Identify the classified data stored, transmitted, or processed by the MDM server. Data processed by the MDM server that may be classified includes, but is not limited to, vulnerability-related alerts and audit log entries and, if the MDM processes email, the content of classified email messages.
Once the classified data are identified, determine whether there are any applicable DAR and DIT requirements for cryptography. Classified DIT transmitted between CMD and the MDM server must be encrypted. In general, if either classified DIT or DAR remain within a protected enclave that otherwise meets requirements for classified computing, then there are no requirements for encryption. However, local command or site policies requiring encryption will apply if they exist. If classified DIT leaves a protected enclave, then it must be encrypted. For example, classified vulnerability messages transmitted to an enterprise intrusion detection or response center must be encrypted if those messages are transmitted from the enclave in which the MDM server resides to the enclave in which the enterprise servers reside over a medium at a lower level of classification.
Once the requirements have been identified, determine the network component used to comply with the requirement. For example, when classified DIT is transmitted across network boundaries, HAIPE technology in the infrastructure may be used to protect DIT. In this case, the requirement does not apply to the MDM server.
For all identified classified DAR and DIT requirements addressed by the MDM server, review documentation associated with the cryptography implemented to comply with the requirement. Any cryptography used to protect classified DAR or DIT in this circumstance must be NSA-approved, although not necessarily with classified algorithms. If cryptography is not employed, or if the cryptography the MDM server employs is not NSA-approved, this is a finding.
Note: In cases where NSA-approved encryption is not required as described above, organizations may still implement cryptography to protect classified DAR or DIT as a defense-in-depth measure or for other reasons. In these cases, the cryptography need not be NSA-approved.