Mobile Operating System Security Requirements Guide


Overview

Date: 2013-07-03
Finding Count (322): CAT I (High): 21, CAT II (Med): 269, CAT III (Low): 32
STIG Description
The Mobile OS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST SP 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-33159 High The mobile operating system must employ NSA approved cryptography to protect classified information.
V-32951 High The mobile operating system must not automatically execute applications without user direction.
V-32959 High The mobile operating system must transfer audit logs to remote log or management servers.
V-33058 High The mobile operating system must not permit mobile service carriers to have privileged access to the operating system or perform any function not directed by the user.
V-33052 High The mobile operating system must prevent the installation of applications that are not digitally signed with a DoD approved private key.
V-33183 High The mobile operating system must support automated patch management tools to facilitate flaw remediation of all software components on the device.
V-33188 High The mobile operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-33067 High The mobile operating system must prevent a user from installing unapproved applications.
V-33113 High The mobile operating system must prevent the user of the device from directly administering UIDs, file permissions, and system configuration files, and from starting and stopping system processes.
V-33192 High The operating system must provide notification to an external device and halt the boot cycle if the OS detects tampering or fails operating system security tests.
V-33195 High The mobile operating system must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
V-33292 High The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.
V-33095 High The mobile operating system and mobile device management services must mutually authenticate each other using bi-directional PKI-based cryptographic authentication methods.
V-33013 High The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.
V-33182 High The mobile operating system must detect and report the version of the operating system, device drivers, and application software when queried by an authorized entity.
V-33169 High Only DoD PKI issued or DoD approved software authentication certificates may be installed on DoD mobile operating system devices.
V-33281 High The mobile operating system must employ malicious code protection mechanisms to detect and eradicate malicious code from installing and executing.
V-33271 High The mobile operating system must disable the mobile device upon the MDM agent's instruction, permitting someone in possession of the device to make emergency 911 calls only.
V-33001 High The mobile operating system must not transmit passwords in clear text.
V-33265 High The operating system must initiate security auditing at system start-up.
V-33149 High The mobile operating system PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-33088 Medium The operating system must use organization defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-33099 Medium The operating system must dynamically manage identifiers, attributes, and associated access authorizations.
V-33098 Medium The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
V-33009 Medium The operating system must enforce security policies regarding information on interconnected systems.
V-33156 Medium The mobile operating system PKI certificate store must be FIPS 140-2 validated.
V-33157 Medium The cryptographic module supporting Bluetooth data communications must be FIPS 140-2 validated.
V-33154 Medium The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.
V-33155 Medium The cryptographic module supporting the VPN client security functions must be FIPS 140-2 validated.
V-33152 Medium The operating system must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-33153 Medium The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.
V-33150 Medium The mobile operating system must support both software-based and hardware-based asymmetric key technology (e.g., CAC/PIV).
V-33151 Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
V-33255 Medium The operating system must only allow authorized entities to change security attributes.
V-33254 Medium The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-33257 Medium The operating system must only allow authorized users to associate security attributes with information.
V-33256 Medium The operating system maintains the binding of security attributes to information with sufficient assurance that the information attribute association can be used as the basis for automated policy actions.
V-33251 Medium The operating system must automatically audit account disabling actions.
V-33240 Medium The mobile operating system must re-encrypt all device data when the device is locked.
V-33158 Medium The cryptographic module supporting Wi-Fi security functions must be FIPS 140-2 validated.
V-33144 Medium The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
V-33241 Medium The mobile operating system must prohibit wireless remote access connections except for personal hotspot service.
V-32908 Medium The operating system must automatically disable inactive accounts after an organization defined time period.
V-33060 Medium The mobile operating system must verify the integrity of application software before each instance of its execution.
V-32987 Medium The mobile operating system must alert the user when it receives a public-key certificate issued from an untrusted certificate authority.
V-32956 Medium The operating system must produce audit records containing sufficient information to establish the sources of the events.
V-32950 Medium The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
V-32952 Medium The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-33090 Medium The mobile operating system's Bluetooth module must not permit any data transfer between devices prior to Bluetooth mutual authentication.
V-32933 Medium The operating system, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization defined time period or must lock the account until released by an administrator IAW organizational policy.
V-32932 Medium The operating system must enforce the organization defined limit of consecutive invalid access attempts by a user during the organization defined time period.
V-32930 Medium The mobile operating system must audit any use of privileged accounts, or roles, with access to organization defined security functions or security relevant information, when accessing other system functions.
V-33061 Medium The mobile operating system must detect the addition of unauthorized hardware components and peripherals at start up and when they are attached.
V-33123 Medium The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service attacks.
V-33122 Medium The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks.
V-33121 Medium The operating system must protect against or must limit the effects of the organization defined or referenced types of Denial of Service attacks.
V-33249 Medium The operating system must support and maintain the binding of organization defined security attributes to information in transmission.
V-33127 Medium The operating system must route organization defined internal communications traffic to organization defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
V-33126 Medium The operating system must connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-33125 Medium The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
V-33124 Medium The operating system must limit the use of resources by priority.
V-33242 Medium The mobile operating system must authenticate tethered connections to the device.
V-32982 Medium The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization defined level of tolerance.
V-33129 Medium The operating system must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
V-33128 Medium The operating system, at managed interfaces, must deny network traffic and must audit internal users (or malicious code) posing a threat to external information systems.
V-33246 Medium The operating system must notify the user of organization defined security-related changes to the user's account that occur during the organization defined time period.
V-33247 Medium The mobile operating system must maintain the binding of digital signatures on software components and applications in storage.
V-33244 Medium The operating system must notify the user of the number of successful logins/accesses that occur during the organization defined time period.
V-33245 Medium The operating system must notify the user of the number of unsuccessful login/access attempts that occur during organization defined time period.
V-33059 Medium The operating system must configure the information system to specifically prohibit or restrict the use of organization defined functions, ports, protocols, and/or services.
V-32980 Medium The mobile operating system must allow organizational personnel through mobile device management services to select which auditable events are to be audited by the mobile operating system.
V-33053 Medium The operating system must enforce a two-person rule for changes to organization defined information system components and system-level information.
V-33051 Medium The operating system must employ automated mechanisms to support auditing of the enforcement actions.
V-33050 Medium The operating system must employ automated mechanisms to enforce access restrictions.
V-33057 Medium The mobile operating system must not permit a user to remove organizationally required applications.
V-33056 Medium The operating system must employ automated mechanisms to respond to unauthorized changes to organization defined configuration settings.
V-33055 Medium The operating system must employ automated mechanisms to centrally verify configuration settings.
V-33054 Medium The operating system must employ automated mechanisms to centrally apply configuration settings.
V-32943 Medium The mobile operating system must retain the device lock until the user reestablishes access using established identification and authentication procedures.
V-32941 Medium The operating system must limit the number of concurrent sessions for each account to an organization defined number of sessions.
V-32946 Medium The mobile operating system device lock, when activated on a device, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
V-32944 Medium The mobile operating system must lock the device following a minimum, organizationally-defined period of inactivity.
V-32945 Medium The mobile operating system must permit the user to directly initiate device lock.
V-33259 Medium The operating system must disable the use of organization defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
V-32948 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-32949 Medium The mobile operating system must use cryptography to protect the confidentiality of remote access sessions.
V-32998 Medium The mobile operating system must disallow the device unlock password from containing an organizationally-defined minimum number of numeric characters.
V-33258 Medium The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization identified set of special dissemination, handling, or distribution instructions using organization identified human-readable, standard naming conventions.
V-32924 Medium The operating system must support organization defined one-way flows using hardware mechanisms.
V-32925 Medium The operating system must enforce information flow control using organization defined security policy filters as a basis for flow control decisions.
V-32926 Medium The operating system must provide the capability for a privileged administrator to enable/disable organization defined security policy filters.
V-32927 Medium The operating system must provide the capability for a privileged administrator to configure the organization defined security policy filters to support different security policies.
V-32920 Medium The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations.
V-32921 Medium The operating system must prevent encrypted data from bypassing content checking mechanisms.
V-32922 Medium The operating system must enforce organization defined limitations on the embedding of data types within other data types.
V-32923 Medium The operating system must enforce information flow control on metadata.
V-32929 Medium The operating system must implement separation of duties through assigned information system access authorizations.
V-33131 Medium The operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
V-33132 Medium The operating system must prevent discovery of specific system components (or devices) composing a managed interface.
V-33133 Medium The operating system must employ automated mechanisms to enforce strict adherence to protocol format.
V-33134 Medium The operating system must fail securely in the event of an operational failure of a boundary protection device.
V-33135 Medium The operating system must protect the integrity of transmitted information.
V-33136 Medium The operating system must use multifactor authentication for network access to privileged accounts.
V-33137 Medium The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
V-33138 Medium The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
V-33139 Medium The mobile operating system's VPN client must use either IPSec or SSL/TLS when connecting to DoD networks.
V-32989 Medium The mobile operating system must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.
V-33164 Medium The mobile operating system must prohibit remote activation of collaborative computing functions, including microphones, cameras, and networked white boards without user concurrence.
V-33069 Medium The mobile operating system must only permit download of software from a DoD approved source (e.g., DoD operated mobile device application store or MDM server).
V-33239 Medium The mobile operating system must require a valid password be successfully entered before the mobile device data is unencrypted.
V-33238 Medium The mobile operating system must encrypt all data on the mobile device using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-33237 Medium The mobile operating system must employ mobile device management services to centrally manage security relevant configuration and policy settings.
V-33236 Medium The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
V-33235 Medium The mobile operating system maximum number of consecutive unsuccessful unlock attempts must be configurable within a range from 5 to 10.
V-33234 Medium The mobile operating system must wipe data on both embedded storage and removable media when performing a data wipe function.
V-33233 Medium The mobile operating system must wipe all storage media after an organization defined number of consecutive, unsuccessful attempts to unlock the mobile device.
V-33232 Medium The operating system must uniquely authenticate source domains for information transfer.
V-33250 Medium The operating system must automatically audit account modification.
V-33253 Medium The operating system must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-33252 Medium The operating system must automatically audit account termination.
V-32911 Medium The operating system must dynamically manage user privileges and associated access authorizations.
V-32910 Medium The operating system must support the requirement to automatically audit on account creation.
V-32913 Medium The mobile operating system must enforce a mandatory access control (MAC) policy that prohibits any application, user, or process from modifying software in the trusted computing base with the exception of protected processes dedicated to performing updates to particular trusted computing base components.
V-32912 Medium The operating system must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.
V-32915 Medium The mobile operating system must enforce a mandatory access control (MAC) policy that prohibits any application from having both write and execute permissions to a file on the device.
V-32917 Medium The operating system must prevent access to organization defined security-relevant information except during secure, non-operable system states.
V-32916 Medium The mobile operating system must enforce a mandatory access control (MAC) policy that prohibits any application from accessing the data or code of another application unless such data or code has been expressly allowed by the policy to be a shared resource.
V-32919 Medium The operating system must enforce information flow control using protected processing domains (e.g., domain type enforcement) as a basis for flow control decisions.
V-32918 Medium The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-33178 Medium The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-33173 Medium The operating system must prevent the execution of prohibited mobile code.
V-33109 Medium The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-33070 Medium The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
V-33105 Medium The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-33104 Medium The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
V-33107 Medium The operating system must audit non-local maintenance and diagnostic sessions.
V-33106 Medium The operating system must terminate all sessions and network connections when non-local maintenance is completed.
V-33101 Medium The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-33100 Medium The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-33103 Medium The operating system must automatically terminate emergency accounts after an organization defined time period for each type of account.
V-33102 Medium The operating system must implement a configurable capability to automatically disable the operating system if any of the organization defined lists of security violations are detected.
V-33185 Medium The mobile operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
V-33184 Medium The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
V-33187 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-33186 Medium The operating system must not allow users to introduce removable media into the information system.
V-33181 Medium The operating system must install software updates automatically.
V-33180 Medium The operating system must employ organization defined information system components with no writeable storage that are persistent across component restart or power on/off.
V-33189 Medium The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.
V-33198 Medium The mobile operating system must not include authentication credentials or other sensitive information in audit records.
V-33108 Medium The operating system must protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user.
V-33783 Medium The operating system must use cryptographic mechanisms to protect the integrity of audit information.
V-33782 Medium The operating system at organization defined information system components must load and execute organization defined applications from hardware-enforced, read-only media.
V-33781 Medium The mobile device operating system must have access to DoD root and intermediate PKI certificates when performing DoD PKI related transactions.
V-33199 Medium The operating system must reveal error messages to authorized personnel only.
V-33784 Medium The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
V-32906 Medium The operating system must provide automated support for account management functions.
V-32907 Medium The operating system must automatically terminate temporary accounts after an organization defined time period for each type of account.
V-33062 Medium The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-33063 Medium The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-33119 Medium The mobile operating system must prevent non-DoD applications from accessing DoD data when the device supports multiple user environments (e.g., work and personal).
V-33066 Medium The operating system must implement transaction recovery for transaction-based systems.
V-33064 Medium The operating system must conduct backups of operating system documentation including security-related documentation per organization defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
V-33112 Medium The operating system must separate user functionality (including user interface services) from operating system management functionality.
V-33111 Medium The operating system must employ cryptographic mechanisms to protect information in storage.
V-33116 Medium The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
V-33117 Medium The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-33114 Medium The operating system must isolate security functions from non-security functions.
V-33115 Medium The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-33193 Medium The operating system must provide automated support for the management of distributed security testing.
V-33190 Medium The mobile operating system must protect information obtained from intrusion and integrity monitoring tools from unauthorized access, modification, and deletion.
V-33191 Medium The operating system must verify the correct operation of security functions in accordance with organization defined conditions and in accordance with organization defined frequency (if periodic verification).
V-33196 Medium The operating system must check the validity of information inputs.
V-33197 Medium The operating system must identify potentially security relevant error conditions.
V-33211 Medium The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
V-33210 Medium The operating system must enforce an organization defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both.
V-33213 Medium The operating system, when transferring information between different security domains, must detect unsanctioned information.
V-33212 Medium The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization defined information security policy requirements.
V-33215 Medium The operating system must uniquely identify source domains for information transfer.
V-33214 Medium The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy.
V-33291 Medium The mobile operating system must not permit a user to disable the password-protected lock feature on the device.
V-33290 Medium The mobile operating system must disallow more than an organizationally-defined quantity of sequential numbers (e.g., 456) in the device unlock password.
V-33293 Medium The mobile operating system must not cache smartcard or certificate store passwords for more than an organizationally-defined time period.
V-33295 Medium The mobile operating system must disable access to the device's contact database when the device is locked.
V-33294 Medium The mobile operating system must wipe the device upon the MDM agent's instruction.
V-32991 Medium The mobile operating system must give the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid.
V-32990 Medium The mobile operating system must alert the user if it receives an invalid public-key certificate.
V-32993 Medium The mobile operating system must require authentication to access private keys saved in the key certificate store.
V-32994 Medium The mobile operating system must enforce complexity requirements for the authentication to access private keys saved in the key certificate stores.
V-32997 Medium The mobile operating system must disallow the device unlock password from containing an organizationally-defined minimum number of lower case alphabetic characters.
V-32996 Medium The mobile operating system must disallow the device unlock password from containing less than an organizationally-defined minimum number of upper case alphabetic characters.
V-32979 Medium The mobile operating system must provide audit record generation capability for the auditable events defined at the organizational level for the mobile device.
V-32978 Medium The operating system must protect against an individual falsely denying having performed a particular action.
V-32970 Medium The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
V-32977 Medium The operating system must produce audit records on hardware-enforced, write-once media.
V-32976 Medium The mobile operating system must protect audit information from unauthorized deletion.
V-33206 Medium The mobile operating system must alert the Mobile Device Management or Intrusion Detection and Prevention System when it detects integrity check failures.
V-32999 Medium The mobile operating system must force the user to change an organizationally-defined minimum number of characters of the device unlock password whenever the passcode is changed.
V-33204 Medium The operating system must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
V-33205 Medium The operating system must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
V-33202 Medium The mobile operating system must validate the digital signature on signed software components or applications.
V-33203 Medium The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-33200 Medium The operating system must support the requirement that organizations, if an information system component failure is detected, must activate an organization defined alarm and/or automatically shut down the operating system.
V-33201 Medium The operating system must associate the identity of the information producer with the information.
V-33097 Medium The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices.
V-33096 Medium The mobile operating system VPN client must employ DoD PKI approved mechanisms for authentication when connecting to DoD networks.
V-33094 Medium The mobile operating system must authenticate devices before establishing remote network (e.g., VPN) connections using bidirectional cryptographically based authentication between devices.
V-33093 Medium The mobile operating system's Wi-Fi module must use EAP-TLS authentication when authenticating to DoD WLAN authentication servers.
V-33092 Medium The mobile operating system's Wi-Fi module must be WPA2 certified (enterprise and personal).
V-33208 Medium The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
V-33209 Medium The operating system must monitor for atypical usage of operating system accounts.
V-33015 Medium The mobile operating system must protect the integrity of the provisioning data while downloading to the mobile device during a trusted over-the-air (OTA) provisioning session.
V-33014 Medium The mobile operating system must protect the confidentiality of the provisioning data while downloading to the mobile device during a trusted over-the-air (OTA) provisioning session.
V-33012 Medium The operating system must provide the capability for a privileged administrator to configure organization defined security policy filters to support different security policies.
V-33011 Medium The mobile operating system must notify the user of certificate failures related to digital signatures on software applications or components.
V-33010 Medium The mobile operating system must notify mobile device management services of certificate failures related to digital signatures on software applications or components.
V-33167 Medium The mobile operating system must grant a downloaded application only the permissions that DoD has authorized for that application.
V-33165 Medium The Mobile OS must block both the inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers or other unapproved DoD systems.
V-33163 Medium The operating system must protect the integrity and availability of publicly available information and applications.
V-33161 Medium The mobile operating system must employ FIPS validated or NSA approved cryptography to implement digital signatures.
V-33160 Medium The operating system must employ FIPS validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals.
V-33778 Medium The operating system must prevent public access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-33288 Medium The operating system must notify, as required, appropriate individuals for account termination.
V-33289 Medium The operating system must use cryptographic mechanisms to protect the integrity of audit tools.
V-33286 Medium The operating system must notify, as required, appropriate individuals when accounts are modified.
V-33287 Medium The operating system must notify, as required, appropriate individuals when an account is disabled.
V-33284 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-33285 Medium The operating system must notify, as required, appropriate individuals when accounts are created.
V-33282 Medium The operating system must take organization defined list of least disruptive actions to terminate suspicious events.
V-33283 Medium The operating system must respond to security function anomalies in accordance with organization defined responses and alternative action(s).
V-33280 Medium The operating system must preserve organization defined system state information in the event of a system failure.
V-32968 Medium The operating system audit records must be able to be used by a report generation capability.
V-32960 Medium The mobile operating system must allocate sufficient audit record storage capacity for 24 hours of operation.
V-32961 Medium The mobile operating system must send alerts to the mobile device management server when the audit log size reaches an organization defined critical percentage of capacity and full capacity.
V-32962 Medium The mobile operating system must alert the mobile device management server in the event of an audit processing failure.
V-32965 Medium The mobile operating system must provide a real-time alert to the mobile device management server when organization defined audit failure events occur.
V-32966 Medium The operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.
V-32967 Medium The operating system must support an audit reduction capability.
V-33273 Medium The operating system uniquely must authenticate destination domains for information transfer.
V-33272 Medium The operating system uniquely must identify destination domains for information transfer.
V-33270 Medium The mobile operating system must prohibit modifications to software libraries unless performed as part of a software installation or update from a trusted source.
V-33277 Medium The operating system must enforce password complexity by the number of special characters used.
V-33276 Medium The operating system must ensure unauthorized, security relevant configuration changes detected are tracked.
V-33275 Medium The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-33274 Medium The operating system must track problems associated with the information transfer.
V-33084 Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-33085 Medium The operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
V-33279 Medium The operating system must take corrective actions, when unauthorized mobile code is identified.
V-33087 Medium The operating system must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-33086 Medium The operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed.
V-33082 Medium The operating system must use multifactor authentication for local access to privileged accounts.
V-33083 Medium The operating system must use multifactor authentication for local access to non-privileged accounts.
V-33005 Medium The mobile operating system must enforce a minimum length for the device unlock password.
V-33006 Medium The operating system must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-33007 Medium The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage.
V-33000 Medium The mobile operating system must encrypt passwords stored on the mobile device.
V-33002 Medium The operating system must enforce minimum password lifetime restrictions.
V-33089 Medium The mobile operating system's Bluetooth module must enforce pairing using a randomly generated passkey size of at least 6 digits.
V-33175 Medium The operating system must prevent the automatic execution of mobile code in organization defined software applications and must require organization defined actions prior to executing the code.
V-33176 Medium The operating system must fail to an organization defined known state for organization defined types of failures.
V-33177 Medium The operating system must protect the confidentiality and integrity of information at rest.
V-33008 Medium The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
V-33171 Medium Only DoD PKI issued or DoD approved server authentication certificates must be installed on DoD mobile operating system devices.
V-33172 Medium The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-33081 Medium The operating system must use multifactor authentication for network access to non-privileged accounts.
V-33780 Medium The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
V-32981 Medium The mobile operating system must generate audit records for the DoD-required auditable events.
V-33091 Medium The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.
V-33260 Medium The operating system must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-33261 Medium The operating system must use cryptography to protect the integrity of remote access sessions.
V-33262 Medium The mobile operating system must log an audit event for each instance when a remote process uses MDM mechanisms for accessing the device security configuration settings.
V-33263 Medium The operating system must provide the capability to capture/record and log all content related to a user session.
V-33264 Medium The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
V-33266 Medium The mobile operating system must produce audit records containing sufficient information to establish the identity of any user or subject associated with the event.
V-33267 Medium The operating system must protect audit tools from unauthorized access.
V-33268 Medium The operating system must protect audit tools from unauthorized modification.
V-33269 Medium The operating system must protect audit tools from unauthorized deletion.
V-33179 Medium The operating system at organization defined information system components must load and execute the operating environment from hardware-enforced, read-only media.
V-33148 Medium The operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA approved key management technology and processes.
V-33207 Medium The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-33141 Medium The mobile operating system's Wi-Fi module must use AES-CCMP encryption when connecting to a DoD network.
V-33140 Medium The mobile operating system's Bluetooth stack must use 128-bit Bluetooth encryption when performing data communications with other Bluetooth devices.
V-33143 Medium The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
V-33142 Medium The mobile operating system must encrypt all data in transit using AES encryption when communicating with DoD information resources (128-bit key length is the minimum requirement; 256-bit desired).
V-33248 Medium The mobile operating system must maintain the binding of digital signatures on software components and applications in process.
V-33147 Medium The mobile operating system must produce, control, and distribute cryptographic keys using NIST-approved or NSA-approved key management technology and processes if it produces, controls, or distributes cryptographic keys.
V-33146 Medium The operating system must establish a trusted communications path between the user and organization defined security functions within the operating system.
V-33174 Medium The operating system must prevent the download of prohibited mobile code.
V-33120 Medium The operating system must not share resources used to interface with systems operating at different security levels.
V-33168 Medium The mobile operating system must validate the integrity of a downloaded application's manifest before granting the application permissions on the device, if the operating system uses a manifest or similar mechanism external to application code to grant application permissions.
V-33278 Medium The operating system must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths.
V-32955 Low The mobile operating system must include the software component (e.g., user application, or operating system security module) that generated each event in audit logs.
V-32954 Low The mobile operating system must produce audit records containing date and timestamps (to one second resolution) for every event.
V-32957 Low The mobile operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-32953 Low The mobile operating system must produce audit records containing the severity level of each recorded event.
V-32958 Low The mobile operating system must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-32936 Low The mobile operating system, upon successful startup unlock, must display to the user the date and time of the last successful unlock or access.
V-32935 Low The mobile operating system must retain the notification message or banner on the screen preventing further activity until the user executes a positive action to manifest agreement by selecting a box indicating acceptance.
V-32934 Low The mobile operating system must display the DoD warning banner exactly as specified at startup device unlock.
V-32939 Low The mobile operating system, upon successful unlock, must display to the user the number of unsuccessful unlock attempts since the last successful device unlock.
V-32983 Low The mobile operating system, for PKI-based authentication must validate certificates by querying the certification authority for revocation status of the certificate.
V-33130 Low The mobile operating system must be able to filter both inbound and outbound traffic based on IP address and UDP/TCP port.
V-33779 Low The mobile operating system's Bluetooth module must support the capability for a system administrator to create a non-user-modifiable white list of Bluetooth devices that are authorized to pair to the mobile device.
V-33785 Low The mobile operating system must obscure passwords on the device's display when they are entered on the device.
V-33118 Low The mobile operating system must prevent DoD applications from accessing non-DoD data when the device supports multiple user environments (e.g., work and personal) if such access has not been approved.
V-33110 Low The mobile operating system must cryptographically bind the removable media to the mobile device so data stored on the removable media can only be read by that mobile device.
V-33194 Low The mobile operating system must conduct a device integrity scan on a minimum organizationally-defined periodic basis.
V-33296 Low The mobile operating system must enable a system administrator to (i) select which data fields will be available to applications outside of the contact database application and (ii) limit the number of contact database fields accessible outside of a work persona in the case of dual persona phones.
V-32992 Low The mobile operating system must not accept certificate revocation information without verifying its authenticity.
V-32995 Low The mobile operating system browser must support public-key certificate-based authentication to remote information systems.
V-32973 Low The mobile operating system must protect audit information from unauthorized read access.
V-32972 Low The mobile operating system must synchronize the internal clock on an organizationally-defined periodic basis with an authoritative time server or the Global Positioning System.
V-32971 Low The mobile operating system must use internal system clocks to generate timestamps for audit records.
V-32975 Low The mobile operating system must protect audit information from unauthorized modification.
V-32986 Low The mobile operating system must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
V-33016 Low The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning.
V-32963 Low The mobile operating system must overwrite the oldest audit log entries when audit logs reach capacity.
V-32964 Low The mobile operating system must provide a warning to the mobile device management server when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.
V-33004 Low The operating system must prohibit password reuse for the organization-defined number of generations.
V-33003 Low The operating system must enforce maximum password lifetime restrictions.
V-32985 Low The mobile operating system must notify the user if it cannot verify the revocation status of the certificate.
V-33243 Low The mobile operating system must use automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
V-33145 Low The mobile operating system must terminate the network connection when an application requests termination, or after an organization defined time period of inactivity.