If the MDM server includes a mobile email management capability, the email client must cache the certificate status of signed emails that have been received on the handheld device for a period not extending beyond the expiration period of the revocation data.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-36227	SRG-APP-196-MDM-209-MEM	SV-47631r1_rule		Low

Description
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement is to cache the certificate status of signed emails on the mobile device.

STIG	Date
Mobile Device Manager Security Requirements Guide	2013-01-24

Details

Check Text ( C-44467r1_chk )
Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Determine if the mobile email client caches the certificate status of an email recipient's PKI certificate. If yes, verify the certificate status is purged from cache within 7 days after being saved. Seven days is considered the default value for the expiration period. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client saves the certificate status of an email recipient's PKI certificate and does not purge the certificate status within 7 days after being saved, this is a finding.

Check Text ( C-44467r1_chk )

Determine if the MDM server includes a mobile email management capability. If no, this requirement is not applicable. If yes, perform the following procedure: Determine if the mobile email client caches the certificate status of an email recipient's PKI certificate. If yes, verify the certificate status is purged from cache within 7 days after being saved. Seven days is considered the default value for the expiration period. Talk to the site system administrator and have them confirm this capability exists in the MDM server. Also, review the MDM server configuration. If the mobile email client saves the certificate status of an email recipient's PKI certificate and does not purge the certificate status within 7 days after being saved, this is a finding.

Fix Text (F-40757r1_fix)
If the MDM server saves the certificate status of an email recipient's PKI certificate, configure the MDM server to purge the certificate status within a period not extending beyond the expiration period of the revocation data.