Smartphones must be provisioned DoD PKI digital certificates so that users can digitally sign and encrypt e-mail notifications or other email messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on smartphones.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-24968 | WIR-SPP-011 | SV-30705r3_rule | ECSC-1 | Low |
| Description |
|---|
| S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy. The use of software certificates adds additional risk of compromise to the user's digital certificates and to the DoD PKI infrastructure. |
| STIG | Date |
|---|---|
| Smartphone Policy Security Technical Implementation Guide | 2011-06-20 |
Details
| Check Text ( C-31132r3_chk ) |
|---|
| The DAA may approve the use of software certificates until approved CAC readers are available and can be purchased and fielded by the site. If user software certificates are used on site managed smartphones instead of the CAC, verify the DAA has approved their use (in a letter, memo, SSP, etc.) and that a DoD-approved CAC reader is not available for the smartphone. Mark as a finding if the site uses software certificates on site managed smartphones and the DAA has not approved their use. |
| Fix Text (F-27602r1_fix) |
|---|
| Obtain DAA approval for the use of soft certificates or purchase approved CAC readers. |