
Mobile Email Management (MEM) Server Security Technical Implementation Guide (STIG)
Overview

Date: 2013-05-08
Finding Count: 31 (CAT I (High): 2, CAT II (Med): 15, CAT III (Low): 14)
STIG Description
This STIG provides technical security controls required for the use of a MEM server that manages mobile email from/to mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
V-32806 Medium All email sent to the mobile device must be managed by the mobile email server. Desktop- or Internet-controlled email redirection is not authorized.
V-32803 Medium The MEM client must support SHA2 or later signing operations.
V-32800 Medium The MEM client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.
V-32777 Medium The MEM client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
V-32799 Medium The MEM client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates.
V-32798 Medium The MEM client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates.
V-32793 Medium The MEM client S/MIME encryption algorithm must support both 3DES and AES.
V-32791 Medium The MEM client must be capable of providing S/MIME v3 (or later version) encryption of email.
V-32790 Medium The MEM server and client must encrypt all data using a FIPS 140-2 validated cryptographic module.
V-32797 Medium The MEM client must set the Smart Card or Certificate Store Password caching timeout period to no more than 120 minutes, if Smart Card or Certificate Store Password caching is available.
V-32794 Medium The MEM client S/MIME cryptographic module must be FIPS 140-2 validated.
V-24972 Medium The required mobile device management server version (or later) must be used.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
V-32789 Medium All data (including email and attachments) sent over the wireless link between the mobile email client and MEM server located on the DoD network must be encrypted using AES.
V-32782 Medium The MEM client must verify the user's digital certificate when performing PKI transactions.
V-32807 Low The MEM client must enable a system administrator to select which data fields in the contacts database will be available to applications outside of the contacts database.
V-32805 Low The MEM client must support SHA2 signature verification.
V-32804 Low The MEM client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
V-32802 Low The MEM client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.
V-32801 Low The MEM client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified.
V-32779 Low The MEM client must alert the user if it receives an invalid public-key certificate.
V-32795 Low The MEM client must provide the capability to save public certificates of contacts in an acceptable method.
V-32776 Low The MEM client must provide users with the option to deny acceptance of a certificate when the certificate's revocation status cannot be verified.
V-32792 Low The MEM client S/MIME must be fully interoperable with DoD PKI.
V-32796 Low The MEM client must not cache the certificate status of signed emails that have been received on the handheld device beyond the expiration period of the revocation data.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
V-25754 Low The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
V-32788 Low The MEM client must alert the user if it receives an unverified public-key certificate.
V-32781 Low The MEM client must not accept certificate revocation information without verifying its authenticity.