UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Mobile Email Management (MEM) Server Security Technical Implementation Guide (STIG)


Overview

Date Finding Count (37)
2012-07-20 CAT I (High): 2 CAT II (Med): 14 CAT III (Low): 21
STIG Description
This STIG provides technical security controls required for the use of a MEM server that manages mobile email from/to mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS 5 implementation when iOS 5 devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication.
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-32806 Medium All email sent to the mobile device must be managed by the mobile email server. Desktop or Internet controlled email redirection are not authorized.
V-32803 Medium The MEM client must support SHA2 or later signing operations.
V-32800 Medium The MEM client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.
V-32777 Medium The MEM client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
V-32799 Medium The MEM client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates.
V-32798 Medium The MEM client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates.
V-32793 Medium The MEM client S/MIME encryption algorithm must be 3DES both AES. When AES is used, AES 128 bit encryption key length is the minimum requirement; AES 256 desired.
V-32791 Medium The MEM client must be capable of providing S/MIME v3 (or later version) encryption of email.
V-32790 Medium The MEM server and client must encrypt all data using a FIPS 140-2 validated cryptographic module.
V-32797 Medium The MEM client must set the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available.
V-32794 Medium MEM client S/MIME cryptographic module must be FIPS 140-2 validated.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.).
V-32789 Medium All data (including email and attachments) sent over the wireless link between the mobile email client and MEM server located on the DoD network must be encrypted using AES.
V-32782 Medium The MEM client must verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions.
V-32807 Low If access is enabled to the MEM client contacts lists by the mobile device OS contact list, the list of contact information must be limited.
V-32805 Low The MEM client must support SHA2 signature verification.
V-32804 Low The MEM client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
V-32802 Low The MEM client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.
V-32801 Low The MEM client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified.
V-32779 Low The MEM client must alert the user if it receives an invalid public-key certificate.
V-32778 Low The MEM client must provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority.
V-32795 Low The MEM client must provide the capability to save public certificates of contacts in an acceptable method.
V-32776 Low The MEM client must provide users with the option to deny acceptance of a certificate when the certificates revocation status cannot be verified.
V-32792 Low The MEM client S/MIME must be fully interoperable with DoD PKI.
V-32796 Low The MEM client must cache the certificate status of signed emails that have been received on the handheld device for a period not extending beyond the expiration period of the revocation data.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis.
V-25754 Low The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate.
V-32788 Low The MEM client must alert the user if it receives an unverified public-key certificate.
V-32780 Low The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.
V-32781 Low The MEM client must not accept certificate revocation information without verifying its authenticity.
V-32783 Low The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.
V-32784 Low The MEM client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.
V-32785 Low The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.
V-32786 Low The MEM client must alert the user if the certificate uses an unverified CRL.
V-32787 Low The MEM client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.