Mobile devices must be provisioned with DoD PKI digital certificates, so users can digitally sign and encrypt e-mail notifications or other e-mail messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on mobile devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24968	WIR-SPP-011	SV-30705r3_rule	ECSC-1	Low

Description
S/MIME provides the user with the ability to digitally sign and encrypt email messages, to verify the digital signatures on received messages, and to decrypt messages received from others if those messages are encrypted. Digital signatures provide strong cryptographic assurance of the authenticity and integrity of the signed message, including attachments. This capability protects against the insertion of malicious mobile code and social engineering attacks in which an adversary masquerades as a known user, as well as other exploits. Encryption provides confidentiality for sensitive information, which is particularly valuable when messages are sent to or received from users external to DoD messaging infrastructure, as such messages would otherwise travel in the clear over the public Internet. The use of software certificates adds additional risk of compromise to the user's digital certificates and to the DoD PKI infrastructure. DoD PKI certificates may not be provisioned in the native mobile operating system certificate store unless the certificate is protected with a valid FIPS 140-2 validated cryptographic module.

Description

S/MIME provides the user with the ability to digitally sign and encrypt email messages, to verify the digital signatures on received messages, and to decrypt messages received from others if those messages are encrypted. Digital signatures provide strong cryptographic assurance of the authenticity and integrity of the signed message, including attachments. This capability protects against the insertion of malicious mobile code and social engineering attacks in which an adversary masquerades as a known user, as well as other exploits. Encryption provides confidentiality for sensitive information, which is particularly valuable when messages are sent to or received from users external to DoD messaging infrastructure, as such messages would otherwise travel in the clear over the public Internet. The use of software certificates adds additional risk of compromise to the user's digital certificates and to the DoD PKI infrastructure. DoD PKI certificates may not be provisioned in the native mobile operating system certificate store unless the certificate is protected with a valid FIPS 140-2 validated cryptographic module.

STIG	Date
Smartphone Policy Security Technical Implementation Guide	2012-10-09

Details

Check Text ( C-31132r3_chk )
The DAA may approve the use of software certificates until approved CAC readers are available and can be purchased and fielded by the site. If user software certificates are used on site managed smartphones instead of the CAC, verify the DAA has approved their use (in a letter, memo, SSP, etc.) and that a DoD-approved CAC reader is not available for the smartphone. Mark as a finding if the site uses software certificates on site managed smartphones and the DAA has not approved their use. Mark as a finding if the site uses DoD PKI digital certificates natively on an iOS or Android device.

Check Text ( C-31132r3_chk )

The DAA may approve the use of software certificates until approved CAC readers are available and can be purchased and fielded by the site.

If user software certificates are used on site managed smartphones instead of the CAC, verify the DAA has approved their use (in a letter, memo, SSP, etc.) and that a DoD-approved CAC reader is not available for the smartphone.

Mark as a finding if the site uses software certificates on site managed smartphones and the DAA has not approved their use.

Mark as a finding if the site uses DoD PKI digital certificates natively on an iOS or Android device.

Fix Text (F-27602r1_fix)
Obtain DAA approval for the use of software certificates or purchase approved CAC readers.