Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-36218 | SRG-APP-194-MDM-201-MEM | SV-47622r1_rule | | Medium |
Description |
---|
If an adversary can access the key store, it may be able to use the keys to perform a variety of unauthorized transactions. It may also be able to modify public keys in a way that tricks the operating system into accepting invalid certificates. Encrypting the key store protects the integrity and confidentiality of keys. AES encryption with adequate key lengths provides assurance that the protection is strong. |
STIG | Date |
---|---|
Mobile Device Manager Security Requirements Guide | 2013-01-24 |
Check Text ( C-44458r1_chk ) |
---|
Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Verify the mobile email client supports using AES for all email (including email attachments) sent over the wireless link between the mobile email client and the MDM server located on the DoD network. Verify the AES encryption key length is at least 128 bits (a 128-bit AES key length is the minimum requirement; AES 256 is desired). Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client does not use AES 128 (or larger bit size) for all email (including email attachments) sent over the wireless link between the mobile email client and the MDM server located on the DoD network, this is a finding. |
Fix Text (F-40748r1_fix) |
---|
Configure the MDM server to support using AES 128 (or larger bit size) for all email (including email attachments) sent over the wireless link between the mobile email client and MEM server located on the DoD network. |