Smartphone Instant Messaging (IM) client application must connect only to a DoD controlled IM server compliant with the Instant Messaging STIG.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-24965 | WIR-SPP-009 | SV-30702r2_rule | ECSC-1 | Medium |
| Description |
|---|
| Non-DoD IM servers can be located anywhere in the world and may be under an adversary’s control. If a DoD smartphone IM client connects to a non-DoD IM server, malware could be installed on the smartphone/tablet from the server or sensitive DoD data on the smartphone could be transferred to the server. In addition, if malware is installed on the smartphone, this could lead to hacker attacks on the DoD enclave the smartphone connects to. |
| STIG | Date |
|---|---|
| Smartphone Policy Security Technical Implementation Guide | 2012-10-09 |
Details
| Check Text ( C-31129r3_chk ) |
|---|
| Interview the IAO or smartphone/tablet system administrator and determine if smartphone IM is used on site-managed smartphones. If yes, determine what server the smartphone IM system connects to. - The server should be managed by a DoD site. - The IM system must be compliant with the Instant Messaging STIG. Mark as a finding if the IM server the smartphone IM app connects to is not managed by a DoD site. |
| Fix Text (F-27600r1_fix) |
|---|
| Apply the Instant Messaging (IM) STIG requirements for the IM application on smartphones. |