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. \n",
"iacontrols": null,
"id": "V-36216",
"ruleID": "SV-47620r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.\n",
"version": "SRG-APP-175-MDM-199-MEM"
},
"V-36217": {
"checkid": "C-44457r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client alerts the user if it receives an unverified public-key certificate. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not alert the user if it receives an unverified public-key certificate, this is a finding. ",
"description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.\n",
"fixid": "F-40747r1_fix",
"fixtext": "Configure the MDM server to alert the user if it receives an unverified public-key certificate. \n",
"iacontrols": null,
"id": "V-36217",
"ruleID": "SV-47621r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must alert the user if it receives an unverified public-key certificate. \n",
"version": "SRG-APP-175-MDM-200-MEM"
},
"V-36218": {
"checkid": "C-44458r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client encrypts all email (including email attachments) sent over the wireless link between the mobile email client and the MDM server located on the DoD network using AES. Verify the AES encryption key length is at least 128 bits (AES 128-bit encryption key length is the minimum requirement; AES 256 is desired). Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not encrypt all email (including email attachments) sent over the wireless link between the mobile email client and the MDM server located on the DoD network using AES 128 (or a larger key size), this is a finding.",
"description": "Email (including attachments) traversing the wireless link between the mobile email client and the MDM server is exposed to interception and modification by anyone able to observe that link. Encrypting the link with AES protects the confidentiality of messages in transit (and, when an authenticated mode of operation is used, their integrity as well). AES with adequate key lengths (128 bits minimum) provides assurance that the protection is strong.\n",
"fixid": "F-40748r1_fix",
"fixtext": "Configure the MDM server to send all email (including email attachments) over the wireless link between the mobile email client and the MDM server mobile email management component located on the DoD network using AES 128 (or a larger key size). \n",
"iacontrols": null,
"id": "V-36218",
"ruleID": "SV-47622r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, all email (including email attachments) sent over the wireless link between the mobile email client and the MDM server mobile email management component located on the DoD network must be encrypted using AES. AES 128 bit encryption key length is the minimum requirement; AES 256 desired. \n",
"version": "SRG-APP-194-MDM-201-MEM"
},
"V-36219": {
"checkid": "C-44459r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client encrypts all email using a FIPS 140-2 validated encryption algorithm. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not encrypt all email using a FIPS 140-2 validated encryption algorithm, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement is that the email client must encrypt email using an algorithm implemented in a FIPS 140-2 validated cryptographic module. Note that FIPS 140-2 validation applies to the cryptographic module rather than to an algorithm in isolation, so the check should confirm the module's validation status and not just the algorithm name.\n",
"fixid": "F-40749r1_fix",
"fixtext": "Configure the MDM server to encrypt all email using a FIPS 140-2 validated encryption algorithm. \n",
"iacontrols": null,
"id": "V-36219",
"ruleID": "SV-47623r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must encrypt all email using a FIPS 140-2 validated encryption algorithm. \n",
"version": "SRG-APP-194-MDM-202-MEM"
},
"V-36220": {
"checkid": "C-44460r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client is capable of providing S/MIME v3 (or later version) encryption of email. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client is not capable of providing S/MIME v3 (or later version) encryption of email, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case S/MIME is the required mechanism for encryption of email.\n",
"fixid": "F-40750r1_fix",
"fixtext": "Configure the MDM server to provide S/MIME v3 (or later version) encryption of email. \n",
"iacontrols": null,
"id": "V-36220",
"ruleID": "SV-47624r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must be capable of providing S/MIME v3 (or later version) encryption of email. \n",
"version": "SRG-APP-196-MDM-203-MEM"
},
"V-36221": {
"checkid": "C-44461r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: This control maps to NIST SP 800-53 AC-4, which has been determined to apply to cross-domain solutions not within the scope of this SRG.\n",
"fixid": "F-40751r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36221",
"ruleID": "SV-47625r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.",
"version": "SRG-APP-039-NA"
},
"V-36222": {
"checkid": "C-44462r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Some organizations may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of normal business hours as a security-related event requiring that the application user be notified. In those instances, where organizations define such events, the application must notify the affected user or users.\nRationale for non-applicability: The MDM server has no user accounts, only administrators.",
"fixid": "F-40752r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36222",
"ruleID": "SV-47626r1_rule",
"severity": "medium",
"title": "Applications must notify users of organization defined security-related changes to the user's account occurring during the organization defined time period.\n",
"version": "SRG-APP-079-NA"
},
"V-36223": {
"checkid": "C-44463r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client S/MIME feature is fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must both be supported. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client S/MIME feature is not fully interoperable with DoD PKI and CAC/PIV, or if CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores are not both supported, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the DoD PKI credentials held on the CAC/PIV (hard token) or in a PKCS#12 (soft token) certificate store are the required mechanism for that protection.\n",
"fixid": "F-40753r1_fix",
"fixtext": "Configure the MDM server so the email client on the mobile device is configured to utilize DoD PKI and CAC/PIV.\n",
"iacontrols": null,
"id": "V-36223",
"ruleID": "SV-47627r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. \n",
"version": "SRG-APP-196-MDM-204-MEM"
},
"V-36224": {
"checkid": "C-44464r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client is capable of providing S/MIME v3 (or later version) encryption of email using a 3DES or AES algorithm (when AES is used, a 128-bit key length is the minimum; AES 256 is desired). Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client is not capable of providing S/MIME v3 (or later version) encryption of email with a 3DES or AES algorithm, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm; AES (128-bit key minimum, 256-bit desired) is preferred over 3DES.\n",
"fixid": "F-40754r1_fix",
"fixtext": "Configure the MDM server so the email client on the mobile device is configured to utilize S/MIME encryption with a 3DES or AES algorithm.\n",
"iacontrols": null,
"id": "V-36224",
"ruleID": "SV-47628r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES 128 bit encryption key length is the minimum requirement; AES 256 desired.\n",
"version": "SRG-APP-196-MDM-205-MEM"
},
"V-36225": {
"checkid": "C-44465r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client S/MIME cryptographic module is FIPS 140-2 validated. Talk to the site system administrator and have them show you that this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client S/MIME cryptographic module is not FIPS 140-2 validated, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the S/MIME cryptographic module must be FIPS 140-2 validated.\n",
"fixid": "F-40755r1_fix",
"fixtext": "Configure the MDM server so the email client on the mobile device utilizes a FIPS 140-2 validated cryptographic module.\n",
"iacontrols": null,
"id": "V-36225",
"ruleID": "SV-47629r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client S/MIME cryptographic module must be FIPS 140-2 validated.\n",
"version": "SRG-APP-196-MDM-206-MEM"
},
"V-36226": {
"checkid": "C-44466r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email server/client saves public certificates of contacts in the contact object by one or both of the following methods: 1. By saving public PKI certificates that were attached to a received email message to the contacts object. 2. By downloading the certificates via an external partner PKI lookup from the mobile device. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email server/client does not save public certificates of contacts in the contact object by one of the two acceptable methods, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the user must be given the capability to save public certificates of contacts. Saving a certificate to a contact does not by itself establish trust in it; the saved certificate must still be validated (certificate chain and revocation status) before it is used to encrypt email to that contact.",
"fixid": "F-40756r1_fix",
"fixtext": "Configure the MDM server to save public certificates of contacts in the contact object by either of the following acceptable methods: 1. By saving public PKI certificates that were attached to a received email message to the contacts object. 2. By downloading the certificates via an external partner PKI lookup from the mobile device.\n",
"iacontrols": null,
"id": "V-36226",
"ruleID": "SV-47630r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must provide the mobile device user the capability to save public certificates of contacts in the contact object.\n",
"version": "SRG-APP-196-MDM-208-MEM"
},
"V-36227": {
"checkid": "C-44467r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Determine if the mobile email client caches the certificate status of an email recipient's PKI certificate. If yes, verify the cached certificate status is purged within a period not extending beyond the expiration period of the revocation data (for example, the next-update time of the CRL or OCSP response); seven days after the status is saved is considered the default value for the expiration period. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client saves the certificate status of an email recipient's PKI certificate and does not purge the certificate status within 7 days after being saved (or within the expiration period of the revocation data, if that is shorter), this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement limits how long the certificate status of signed emails is cached on the mobile device, so that a certificate revoked after its status was cached is not still treated as valid once the revocation data that status was based on has expired.\n",
"fixid": "F-40757r1_fix",
"fixtext": "If the MDM server saves the certificate status of an email recipient's PKI certificate, configure the MDM server to purge the certificate status within a period not extending beyond the expiration period of the revocation data. \n",
"iacontrols": null,
"id": "V-36227",
"ruleID": "SV-47631r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must cache the certificate status of signed emails that have been received on the handheld device for a period not extending beyond the expiration period of the revocation data. \n",
"version": "SRG-APP-196-MDM-209-MEM"
},
"V-36228": {
"checkid": "C-44468r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client sets the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not set the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that Smart Card/Certificate Store password caching must time out, so that a cached PIN or password cannot be used to sign or decrypt email indefinitely if the device falls into unauthorized hands.\n",
"fixid": "F-40758r1_fix",
"fixtext": "Configure the MDM server to set the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available.\n",
"iacontrols": null,
"id": "V-36228",
"ruleID": "SV-47632r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must set the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available.\n",
"version": "SRG-APP-196-MDM-210-MEM"
},
"V-36229": {
"checkid": "C-44469r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client provides the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the email client must be able to sign and/or encrypt outgoing messages.",
"fixid": "F-40759r1_fix",
"fixtext": "Configure the MDM server to provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates. \n",
"iacontrols": null,
"id": "V-36229",
"ruleID": "SV-47633r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates. \n",
"version": "SRG-APP-196-MDM-211-MEM"
},
"V-36230": {
"checkid": "C-44470r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client provides the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the email client must be able to decrypt incoming email messages.\n",
"fixid": "F-40760r1_fix",
"fixtext": "Configure the MDM server to provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates. \n",
"iacontrols": null,
"id": "V-36230",
"ruleID": "SV-47634r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates. \n",
"version": "SRG-APP-196-MDM-212-MEM"
},
"V-36231": {
"checkid": "C-44471r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client provides a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not provide a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the email client must validate certificates through a trusted OCSP, CRL, or SCVP.",
"fixid": "F-40761r1_fix",
"fixtext": "Configure the MDM server to provide a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP. \n",
"iacontrols": null,
"id": "V-36231",
"ruleID": "SV-47635r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.\n",
"version": "SRG-APP-196-MDM-213-MEM"
},
"V-36232": {
"checkid": "C-44472r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client provides a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the user must be notified if the CRL/SCVP/OCSP server cannot be contacted or the revocation data it provides cannot be verified; without such a warning the client may silently fail open and treat a certificate of unknown revocation status as valid.",
"fixid": "F-40762r1_fix",
"fixtext": "Configure the MDM server to provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified. \n",
"iacontrols": null,
"id": "V-36232",
"ruleID": "SV-47636r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified \n",
"version": "SRG-APP-196-MDM-214-MEM"
},
"V-36233": {
"checkid": "C-44473r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that the email client must support retrieving certificates not stored in the local trust anchor store.\n",
"fixid": "F-40763r1_fix",
"fixtext": "Configure the MDM server to retrieve encryption certificates not stored in the local trust anchor store for S/MIME purposes. \n",
"iacontrols": null,
"id": "V-36233",
"ruleID": "SV-47637r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.\n",
"version": "SRG-APP-196-MDM-215-MEM"
},
"V-36234": {
"checkid": "C-44474r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client supports SHA2 or later signing operations. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not support SHA2 or later signing operations, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states the email client must support SHA2 signing.\n",
"fixid": "F-40764r1_fix",
"fixtext": "Configure the MDM server to support SHA2 or later signing operations. \n",
"iacontrols": null,
"id": "V-36234",
"ruleID": "SV-47638r1_rule",
"severity": "medium",
"title": "If the MDM server includes a mobile email management capability, the email client must support SHA2 signing operations.\n",
"version": "SRG-APP-196-MDM-216-MEM"
},
"V-36235": {
"checkid": "C-44475r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. Requiring that all emails are viewed in plain text helps remediate phishing attempts.\n",
"fixid": "F-40765r1_fix",
"fixtext": "Configure the MDM server to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. \n",
"iacontrols": null,
"id": "V-36235",
"ruleID": "SV-47639r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.\n",
"version": "SRG-APP-196-MDM-217-MEM"
},
"V-36236": {
"checkid": "C-44476r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client supports SHA2 signature verification. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not support SHA2 signature verification, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data and must be supported on signature verification. In this case the requirement is that the email client must support SHA2 signature verification.\n",
"fixid": "F-40766r1_fix",
"fixtext": "Configure the MDM server to support SHA2 signature verification. \n",
"iacontrols": null,
"id": "V-36236",
"ruleID": "SV-47640r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must support SHA2 signature verification.\n",
"version": "SRG-APP-196-MDM-218-MEM"
},
"V-36237": {
"checkid": "C-44477r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the MDM server manages all email by a mobile email management server. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not manage all email by a mobile email management server, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data and must be supported on signature verification. In this case the requirement is that the email client must interface directly with the MDM server.",
"fixid": "F-40767r1_fix",
"fixtext": "Configure the MDM server email component to manage all email sent to the mobile device.\n",
"iacontrols": null,
"id": "V-36237",
"ruleID": "SV-47641r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, all email sent to the mobile device must be managed by the MDM server mobile email component. Desktop or Internet controlled email redirection are not authorized.\n",
"version": "SRG-APP-197-MDM-219-MEM"
},
"V-36238": {
"checkid": "C-44478r1_chk",
"checktext": "Review product configuration to determine whether there are appropriate controls to protect key material. If available, use scanning tools to determine whether keys can be modified by non-privileged users and processes. If such key material can be modified, this is a finding.\n",
"description": "Secure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). If an adversary is able to modify key material, then the adversary may be able to compromise sensitive DoD information. The adversary may also be able to bypass authentication controls on downloaded applications, websites, and network access points depending on the keys modified. This attack could enable the adversary to install unauthorized applications and stage subsequent attacks on other systems. Preventing modification of key material mitigates the risk of this attack.\n\nKey material generally refers to cryptographic keys and algorithms. There are operations where key material must be modified for proper operation of the cryptographic system.",
"fixid": "F-40768r1_fix",
"fixtext": "Configure the MDM server to prevent modification of key material except during secure, non-operable system states.\n",
"iacontrols": null,
"id": "V-36238",
"ruleID": "SV-47642r1_rule",
"severity": "high",
"title": "The MDM server must prevent modification of key material except during secure, non-operable system states.\n",
"version": "SRG-APP-037-MDM-220-SRV"
},
"V-36239": {
"checkid": "C-44479r1_chk",
"checktext": "Review MDM server documentation to determine the expected behavior of the system. Inspect readily available configuration settings if these are available. Otherwise, test the MDM server with a known revoked certificate to determine whether the server properly rejects further transactions with the system or object presenting the revoked certificate. If the MDM server accepts a revoked certificate or is configured not to check for certificate revocation, this is a finding.\n",
"description": "Failure to verify a certificate\u2019s revocation status can result in the system accepting a revoked and therefore unauthorized certificate. This could result in the installation of unauthorized software or connection to rogue networks, depending on the use for which the certificate is intended. Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.\n",
"fixid": "F-40769r1_fix",
"fixtext": "Configure the MDM server to query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes. \n",
"iacontrols": null,
"id": "V-36239",
"ruleID": "SV-47643r1_rule",
"severity": "low",
"title": "The MDM server must query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes.\n",
"version": "SRG-APP-175-MDM-221-SRV"
},
"V-36240": {
"checkid": "C-44480r1_chk",
"checktext": "Review MDM server configuration to validate the MDM server is verifying all digital certificates in the certificate chain when performing PKI transactions. If higher assurance is required, the reviewer should attempt to perform a transaction using a falsely signed certificate. If the certificate is accepted, the operating system is likely not performing the required check of root and intermediate certificates. If all digital certificates in the chain are not being verified during PKI transactions, this is a finding.\n",
"description": "If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mobile user with such false assurance, the adversary may be able to obtain DoD information, capture authentication credentials, and perform other unauthorized functions. Verifying all digital certificates in the chain mitigates this risk.\n",
"fixid": "F-40770r1_fix",
"fixtext": "Configure the MDM server to check all digital certificates in the certificate chain when performing PKI transactions. \n",
"iacontrols": null,
"id": "V-36240",
"ruleID": "SV-47644r1_rule",
"severity": "low",
"title": "The MDM server must verify all digital certificates in the certificate chain when performing PKI transactions.\n",
"version": "SRG-APP-175-MDM-222-SRV"
},
"V-36241": {
"checkid": "C-44481r1_chk",
"checktext": "Direct the MDM server system administrator to log into the MDM server using their CAC or Administrator Smartcard to verify the server supports PKI-based authentication. If a user cannot authenticate using their CAC or Administrator Smartcard, this is a finding.\n",
"description": "The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. The authenticated identity must be mapped to an account for access and authorization decisions. This capability strengthens authentication to remote information systems and thus makes it less likely that such systems will be compromised.\n",
"fixid": "F-40771r1_fix",
"fixtext": "Configure the MDM server to support public-key certificate-based authentication. \n",
"iacontrols": null,
"id": "V-36241",
"ruleID": "SV-47645r1_rule",
"severity": "low",
"title": "The MDM server must ensure that PKI-based authentication maps the authenticated identity to the user account.\n",
"version": "SRG-APP-177-MDM-223-MDM"
},
"V-36242": {
"checkid": "C-44482r1_chk",
"checktext": "Review MDM server configuration, and NIST FIPS certificate to validate the server supports AES encryption for data in transit. Confirm that at least AES 128 bit encryption is used. If the MDM server does not support AES encryption for data in transit, this is a finding.\n",
"description": "If data in transit is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. AES encryption with appropriate key lengths provides assurance that the cryptography is adequate. This requirement applies to data transmitted to managed mobile devices and to another enterprise network management application.\n",
"fixid": "F-40772r1_fix",
"fixtext": "Configure the MDM server to use AES 128 or AES 256 encryption for data in transit. \n",
"iacontrols": null,
"id": "V-36242",
"ruleID": "SV-47646r1_rule",
"severity": "medium",
"title": "The MDM server must encrypt all data in transit (e.g., mobile device encryption keys, server PKI certificates, mobile device data bases) using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired). \n",
"version": "SRG-APP-264-MDM-224-SRV"
},
"V-36243": {
"checkid": "C-44483r1_chk",
"checktext": "Review MDM server configuration, and NIST FIPS certificate to validate the server produces, controls, and distributes symmetric cryptographic keys using NIST-approved or NSA approved key management technology and processes. If the MDM server does not produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA approved key management technology and processes, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.\n",
"fixid": "F-40773r1_fix",
"fixtext": "Configure the MDM server to produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA approved key management technology and processes. \n",
"iacontrols": null,
"id": "V-36243",
"ruleID": "SV-47647r1_rule",
"severity": "medium",
"title": "The MDM server must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA approved key management technology and processes.\n",
"version": "SRG-APP-192-MDM-225-SRV"
},
"V-36244": {
"checkid": "C-44484r1_chk",
"checktext": "Review MDM server configuration, and NIST FIPS certificate to validate the server produces, controls, and distributes asymmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. If the MDM server does not produce, control, and distribute asymmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data.\n",
"fixid": "F-40774r1_fix",
"fixtext": "Configure the MDM server to produce, control, and distribute asymmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. \n",
"iacontrols": null,
"id": "V-36244",
"ruleID": "SV-47648r1_rule",
"severity": "medium",
"title": "The MDM server must produce, control, and distribute asymmetric cryptographic keys using NSA-approved or NIST-approved key management technology and processes.\n",
"version": "SRG-APP-193-MDM-226-SRV"
},
"V-36245": {
"checkid": "C-44485r1_chk",
"checktext": "Review the MDM server configuration to determine whether the root and intermediate certificates are present. In some cases, their presence may not be detected by user inspection, in which case the reviewer should review MDM server documentation to determine whether they are present. If higher assurance is required, the reviewer should attempt to perform a transaction using a falsely signed certificate. If the certificate is accepted, the operating system is likely not performing the required check of root and intermediate certificates. If the DoD root and intermediate certificates are not present, this is a finding.\n",
"description": "DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.\n",
"fixid": "F-40775r1_fix",
"fixtext": "Install DoD root and intermediate certificates on the MDM server.\n",
"iacontrols": null,
"id": "V-36245",
"ruleID": "SV-47649r1_rule",
"severity": "medium",
"title": "The MDM server must have access to DoD root and intermediate PKI certificates when performing DoD PKI related transactions.\n",
"version": "SRG-APP-194-MDM-227-SRV"
},
"V-36246": {
"checkid": "C-44486r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\nRationale for non-applicability: The MDM server will leverage Enterprise Authentication Mechanism accounts. Therefore, the Enterprise Authentication Mechanism is expected to implement this control in lieu of local monitoring.",
"fixid": "F-40776r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36246",
"ruleID": "SV-47650r1_rule",
"severity": "medium",
"title": "The application must notify the user of the number of unsuccessful login/access attempts occurring during an organization defined time period.",
"version": "SRG-APP-078-NA"
},
"V-36247": {
"checkid": "C-44487r1_chk",
"checktext": "Review MDM server configuration, and NIST FIPS certificate to validate the server uses AES encryption for the certificate store. Confirm that at least AES 128 bit encryption is used. If the MDM server does not use AES 128 or AES 256 encryption for the certificate store, this is a finding.\n",
"description": "If an adversary can access the key store, it may be able to use the keys to perform a variety of unauthorized transactions. It may also be able to modify public-keys in a way that it can trick the operating system into accepting invalid certificates. Encrypting the key store protects the integrity and confidentiality of keys. AES encryption with adequate key lengths provides assurance that the protection is strong.\n",
"fixid": "F-40777r1_fix",
"fixtext": "Configure the MDM server to use AES 128 or AES 256 encryption for the certificate store. \n",
"iacontrols": null,
"id": "V-36247",
"ruleID": "SV-47651r1_rule",
"severity": "medium",
"title": "The MDM server PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).\n",
"version": "SRG-APP-194-MDM-228-SRV"
},
"V-36248": {
"checkid": "C-44488r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of successful attempts made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. \nRationale for non-applicability: The MDM server will leverage Enterprise Authentication Mechanism accounts. Therefore, the Enterprise Authentication Mechanism is expected to implement this control in lieu of local monitoring.",
"fixid": "F-40778r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36248",
"ruleID": "SV-47652r1_rule",
"severity": "medium",
"title": "In order to inform the user of the number of successful login attempts made with the user's account, the application must notify the user of the number of successful logins/accesses occurring during an organization defined time period.",
"version": "SRG-APP-077-NA"
},
"V-36249": {
"checkid": "C-44489r1_chk",
"checktext": "Review MDM server configuration, and NIST FIPS certificate to validate the server implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. If the MDM server does not implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. Data at rest on the phone and memory storage devices, data in transit, and critical data in memory could be applicable.",
"fixid": "F-40779r1_fix",
"fixtext": "Configure the MDM server to implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n",
"iacontrols": null,
"id": "V-36249",
"ruleID": "SV-47653r1_rule",
"severity": "low",
"title": "The MDM server must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n",
"version": "SRG-APP-196-MDM-229-SRV"
},
"V-36250": {
"checkid": "C-44490r1_chk",
"checktext": "Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, verify the mobile email server supports the capability to limit what fields in the email client contacts list can be exported to the mobile device contacts list. This feature is usually implemented via a security policy pushed from the MDM server to the email client. Transferred email contact information should be limited to contact name and telephone numbers. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not support the capability to limit what fields in the email client contacts list can be exported to the mobile device contacts list, if email management capability is supported, this is a finding.",
"description": "The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed.\n",
"fixid": "F-40781r1_fix",
"fixtext": "Configure the MDM server to limit the fields in the email client contacts list that can be exported to the mobile device contacts list, if this capability is supported.\n",
"iacontrols": null,
"id": "V-36250",
"ruleID": "SV-47654r1_rule",
"severity": "low",
"title": "If the MDM server includes a mobile email management capability, the email client must support the capability to enable or disable contact list data elements transferred to the phone application.\n",
"version": "SRG-APP-243-MDM-230-MEM"
},
"V-36251": {
"checkid": "C-44491r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40780r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36251",
"ruleID": "SV-47655r1_rule",
"severity": "medium",
"title": "Applications must uniquely authenticate source domains for information transfer.",
"version": "SRG-APP-050-NA"
},
"V-36252": {
"checkid": "C-44492r1_chk",
"checktext": "Review MDM server documentation to validate the MDM server associates digital certificates used to sign applications, security policies, etc., with information exchanged between information systems. If the MDM server does not associate digital certificates used to sign applications, security policies, etc., with information exchanged between information systems, this is a finding.\n",
"description": "When data is exchanged between information systems, the security attributes associated with said data need to be maintained. If the associated keys are disrupted, application integrity is lost.\n",
"fixid": "F-40782r1_fix",
"fixtext": "Configure the MDM server to associate digital certificates used to sign applications, security policies, etc., with information exchanged between information systems. \n",
"iacontrols": null,
"id": "V-36252",
"ruleID": "SV-47656r1_rule",
"severity": "low",
"title": "The MDM server must associate digital certificates used to sign applications, security policies, etc., with information exchanged between information systems.\n",
"version": "SRG-APP-203-MDM-231-MDM"
},
"V-36253": {
"checkid": "C-44493r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \nRationale for non-applicability: The MDM server does not support multiple security domains.",
"fixid": "F-40783r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36253",
"ruleID": "SV-47657r1_rule",
"severity": "medium",
"title": "Applications must uniquely identify source domains for information transfer.",
"version": "SRG-APP-049-NA"
},
"V-36254": {
"checkid": "C-44494r1_chk",
"checktext": "Review MDM server configuration to determine the MDM server validates the integrity of digital certificates exchanged between systems. If the MDM server does not validate the integrity of digital certificates exchanged between systems, this is a finding.\n",
"description": "When data is exchanged between information systems, the security attributes associated with said data need to be maintained. If the associated keys are disrupted, application integrity is lost.\n",
"fixid": "F-40784r1_fix",
"fixtext": "Configure the MDM server to validate the integrity of digital certificates exchanged between systems. \n",
"iacontrols": null,
"id": "V-36254",
"ruleID": "SV-47658r1_rule",
"severity": "low",
"title": "The MDM server must validate the integrity of digital certificates exchanged between systems.\n",
"version": "SRG-APP-204-MDM-232-SRV"
},
"V-36255": {
"checkid": "C-44495r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server issues public-key certificates. If no, this requirement is not applicable. If yes, verify the server issues certificates that are compliant with the DoD PKI and DoD certificate policy. If the MDM server issues certificates that are not compliant with the DoD PKI and DoD certificate policy, this is a finding.\n",
"description": "Only DoD PKI issued or approved software authentication certificates must be installed on DoD mobile operating system devices. Without this, trust paths would be broken, which could lead to unapproved certificates being used.\n",
"fixid": "F-40785r1_fix",
"fixtext": "Configure the MDM server to issue only DoD approved certificates, if this feature is supported.\n",
"iacontrols": null,
"id": "V-36255",
"ruleID": "SV-47659r1_rule",
"severity": "medium",
"title": "The MDM server must support organizational requirements to issue public-key certificates under an appropriate certificate policy or obtain public-key certificates under an appropriate certificate policy from an approved service provider.\n",
"version": "SRG-APP-205-MDM-233-SRV"
},
"V-36256": {
"checkid": "C-44496r1_chk",
"checktext": "Review MDM server documentation and configuration to verify the MDM server encrypts all data using AES encryption. If the MDM server does not encrypt data at rest, or does so only selectively, or does so using an encryption algorithm other than AES (for unclassified data), this is a finding. \n",
"description": "If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. AES encryption with appropriate key lengths provides assurance that the cryptography is adequate.\n",
"fixid": "F-40786r1_fix",
"fixtext": "Configure the MDM server to encrypt all data on the mobile device using AES encryption.\n",
"iacontrols": null,
"id": "V-36256",
"ruleID": "SV-47660r1_rule",
"severity": "medium",
"title": "The MDM server must encrypt all key data items (e.g., mobile device encryption keys, server PKI certificates, mobile device data bases) saved in memory using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired). \n",
"version": "SRG-APP-232-MDM-234-SRV"
},
"V-36257": {
"checkid": "C-44497r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \nRationale for non-applicability: The MDM server does not support the concept of sanctioned or unsanctioned information.",
"fixid": "F-40787r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36257",
"ruleID": "SV-47661r1_rule",
"severity": "medium",
"title": "Applications must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy.",
"version": "SRG-APP-047-NA"
},
"V-36258": {
"checkid": "C-44498r1_chk",
"checktext": "Review system configuration to determine whether the MDM server maintains the binding of digital signatures to software objects when those objects are stored after installation. If these bindings are not maintained, this is a finding.\n",
"description": "Digital signatures enable the system to verify the integrity of the signed object and authenticate the object\u2019s signatory. Failure to maintain the binding of digital signatures on software components and applications in storage makes it more likely that an adversary could modify or replace those objects. Conversely, the bindings enable the operating system to verify the software\u2019s integrity and source with a high degree of assurance whenever necessary. \n",
"fixid": "F-40788r1_fix",
"fixtext": "Configure the MDM server to maintain the binding of digital signatures to software objects when those objects are stored after installation.\n",
"iacontrols": null,
"id": "V-36258",
"ruleID": "SV-47662r1_rule",
"severity": "high",
"title": "The MDM server must support and maintain the binding of digital signatures on software components and applications in storage.\n",
"version": "SRG-APP-006-MDM-235-SRV"
},
"V-36259": {
"checkid": "C-44499r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: The scope of this SRG concerns MDM server systems that support a single security domain.",
"fixid": "F-40789r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36259",
"ruleID": "SV-47663r1_rule",
"severity": "medium",
"title": "Applications designed to control information flow must provide the ability to detect unsanctioned information being transmitted across security domains.",
"version": "SRG-APP-046-NA"
},
"V-36260": {
"checkid": "C-44500r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: The MDM server does not support multiple security domains.",
"fixid": "F-40790r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36260",
"ruleID": "SV-47664r1_rule",
"severity": "medium",
"title": "Applications, when transferring information between different security domains, must implement or incorporate policy filters that constrain data object and structure attributes according to organizational security policy requirements.",
"version": "SRG-APP-045-NA"
},
"V-36261": {
"checkid": "C-44501r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system, and between information systems (as opposed to who is allowed to access the information), and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: This control maps to NIST SP 800-53 AC-4, which has been determined to apply to cross-domain solutions not within the scope of this SRG.\n",
"fixid": "F-40791r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36261",
"ruleID": "SV-47665r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.",
"version": "SRG-APP-038-NA"
},
"V-36262": {
"checkid": "C-44502r1_chk",
"checktext": "Review system configuration to determine whether the MDM server maintains the binding of digital signatures on software components and applications in process. If these bindings are not maintained, this is a finding.\n",
"description": "Digital signatures enable the system to verify the integrity of the signed object and authenticate the object\u2019s signatory. Failure to maintain the binding of digital signatures on software components and applications in process makes it more likely that an adversary could modify or replace those objects when the software is executed. The bindings enable the operating system to verify the software\u2019s integrity and source just before the execution process. \n",
"fixid": "F-40792r1_fix",
"fixtext": "Configure the MDM server to maintain the binding of digital signatures on software components and applications in process.\n",
"iacontrols": null,
"id": "V-36262",
"ruleID": "SV-47666r1_rule",
"severity": "high",
"title": "The MDM server must support and maintain the binding of digital signatures on software components and applications in process.\n",
"version": "SRG-APP-007-MDM-236-SRV"
},
"V-36263": {
"checkid": "C-44503r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). \nRationale for non-applicability: This control primarily applies to the discretionary sharing of information resources by data owners. This type of service is unrelated to MDM server functionality.",
"fixid": "F-40793r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36263",
"ruleID": "SV-47667r1_rule",
"severity": "medium",
"title": "The application must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.",
"version": "SRG-APP-036-NA"
},
"V-36264": {
"checkid": "C-44504r1_chk",
"checktext": "Review system configuration to determine whether the MDM server maintains the binding of digital signatures on information in transmission. If these bindings are not maintained, this is a finding.\n",
"description": "Digital signatures enable the system to verify the integrity of the signed object and authenticate the object\u2019s signatory. Failure to maintain the binding of digital signatures on software components and applications in process makes it more likely that an adversary could modify or replace those objects when the software is executed. The bindings enable the operating system to verify the software\u2019s integrity and source just before the execution process. In order for the signature to be present at execution, it must be bound during transmission.",
"fixid": "F-40794r1_fix",
"fixtext": "Configure the MDM server to maintain the binding of digital signatures on information in transmission.\n",
"iacontrols": null,
"id": "V-36264",
"ruleID": "SV-47668r1_rule",
"severity": "high",
"title": "The MDM server must support and maintain the binding of digital signatures on information in transmission.\n",
"version": "SRG-APP-008-MDM-237-SRV"
},
"V-36265": {
"checkid": "C-44505r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Atypical account usage is behavior that is not part of normal usage cycles, for example, user account activity occurring after hours or on weekends. \nRationale for non-applicability: The MDM server will leverage Enterprise Authentication Mechanism accounts. Therefore, the Enterprise Authentication Mechanism is expected to implement this control in lieu of local monitoring.",
"fixid": "F-40795r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36265",
"ruleID": "SV-47669r1_rule",
"severity": "medium",
"title": "Applications must support the organizational requirement to automatically monitor on atypical usage of accounts.",
"version": "SRG-APP-030-NA"
},
"V-36266": {
"checkid": "C-44506r1_chk",
"checktext": "Review system documentation to determine whether the MDM server maintains the binding of digital credentials to information with sufficient assurance that the information/credential association can be used as the basis for automated policy actions. If these bindings are not maintained, this is a finding.\n",
"description": "Without the assurance of credential association with the information, policy decisions based on that association become faulty and potentially allow for authorization decisions that are applied incorrectly.\n\nSufficient assurance: assurance that the digital credential has not been removed, replaced or modified.",
"fixid": "F-40796r1_fix",
"fixtext": "Configure the MDM server to maintain the binding of digital credentials to information with sufficient assurance that the information/credential association can be used as the basis for automated policy actions.\n",
"iacontrols": null,
"id": "V-36266",
"ruleID": "SV-47670r1_rule",
"severity": "high",
"title": "The MDM server must maintain the binding of digital credentials to information with sufficient assurance that the information/credential association can be used as the basis for automated policy actions.\n",
"version": "SRG-APP-011-MDM-238-SRV"
},
"V-36267": {
"checkid": "C-44507r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. An example of a cryptographic mechanism is the computation and application of a cryptographic-signed hash using asymmetric cryptography. \nRationale for non-applicability: This requirement is better allocated to a central audit management system.",
"fixid": "F-40797r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36267",
"ruleID": "SV-47671r1_rule",
"severity": "medium",
"title": "The application must protect audit data records and integrity by using cryptographic mechanisms.",
"version": "SRG-APP-126-NA"
},
"V-36268": {
"checkid": "C-44508r1_chk",
"checktext": "Review MDM server configuration to determine whether the MDM server only allows authorized administrators to associate PKI credentials with information. If the MDM server allows individuals other than authorized administrators to associate PKI credentials with information, this is a finding.\n",
"description": "Without the assurance of credential association with the information, policy decisions based on that association become faulty and potentially allow for authorization decisions that are applied incorrectly. \n",
"fixid": "F-40798r1_fix",
"fixtext": "Configure MDM server administrator accounts so only authorized administrators can associate PKI credentials with information. \n",
"iacontrols": null,
"id": "V-36268",
"ruleID": "SV-47672r1_rule",
"severity": "high",
"title": "The MDM server must only allow authorized administrators to associate PKI credentials with information.\n",
"version": "SRG-APP-012-MDM-239-SRV"
},
"V-36269": {
"checkid": "C-44510r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "It is critical that, when a system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the system were to continue processing without auditing enabled, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. \nRationale for non-applicability: This requirement is better handled by the operating system or the audit system handling this capability.",
"fixid": "F-40800r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36269",
"ruleID": "SV-47673r1_rule",
"severity": "medium",
"title": "The application must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.",
"version": "SRG-APP-107-NA"
},
"V-36270": {
"checkid": "C-44509r1_chk",
"checktext": "Review MDM server documentation and audit configuration to verify the MDM server creates an audit record automatically on administrator account creation. If MDM server does not create an audit record automatically on administrator account creation, this is a finding.\n",
"description": "Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of re-establishing access. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and, if required, notifies administrators. Such a process greatly reduces the risk of accounts being created outside the normal approval process and provides logging that can be used for forensic purposes. Additionally, the audit records of account creation can be compared to the known approved account creation list.",
"fixid": "F-40799r1_fix",
"fixtext": "Configure the MDM server to create an audit record automatically on administrator account creation.\n",
"iacontrols": null,
"id": "V-36270",
"ruleID": "SV-47674r1_rule",
"severity": "medium",
"title": "The MDM server must automatically audit on administrator account creation.\n",
"version": "SRG-APP-026-MDM-240-SRV"
},
"V-36271": {
"checkid": "C-44511r1_chk",
"checktext": "Review MDM server documentation and audit configuration to verify the MDM server audits any use of privileged accounts, or roles, with access to organization defined security functions or security relevant information, when accessing other system functions. If auditing is not being performed, this is a finding.\n",
"description": "This requirement is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. An audit trail pertaining to the access of security functions or security relevant information is imperative for forensic analysis in the event a non-privileged account becomes a part of a role it should not be a part of.",
"fixid": "F-40801r1_fix",
"fixtext": "Configure the MDM server to audit any use of privileged accounts, or roles, with access to organization defined security functions or security relevant information, when accessing other system functions.\n",
"iacontrols": null,
"id": "V-36271",
"ruleID": "SV-47675r1_rule",
"severity": "medium",
"title": "The MDM server must audit any use of privileged accounts, or roles, with access to organization defined security functions or security relevant information, when accessing other system functions.\n",
"version": "SRG-APP-063-MDM-241-SRV"
},
"V-36272": {
"checkid": "C-44512r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when transfer is occurring between security domains. \nRationale for non-applicability: The MDM server is not intended to store user data and therefore would not employ notions of chain of custody.",
"fixid": "F-40802r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36272",
"ruleID": "SV-47676r1_rule",
"severity": "medium",
"title": "The application must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.",
"version": "SRG-APP-084-NA"
},
"V-36273": {
"checkid": "C-44513r1_chk",
"checktext": "On the MDM server, review the audit logs to determine whether they contain entries with the severity level of each recorded event. If any event in the log does not have an event severity level, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. Event severity levels allow system administrators and IA personnel to more easily identify critical system issues and debug software.\n",
"fixid": "F-40803r1_fix",
"fixtext": "Modify the audit configuration to include the severity level of events in audit records.\n",
"iacontrols": null,
"id": "V-36273",
"ruleID": "SV-47677r1_rule",
"severity": "low",
"title": "The MDM server must produce audit records containing the severity level of each recorded event.\n",
"version": "SRG-APP-095-MDM-242-SRV"
},
"V-36274": {
"checkid": "C-44514r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).\nRationale for non-applicability: The MDM server is not intended to store user data and therefore would not employ notions of chain of custody.",
"fixid": "F-40805r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36274",
"ruleID": "SV-47678r1_rule",
"severity": "medium",
"title": "Applications must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.",
"version": "SRG-APP-083-NA"
},
"V-36275": {
"checkid": "C-44515r1_chk",
"checktext": "On the MDM server, review the audit logs to determine whether the entries have timestamps with a resolution of at least one second (i.e., the entry shows the second it occurred). If any log entry does not have a timestamp with a resolution of at least one second, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. The inclusion of timestamps better enables correlation of events across disparate systems, which can be critical to isolating IA incidents and developing appropriate countermeasures. \n",
"fixid": "F-40804r1_fix",
"fixtext": "Modify the audit configuration to include timestamps for audit entries.\n",
"iacontrols": null,
"id": "V-36275",
"ruleID": "SV-47679r1_rule",
"severity": "low",
"title": "The MDM server must include date and timestamps in each event recorded in audit logs.\n",
"version": "SRG-APP-096-MDM-243-SRV"
},
"V-36276": {
"checkid": "C-44516r1_chk",
"checktext": "On the MDM server, review the audit logs to determine whether the entries include the software component that generated the event. If an entry does not provide information regarding the source of the event, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. The inclusion of the software component that generated each event in the audit logs enables system administrators and IA personnel to identify the source of problems and incidents. Without this data, the component information may not be known.\n",
"fixid": "F-40806r1_fix",
"fixtext": "Modify the audit configuration to include the software component that generated the event for each entry in the audit logs.\n",
"iacontrols": null,
"id": "V-36276",
"ruleID": "SV-47680r1_rule",
"severity": "low",
"title": "The MDM server must include the software component (e.g., administration module, mobile device security policy module, etc.) that generated each event recorded in audit logs.\n",
"version": "SRG-APP-097-MDM-244-SRV"
},
"V-36277": {
"checkid": "C-44517r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Non-repudiation supports audit requirements to provide the appropriate organizational officials the means to identify who produced specific information in the event of an information transfer. \nRationale for non-applicability: This requirement is better allocated to the operating system.",
"fixid": "F-40807r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36277",
"ruleID": "SV-47681r1_rule",
"severity": "medium",
"title": "The application must associate the identity of the information producer with the information.",
"version": "SRG-APP-081-NA"
},
"V-36278": {
"checkid": "C-44518r1_chk",
"checktext": "On the MDM server, review the audit logs to determine whether the entries include sufficient information to establish the sources of the events. If an entry does not provide information to establish the sources of events, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, for example, timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, IP addresses, and access control or flow control rules invoked.",
"fixid": "F-40808r1_fix",
"fixtext": "Modify the audit configuration to include sufficient information to establish the sources of the events.\n",
"iacontrols": null,
"id": "V-36278",
"ruleID": "SV-47682r1_rule",
"severity": "low",
"title": "The MDM server must produce audit records containing sufficient information to establish the sources of the events.\n",
"version": "SRG-APP-098-MDM-245-SRV"
},
"V-36279": {
"checkid": "C-44519r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. \nRationale for non-applicability: This requirement is better specified by other audit related CCIs. CCI-001314 ensures that only the MDM server Administrator has access to error messages.",
"fixid": "F-40809r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36279",
"ruleID": "SV-47683r1_rule",
"severity": "medium",
"title": "The application must only generate error messages that provide information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.",
"version": "SRG-APP-266-NA"
},
"V-36280": {
"checkid": "C-44520r1_chk",
"checktext": "On the MDM server, review the audit logs to determine whether the entries include sufficient information to establish the outcome (success or failure) of the events. If an entry does not provide information to establish the outcome (success or failure) of the events, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, for example, timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Success or failure indicators allow recreation of the processes that led up to events in question.",
"fixid": "F-40810r1_fix",
"fixtext": "Modify the audit configuration to include sufficient information to establish the outcome (success or failure) of the events.\n",
"iacontrols": null,
"id": "V-36280",
"ruleID": "SV-47684r1_rule",
"severity": "low",
"title": "The MDM server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.\n",
"version": "SRG-APP-099-MDM-246-SRV"
},
"V-36281": {
"checkid": "C-44521r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Originators of SPAM emails are constantly changing their source email addresses in order to defeat SPAM countermeasures; therefore, SPAM software must be constantly updated to address the changing threat. A manual update procedure is labor intensive and does not scale well in an enterprise environment which necessitates an automatic update capability.\nRationale for non-applicability: The MDM server does not perform SPAM protection.",
"fixid": "F-40811r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36281",
"ruleID": "SV-47685r1_rule",
"severity": "medium",
"title": "Applications that are utilized to address the issue of SPAM and provide protection from SPAM must automatically update any and all SPAM protection measures including signature definitions.",
"version": "SRG-APP-261-NA"
},
"V-36282": {
"checkid": "C-44522r1_chk",
"checktext": "Verify the audit logs can be transferred from the MDM server to a storage location other than the MDM server itself. The systems administrator of the device may demonstrate this capability using an audit management application or other means. Audit records will be logged on the device for various actions especially those related to sensitive or potentially suspicious activities. The specific events to log and the information recorded for each will be a function of policy. If audit logs cannot be transferred on request or on a periodic schedule, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents. An important aspect of security is maintaining awareness of what users have tried to do with their devices.\n",
"fixid": "F-40812r1_fix",
"fixtext": "Configure the MDM server to support the transfer of audit logs to remote log or management servers.\n",
"iacontrols": null,
"id": "V-36282",
"ruleID": "SV-47686r1_rule",
"severity": "high",
"title": "The MDM server must support the transfer of audit logs to remote log or management servers.\n",
"version": "SRG-APP-102-MDM-247-SRV"
},
"V-36283": {
"checkid": "C-44523r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Senders of SPAM messages are continually modifying their tactics and source email addresses in order to elude protection mechanisms. To stay up-to-date with the changing threat and to identify SPAM messages, it is critical that SPAM protection mechanisms are kept current.\nRationale for non-applicability: The MDM server does not perform SPAM protection.",
"fixid": "F-40813r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36283",
"ruleID": "SV-47687r1_rule",
"severity": "medium",
"title": "Applications that serve to protect organizations and individuals from SPAM messages must incorporate update mechanisms updating protection mechanisms and signature updates when new application releases are available in accordance with organizational configuration management policy and procedures.\n",
"version": "SRG-APP-260-NA"
},
"V-36284": {
"checkid": "C-44524r1_chk",
"checktext": "Verify the audit logs can be transferred from managed mobile devices to the MDM server. Review the MDM server mobile device account configuration and have the system administrator show logs of managed mobile devices on the MDM server. If audit logs are not being transferred on request or on a periodic schedule, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents.\n",
"fixid": "F-40814r1_fix",
"fixtext": "Configure the MDM server to transfer audit logs from managed mobile devices to the MDM server.\n",
"iacontrols": null,
"id": "V-36284",
"ruleID": "SV-47688r1_rule",
"severity": "high",
"title": "The MDM server must transfer audit logs from managed mobile devices to the MDM server.\n",
"version": "SRG-APP-102-MDM-248-MDM"
},
"V-36285": {
"checkid": "C-44525r1_chk",
"checktext": "Verify the MDM server can provide designated alerts to another enterprise network management application using SNMPv3. The systems administrator of the device may demonstrate this capability using an audit management application or other means. If designated alerts cannot be transferred to another enterprise network management application using SNMPv3, this is a finding.\n",
"description": "Distributing designated alerts via SNMP will ensure appropriate management personnel and/or management applications receive the alerts.\n",
"fixid": "F-40815r1_fix",
"fixtext": "Configure the MDM server to provide designated alerts to another enterprise network management application using SNMPv3.\n",
"iacontrols": null,
"id": "V-36285",
"ruleID": "SV-47689r1_rule",
"severity": "high",
"title": "The MDM server must provide designated alerts to another enterprise network management application using SNMPv3.\n",
"version": "SRG-APP-102-MDM-249-SRV"
},
"V-36286": {
"checkid": "C-44526r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "There is a recognized need to balance encrypting traffic versus the need to have insight into the traffic from a monitoring perspective. \nRationale for non-applicability: The MDM server traffic between the server and mobile device cannot be monitored. This is a feature of an MDM server.",
"fixid": "F-40816r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36286",
"ruleID": "SV-47690r1_rule",
"severity": "medium",
"title": "For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring.",
"version": "SRG-APP-282-NA"
},
"V-36287": {
"checkid": "C-44527r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Intrusion monitoring applications are by their nature designed to monitor and record network and system traffic and activity. They can accumulate a significant amount of sensitive data, examples of which could include user account information and application data not related to the intrusion monitoring application itself. \nRationale for non-applicability: The MDM server is not an IDS.",
"fixid": "F-40817r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36287",
"ruleID": "SV-47691r1_rule",
"severity": "medium",
"title": "The application must enforce organizational requirements to protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.",
"version": "SRG-APP-288-NA"
},
"V-36288": {
"checkid": "C-44528r3_chk",
"checktext": "Verify the MDM server can provide designated alerts to another enterprise network management application using an IPSec, TLS, or SSL encrypted secure connection. The systems administrator of the device may demonstrate this capability using an audit management application or other means. If designated alerts cannot be transferred to another enterprise network management application using an IPSec, TLS, or SSL encrypted secure connection, this is a finding.",
"description": "Auditing and logging are key components of any security architecture. Centrally managing audit data provides for easier management of mobility events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of audit data can facilitate troubleshooting when problems are encountered and can assist in performing root cause analysis. A repository of audit data can also be correlated in real time to identify suspicious behavior or be archived for review at a later time for research and analysis.\n",
"fixid": "F-40818r2_fix",
"fixtext": "Configure the MDM server to provide designated alerts to another enterprise network management application using an IPSec, TLS, or SSL encrypted secure connection.",
"iacontrols": null,
"id": "V-36288",
"ruleID": "SV-47692r1_rule",
"severity": "high",
"title": "The MDM server must provide designated alerts to another enterprise network management application using an IPSec, TLS, or SSL encrypted secure connection.",
"version": "SRG-APP-102-MDM-250-SRV"
},
"V-36289": {
"checkid": "C-44529r1_chk",
"checktext": "On the MDM server, review the audit logs to verify 7 days of audit logs can be stored on the server. If the reserved storage for the audit records is less than 7 days, this is a finding.\n",
"description": "Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. If auditing is not comprehensive and managed effectively, including adequate capacity, it will not be useful for intrusion monitoring, security investigations, and forensic analysis. \n",
"fixid": "F-40819r1_fix",
"fixtext": "Allocate additional operating system audit log storage capacity for 7 days of operation.\n",
"iacontrols": null,
"id": "V-36289",
"ruleID": "SV-47693r1_rule",
"severity": "medium",
"title": "The MDM server must allocate sufficient audit record storage capacity for 7 days of operation.\n",
"version": "SRG-APP-072-MDM-251-SRV"
},
"V-36290": {
"checkid": "C-44530r1_chk",
"checktext": "Verify the MDM server sends alerts to the administrator or organization's central audit management system when the audit log size reaches an organization defined critical percentage of capacity. Review audit logs and MDM server configuration. If designated alerts are not sent, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. Alerting administrators when audit log size thresholds are exceeded helps ensure the administrators can respond to heavy activity in a timely manner. Failure to alert increases the probability that an adversary\u2019s actions will go undetected.\n",
"fixid": "F-40820r1_fix",
"fixtext": "Configure the MDM server audit feature to alert the administrator or organization's central audit management system when the audit log size reaches an organization defined critical percentage of capacity and full capacity.\n",
"iacontrols": null,
"id": "V-36290",
"ruleID": "SV-47694r1_rule",
"severity": "low",
"title": "The MDM server must send alerts to the administrator or organization's central audit management system when the audit log size reaches an organization defined critical percentage of capacity and full capacity.\n",
"version": "SRG-APP-071-MDM-252-SRV"
},
"V-36291": {
"checkid": "C-44531r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Any application providing intrusion detection and prevention capabilities must be architected and implemented so as to prevent non-privileged users from circumventing such protections. This can be accomplished through the use of user roles, use of proper systems permissions, auditing, logging, etc.\nRationale for non-applicability: The MDM server is not an IDS.",
"fixid": "F-40821r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36291",
"ruleID": "SV-47695r1_rule",
"severity": "medium",
"title": "Applications providing IDS and prevention capabilities must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.",
"version": "SRG-APP-285-NA"
},
"V-36292": {
"checkid": "C-44532r1_chk",
"checktext": "Verify the MDM server sends alerts to designated organizational officials in the event of an audit processing failure. If designated alerts are not sent, this is a finding.\n",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit processing failure occurs, forensic analysis or detection may not be possible. ",
"fixid": "F-40822r1_fix",
"fixtext": "Configure the MDM server audit feature to alert designated organizational officials in the event of an audit processing failure.\n",
"iacontrols": null,
"id": "V-36292",
"ruleID": "SV-47696r1_rule",
"severity": "low",
"title": "The MDM server must alert designated organizational officials in the event of an audit processing failure.\n",
"version": "SRG-APP-108-MDM-253-SRV"
},
"V-36293": {
"checkid": "C-44533r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Unusual/unauthorized activities or conditions include internal traffic indicating the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. \nRationale for non-applicability: The MDM server is not a firewall.",
"fixid": "F-40823r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36293",
"ruleID": "SV-47697r1_rule",
"severity": "medium",
"title": "Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions.",
"version": "SRG-APP-283-NA"
},
"V-36294": {
"checkid": "C-44535r1_chk",
"checktext": "Review the configuration settings to determine whether the audit system is configured to overwrite the oldest audit log entries when audit logs reach capacity. If this capability is not apparent from the configuration files or vendor documentation, then take actions to fill the audit logs and verify the oldest entries are overwritten when the log is full. If the oldest entries are not overwritten, this is a finding.\n",
"description": "It is critical that when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Overwriting the oldest audit log entries is the safest course of action in the context of the limited resources available on a mobile device that may not have network connectivity.\n",
"fixid": "F-40825r1_fix",
"fixtext": "Configure the MDM server to overwrite the oldest audit log entries when audit logs reach capacity.\n",
"iacontrols": null,
"id": "V-36294",
"ruleID": "SV-47698r1_rule",
"severity": "low",
"title": "The MDM server must overwrite the oldest audit log entries when audit logs reach capacity.\n",
"version": "SRG-APP-109-MDM-254-SRV"
},
"V-36295": {
"checkid": "C-44536r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "When utilizing intrusion detection software, monitoring components are usually dispersed throughout the network, such as, when utilizing HIDS and multiple NIDS sensors. In order to leverage the capabilities of intrusion detection systems to get a complete overall view of network and host activity, these separate components must be able to report and react to activity they detect. \nRationale for non-applicability: The MDM server is not an IDS.",
"fixid": "F-40826r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36295",
"ruleID": "SV-47699r1_rule",
"severity": "medium",
"title": "Intrusion detection software must be able to interconnect using standard protocols to create a system wide intrusion detection system.",
"version": "SRG-APP-281-NA"
},
"V-36296": {
"checkid": "C-44537r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit system provides a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity. If designated alerts are not sent, this is a finding.\n",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs when storage capacity is reached. Notification of the storage condition will allow administrators to take actions so that logs are not lost.",
"fixid": "F-40827r1_fix",
"fixtext": "Configure the MDM server to provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.\n",
"iacontrols": null,
"id": "V-36296",
"ruleID": "SV-47700r1_rule",
"severity": "low",
"title": "The MDM server must provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.\n",
"version": "SRG-APP-103-MDM-255-SRV"
},
"V-36297": {
"checkid": "C-44538r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Malicious code protection software must be protected to prevent a non-privileged user or malicious piece of software from manipulating the protection update mechanism. \nRationale for non-applicability: The MDM server does not perform traditional signature based malware scanning.",
"fixid": "F-40828r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36297",
"ruleID": "SV-47701r1_rule",
"severity": "medium",
"title": "Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user.",
"version": "SRG-APP-274-NA"
},
"V-36298": {
"checkid": "C-44539r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Malicious code protection software must be protected so as to prevent a non-privileged user or malicious piece of software from disabling the protection mechanism. A common tactic of malware is to identify the type of malicious code protection software running on the system and deactivate it. Malicious code includes viruses, worms, Trojan horses, and Spyware. \nRationale for non-applicability: The MDM server should only be accessed by authorized administrators, which means that non-privileged accounts will not be present.",
"fixid": "F-40829r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36298",
"ruleID": "SV-47702r1_rule",
"severity": "medium",
"title": "The application must prevent non-privileged users from circumventing malicious code protection capabilities.",
"version": "SRG-APP-273-NA"
},
"V-36299": {
"checkid": "C-44540r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit system provides a real-time alert when organization defined audit failure events occur. Review MDM server documentation. If designated alerts are not sent, this is a finding.\n",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing due to an audit failure event. Notification of the event will allow administrators to take actions so logs are not lost.",
"fixid": "F-40830r1_fix",
"fixtext": "Configure the MDM server to provide a real-time alert when organization defined audit failure events occur.\n",
"iacontrols": null,
"id": "V-36299",
"ruleID": "SV-47703r1_rule",
"severity": "low",
"title": "The MDM server must provide a real-time alert when organization defined audit failure events occur.\n",
"version": "SRG-APP-104-MDM-256-SRV"
},
"V-36300": {
"checkid": "C-44541r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Anti-virus and malicious software detection applications utilize signature definitions in order to identify viruses and other malicious software. These signature definitions need to be constantly updated in order to identify the new threats that are discovered every day. All anti-virus and malware software shall come with an update mechanism that automatically updates these signatures. The organization (including any contractor to the organization) is required to promptly install security-relevant malicious code protection software updates (e.g., anti-virus signature updates and hot fixes). Malicious code includes viruses, worms, Trojan horses, and Spyware. \nRationale for non-applicability: The MDM server does not perform traditional signature based malware scanning.",
"fixid": "F-40831r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36300",
"ruleID": "SV-47704r1_rule",
"severity": "medium",
"title": "The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing.",
"version": "SRG-APP-272-NA"
},
"V-36301": {
"checkid": "C-44542r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \nRationale for non-applicability: The MDM server does not perform malware scanning of downloaded files on managed mobile devices.",
"fixid": "F-40832r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36301",
"ruleID": "SV-47705r1_rule",
"severity": "medium",
"title": "Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.\n",
"version": "SRG-APP-278-NA"
},
"V-36302": {
"checkid": "C-44543r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit system supports the integration of audit review, analysis, and reporting processes by an organization's central audit management system to support organizational processes for investigation and response to suspicious activities. Review MDM server documentation and have the system administrator demonstrate the capability on the MDM server to transfer audit logs to a central audit system. If audit log information is not being transferred to a central audit management system, this is a finding.\n",
"description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate collection of data for troubleshooting, forensics, etc. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective.",
"fixid": "F-40833r1_fix",
"fixtext": "Configure the MDM server to provide audit log information to a central audit management system.\n",
"iacontrols": null,
"id": "V-36302",
"ruleID": "SV-47706r1_rule",
"severity": "low",
"title": "The MDM server must utilize the integration of audit review, analysis, and reporting processes by an organization's central audit management system to support organizational processes for investigation and response to suspicious activities.\n",
"version": "SRG-APP-110-MDM-257-SRV"
},
"V-36303": {
"checkid": "C-44545r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit system centralizes the review and analysis of audit records from multiple components within the server. If the MDM server cannot support the capability to centralize the review and analysis of audit records from multiple components within the server, this is a finding.\n",
"description": "Due to the numerous functions an MDM server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically and tailor the views of the data to only those events of interest based upon selectable criteria. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed manually. Reducing the auditing capability to only those events that are significant aids in supporting near real-time audit review and analysis requirements and after-the-fact investigations of security incidents. ",
"fixid": "F-40835r1_fix",
"fixtext": "Configure the MDM server to centralize the review and analysis of audit records from multiple components within the server.\n",
"iacontrols": null,
"id": "V-36303",
"ruleID": "SV-47707r1_rule",
"severity": "medium",
"title": "The MDM server must centralize the review and analysis of audit records from multiple components within the server.\n",
"version": "SRG-APP-111-MDM-258-SRV"
},
"V-36304": {
"checkid": "C-44544r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated. \nRationale for non-applicability: The MDM server does not perform traditional signature based malware scanning.",
"fixid": "F-40834r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36304",
"ruleID": "SV-47708r1_rule",
"severity": "medium",
"title": "Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.",
"version": "SRG-APP-276-NA"
},
"V-36305": {
"checkid": "C-44546r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit system supports an audit reduction capability. Review MDM server documentation and audit records. If the MDM server cannot support an audit reduction capability, this is a finding.\n",
"description": "Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review, information systems and/or applications with an audit reduction capability may remove many audit records known to have little security significance. \n",
"fixid": "F-40836r1_fix",
"fixtext": "Configure the MDM server to support an audit reduction capability.\n",
"iacontrols": null,
"id": "V-36305",
"ruleID": "SV-47709r1_rule",
"severity": "low",
"title": "The MDM server must support an audit reduction capability.\n",
"version": "SRG-APP-113-MDM-259-SRV"
},
"V-36306": {
"checkid": "C-44547r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Organizations may require applications or application components to be non-modifiable or to be stored and executed on non-writeable storage. Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image and eliminates the possibility of malicious code insertion. \nRationale for non-applicability: The MDM server must be capable of being updated with patches at any time, and therefore must be modifiable.",
"fixid": "F-40837r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36306",
"ruleID": "SV-47710r1_rule",
"severity": "medium",
"title": "Applications required to be non-modifiable must support organizational requirements to provide components that contain no writeable storage capability. These components must be persistent across restart and/or power on/off.",
"version": "SRG-APP-240-NA"
},
"V-36307": {
"checkid": "C-44548r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit records can be used by a report generation capability. Review MDM server documentation and audit records. If the MDM server audit records cannot be used by a report generation capability, this is a finding.\n",
"description": "Due to the numerous functions an MDM server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically, tailor the views of the data to only those events of interest based upon selectable criteria, and provide a report generation capability. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed or generated manually. Reducing the auditing capability to only those events that are significant and providing a report generation capability, aids in supporting near real-time audit review and analysis requirements and after-the-fact investigations of security incidents. \n\nIn order to identify and report on what (repetitive) data has been removed via the use of audit reduction, the MDM server implementation must provide a capability to generate reports containing what values were removed by the audit reduction. This capability within the MDM server implementation may utilize a component outside of the MDM server itself.",
"fixid": "F-40838r1_fix",
"fixtext": "Configure the MDM server audit records to be used by a report generation capability.\n",
"iacontrols": null,
"id": "V-36307",
"ruleID": "SV-47711r1_rule",
"severity": "low",
"title": "The MDM server audit records must be able to be used by a report generation capability.\n",
"version": "SRG-APP-114-MDM-260-SRV"
},
"V-36308": {
"checkid": "C-44549r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit feature automatically processes audit records for events of interest based upon selectable, event criteria. Review MDM server documentation and audit configuration. If the MDM server does not automatically process audit records for events of interest based upon selectable, event criteria, this is a finding.\n",
"description": "Due to the numerous functions an MDM server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically and tailor the views of the data to only those events of interest based upon selectable criteria. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed manually.",
"fixid": "F-40839r1_fix",
"fixtext": "Configure the MDM server to automatically process audit records for events of interest based upon selectable, event criteria.\n",
"iacontrols": null,
"id": "V-36308",
"ruleID": "SV-47712r1_rule",
"severity": "low",
"title": "The MDM server must automatically process audit records for events of interest based upon selectable, event criteria.\n",
"version": "SRG-APP-115-MDM-261-SRV"
},
"V-36309": {
"checkid": "C-44550r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified applications from hardware enforced read-only media. Hardware-enforced, read-only media include CD-R/DVD-R disk drives. \nRationale for non-applicability: This requirement is better covered by the operating system.",
"fixid": "F-40840r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36309",
"ruleID": "SV-47713r1_rule",
"severity": "medium",
"title": "Applications must support organizationally-defined requirements to load and execute from hardware-enforced, read-only media.",
"version": "SRG-APP-242-NA"
},
"V-36310": {
"checkid": "C-44551r1_chk",
"checktext": "If the MDM server uses configuration files for this capability, review the MDM server configuration files to determine whether the internal system clock is used for timestamps. If this is not feasible, an alternative workaround is to take an action that generates an entry in the audit log and then immediately query the operating system for the current time. A reasonable match between the two times will suffice as evidence that the system is using the internal clock for timestamps. If it is apparent that the MDM server does not use the internal system clock to generate timestamps, this is a finding.\n",
"description": "Determining the correct time a particular event occurred within the MDM server architecture is critical when conducting forensic analysis and investigating system events. Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the MDM server. If an event has been triggered on the network, and the MDM server is not configured with the correct time, the event may be seen as insignificant, when in reality the events are related and may have a larger impact across the network. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. Determining the correct time a particular event occurred on a system, via timestamps, is critical when conducting forensic analysis and investigating system events. ",
"fixid": "F-40841r1_fix",
"fixtext": "Configure the MDM server to use internal system clocks to generate timestamps for audit records.\n",
"iacontrols": null,
"id": "V-36310",
"ruleID": "SV-47714r1_rule",
"severity": "low",
"title": "The MDM server must use internal system clocks to generate timestamps for audit records.\n",
"version": "SRG-APP-116-MDM-262-SRV"
},
"V-36311": {
"checkid": "C-44552r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Organizations may require the information system to load the operating environment from hardware enforced read-only media. The term operating environment is defined as the code upon which applications are hosted, for example, a monitor, executive, operating system, or application running directly on the hardware platform. \nRationale for non-applicability: This requirement is better covered by the operating system.",
"fixid": "F-40842r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36311",
"ruleID": "SV-47715r1_rule",
"severity": "medium",
"title": "Applications must, for organization defined information system components, load and execute the operating environment from hardware-enforced, read-only media.",
"version": "SRG-APP-241-NA"
},
"V-36312": {
"checkid": "C-44553r1_chk",
"checktext": "If the MDM server uses configuration files for this capability, review the MDM server configuration files to determine whether the operating system synchronizes its clock to an authoritative time source. Verify the configured authoritative time sources are the ones intended. The USNO time servers are recommended, but if they are not available in the environment in which the device is used, then other DoD approved time servers are acceptable. If the MDM server relies on any non-DoD approved source for time, this is a finding.\n",
"description": "Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source helps ensure time is synchronized across the enterprise. The USNO time servers provide accurate time and are recommended. This synchronization facilitates event correlation and increases the likelihood that the scope and severity of an IA incident will be fully understood, thereby enabling an effective response to the incident. \n",
"fixid": "F-40843r1_fix",
"fixtext": "Configure the MDM server to synchronize internal information system clocks on an organization defined frequency with an organization defined authoritative time source.\n",
"iacontrols": null,
"id": "V-36312",
"ruleID": "SV-47716r1_rule",
"severity": "low",
"title": "The MDM server must synchronize internal information system clocks with United States Naval Observatory (USNO or other DoD-approved) time servers at least once every 24 hours.\n",
"version": "SRG-APP-117-MDM-263-SRV"
},
"V-36313": {
"checkid": "C-44554r1_chk",
"checktext": "Review the configuration settings to determine whether the MDM server audit feature protects audit information from unauthorized read access. If the MDM server does not protect audit information from unauthorized read access, this is a finding.\n",
"description": "Audit data is considered sensitive, and is intended to be read by the System Administrator only. Allowing non-administrators access to this data could expose vulnerabilities in the system.",
"fixid": "F-40844r1_fix",
"fixtext": "Configure the MDM server to protect audit information from unauthorized read access.\n",
"iacontrols": null,
"id": "V-36313",
"ruleID": "SV-47717r1_rule",
"severity": "low",
"title": "The MDM server must protect audit information from unauthorized read access.\n",
"version": "SRG-APP-118-MDM-264-SRV"
},
"V-36314": {
"checkid": "C-44556r1_chk",
"checktext": "Review MDM server documentation and configuration settings to determine whether the MDM server audit feature protects audit information from unauthorized modification. If the MDM server does not protect audit information from unauthorized modification, this is a finding.\n",
"description": "If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n",
"fixid": "F-40846r1_fix",
"fixtext": "Configure the MDM server to protect audit information from unauthorized modification.\n",
"iacontrols": null,
"id": "V-36314",
"ruleID": "SV-47718r1_rule",
"severity": "medium",
"title": "The MDM server must protect audit information from unauthorized modification.\n",
"version": "SRG-APP-119-MDM-265-SRV"
},
"V-36315": {
"checkid": "C-44555r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A Honey Pot is an organization designated information system and/or application that includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. \nRationale for non-applicability: The MDM server is not a Honey Pot.",
"fixid": "F-40845r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36315",
"ruleID": "SV-47719r1_rule",
"severity": "medium",
"title": "Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must not be shared or used for any purpose other than described.",
"version": "SRG-APP-229-NA"
},
"V-36316": {
"checkid": "C-44557r1_chk",
"checktext": "Review MDM server documentation and configuration settings to determine whether the MDM server audit feature protects audit information from unauthorized deletion. If the MDM server does not protect audit information from unauthorized deletion, this is a finding.\n",
"description": "If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n",
"fixid": "F-40847r1_fix",
"fixtext": "Configure the MDM server to protect audit information from unauthorized deletion.\n",
"iacontrols": null,
"id": "V-36316",
"ruleID": "SV-47720r1_rule",
"severity": "medium",
"title": "The MDM server must protect audit information from unauthorized deletion.\n",
"version": "SRG-APP-120-MDM-266-SRV"
},
"V-36317": {
"checkid": "C-44558r1_chk",
"checktext": "Review MDM server documentation and configuration settings to determine whether the MDM server audit feature provides audit record generation capability for the auditable events defined at the organizational level for the organization defined information system components. If the MDM server does not provide audit record generation capability for the auditable events defined at the organizational level for the organization defined information system components, this is a finding.\n",
"description": "The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events) for example, timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. ",
"fixid": "F-40848r1_fix",
"fixtext": "Configure the MDM server to provide audit record generation capability for the auditable events defined at the organizational level for the organization defined information system components.\n",
"iacontrols": null,
"id": "V-36317",
"ruleID": "SV-47721r1_rule",
"severity": "low",
"title": "The MDM server must provide audit record generation capability for the auditable events defined at the organizational level for defined information system components.\n",
"version": "SRG-APP-089-MDM-267-SRV"
},
"V-36318": {
"checkid": "C-44560r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A Domain Name System (DNS) server is an example of an information system providing name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system DNS servers, one configured as primary and the other as secondary. \nRationale for non-applicability: The MDM server does not support name/address resolution queries.",
"fixid": "F-40849r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36318",
"ruleID": "SV-47722r1_rule",
"severity": "medium",
"title": "Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation.",
"version": "SRG-APP-218-NA"
},
"V-36319": {
"checkid": "C-44559r1_chk",
"checktext": "Review MDM server documentation and configuration settings to determine whether the MDM server audit feature allows designated administrators to select which auditable events are to be audited by the server. Required events include system startup and shutdown, successful and unsuccessful device unlock attempts, program execution, and integrity validation failures. Verify a reasonable subset of these events is captured in practice by examining the audit logs. If the MDM server does allow designated administrators to select which auditable events are to be audited by the server, this is a finding.\n",
"description": "The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). Allowing an administrator to choose the events allows for better coverage of logs for specific activities of interest at a specific time.",
"fixid": "F-40850r1_fix",
"fixtext": "Configure the MDM server to allow designated administrators to select which auditable events are to be audited by the server.\n",
"iacontrols": null,
"id": "V-36319",
"ruleID": "SV-47723r1_rule",
"severity": "low",
"title": "The MDM server must allow designated administrators to select which auditable events are to be audited by the server.\n",
"version": "SRG-APP-090-MDM-268-SRV"
},
"V-36320": {
"checkid": "C-44561r1_chk",
"checktext": "Review product documentation and the system configuration to determine whether the DoD-required auditable events are recorded. Required events include system startup and shutdown, successful and unsuccessful device unlock attempts, program execution, and integrity validation failures. Verify a reasonable subset of these events is captured in practice by examining the audit logs. If the audit logs do not include DoD-required auditable events, this is a finding.\n",
"description": "The DoD-required auditable events are events that assist in intrusion detection and forensic analysis. Failure to capture them increases the likelihood that an adversary can breach the system without detection.\n",
"fixid": "F-40851r1_fix",
"fixtext": "Configure the MDM server to generate audit records for the DoD-required auditable events.\n",
"iacontrols": null,
"id": "V-36320",
"ruleID": "SV-47724r1_rule",
"severity": "low",
"title": "The MDM server must generate audit records for the DoD-required auditable events.\n",
"version": "SRG-APP-091-MDM-269-SRV"
},
"V-36321": {
"checkid": "C-44562r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. \nRationale for non-applicability: The MDM server does not support name/address resolution queries.",
"fixid": "F-40852r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36321",
"ruleID": "SV-47725r1_rule",
"severity": "medium",
"title": "The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.",
"version": "SRG-APP-217-NA"
},
"V-36322": {
"checkid": "C-44563r1_chk",
"checktext": "Review product documentation and the MDM server audit feature configuration to determine whether it supports the capability to compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance. If the MDM server does not support compiling audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance, this is a finding.\n",
"description": "Audit generation and audit records can be generated from various components within the MDM server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). \n",
"fixid": "F-40853r1_fix",
"fixtext": "Configure the MDM server to compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance for the relationship between time stamps of individual records in the audit trail.\n",
"iacontrols": null,
"id": "V-36322",
"ruleID": "SV-47726r1_rule",
"severity": "low",
"title": "The MDM server must support the capability to compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance for the relationship between time stamps of individual records in the audit trail.\n",
"version": "SRG-APP-086-MDM-270-SRV"
},
"V-36323": {
"checkid": "C-44565r1_chk",
"checktext": "Inspect the audit logs to determine whether startup events are being recorded. Restart the MDM server and check that this occurrence was recorded in the audit log. If a startup event does not appear in the log, this is a finding.\n",
"description": "Some MDM server system features, including security enforcement, may only be modified when the MDM server applications not running. Logging startup events provides valuable information on system problems and potential MDM server integrity issues.\n",
"fixid": "F-40855r1_fix",
"fixtext": "Configure the MDM server to record an event in the device audit log each time the device operating system is started.\n",
"iacontrols": null,
"id": "V-36323",
"ruleID": "SV-47727r1_rule",
"severity": "low",
"title": "The MDM server must record an event in the device audit log each time the server is started.\n",
"version": "SRG-APP-130-MDM-271-SRV"
},
"V-36324": {
"checkid": "C-44564r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. ",
"fixid": "F-40854r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36324",
"ruleID": "SV-47728r1_rule",
"severity": "medium",
"title": "The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.\n",
"version": "SRG-APP-216-NA"
},
"V-36325": {
"checkid": "C-44566r1_chk",
"checktext": "Inspect the audit logs to determine whether security relevant configuration changes are being recorded. Make several security relevant configuration changes and verify these were recorded in the audit log. If any of the security relevant changes do not appear in the log, this is a finding.\n",
"description": "Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Security-relevant configuration changes, if not authorized, are a breach of system security and might indicate a broader attack is occurring. Recording security-relevant changes in the audit logs mitigates the risk that unauthorized changes will go undetected.\n",
"fixid": "F-40856r1_fix",
"fixtext": "Configure the MDM server to record an event in the device audit log each time there is a security relevant configuration change. \n",
"iacontrols": null,
"id": "V-36325",
"ruleID": "SV-47729r1_rule",
"severity": "medium",
"title": "The MDM server must record an event in audit log each time the server makes a security relevant configuration change on a managed mobile device.\n",
"version": "SRG-APP-130-MDM-272-SRV"
},
"V-36326": {
"checkid": "C-44567r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service.\nRationale for non-applicability: The MDM server does not operate as part of a distributed, hierarchical namespace.",
"fixid": "F-40857r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36326",
"ruleID": "SV-47730r1_rule",
"severity": "medium",
"title": "Applications, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.\n",
"version": "SRG-APP-214-NA"
},
"V-36327": {
"checkid": "C-44568r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. \nRationale for non-applicability: The MDM server does not support name/address resolution queries.",
"fixid": "F-40859r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36327",
"ruleID": "SV-47731r1_rule",
"severity": "medium",
"title": "The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.",
"version": "SRG-APP-213-NA"
},
"V-36328": {
"checkid": "C-44569r1_chk",
"checktext": "Review the MDM server configuration to determine whether cryptographic mechanisms are employed to protect the integrity and confidentiality for all audit logs managed by the server. If the MDM server does not employ cryptographic mechanisms to protect the integrity and confidentiality for all audit logs managed by the server, this is a finding.\n",
"description": "The integrity of server audit logs and managed device audit logs is vital to the security baseline of the server and network. Otherwise, critical audit event information could be compromised.\n",
"fixid": "F-40858r1_fix",
"fixtext": "Configure the MDM server to employee cryptographic mechanisms to protect the integrity and confidentiality for all audit logs managed by the server.\n",
"iacontrols": null,
"id": "V-36328",
"ruleID": "SV-47732r1_rule",
"severity": "medium",
"title": "The MDM server must employ cryptographic mechanisms to protect the integrity and confidentiality for all audit logs managed by the server.\n",
"version": "SRG-APP-184-MDM-273-SRV"
},
"V-36329": {
"checkid": "C-44570r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \nRationale for non-applicability: An MDM server is not designed to enforce policy pertaining to use of mobile code.",
"fixid": "F-40860r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36329",
"ruleID": "SV-47733r1_rule",
"severity": "medium",
"title": "Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization defined software applications and require organization defined actions prior to executing the code.",
"version": "SRG-APP-210-NA"
},
"V-36330": {
"checkid": "C-44571r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server backs up audit records on an organization defined frequency onto a different system or media than the system being audited. If the MDM server does not back up audit records on an organization defined frequency onto a different system or media than the system being audited, this is a finding.\n",
"description": "Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.\n",
"fixid": "F-40861r1_fix",
"fixtext": "Configure the MDM server to back up audit records on an organization defined frequency onto a different system or media than the system being audited.\n",
"iacontrols": null,
"id": "V-36330",
"ruleID": "SV-47734r1_rule",
"severity": "medium",
"title": "The MDM server must back up audit records on an organization defined frequency onto a different system or media than the system being audited.\n",
"version": "SRG-APP-125-MDM-274-SRV"
},
"V-36331": {
"checkid": "C-44572r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server protects the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions. If the MDM server does not protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions, this is a finding.\n",
"description": "Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an operating system which the user being audited has privileged access to. The privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus, limiting the users with audit-related privileges.",
"fixid": "F-40862r1_fix",
"fixtext": "Configure the MDM server to protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.\n",
"iacontrols": null,
"id": "V-36331",
"ruleID": "SV-47735r1_rule",
"severity": "medium",
"title": "The MDM server must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.\n",
"version": "SRG-APP-127-MDM-275-SRV"
},
"V-36332": {
"checkid": "C-44573r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \nRationale for non-applicability: An MDM server is not designed to enforce policy pertaining to use of mobile code.",
"fixid": "F-40863r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36332",
"ruleID": "SV-47736r1_rule",
"severity": "medium",
"title": "Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code.",
"version": "SRG-APP-209-NA"
},
"V-36333": {
"checkid": "C-44574r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. If the MDM server does not produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format, this is a finding.\n",
"description": "Audits records can be generated from various components within the MDM server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).",
"fixid": "F-40864r1_fix",
"fixtext": "Configure the MDM server to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.\n",
"iacontrols": null,
"id": "V-36333",
"ruleID": "SV-47737r1_rule",
"severity": "low",
"title": "The MDM server must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.\n",
"version": "SRG-APP-088-MDM-276-SRV"
},
"V-36334": {
"checkid": "C-44575r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server automatically audits administrator account modification. If the MDM server does not automatically audit administrator account modification, this is a finding.\n",
"description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing administrator account modification ensures forensic information is available to track these instances.",
"fixid": "F-40865r1_fix",
"fixtext": "Configure the MDM server to automatically audit administrator account modification.\n",
"iacontrols": null,
"id": "V-36334",
"ruleID": "SV-47738r1_rule",
"severity": "medium",
"title": "The MDM server must automatically audit administrator account modification.\n",
"version": "SRG-APP-027-MDM-277-SRV"
},
"V-36335": {
"checkid": "C-44576r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \nRationale for non-applicability: An MDM server is not designed to enforce policy pertaining to use of mobile code.",
"fixid": "F-40866r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36335",
"ruleID": "SV-47739r1_rule",
"severity": "medium",
"title": "Applications utilizing mobile code must meet policy requirements regarding the acquisition, development, and/or use of mobile code.",
"version": "SRG-APP-208-NA"
},
"V-36336": {
"checkid": "C-44577r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Collaborative computing devices include, networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients. \nRationale for non-applicability: The MDM server is not a collaborative computing device.",
"fixid": "F-40868r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36336",
"ruleID": "SV-47740r1_rule",
"severity": "medium",
"title": "Software and/or firmware used for collaborative computing devices must prohibit remote activation excluding the organization defined exceptions where remote activation is to be allowed.",
"version": "SRG-APP-202-NA"
},
"V-36337": {
"checkid": "C-44579r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server automatically audits administrator account termination. If the MDM server does not automatically audit administrator account termination, this is a finding.\n",
"description": "Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a myriad of side effects could occur. The MDM server must audit and notify, as required, to provide a forensic audit trail.\n",
"fixid": "F-40869r1_fix",
"fixtext": "Configure the MDM server to automatically audit administrator account termination.\n",
"iacontrols": null,
"id": "V-36337",
"ruleID": "SV-47741r1_rule",
"severity": "medium",
"title": "The MDM server must automatically audit administrator account termination.\n",
"version": "SRG-APP-029-MDM-278-SRV"
},
"V-36338": {
"checkid": "C-44580r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS 140-2 Security Requirements for Cryptographic Modules can be found at the following web site: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.\nRationale for non-applicability: The MDM server does not manage access to data by clearances of administrators.",
"fixid": "F-40870r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36338",
"ruleID": "SV-47742r1_rule",
"severity": "medium",
"title": "Applications must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
"version": "SRG-APP-199-NA"
},
"V-36339": {
"checkid": "C-44581r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server audits remote sessions for accessing the server by an administrator. If the MDM server does not audit remote sessions for accessing the server by an administrator, this is a finding.\n",
"description": "Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. This allows all aspects of a session to be recreated.\n",
"fixid": "F-40871r1_fix",
"fixtext": "Configure the MDM server to log an audit event for each instance when an administrator accesses the server remotely.\n",
"iacontrols": null,
"id": "V-36339",
"ruleID": "SV-47743r1_rule",
"severity": "high",
"title": "The MDM server must ensure remote sessions for accessing the server by an administrator are audited.\n",
"version": "SRG-APP-019-MDM-279-SRV"
},
"V-36340": {
"checkid": "C-44582r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. \nRationale for non-applicability: The MDM server is not involved in the production, control, and distribution of asymmetric cryptographic keys.",
"fixid": "F-40872r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36340",
"ruleID": "SV-47744r1_rule",
"severity": "medium",
"title": "Applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or class 4 certificates and hardware tokens that protect the users private key.",
"version": "SRG-APP-195-NA"
},
"V-36341": {
"checkid": "C-44583r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server provides the capability to capture/record and log all content related to an administrator session. Have an administrator log into the server and make several security relevant configuration changes and verify these were recorded in the audit log. If any of the security relevant changes does not appear in the log, this is a finding.\n",
"description": "Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. This allows all aspects of a session to be recreated.\n",
"fixid": "F-40873r1_fix",
"fixtext": "Configure the MDM server to provide to capture/record and log all content related to an administrator session.\n",
"iacontrols": null,
"id": "V-36341",
"ruleID": "SV-47745r1_rule",
"severity": "high",
"title": "The MDM server must capture/record and log all content related to an administrator session.\n",
"version": "SRG-APP-093-MDM-280-SRV"
},
"V-36342": {
"checkid": "C-44585r1_chk",
"checktext": "Shut down and then restart the MDM server. Immediately after the boot process is complete, verify auditing has been initiated. If session auditing is not operational after system startup, this is a finding.\n",
"description": "Without session-level auditing, IA and IT professionals do not have the complete picture, in detail, of what is transpiring on their systems. Without the session-level auditing capability, it is difficult to determine when a specific action was taken on the system and perform forensic analysis if there is an attack, or troubleshoot a problem. \n",
"fixid": "F-40875r1_fix",
"fixtext": "Configure the MDM server to initiate session auditing at system startup.\n",
"iacontrols": null,
"id": "V-36342",
"ruleID": "SV-47746r1_rule",
"severity": "high",
"title": "The MDM server must initiate session auditing upon start up.\n",
"version": "SRG-APP-092-MDM-281-SRV"
},
"V-36343": {
"checkid": "C-44586r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server produces audit records containing sufficient information to establish the identity of any user/subject associated with the event. Have an administrator log into the server and make several security relevant configuration changes and verify these were recorded in the audit log. If the MDM server does not produce audit records containing sufficient information to establish the identity of any user/subject associated with the event, this is a finding.\n",
"description": "MDM server auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. \n\nMDM server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.",
"fixid": "F-40876r1_fix",
"fixtext": "Configure the MDM server to produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.\n",
"iacontrols": null,
"id": "V-36343",
"ruleID": "SV-47747r1_rule",
"severity": "high",
"title": "The MDM server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.\n",
"version": "SRG-APP-100-MDM-282-SRV"
},
"V-36344": {
"checkid": "C-44587r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server protects audit tools from unauthorized access. Have a system administrator in a role without access to audit logs log into the server and attempt to access the audit logs. If the MDM server does not protect audit tools from unauthorized access, this is a finding.\n",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. If an attacker were to access audit tools he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.\n",
"fixid": "F-40877r1_fix",
"fixtext": "Configure the MDM server to protect audit tools from unauthorized access.\n",
"iacontrols": null,
"id": "V-36344",
"ruleID": "SV-47748r1_rule",
"severity": "high",
"title": "The MDM server must protect audit tools from unauthorized access.\n",
"version": "SRG-APP-121-MDM-283-SRV"
},
"V-36345": {
"checkid": "C-44584r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Fail secure is a condition achieved by the application of a set of information system mechanisms to ensure that in the event of an operational failure of a boundary protection device at a managed interface (e.g., router, firewall, guard, application gateway residing on a protected sub network commonly referred to as a demilitarized zone), the system does not enter into an unsecure state where intended security properties no longer hold. A failure of a boundary protection device cannot lead to, or cause information external to the boundary protection device to enter the device, nor can a failure permit unauthorized information release.\nRationale for non-applicability: The MDM server is not a boundary protection application.",
"fixid": "F-40874r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36345",
"ruleID": "SV-47749r1_rule",
"severity": "medium",
"title": "Boundary protection applications must fail securely in the event of an operational failure.",
"version": "SRG-APP-254-NA"
},
"V-36346": {
"checkid": "C-44588r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server protects audit tools from unauthorized modification. Have a system administrator in a role without access to audit logs log into the server and attempt to access and modify the audit logs. If the MDM server does not protect audit capability from unauthorized modification, this is a finding.\n",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized modification. If an attacker were to modify audit tools he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.\n",
"fixid": "F-40878r1_fix",
"fixtext": "Configure the MDM server to protect audit tools from unauthorized modification.\n",
"iacontrols": null,
"id": "V-36346",
"ruleID": "SV-47750r1_rule",
"severity": "high",
"title": "The MDM server must protect audit tools from unauthorized modification.\n",
"version": "SRG-APP-122-MDM-284-SRV"
},
"V-36347": {
"checkid": "C-44590r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server protects audit tools from unauthorized deletion. Have a system administrator in a role without access to audit logs log into the server and attempt to access and delete the audit logs. If the MDM server does not protect audit capability from unauthorized deletion, this is a finding.\n",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized deletion. If an attacker were to delete audit tools, the MDM server administrator may have no way of managing or viewing the logs.",
"fixid": "F-40880r1_fix",
"fixtext": "Configure the MDM server to protect audit tools from unauthorized deletion.\n",
"iacontrols": null,
"id": "V-36347",
"ruleID": "SV-47751r1_rule",
"severity": "high",
"title": "The MDM server must protect audit tools from unauthorized deletion.\n",
"version": "SRG-APP-123-MDM-285-SRV"
},
"V-36348": {
"checkid": "C-44589r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Automated mechanisms used to enforce protocol formats include deep packet inspection firewalls and XML gateways. These devices verify adherence to the protocol specification (e.g., IEEE) at the application layer and serve to identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layer. It is impractical to expect protocol format inspection to be conducted manually.\nRationale for non-applicability: The MDM server is not designed to enforce protocol formats. ",
"fixid": "F-40879r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36348",
"ruleID": "SV-47752r1_rule",
"severity": "medium",
"title": "Applications designed to enforce protocol formats must employ automated mechanisms to enforce strict adherence to protocol format.",
"version": "SRG-APP-253-NA"
},
"V-36349": {
"checkid": "C-44591r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server uses cryptographic mechanisms to protect the integrity of audit tools. If the MDM server does not use cryptographic mechanisms to protect the integrity of audit tools, this is a finding.\n",
"description": "Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Cryptographic mechanisms must be used to protect the integrity of the audit tools used for audit reduction and reporting.\n",
"fixid": "F-40881r1_fix",
"fixtext": "Configure the MDM server to use cryptographic mechanisms to protect the integrity of audit tools.\n",
"iacontrols": null,
"id": "V-36349",
"ruleID": "SV-47753r1_rule",
"severity": "high",
"title": "The MDM server must use cryptographic mechanisms to protect the integrity of audit tools.\n",
"version": "SRG-APP-290-MDM-286-SRV"
},
"V-36350": {
"checkid": "C-44592r1_chk",
"checktext": "Review MDM server documentation and determine if the MDM server provides transaction recovery to avoid disabling the CMD in the event of an incomplete policy push. If the MDM server does not provide transaction recovery to avoid disabling the CMD in the event of an incomplete policy push, this is a finding.\n",
"description": "Since the MDM server controls many mobile devices as well as serving as a gateway into the network infrastructure, the absence of this feature could also enable an adversary to launch an enterprise-wide DoS attack.\n",
"fixid": "F-40882r1_fix",
"fixtext": "Configure the MDM server to provide transaction recovery to avoid disabling the CMD in the event of an incomplete policy push.\n",
"iacontrols": null,
"id": "V-36350",
"ruleID": "SV-47754r1_rule",
"severity": "high",
"title": "The MDM server must provide transaction recovery to avoid disabling the CMD in the event of an incomplete policy push.\n",
"version": "SRG-APP-144-MDM-287-MDIS"
},
"V-36351": {
"checkid": "C-44593r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Firewall control requirement for isolating and preventing the discovery of management interfaces. This control enhancement is intended to protect the network addresses of information system components that are part of the managed interface from discovery through common tools and techniques used to identify devices on a network.\nRationale for non-applicability: The MDM server is not a boundary protection application.",
"fixid": "F-40883r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36351",
"ruleID": "SV-47755r1_rule",
"severity": "medium",
"title": "Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface.",
"version": "SRG-APP-252-NA"
},
"V-36352": {
"checkid": "C-44594r1_chk",
"checktext": "Review MDM server documentation and determine if the MDM server separates the security functions between the management of the server itself, and the management of the mobile device. If the MDM server does not separate the security functions between the management of the server itself, and the management of the mobile device, this is a finding.\n",
"description": "Security functions are defined as \"the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\" If the security functions were to be undermined, the MDM server could be compromised. \n\nMDM server administrators can increase the assurance in security functions by employing well-defined security policy models, structured, disciplined, and rigorous hardware and software development techniques, and sound system/security engineering principles. The MDM server element must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the integrity of, the hardware, software, and firmware performing those security functions. The MDM server must maintain a separate execution domain (e.g., address space) for each executing process. ",
"fixid": "F-40884r1_fix",
"fixtext": "Configure the MDM server to separate the security functions between the management of the server itself, and the management of the mobile device.\n",
"iacontrols": null,
"id": "V-36352",
"ruleID": "SV-47756r1_rule",
"severity": "low",
"title": "The MDM server must separate the security functions between the management of the server itself, and the management of the mobile device.\n",
"version": "SRG-APP-238-MDM-288-SRV"
},
"V-36353": {
"checkid": "C-44595r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "In regards to boundary controls such as routers and firewalls, examples of restricting and prohibiting communications are: restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source. \nRationale for non-applicability: The MDM server is not a firewall.",
"fixid": "F-40885r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36353",
"ruleID": "SV-47757r1_rule",
"severity": "medium",
"title": "Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.",
"version": "SRG-APP-249-NA"
},
"V-36354": {
"checkid": "C-44596r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server establishes a trusted path for an administrator to enter authentication credentials (password or CAC PIN). If the MDM server does not provide a trusted path, this is a finding.\n",
"description": "Without a trusted communication path, the MDM server is vulnerable to a man-in-the-middle attack.\n",
"fixid": "F-40886r1_fix",
"fixtext": "Configure the MDM server to establish a trusted communications path between the Administrator and the system's authentication mechanism.\n",
"iacontrols": null,
"id": "V-36354",
"ruleID": "SV-47758r1_rule",
"severity": "medium",
"title": "The MDM server must establish a trusted communications path between the Administrator and the system's authentication mechanism.\n",
"version": "SRG-APP-191-MDM-289-SRV"
},
"V-36355": {
"checkid": "C-44597r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server generates a unique session identifier for each session. Have an administrator log into the server and view the logs to verify a unique session identifier was assigned to the session. If the MDM server does not generate a unique session identifier for each session, this is a finding.\n",
"description": "This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. This helps prevent a session hijacking attack.\n",
"fixid": "F-40887r1_fix",
"fixtext": "Configure the MDM server to generate a unique session identifier for each session.\n",
"iacontrols": null,
"id": "V-36355",
"ruleID": "SV-47759r1_rule",
"severity": "low",
"title": "The MDM server application must generate a unique session identifier for each session.\n",
"version": "SRG-APP-222-MDM-290-SRV"
},
"V-36356": {
"checkid": "C-44598r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server generates unique session identifiers with organization defined randomness requirements. Determine how the MDM server generates the session identifier. Have an administrator log into the server and view the logs to verify a unique session identifier was assigned to the session. If the MDM server does not generate unique session identifiers with organization defined randomness requirements, this is a finding.\n",
"description": "This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. This helps prevent a session hijacking attack.\n",
"fixid": "F-40888r1_fix",
"fixtext": "Configure the MDM server to generate unique session identifiers with organization defined randomness requirements.\n",
"iacontrols": null,
"id": "V-36356",
"ruleID": "SV-47760r1_rule",
"severity": "low",
"title": "The MDM server application must generate unique session identifiers with organization defined randomness requirements.\n",
"version": "SRG-APP-224-MDM-291-SRV"
},
"V-36357": {
"checkid": "C-44599r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server responds to security function anomalies in accordance with organization defined responses and alternative action(s). At a minimum, the MDM server must log anomalies and alert the administrator. If the MDM server does not respond to security function anomalies in accordance with organization defined responses and alternative action(s), this is a finding.\n",
"description": "The MDM server is the collection point for many of the security function anomalies both for the mobile devices it manages, as well as the MDM server application itself. Without a response to anomalies, would-be attackers would not be noticed once inside the MDM server.\n",
"fixid": "F-40889r1_fix",
"fixtext": "Configure the MDM server to respond to security function anomalies in accordance with organization defined responses and alternative action(s).\n",
"iacontrols": null,
"id": "V-36357",
"ruleID": "SV-47761r1_rule",
"severity": "low",
"title": "The MDM server must respond to security function anomalies in accordance with organization defined responses and alternative action(s).\n",
"version": "SRG-APP-200-MDM-292-SRV"
},
"V-36358": {
"checkid": "C-44600r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Detecting internal actions that may pose a security threat to external information systems is sometimes termed extrusion detection. Extrusion detection at the information system boundary includes the analysis of network traffic (incoming as well as outgoing) looking for indications of an internal threat to the security of external systems.\nRationale for non-applicability: The MDM server is not an IDS.",
"fixid": "F-40890r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36358",
"ruleID": "SV-47762r1_rule",
"severity": "medium",
"title": "Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems.",
"version": "SRG-APP-259-NA"
},
"V-36359": {
"checkid": "C-44601r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server recognizes only system-generated session identifiers. If the MDM server does not recognize only system-generated session identifiers, this is a finding.\n",
"description": "This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Without this, session hijacking attacks could be possible.\n",
"fixid": "F-40891r1_fix",
"fixtext": "Configure the MDM server to recognize only system-generated session identifiers.\n",
"iacontrols": null,
"id": "V-36359",
"ruleID": "SV-47763r1_rule",
"severity": "low",
"title": "The MDM server application must recognize only system-generated session identifiers.\n",
"version": "SRG-APP-223-MDM-293-SRV"
},
"V-36360": {
"checkid": "C-44602r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy servers are also configurable with organization defined lists of authorized and unauthorized websites.\nRationale for non-applicability: The MDM server is not an Internet proxy application.",
"fixid": "F-40892r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36360",
"ruleID": "SV-47764r1_rule",
"severity": "medium",
"title": "Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy applications must also be configurable with organization defined lists of authorized and unauthorized websites.\n",
"version": "SRG-APP-258-NA"
},
"V-36361": {
"checkid": "C-44603r1_chk",
"checktext": "Review the MDM server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to ensure user direction occurs prior to executing code on the mobile device. If this function is not present, this is a finding.\n",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM server allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. Allowing automatic execution of code without user interaction could result in malware executing itself on a CMD.\n",
"fixid": "F-40893r1_fix",
"fixtext": "Configure the centrally managed MDM server security policy rule to ensure user direction occurs prior to executing code on the mobile device.\n",
"iacontrols": null,
"id": "V-36361",
"ruleID": "SV-47765r1_rule",
"severity": "medium",
"title": "The MDM server must not enable information system functionality providing the capability for automatic execution of code on mobile devices without user direction.\n",
"version": "SRG-APP-022-MDM-294-MDM "
},
"V-36362": {
"checkid": "C-44604r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of that system and to communicate with local resources such as, a printer or file server. Since the remote device, when connected by a non-remote connection, becomes an extension of the information system, allowing dual communications paths such as split-tunneling would be, in effect, allowing unauthorized external connections into the system.\nRationale for non-applicability: The MDM server does not allow remote connecting mobile devices to establish non-remote connections.",
"fixid": "F-40894r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36362",
"ruleID": "SV-47766r1_rule",
"severity": "medium",
"title": "Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.",
"version": "SRG-APP-257-NA"
},
"V-36363": {
"checkid": "C-44605r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server can disable services that are not required by site-defined functions. If services cannot be disabled, this is a finding.\n",
"description": "Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Unneeded services and processes provide additional threat vectors and avenues of attack to the information system.",
"fixid": "F-40895r1_fix",
"fixtext": "Configure the MDM server to use only the services required by site defined functions.\n",
"iacontrols": null,
"id": "V-36363",
"ruleID": "SV-47767r1_rule",
"severity": "medium",
"title": "The MDM server must be able to disable services that are not required by site-defined functions.\n",
"version": "SRG-APP-143-MDM-295-SRV"
},
"V-36364": {
"checkid": "C-44606r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A firewall default deny is a firewall configuration setting that will force the administrator to explicitly allow network or application traffic rather than allowing all traffic by default. The purpose is to prevent unmanaged access into the internal network or in the case of an application firewall, to application content, features, or functionality. \nRationale for non-applicability: The MDM server is not a firewall.",
"fixid": "F-40896r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36364",
"ruleID": "SV-47768r1_rule",
"severity": "medium",
"title": "Any software application designed to function as a firewall must be capable of employing a default deny-all configuration.",
"version": "SRG-APP-256-NA"
},
"V-36365": {
"checkid": "C-44607r1_chk",
"checktext": "Review the MDM server configuration to determine whether the MDM server is configured to rotate its master AES encryption key. If the master AES encryption key is not configured to rotate, this is a finding.\n",
"description": "There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to an organizationally defined period is a security best practice. This is typically 30 days or less.\n",
"fixid": "F-40897r1_fix",
"fixtext": "Configure the MDM server to rotate its master AES encryption key.\n",
"iacontrols": null,
"id": "V-36365",
"ruleID": "SV-47769r1_rule",
"severity": "medium",
"title": "The master AES encryption key used to encrypt data between the MDM server and the agent on the mobile device must be rotated. \n",
"version": "SRG-APP-193-MDM-296-SRV"
},
"V-36366": {
"checkid": "C-44608r1_chk",
"checktext": "Review the MDM server configuration to determine whether the system is configured to protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user. If the system is not configured to protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user, this is a finding.\n",
"description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.\n",
"fixid": "F-40898r1_fix",
"fixtext": "Configure the MDM server to protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user.\n",
"iacontrols": null,
"id": "V-36366",
"ruleID": "SV-47770r1_rule",
"severity": "medium",
"title": "The MDM server, when used for non-local maintenance sessions, must protect those sessions through the use of a strong authenticator tightly bound to the user.\n",
"version": "SRG-APP-183-MDM-297-SRV"
},
"V-36367": {
"checkid": "C-44609r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. Applications monitoring and/or controlling communications at the external boundary of the system and at key internal boundaries must be capable of preventing public access into the organization\u2019s internal networks except as appropriately mediated by managed interfaces. \nRationale for non-applicability: The MDM server is not a boundary protection application.",
"fixid": "F-40899r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36367",
"ruleID": "SV-47771r1_rule",
"severity": "medium",
"title": "Boundary protection applications must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces.",
"version": "SRG-APP-255-NA"
},
"V-36368": {
"checkid": "C-44610r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single user/role. The application must limit the use of resources by priority.\nRationale for non-applicability: This is better addressed through infrastructure design (multiple load balancing servers) rather than SRG application design.",
"fixid": "F-40900r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36368",
"ruleID": "SV-47772r1_rule",
"severity": "medium",
"title": "Applications must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.",
"version": "SRG-APP-248-NA"
},
"V-36370": {
"checkid": "C-44611r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "In the case of application DoS attacks, care must be taken when designing the application so as to ensure that the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. \nRationale for non-applicability: The MDM server is not responsible for actively protecting against traditional DoS attacks.",
"fixid": "F-40902r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36370",
"ruleID": "SV-47774r1_rule",
"severity": "medium",
"title": "Applications must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.",
"version": "SRG-APP-247-NA"
},
"V-36371": {
"checkid": "C-44613r1_chk",
"checktext": "This requirement is NA for the MDM SRG.\n",
"description": "Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. \nRationale for non-applicability: The MDM server is not an SOA based application.",
"fixid": "F-40903r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36371",
"ruleID": "SV-47775r1_rule",
"severity": "medium",
"title": "Web services applications establishing identities at run-time for previously unknown entities must dynamically manage identifiers, attributes, and associated access authorizations.\n",
"version": "SRG-APP-162-NA"
},
"V-36372": {
"checkid": "C-44614r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "When it comes to DoS attacks most of the attention is paid to ensuring that systems and applications are not victims of these attacks. \nRationale for non-applicability: This function is better allocated to the operating system.",
"fixid": "F-40904r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36372",
"ruleID": "SV-47776r1_rule",
"severity": "medium",
"title": "Applications must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.",
"version": "SRG-APP-246-NA"
},
"V-36373": {
"checkid": "C-44615r1_chk",
"checktext": "This requirement is NA for the MDM SRG.\n",
"description": "Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left. \nRationale for non-applicability: There are no temporary administrator accounts on an MDM server. This feature is handled by the operating system.",
"fixid": "F-40905r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36373",
"ruleID": "SV-47777r1_rule",
"severity": "medium",
"title": "The application must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization defined time period.\n",
"version": "SRG-APP-024-NA"
},
"V-36374": {
"checkid": "C-44616r1_chk",
"checktext": "This requirement is NA for the MDM SRG.\n",
"description": "Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. \nRationale for non-applicability: The MDM server is not an SOA based application.",
"fixid": "F-40906r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36374",
"ruleID": "SV-47778r1_rule",
"severity": "medium",
"title": "Service Oriented Architecture (SOA) based applications must dynamically manage user privileges and associated access authorizations.\n",
"version": "SRG-APP-031-NA"
},
"V-36375": {
"checkid": "C-44617r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "A variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization\u2019s internal network from being directly affected by DoS attacks. \nRationale for non-applicability: This function is better allocated to the operating system.",
"fixid": "F-40907r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36375",
"ruleID": "SV-47779r1_rule",
"severity": "medium",
"title": "Applications must protect against or limit the effects of the organization defined or referenced types of Denial of Service (DoS) attacks.",
"version": "SRG-APP-245-NA"
},
"V-36376": {
"checkid": "C-44618r1_chk",
"checktext": "This requirement is NA for the MDM SRG.\n",
"description": "Dual authorization requires 2 distinct approving authorities to approve the use of an application command prior to it being invoked. This capability is typically reserved for specific application functionality where the application owner, data owner or organization requires an additional assurance that certain application commands are only invoked under the utmost authority. When a policy is defined stating that certain commands contained within an application require dual-authorization before they may be invoked, or when an organization defines a set of application related privileged commands requiring dual authorization, the application must support those requirements. \nRationale for non-applicability: The IA posture of the MDM server does not warrant dual authorization, and is therefore out of scope for this version of the MDM SRG.",
"fixid": "F-40908r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36376",
"ruleID": "SV-47780r1_rule",
"severity": "medium",
"title": "The application must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.\n",
"version": "SRG-APP-034-NA"
},
"V-36377": {
"checkid": "C-44619r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Shared resources include memory, input/output queues, and network interface cards. \nRationale for non-applicability: The MDM server operates at a single security level; multi-level security, and the sharing of resources between systems operating at different security levels, is out of the scope of this SRG.",
"fixid": "F-40909r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36377",
"ruleID": "SV-47781r1_rule",
"severity": "medium",
"title": "Applications must not share resources used to interface with systems operating at different security levels.",
"version": "SRG-APP-244-NA"
},
"V-36378": {
"checkid": "C-44620r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). \nRationale for non-applicability: This control primarily applies to attribute-based, non-discretionary policies governing the sharing of information resources among users and data owners. The MDM server exposes only administrator functions, and this type of service is unrelated to MDM server functionality.",
"fixid": "F-40910r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36378",
"ruleID": "SV-47782r1_rule",
"severity": "medium",
"title": "Applications must enforce non-discretionary access control policies over users and resources where the policy rule set for each policy specifies: access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day).\n",
"version": "SRG-APP-035-NA"
},
"V-36379": {
"checkid": "C-44621r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.\nRationale for non-applicability: The MDM server does not have different classes of security functions.",
"fixid": "F-40911r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36379",
"ruleID": "SV-47783r1_rule",
"severity": "medium",
"title": "Applications must meet organizational requirements to implement an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions.",
"version": "SRG-APP-236-NA"
},
"V-36380": {
"checkid": "C-44622r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40912r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36380",
"ruleID": "SV-47784r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions.\n",
"version": "SRG-APP-040-NA"
},
"V-36381": {
"checkid": "C-44623r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Application functionality is typically broken down into modules that perform various tasks or roles. Examples of non-privileged application functionality include, but are not limited to, application modules written for displaying data or printing reports. \nRationale for non-applicability: The MDM server does not expose non-privileged (non-security) application functions, so there is no non-security functionality from which its security functions would need to be isolated.",
"fixid": "F-40913r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36381",
"ruleID": "SV-47785r1_rule",
"severity": "medium",
"title": "Applications must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.",
"version": "SRG-APP-235-NA"
},
"V-36382": {
"checkid": "C-44624r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40914r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36382",
"ruleID": "SV-47786r1_rule",
"severity": "medium",
"title": "Applications must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.\n",
"version": "SRG-APP-054-NA"
},
"V-36383": {
"checkid": "C-44625r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40915r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36383",
"ruleID": "SV-47787r1_rule",
"severity": "medium",
"title": "Applications must enforce information flow using dynamic control based on policy that allows or disallows information flow based on changing conditions or operational considerations.\n",
"version": "SRG-APP-055-NA"
},
"V-36384": {
"checkid": "C-44626r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nRationale for non-applicability: The MDM server is required to protect the confidentiality of its communications (see requirement SRG-APP-196-MDM server-212-MEM), which means its traffic must remain encrypted in transit and is therefore intentionally not available to network content-checking mechanisms; permitting such content checking would undermine that confidentiality requirement.",
"fixid": "F-40916r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36384",
"ruleID": "SV-47788r1_rule",
"severity": "medium",
"title": "Applications must prevent encrypted data from bypassing content-checking mechanisms.\n",
"version": "SRG-APP-056-NA"
},
"V-36385": {
"checkid": "C-44627r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: The MDM server does not manage data content.",
"fixid": "F-40917r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36385",
"ruleID": "SV-47789r1_rule",
"severity": "medium",
"title": "Applications must enforce organization defined limitations on the embedding of data types within other data types.\n",
"version": "SRG-APP-057-NA"
},
"V-36386": {
"checkid": "C-44628r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Security functions are defined as \"the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based\". \nRationale for non-applicability: The MDM server does not support multiple domains.",
"fixid": "F-40918r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36386",
"ruleID": "SV-47790r1_rule",
"severity": "medium",
"title": "Applications must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the integrity of, the hardware, software, and firmware that perform those security functions. The application must isolate security functions from non-security functions.",
"version": "SRG-APP-233-NA"
},
"V-36387": {
"checkid": "C-44629r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. \n\nRemote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. \n\nAutomated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.\n\nRemote access applications such as those providing remote access to network devices and information systems that are individually configured with no monitoring or automation capabilities increase risk and make remote user access management difficult at best.\n\nApplications providing remote access capability need to provide the ability to automatically monitor and control remote user sessions. This includes the capability to directly trigger actions based on user activity or pass information and/or data to a separate application or entity that can then perform automated tasks based on the information.\n\nRationale for non-applicability: The MDM server application is not directly administered remotely (i.e., from an external, non-organization-controlled network as defined above), so the application itself does not provide a remote access capability; any remote access to the host on which it runs is governed by the host and network infrastructure rather than by the MDM application.",
"fixid": "F-40919r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36387",
"ruleID": "SV-47791r1_rule",
"severity": "medium",
"title": "Applications providing remote access must have capabilities that allow all remote access to be routed through managed access control points.\n",
"version": "SRG-APP-017-NA"
},
"V-36388": {
"checkid": "C-44631r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40920r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36388",
"ruleID": "SV-47792r1_rule",
"severity": "medium",
"title": "Applications must enforce information flow control on metadata.\n",
"version": "SRG-APP-058-NA"
},
"V-36389": {
"checkid": "C-44630r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. \nRationale for non-applicability: The MDM server should only be accessed by authorized administrators, which means that non-privileged accounts will not be present and there is no general-user interface on which management functionality could be presented.",
"fixid": "F-40921r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36389",
"ruleID": "SV-47793r1_rule",
"severity": "medium",
"title": "The application must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.",
"version": "SRG-APP-212-NA"
},
"V-36390": {
"checkid": "C-44632r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40922r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36390",
"ruleID": "SV-47794r1_rule",
"severity": "medium",
"title": "Applications must use security policy filters as a basis for making information flow control decisions.\n",
"version": "SRG-APP-059-NA"
},
"V-36391": {
"checkid": "C-44633r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. \nRationale for non-applicability: There are no general (non-privileged) users on an MDM server, only administrators, so there is no user functionality to separate from management functionality.",
"fixid": "F-40923r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36391",
"ruleID": "SV-47795r1_rule",
"severity": "medium",
"title": "The application must separate user functionality (including user interface services) from information system management functionality.",
"version": "SRG-APP-211-NA"
},
"V-36392": {
"checkid": "C-44634r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.",
"fixid": "F-40924r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36392",
"ruleID": "SV-47796r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters.\n",
"version": "SRG-APP-041-NA"
},
"V-36393": {
"checkid": "C-44636r2_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "When data is written to portable digital media such as thumb drives, floppy diskettes, compact disks, magnetic tape, etc., there is a risk of data loss. \nRationale for non-applicability: The MDM server does not write data to portable digital media.",
"fixid": "F-40925r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36393",
"ruleID": "SV-47797r1_rule",
"severity": "medium",
"title": "Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.",
"version": "SRG-APP-187-NA"
},
"V-36394": {
"checkid": "C-44635r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nFrom an application perspective, flow control is established once application data flow modeling has been completed. Data flow modeling can be described as: the process of identifying, modeling and documenting how data moves around an information system. Data flow modeling examines processes (activities that transform data from one form to another), data stores (the holding areas for data), external entities (what sends data into a system or receives data from a system), and data flows (routes by which data can flow). \n\nOnce the application data flows have been identified, corresponding flow controls can be applied at the appropriate points.\n\nA few examples of flow control restrictions include: keeping export controlled information from being transmitted in the clear to the Internet and blocking information that is marked as classified but is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path.\n\nApplication specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways and cross domain solutions) employing rule sets or establishing configuration settings restricting information system services or providing message filtering capability based on content (e.g., using key word searches or document characteristics). \n\nA crucial part of any flow control solution is the ability to create policy filters. Policy filters serve to enact and enforce the organizational policy as it pertains to controlling data flow. \n\nOrganization-defined security policy filters include file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters. \n\n- Structured data permits the interpretation of its content by virtue of atomic elements that are understandable by an application and indivisible. \n- Unstructured data refers to masses of (usually) digital information that does not have a data structure or does have a data structure that is not easily readable by a machine. Unstructured data consists of two basic categories: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects based on a written or printed language (i.e., commercial off-the-shelf word processing documents, spreadsheets, or emails).\n\nApplications providing information flow control must provide the capability for privileged administrators to configure security policy filters to support different security policies.\n\nRationale for non-applicability: Information flow control only applies to a CDS. An MDM server is not a cross domain solution.\n",
"fixid": "F-40926r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36394",
"ruleID": "SV-47798r1_rule",
"severity": "medium",
"title": "Applications providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies.\n",
"version": "SRG-APP-042-NA"
},
"V-36395": {
"checkid": "C-44637r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "There are security-related issues arising from software brought into the information system specifically for diagnostic and repair actions. (e.g., a software packet sniffer installed on a system in order to troubleshoot system traffic, or a vendor installing or running a diagnostic application in order to troubleshoot an issue with a vendor supported system).\nRationale for non-applicability: Malicious code scanning is not within the scope of MDM server functionality.",
"fixid": "F-40927r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36395",
"ruleID": "SV-47799r1_rule",
"severity": "medium",
"title": "Applications scanning for malicious code must scan all media used for system maintenance prior to use.",
"version": "SRG-APP-073-NA"
},
"V-36396": {
"checkid": "C-44638r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Organizations need to monitor for unauthorized remote access connections to information systems in order to determine if break-in attempts or other unauthorized activity is occurring. There are already other SRG requirements for applications to generate audit connection logs to record connection activity. It is for the organization to determine which of those audited connections is unauthorized. \nRationale for non-applicability: This requirement is better managed by the operating system.",
"fixid": "F-40928r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36396",
"ruleID": "SV-47800r1_rule",
"severity": "medium",
"title": "The application must monitor for unauthorized remote connections to the information system on an organization defined frequency.\n",
"version": "SRG-APP-018-NA"
},
"V-36397": {
"checkid": "C-44639r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "User based collaboration and information sharing applications present challenges regarding classification and dissemination of information generated and shared among the application users. These types of applications are intended to share information created and stored within the application; however, not all users have a need to view all data created or stored within the collaboration tool. \nRationale for non-applicability: This control primarily applies to the discretionary sharing of information resources by data owners. This type of service is unrelated to MDM server functionality.",
"fixid": "F-40929r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36397",
"ruleID": "SV-47801r1_rule",
"severity": "medium",
"title": "The application must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.\n",
"version": "SRG-APP-032-NA"
},
"V-36398": {
"checkid": "C-44640r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Incident tracking is a method of monitoring networks and systems for activity indicative of viral infection or system attack. \nRationale for non-applicability: An MDM server is not an incident tracking application.",
"fixid": "F-40930r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36398",
"ruleID": "SV-47802r1_rule",
"severity": "medium",
"title": "Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents.",
"version": "SRG-APP-182-NA"
},
"V-36399": {
"checkid": "C-44641r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This includes being able to define a least disruptive action that the application takes to terminate suspicious events. A least disruptive action may include initiating a request for human response rather than blocking traffic or disrupting system operation.\n\nRationale for non-applicability: The MDM server is not an IDS.",
"fixid": "F-40931r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36399",
"ruleID": "SV-47803r1_rule",
"severity": "medium",
"title": "The application must support taking organization defined list of least-disruptive actions to terminate suspicious events.\n",
"version": "SRG-APP-287-NA"
},
"V-36400": {
"checkid": "C-44642r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "When responding to a security incident, a capability must exist allowing authorized personnel to disable a particular system if the system exhibits a security violation and the organization determines an action is warranted. \nRationale for non-applicability: This requirement is better covered by another CCI. CCI-001274 ensures the MDM server has the capability to disable a commercial mobile device (CMD) if an incident is detected.",
"fixid": "F-40932r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36400",
"ruleID": "SV-47804r1_rule",
"severity": "medium",
"title": "Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected.",
"version": "SRG-APP-181-NA"
},
"V-36401": {
"checkid": "C-44643r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\nRationale for non-applicability: This vulnerability is better addressed by another CCI. CCI-000130 covers audit records to a sufficient degree for the MDM server.",
"fixid": "F-40933r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36401",
"ruleID": "SV-47805r1_rule",
"severity": "medium",
"title": "Applications must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.\n",
"version": "SRG-APP-101-NA"
},
"V-36402": {
"checkid": "C-44644r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \nRationale for non-applicability: There is no business purpose for a non-organizational user to access the MDM server system.",
"fixid": "F-40934r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36402",
"ruleID": "SV-47806r1_rule",
"severity": "medium",
"title": "The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).",
"version": "SRG-APP-180-NA"
},
"V-36403": {
"checkid": "C-44645r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Device authentication is a solution enabling an organization to manage devices. \nRationale for non-applicability: While the MDM server manages wireless devices, those devices establish their wireless connections with the carrier infrastructure, not with the MDM server. The MDM server therefore does not itself establish wireless network connections, and this requirement, which concerns authenticating devices before establishing wireless network connections, does not apply to it.",
"fixid": "F-40935r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36403",
"ruleID": "SV-47807r1_rule",
"severity": "medium",
"title": "Applications managing network connections for devices must authenticate devices before establishing wireless network connections by using bidirectional authentication that is cryptographically based.",
"version": "SRG-APP-160-NA"
},
"V-36404": {
"checkid": "C-44646r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "It is critical when a system is at risk of failing to process audit logs as required; actions are automatically taken to mitigate the failure. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \nRationale for non-applicability: MDM server functionality involves the transfer of small policy and configuration files and other commands, none of which are expected to trigger network volume thresholds. If such protection is desired, it is better performed by the operating system or a network firewall.",
"fixid": "F-40936r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36404",
"ruleID": "SV-47808r1_rule",
"severity": "medium",
"title": "The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.\n",
"version": "SRG-APP-105-NA"
},
"V-36405": {
"checkid": "C-44647r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Applications are typically designed to incorporate their audit logs into the auditing sub-system hosted by the operating system. However, in some instances application developers may decide to forego the audit capabilities offered by the operating system and maintain application audit logs separately. \nRationale for non-applicability: This requirement is not applicable to an MDM server. It is applicable to a central audit management system.",
"fixid": "F-40937r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36405",
"ruleID": "SV-47809r1_rule",
"severity": "medium",
"title": "The application must have the capability to produce audit records on hardware-enforced, write-once media.\n",
"version": "SRG-APP-124-NA"
},
"V-36406": {
"checkid": "C-44648r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \nRationale for non-applicability: The MDM server should only be accessed by authorized administrators, which means that non-privileged accounts will not be present.",
"fixid": "F-40938r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36406",
"ruleID": "SV-47810r1_rule",
"severity": "medium",
"title": "The application must use organization defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
"version": "SRG-APP-157-NA"
},
"V-36407": {
"checkid": "C-44649r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40939r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36407",
"ruleID": "SV-47811r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to enforce password complexity by the number of lower case characters used.\n",
"version": "SRG-APP-167-NA"
},
"V-36408": {
"checkid": "C-44650r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \nRationale for non-applicability: The MDM server should only be accessed by authorized administrators, which means that non-privileged accounts will not be present.",
"fixid": "F-40940r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36408",
"ruleID": "SV-47812r1_rule",
"severity": "medium",
"title": "Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access.",
"version": "SRG-APP-155-NA"
},
"V-36409": {
"checkid": "C-44651r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40941r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36409",
"ruleID": "SV-47813r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to enforce password complexity by the number of numeric characters used.\n",
"version": "SRG-APP-168-NA"
},
"V-36410": {
"checkid": "C-44652r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \nRationale for non-applicability: Authentication to the MDM server is controlled by the Enterprise Authentication Mechanism.",
"fixid": "F-40942r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36410",
"ruleID": "SV-47814r1_rule",
"severity": "medium",
"title": "Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access.",
"version": "SRG-APP-154-NA"
},
"V-36411": {
"checkid": "C-44653r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Passwords need to be changed at specific policy based intervals. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40943r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36411",
"ruleID": "SV-47815r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to enforce the number of characters that get changed when passwords are changed.\n",
"version": "SRG-APP-170-NA"
},
"V-36412": {
"checkid": "C-44654r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised.\nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40944r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36412",
"ruleID": "SV-47816r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to enforce password encryption for storage.\n",
"version": "SRG-APP-171-NA"
},
"V-36413": {
"checkid": "C-44655r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \nRationale for non-applicability: The MDM server should only be accessed by authorized administrators, which means that non-privileged accounts will not be present.",
"fixid": "F-40945r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36413",
"ruleID": "SV-47817r1_rule",
"severity": "medium",
"title": "The application must use multifactor authentication for local access to non-privileged accounts.",
"version": "SRG-APP-152-NA"
},
"V-36414": {
"checkid": "C-44656r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Password minimum lifetime is defined as: the minimum period of time, (typically in days) a user's password must be in effect before the user can change it. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40946r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36414",
"ruleID": "SV-47818r1_rule",
"severity": "medium",
"title": "Applications must enforce password minimum lifetime restrictions.\n",
"version": "SRG-APP-173-NA"
},
"V-36415": {
"checkid": "C-44657r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \nRationale for non-applicability: The MDM server should only be accessed by authorized administrators, which means that non-privileged accounts will not be present.",
"fixid": "F-40947r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36415",
"ruleID": "SV-47819r1_rule",
"severity": "medium",
"title": "The application must use multifactor authentication for network access to non-privileged accounts.",
"version": "SRG-APP-150-NA"
},
"V-36416": {
"checkid": "C-44658r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Password maximum lifetime is defined as: the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40948r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36416",
"ruleID": "SV-47820r1_rule",
"severity": "medium",
"title": "Applications must enforce password maximum lifetime restrictions.\n",
"version": "SRG-APP-174-NA"
},
"V-36417": {
"checkid": "C-44659r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated. \nRationale for non-applicability: The MDM server will leverage Enterprise Authentication Mechanism accounts. Therefore, the Enterprise Authentication Mechanism will perform authentication, and not the application. This is better covered by SRG-APP-149-MDM server-033-SRV.",
"fixid": "F-40949r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36417",
"ruleID": "SV-47821r1_rule",
"severity": "medium",
"title": "The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).",
"version": "SRG-APP-148-NA"
},
"V-36418": {
"checkid": "C-44660r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40950r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36418",
"ruleID": "SV-47822r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to prohibit password reuse for the organization defined number of generations.\n",
"version": "SRG-APP-165-NA"
},
"V-36419": {
"checkid": "C-44661r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information system backup is a critical step in maintaining data assurance and availability. \nRationale for non-applicability: The MDM server does not manage documentation. Documentation is readily available from a number of sources, including online.",
"fixid": "F-40951r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36419",
"ruleID": "SV-47823r1_rule",
"severity": "medium",
"title": "The application must support and must not impede organizational requirements to conduct backups of information system documentation including security-related documentation per organization defined frequency.",
"version": "SRG-APP-147-NA"
},
"V-36420": {
"checkid": "C-44662r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \nRationale for non-applicability: The MDM server must use the Enterprise Authentication Mechanism for administrator accounts.",
"fixid": "F-40952r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36420",
"ruleID": "SV-47824r1_rule",
"severity": "medium",
"title": "The application must support organizational requirements to enforce minimum password length.\n",
"version": "SRG-APP-164-NA"
},
"V-36421": {
"checkid": "C-44663r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: An MDM server supports only one security domain.",
"fixid": "F-40953r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36421",
"ruleID": "SV-47825r1_rule",
"severity": "medium",
"title": "Applications providing flow control must identify data type, specification and usage when transferring information between different security domains so that policy restrictions may be applied.\n",
"version": "SRG-APP-043-NA"
},
"V-36422": {
"checkid": "C-44664r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information system backup is a critical step in maintaining data assurance and availability. \nRationale for non-applicability: The MDM server is not a Backup / Disaster Recovery oriented application. To the extent such services are needed, they would be provided by the operating system or backup agent software. In addition, the administrators who access the MDM server are not expected to have any user-level information to perform their administrative functions.",
"fixid": "F-40954r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36422",
"ruleID": "SV-47826r1_rule",
"severity": "medium",
"title": "Backup / Disaster Recovery oriented applications must be capable of backing up user-level information per a defined frequency.",
"version": "SRG-APP-145-NA"
},
"V-36423": {
"checkid": "C-44665r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). \nRationale for non-applicability: MDM server functionality is controlled by the assigned administrator role. ",
"fixid": "F-40956r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36423",
"ruleID": "SV-47827r1_rule",
"severity": "medium",
"title": "Applications must adhere to the principles of least functionality by providing only essential capabilities.",
"version": "SRG-APP-141-NA"
},
"V-36424": {
"checkid": "C-44666r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: An MDM server supports only one security domain.",
"fixid": "F-40955r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36424",
"ruleID": "SV-47828r1_rule",
"severity": "medium",
"title": "Applications, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.\n",
"version": "SRG-APP-044-NA"
},
"V-36425": {
"checkid": "C-44667r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \nRationale for non-applicability: This vulnerability is better addressed by another CCI. CCI-000066 deals with remote access to the device.",
"fixid": "F-40957r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36425",
"ruleID": "SV-47829r1_rule",
"severity": "medium",
"title": "Applications must provide the ability to enforce security policies regarding information on interconnected systems.\n",
"version": "SRG-APP-048-NA"
},
"V-36426": {
"checkid": "C-44668r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Configuration settings are the configurable security-related parameters of operating system. \nRationale for non-applicability: This vulnerability is better addressed by CCI-000370.\n",
"fixid": "F-40958r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36426",
"ruleID": "SV-47830r1_rule",
"severity": "medium",
"title": "The MDM server must have the capability to use automated mechanisms to centrally apply configuration settings to managed mobile devices.",
"version": "SRG-APP-136-NA"
},
"V-36427": {
"checkid": "C-44669r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \nRationale for non-applicability: This vulnerability is better addressed by another CCI. CCI-000066 deals with remote access to the device.",
"fixid": "F-40959r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36427",
"ruleID": "SV-47831r1_rule",
"severity": "medium",
"title": "The application must bind security attributes to information to facilitate information flow policy enforcement.\n",
"version": "SRG-APP-052-NA"
},
"V-36428": {
"checkid": "C-44670r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.",
"description": "Regarding access restrictions for changes made to organization defined information system components and system level information. Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \nRationale for non-applicability: The IA posture of the MDM server does not warrant application of the two-person rule.",
"fixid": "F-40960r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-36428",
"ruleID": "SV-47832r1_rule",
"severity": "medium",
"title": "The application must support the enforcement of a two-person rule for changes to organization defined application components and system-level information.",
"version": "SRG-APP-132-NA"
},
"V-36429": {
"checkid": "C-44671r1_chk",
"checktext": "This requirement is NA for the MDM server SRG.\n",
"description": "Applications must employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. \nRationale for non-applicability: An MDM server supports only one security domain.",
"fixid": "F-40961r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-36429",
"ruleID": "SV-47833r1_rule",
"severity": "medium",
"title": "Applications must be able to function within separate processing domains (virtualized systems), when specified, so as to enable finer-grained allocation of user privileges.\n",
"version": "SRG-APP-064-NA"
},
"V-36430": {
"checkid": "C-44672r1_chk",
"checktext": "Examine the server configuration to determine whether there is a DoD approved host-based firewall installed. If no firewall is installed, this is a finding. If a non-approved firewall is installed, this is a finding.\n",
"description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since MDM server is a critical component of the mobility architecture and it must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A host firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality.",
"fixid": "F-40962r1_fix",
"fixtext": "Remove any non-approved firewalls if present. \n\nInstall a DoD approved host-based firewall. ",
"iacontrols": null,
"id": "V-36430",
"ruleID": "SV-47834r1_rule",
"severity": "high",
"title": "The MDM server must have a DoD approved host-based firewall installed on the host server.\n",
"version": "SRG-APP-142-MDM-028-SRV"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critial Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-36006": "true",
"V-36007": "true",
"V-36008": "true",
"V-36009": "true",
"V-36010": "true",
"V-36011": "true",
"V-36012": "true",
"V-36013": "true",
"V-36014": "true",
"V-36015": "true",
"V-36016": "true",
"V-36017": "true",
"V-36018": "true",
"V-36019": "true",
"V-36020": "true",
"V-36021": "true",
"V-36022": "true",
"V-36023": "true",
"V-36024": "true",
"V-36025": "true",
"V-36026": "true",
"V-36027": "true",
"V-36028": "true",
"V-36029": "true",
"V-36030": "true",
"V-36031": "true",
"V-36032": "true",
"V-36033": "true",
"V-36034": "true",
"V-36035": "true",
"V-36036": "true",
"V-36037": "true",
"V-36038": "true",
"V-36039": "true",
"V-36040": "true",
"V-36041": "true",
"V-36042": "true",
"V-36043": "true",
"V-36044": "true",
"V-36045": "true",
"V-36046": "true",
"V-36047": "true",
"V-36048": "true",
"V-36049": "true",
"V-36050": "true",
"V-36051": "true",
"V-36052": "true",
"V-36053": "true",
"V-36054": "true",
"V-36055": "true",
"V-36056": "true",
"V-36057": "true",
"V-36058": "true",
"V-36059": "true",
"V-36060": "true",
"V-36061": "true",
"V-36062": "true",
"V-36063": "true",
"V-36064": "true",
"V-36065": "true",
"V-36066": "true",
"V-36067": "true",
"V-36068": "true",
"V-36069": "true",
"V-36070": "true",
"V-36071": "true",
"V-36072": "true",
"V-36073": "true",
"V-36074": "true",
"V-36075": "true",
"V-36076": "true",
"V-36077": "true",
"V-36078": "true",
"V-36079": "true",
"V-36080": "true",
"V-36081": "true",
"V-36082": "true",
"V-36083": "true",
"V-36084": "true",
"V-36085": "true",
"V-36086": "true",
"V-36087": "true",
"V-36088": "true",
"V-36089": "true",
"V-36090": "true",
"V-36091": "true",
"V-36092": "true",
"V-36093": "true",
"V-36094": "true",
"V-36095": "true",
"V-36096": "true",
"V-36097": "true",
"V-36098": "true",
"V-36099": "true",
"V-36100": "true",
"V-36101": "true",
"V-36102": "true",
"V-36103": "true",
"V-36104": "true",
"V-36105": "true",
"V-36106": "true",
"V-36107": "true",
"V-36108": "true",
"V-36109": "true",
"V-36110": "true",
"V-36111": "true",
"V-36112": "true",
"V-36113": "true",
"V-36114": "true",
"V-36115": "true",
"V-36116": "true",
"V-36117": "true",
"V-36118": "true",
"V-36119": "true",
"V-36120": "true",
"V-36121": "true",
"V-36122": "true",
"V-36123": "true",
"V-36124": "true",
"V-36125": "true",
"V-36126": "true",
"V-36127": "true",
"V-36128": "true",
"V-36129": "true",
"V-36130": "true",
"V-36131": "true",
"V-36132": "true",
"V-36133": "true",
"V-36134": "true",
"V-36135": "true",
"V-36136": "true",
"V-36137": "true",
"V-36138": "true",
"V-36139": "true",
"V-36140": "true",
"V-36141": "true",
"V-36142": "true",
"V-36143": "true",
"V-36144": "true",
"V-36145": "true",
"V-36146": "true",
"V-36147": "true",
"V-36148": "true",
"V-36149": "true",
"V-36150": "true",
"V-36151": "true",
"V-36152": "true",
"V-36153": "true",
"V-36154": "true",
"V-36155": "true",
"V-36156": "true",
"V-36157": "true",
"V-36158": "true",
"V-36159": "true",
"V-36160": "true",
"V-36161": "true",
"V-36162": "true",
"V-36163": "true",
"V-36164": "true",
"V-36165": "true",
"V-36166": "true",
"V-36167": "true",
"V-36168": "true",
"V-36169": "true",
"V-36170": "true",
"V-36171": "true",
"V-36172": "true",
"V-36173": "true",
"V-36174": "true",
"V-36175": "true",
"V-36176": "true",
"V-36177": "true",
"V-36178": "true",
"V-36179": "true",
"V-36180": "true",
"V-36181": "true",
"V-36182": "true",
"V-36183": "true",
"V-36184": "true",
"V-36185": "true",
"V-36186": "true",
"V-36187": "true",
"V-36188": "true",
"V-36189": "true",
"V-36190": "true",
"V-36191": "true",
"V-36192": "true",
"V-36193": "true",
"V-36194": "true",
"V-36195": "true",
"V-36196": "true",
"V-36197": "true",
"V-36198": "true",
"V-36199": "true",
"V-36200": "true",
"V-36201": "true",
"V-36202": "true",
"V-36203": "true",
"V-36204": "true",
"V-36205": "true",
"V-36206": "true",
"V-36207": "true",
"V-36208": "true",
"V-36209": "true",
"V-36210": "true",
"V-36211": "true",
"V-36212": "true",
"V-36213": "true",
"V-36214": "true",
"V-36215": "true",
"V-36216": "true",
"V-36217": "true",
"V-36218": "true",
"V-36219": "true",
"V-36220": "true",
"V-36221": "true",
"V-36222": "true",
"V-36223": "true",
"V-36224": "true",
"V-36225": "true",
"V-36226": "true",
"V-36227": "true",
"V-36228": "true",
"V-36229": "true",
"V-36230": "true",
"V-36231": "true",
"V-36232": "true",
"V-36233": "true",
"V-36234": "true",
"V-36235": "true",
"V-36236": "true",
"V-36237": "true",
"V-36238": "true",
"V-36239": "true",
"V-36240": "true",
"V-36241": "true",
"V-36242": "true",
"V-36243": "true",
"V-36244": "true",
"V-36245": "true",
"V-36246": "true",
"V-36247": "true",
"V-36248": "true",
"V-36249": "true",
"V-36250": "true",
"V-36251": "true",
"V-36252": "true",
"V-36253": "true",
"V-36254": "true",
"V-36255": "true",
"V-36256": "true",
"V-36257": "true",
"V-36258": "true",
"V-36259": "true",
"V-36260": "true",
"V-36261": "true",
"V-36262": "true",
"V-36263": "true",
"V-36264": "true",
"V-36265": "true",
"V-36266": "true",
"V-36267": "true",
"V-36268": "true",
"V-36269": "true",
"V-36270": "true",
"V-36271": "true",
"V-36272": "true",
"V-36273": "true",
"V-36274": "true",
"V-36275": "true",
"V-36276": "true",
"V-36277": "true",
"V-36278": "true",
"V-36279": "true",
"V-36280": "true",
"V-36281": "true",
"V-36282": "true",
"V-36283": "true",
"V-36284": "true",
"V-36285": "true",
"V-36286": "true",
"V-36287": "true",
"V-36288": "true",
"V-36289": "true",
"V-36290": "true",
"V-36291": "true",
"V-36292": "true",
"V-36293": "true",
"V-36294": "true",
"V-36295": "true",
"V-36296": "true",
"V-36297": "true",
"V-36298": "true",
"V-36299": "true",
"V-36300": "true",
"V-36301": "true",
"V-36302": "true",
"V-36303": "true",
"V-36304": "true",
"V-36305": "true",
"V-36306": "true",
"V-36307": "true",
"V-36308": "true",
"V-36309": "true",
"V-36310": "true",
"V-36311": "true",
"V-36312": "true",
"V-36313": "true",
"V-36314": "true",
"V-36315": "true",
"V-36316": "true",
"V-36317": "true",
"V-36318": "true",
"V-36319": "true",
"V-36320": "true",
"V-36321": "true",
"V-36322": "true",
"V-36323": "true",
"V-36324": "true",
"V-36325": "true",
"V-36326": "true",
"V-36327": "true",
"V-36328": "true",
"V-36329": "true",
"V-36330": "true",
"V-36331": "true",
"V-36332": "true",
"V-36333": "true",
"V-36334": "true",
"V-36335": "true",
"V-36336": "true",
"V-36337": "true",
"V-36338": "true",
"V-36339": "true",
"V-36340": "true",
"V-36341": "true",
"V-36342": "true",
"V-36343": "true",
"V-36344": "true",
"V-36345": "true",
"V-36346": "true",
"V-36347": "true",
"V-36348": "true",
"V-36349": "true",
"V-36350": "true",
"V-36351": "true",
"V-36352": "true",
"V-36353": "true",
"V-36354": "true",
"V-36355": "true",
"V-36356": "true",
"V-36357": "true",
"V-36358": "true",
"V-36359": "true",
"V-36360": "true",
"V-36361": "true",
"V-36362": "true",
"V-36363": "true",
"V-36364": "true",
"V-36365": "true",
"V-36366": "true",
"V-36367": "true",
"V-36368": "true",
"V-36370": "true",
"V-36371": "true",
"V-36372": "true",
"V-36373": "true",
"V-36374": "true",
"V-36375": "true",
"V-36376": "true",
"V-36377": "true",
"V-36378": "true",
"V-36379": "true",
"V-36380": "true",
"V-36381": "true",
"V-36382": "true",
"V-36383": "true",
"V-36384": "true",
"V-36385": "true",
"V-36386": "true",
"V-36387": "true",
"V-36388": "true",
"V-36389": "true",
"V-36390": "true",
"V-36391": "true",
"V-36392": "true",
"V-36393": "true",
"V-36394": "true",
"V-36395": "true",
"V-36396": "true",
"V-36397": "true",
"V-36398": "true",
"V-36399": "true",
"V-36400": "true",
"V-36401": "true",
"V-36402": "true",
"V-36403": "true",
"V-36404": "true",
"V-36405": "true",
"V-36406": "true",
"V-36407": "true",
"V-36408": "true",
"V-36409": "true",
"V-36410": "true",
"V-36411": "true",
"V-36412": "true",
"V-36413": "true",
"V-36414": "true",
"V-36415": "true",
"V-36416": "true",
"V-36417": "true",
"V-36418": "true",
"V-36419": "true",
"V-36420": "true",
"V-36421": "true",
"V-36422": "true",
"V-36423": "true",
"V-36424": "true",
"V-36425": "true",
"V-36426": "true",
"V-36427": "true",
"V-36428": "true",
"V-36429": "true",
"V-36430": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "mobile_device_manager_security_requirements_guide",
"title": "Mobile Device Manager Security Requirements Guide",
"version": "1"
}
}