UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Zebra Android 11 users must complete required training.


Overview

Finding ID Version Rule ID IA Controls Severity
V-252870 ZEBR-11-008700 SV-252870r820537_rule Medium
Description
The security posture of Zebra devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Zebra mobile device may become compromised and DoD sensitive data may become compromised. SFR ID: NA
STIG Date
Zebra Android 11 COBO Security Technical Implementation Guide 2022-08-31

Details

Check Text ( C-56326r820535_chk )
Review a sample of site User Agreements for Zebra device users or similar training records and training course content.

Verify that Zebra device users have completed the required training. The intent is that required training is renewed periodically in a time period determined by the AO.

If any Zebra device user has not completed the required training, this is a finding.
Fix Text (F-56276r820536_fix)
All Zebra device users must complete training on the following training topics (users must acknowledge that they have reviewed training via a signed User Agreement or similar written record):

- Operational security concerns introduced by unmanaged applications/unmanaged personal space, including applications using global positioning system (GPS) tracking.
- Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email). (NA for COBO deployment)
- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure that a factory data reset is performed prior to device hand-off. Follow mobility service provider decommissioning procedures as applicable.
- How to configure the following UBE controls (users must configure the control) on the Zebra device:
**Secure use of Calendar Alarm
**Local screen mirroring and mirroring procedures (authorized/not authorized for use)
**Do not upload DoD contacts via smart call and caller ID services
**Do not remove DoD intermediate and root PKI digital certificates
**Disable Wi-Fi Sharing
**Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space
**If Bluetooth connections are approved for mobile device, types of allowed connections (for example car hands-free, but not Bluetooth wireless keyboard)
**How to perform a full device wipe
- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Zebra device personal space.