| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication. | CTO 07-15 Rev 1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
| V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
| V-32806 | Medium | All email sent to the mobile device must be managed by the mobile email server. Desktop or Internet controlled email redirection is not authorized. | Desktop or Internet controlled mobile email redirection does not allow the mobile email to be managed by a mobile email management server; therefore, email security policies cannot be enforced. |
| V-32803 | Medium | The MEM client must support SHA2 or later signing operations. | SHA2 or later signing is required because earlier signing algorithms have been compromised and do not provide the required level of trust. |
| V-32800 | Medium | The MEM client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. | Certificate validation is a key requirement of a robust PKI; therefore, the mobile email server must support all DoD accepted processes for distributing certificate status information. |
| V-32777 | Medium | The MEM client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority. | When the public-key certificate is issued from an untrusted certificate authority, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate... |
| V-32799 | Medium | The MEM client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates. | The email client must support signing operations (verifying digital signatures) and decrypting email using both software and hardware PKI certificates so that the DoD can use either certificate... |
| V-32798 | Medium | The MEM client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates. | The email client must support signing and encrypting email using both software and hardware PKI certificates so that the DoD can use either certificate form factor based on current policy,... |
| V-32793 | Medium | The MEM client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES 128 bit encryption key length is the minimum requirement; AES 256 desired. | 3DES and AES are the DoD standard for unclassified data encryption based on DoD PKI certificates. AES is preferred but some DoD CACs only support the 3DES encryption algorithm. When other... |
| V-32791 | Medium | The MEM client must be capable of providing S/MIME v3 (or later version) encryption of email. | Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical... |
| V-32790 | Medium | The MEM server and client must encrypt all data using a FIPS 140-2 validated cryptographic module. | FIPS 140-2 validated encryption is the DoD standard for unclassified data encryption. When non-FIPS validated encryption modules are used (other than Type 1) the required level of trust that... |
| V-32797 | Medium | The MEM client must set the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available. | The certificate/key store contents must not remain unencrypted indefinitely; otherwise, the encryption keys and PKI certificates stored in the store could be compromised. The store must re-encrypt... |
| V-32794 | Medium | The MEM client S/MIME cryptographic module must be FIPS 140-2 validated. | FIPS 140-2 validated encryption is the DoD standard for unclassified data encryption. When non-FIPS validated encryption modules are used (other than Type 1) the level of trust that sensitive DoD... |
| V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
| V-32789 | Medium | All data (including email and attachments) sent over the wireless link between the mobile email client and the MEM server located on the DoD network must be encrypted using AES. | AES is the DoD standard for unclassified data encryption. When other encryption algorithms are used (non-Type 1) the level of trust that sensitive DoD data cannot be compromised is not available. |
| V-32782 | Medium | The MEM client must verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. | The trust of any PKI operation is contingent on the certificate chain. Authentication and encryption services based on PKI would be untrusted if the certificate chain is not verified. |
| V-32807 | Low | If access to the MEM client contacts list is enabled from the mobile device OS contact list, the list of contact information must be limited. | Sensitive contact information could be exposed to unauthorized people. |
| V-32805 | Low | The MEM client must support SHA2 signature verification. | SHA2 or later signing is required because earlier signing algorithms have been compromised and do not provide the required level of trust. |
| V-32804 | Low | The MEM client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. | HTML email and inline images in email can contain malware or links to web sites with malware. |
| V-32802 | Low | The MEM client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. | S/MIME operations cannot be performed if the device user cannot access public encryption certificates for email recipients; therefore, if encryption certificates are not stored in the contacts... |
| V-32801 | Low | The MEM client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified. | Certificate validation is a key requirement of a robust PKI; therefore, the user must be notified if the status of a certificate on a signed email cannot be verified. |
| V-32779 | Low | The MEM client must alert the user if it receives an invalid public-key certificate. | When the public-key certificate is invalid, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email content based on... |
| V-32778 | Low | The MEM client must provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. | When the public-key certificate is issued from an untrusted certificate authority, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate... |
| V-32795 | Low | The MEM client must provide the capability to save public certificates of contacts in an acceptable method. | This capability is required to support S/MIME encryption of email. Without S/MIME, end-to-end data encryption is not possible and sensitive DoD data could be compromised. |
| V-32776 | Low | The MEM client must provide users with the option to deny acceptance of a certificate when the certificate's revocation status cannot be verified. | When the certificate revocation status cannot be verified, the email sender's identity cannot be verified and the user must have the capability to accept or deny the certificate and act on the... |
| V-32792 | Low | The MEM client S/MIME must be fully interoperable with DoD PKI. | Without DoD PKI interoperability, the S/MIME feature would not work and could not meet DoD S/MIME requirements. |
| V-32796 | Low | The MEM client must cache the certificate status of signed emails that have been received on the handheld device for a period not extending beyond the expiration period of the revocation data. | If the revocation status of the certificate is not cached, the email client would need to retrieve the status every time a user opens a signed email, which would cause a usability issue of the... |
| V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis. | If the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be... |
| V-25754 | Low | The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI. |
| V-32788 | Low | The MEM client must alert the user if it receives an unverified public-key certificate. | When the public-key certificate is unverified, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email... |
| V-32780 | Low | The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. | When the public-key certificate is invalid, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email... |
| V-32781 | Low | The MEM client must not accept certificate revocation information without verifying its authenticity. | When the public-key certificate has been identified as revoked but the revocation authenticity cannot be verified, the revocation cannot be trusted and the recipient must have the capability to... |
| V-32783 | Low | The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. | When the certificate is unverified, the email sender's identity cannot be verified and the user must have the capability to accept or deny the certificate and act on the email content based on... |
| V-32784 | Low | The MEM client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. | If a DoD certificate has a non-FIPS approved algorithm, the required level of assurance that any encryption operation is secure is not available. It may be possible to compromise the integrity of... |
| V-32785 | Low | The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. | If a DoD certificate has a non-FIPS approved algorithm, the required level of assurance that any encryption operation is secure is not available. It may be possible to compromise the integrity of... |
| V-32786 | Low | The MEM client must alert the user if the certificate uses an unverified CRL. | When the public-key certificate has been identified as being either valid or revoked but the status comes from an unverified CRL, the certificate status cannot be trusted and the recipient must... |
| V-32787 | Low | The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. | When the public-key certificate has been identified as being either valid or revoked but the status comes from an unverified CRL, the certificate status cannot be trusted and the recipient must... |