BlackBerry Enterprise Server (version 5.x), Part 3 Security Technical Implementation Guide

  • Version/Release: V2R8
  • Published: 2015-07-02

BlackBerry Enterprise Server (version 5.x) STIG, Part 3 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.
BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Password Required” (Device Only policy group) must be set to “Yes” or “True”.
High - V-3545 - SV-3545r4_rule
Severity: High | Version: WIR1400-01 | Vuln IDs: V-3545 | Rule IDs: SV-3545r4_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
IA Controls: ECSC-1
Checks: C-11522r4_chk

This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the following procedure.
1. Make a list of all IT Policies that have been assigned to BlackBerry user accounts. The list of IT Policies set up on the BES can be viewed as follows (do not list the default IT Policy). Use Method #1 or Method #2 below:
Method #1
BAS >> BlackBerry solution management box >> Policy >> Manage IT policies. Look at each IT policy listed under Manage IT policies to be checked.
-Click on the policy name.
-Click on "View users with IT policy."
-Click Search. A list of all users assigned to the policy will be shown.
For each policy that has users assigned to it, complete steps.
Method #2
-Launch and log into the BlackBerry Monitoring Service.
-On the monitoring menu, expand Reporting.
-Click "Create custom report".
-Select the following fields for the report:
**Select report type: User.
**Report title: IT Policies on BES.
**Select the following columns: "IT policy name" and "User name."
**Sort by "IT policy name".
**Report format: PDF recommended.
**Generate report.
2. Check each "Required" IT Policy rule listed in Table 1, BlackBerry STIG Configuration Tables. (There are approximately 125 rules with required configuration settings.)
Note all IT policy rules that have not been set correctly and the name of the IT policy currently being reviewed. The name of each IT policy that has an IT policy rule not set correctly should be noted in VMS.
Note: Table 1 shows which Check STIG ID # should be marked as a finding for each IT policy rule not set correctly.
3. Repeat step 2 for each IT Policy that has users assigned to it.
4. In VMS, for each check with a finding, list the IT Policies that were found to be noncompliant.
***** For this check, verify IT Policy rule “Password Required” (Device Only policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.
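
The review procedure above, sketched as a script. This is an added example, not part of the STIG: the input structure, the policy names, the "Default" policy name and the site flags are constructed assumptions (BES does not export settings in this shape), while the required values are the ones stated in the checks on this page.

```python
"""Audit BES IT policy settings against values required by this STIG (added example)."""


def is_one_of(*allowed):
    """Case-insensitive match against the allowed setting values."""
    wanted = {a.casefold() for a in allowed}
    return lambda value: str(value).strip().casefold() in wanted


def _as_int(value):
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def at_most(limit):
    # The page says "N or less"; it defines no special values (such as 0),
    # so none are interpreted here.
    return lambda value: (n := _as_int(value)) is not None and n <= limit


def at_least(limit):
    return lambda value: (n := _as_int(value)) is not None and n >= limit


def fixed(predicate):
    """Requirement that does not depend on site decisions."""
    return lambda site: predicate


# (STIG ID, IT Policy rule name, requirement builder). Values come from the
# "For this check, set ..." sentences on this page; only a subset is covered.
REQUIREMENTS = [
    ("WIR1400-01", "Password Required", fixed(is_one_of("Yes", "True"))),
    ("WIR1450-01", "Maximum Security Timeout", fixed(at_most(15))),
    ("WIR1445-01", "Content Protection Strength", fixed(is_one_of("Stronger", "Strongest"))),
    ("WIR1415-01", "Show Application Loader", fixed(is_one_of("No"))),
    ("WIR1400-02", "Minimum Password Length", fixed(at_least(6))),
    ("WIR1400-03", "User Can Disable Passwords", fixed(is_one_of("No"))),
    ("WIR1400-06", "Set Password Timeout", fixed(is_one_of("15"))),
    ("WIR1400-07", "Set Maximum Password Attempts", fixed(at_most(10))),
    ("WIR1400-08", "Suppress Password Echo", fixed(is_one_of("Yes"))),
    # Site-dependent rules: the required value follows a site decision.
    ("WIR1405-01", "Disable Bluetooth",
     lambda site: is_one_of("No" if site["bluetooth_scr_or_headset_used"] else "Yes")),
    ("WIR1435-01", "Disable Wi-Fi",
     lambda site: is_one_of("No" if site["wifi_authorized"] else "Yes")),
]

# Constructed sample data: what a reviewer would collect in steps 1 and 2.
_COMPLIANT = {
    "Password Required": "Yes",
    "Maximum Security Timeout": "15",
    "Content Protection Strength": "Stronger",
    "Show Application Loader": "No",
    "Minimum Password Length": "8",
    "User Can Disable Passwords": "No",
    "Set Password Timeout": "15",
    "Set Maximum Password Attempts": "10",
    "Suppress Password Echo": "Yes",
    "Disable Bluetooth": "No",
    "Disable Wi-Fi": "Yes",
}
_FIELD = {**_COMPLIANT, "Password Required": "true",
          "Maximum Security Timeout": "30", "Minimum Password Length": "4"}
del _FIELD["Suppress Password Echo"]  # rule left unset in this policy

SAMPLE_POLICIES = {
    "Default": {"users": 3, "rules": {}},               # excluded by name
    "DoD-Standard": {"users": 120, "rules": dict(_COMPLIANT)},
    "Field-Team": {"users": 14, "rules": _FIELD},
    "Unused-Pilot": {"users": 0, "rules": {"Password Required": "No"}},
}


def audit(policies, site, default_policy="Default"):
    """Return {STIG ID: [noncompliant policy names]} as step 4 asks for.

    Only policies with users assigned are reviewed (step 1); a rule that is
    missing from a policy counts as "not set as required".
    """
    findings = {}
    for name, policy in sorted(policies.items()):
        if name == default_policy or policy.get("users", 0) == 0:
            continue
        rules = policy.get("rules", {})
        for stig_id, rule, requirement in REQUIREMENTS:
            if rule not in rules or not requirement(site)(rules[rule]):
                findings.setdefault(stig_id, []).append(name)
    return findings


if __name__ == "__main__":
    site = {"bluetooth_scr_or_headset_used": True, "wifi_authorized": False}
    for stig_id, names in sorted(audit(SAMPLE_POLICIES, site).items()):
        print(f"{stig_id}: finding in {', '.join(names)}")
```
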

IT Policy rule “Maximum Security Timeout” (Device-Only policy group) must be set as required.
Medium - V-11876 - SV-12376r4_rule
Severity: Medium | Version: WIR1450-01 | Vuln IDs: V-11876 | Rule IDs: SV-12376r4_rule
Handheld may not lock after the specified period of inactivity and DoD data could be exposed.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-14990r4_chk

Detailed Policy Requirements: Handheld must be set to lock after 15 minutes or less of inactivity. *****For this check, set IT Policy rule "Maximum Security Timeout" (Device-Only policy group) to "15 or less". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Maximum Security Timeout" (Device-Only policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. IT Policy rule Content Protection Strength (Security policy group) must be set as required.
Medium - V-12164 - SV-12718r4_rule
Severity: Medium | Version: WIR1445-01 | Vuln IDs: V-12164 | Rule IDs: SV-12718r4_rule
DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-14991r4_chk

*****For this check, set IT Policy rule "Content Protection Strength" (Security policy group) to "Stronger or Strongest". Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. Note: When Content Protection is enabled in BES 4.1.4 and earlier and BlackBerry handheld software version before 4.5, the BES system administrator cannot remotely unlock a BlackBerry device and remotely reset the device password. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Content Protection Strength" (Security policy group) is set as required. This check can also be verified on a sample of site BlackBerrys (3-4 devices) but the preferred procedure is to verify on the BES. Use the following procedure on BlackBerry devices: Settings >> Options >> Security Options >> General Settings >> Content Protection. Verify Content Protection is set to Enabled. Verify the setting cannot be changed. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Bluetooth” (Bluetooth policy group) must be set as required.
Medium - V-14198 - SV-14809r5_rule
Severity: Medium | Version: WIR1405-01 | Vuln IDs: V-14198 | Rule IDs: SV-14809r5_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-14984r5_chk

Detailed Policy Requirements: DoD BlackBerry users must apply the following Bluetooth controls: Bluetooth data transmissions, such as syncing to the desktop or transfer of data files, on wireless email devices are disabled except for the Bluetooth CAC reader (i.e., Bluetooth Smart Card Reader [SCR]). Bluetooth for voice transmissions, such as the Bluetooth headset, is authorized if a DoD-approved headset is used. ***** For this check, set IT Policy rule "Disable Bluetooth" (Bluetooth policy group) to "Yes" or "No", depending on if the Bluetooth Smart Card Reader (SCR) or an approved Bluetooth headset is used at the site. Set to "No" if used. Set to "Yes" if not used. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Bluetooth" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Wireless email device users must not install or remove applications and/or software on their handheld device unless under the direction and supervision of an authorized system administrator. IT Policy rule “Show Application Loader” (Desktop-Only policy group) must be set as required.
Medium - V-14478 - SV-15096r4_rule
Severity: Medium | Version: WIR1415-01 | Vuln IDs: V-14478 | Rule IDs: SV-15096r4_rule
The wireless email server can be configured to prevent users from installing or removing applications. These configuration settings must be set at the enterprise level to prevent users from downloading, using desktop software, unauthorized software, or harmful code.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-14986r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Show Application Loader" (Desktop-Only policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Show Application Loader" (Desktop-Only policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Disable Wi-Fi must be set as required.
Low - V-16058 - SV-17045r5_rule
Severity: Low | Version: WIR1435-01 | Vuln IDs: V-16058 | Rule IDs: SV-17045r5_rule
Improperly configured WLAN systems can expose the BlackBerry device and DoD network to attack.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-17398r5_chk

Detail Policy Requirements: If BlackBerry Wi-Fi service is not authorized for use at the site, the following conditions apply: A BlackBerry WLAN IT policy has been set up for the site on the BES and is configured as shown in Table 1, BlackBerry STIG Configuration Tables. *****Set IT Policy rule "Disable Wi-Fi" (WLAN policy group) to "Yes". If WLAN use is authorized, set to "No". Check procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). Interview the BES Administrator and determine if BlackBerry Wi-Fi is authorized. *****Verify "Disable Wi-Fi" has been configured as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Minimum Password Length” (Device Only policy group) must be set as required.
High - V-19234 - SV-21144r5_rule
Severity: High | Version: WIR1400-02 | Vuln IDs: V-19234 | Rule IDs: SV-21144r5_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23258r6_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "Minimum Password Length" (Device Only policy group) to 6 or more. If CAC authentication is used, set to 6, 7, or 8 (it is recommended that the password length equal the CAC PIN length). Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). Interview the ISSO and administrator. Verify CAC authentication or PIN authentication is used. Determine if software certificates are used on the BlackBerry. *****Verify IT Policy rule "Password Required" (Device Only policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “User Can Disable Passwords” (Device Only policy group) must be set as required.
High - V-19235 - SV-21145r4_rule
Severity: High | Version: WIR1400-03 | Vuln IDs: V-19235 | Rule IDs: SV-21145r4_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23259r5_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "User Can Disable Passwords" (Device Only policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "User Can Disable Passwords" (Device Only policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Password Timeout” (Password policy group) must be set as required.
Medium - V-19238 - SV-21148r4_rule
Severity: Medium | Version: WIR1400-06 | Vuln IDs: V-19238 | Rule IDs: SV-21148r4_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23262r5_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "Set Password Timeout" (Password policy group) to "15". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Set Password Timeout" (Password policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Maximum Password Attempts” (Password policy group) must be set as required.
High - V-19239 - SV-21149r4_rule
Severity: High | Version: WIR1400-07 | Vuln IDs: V-19239 | Rule IDs: SV-21149r4_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23263r4_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "Set Maximum Password Attempts" (Password policy group) to "10 or less". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Set Maximum Password Attempts" (Password policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Suppress Password Echo” (Password policy group) must be set as required.
Low - V-19240 - SV-21150r4_rule
Severity: Low | Version: WIR1400-08 | Vuln IDs: V-19240 | Rule IDs: SV-21150r4_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23264r5_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "Suppress Password Echo" (Password policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Suppress Password Echo" (Password policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Forbidden Passwords” (Password policy group) must be set as required.
Low - V-19242 - SV-21153r4_rule
Severity: Low | Version: WIR1400-10 | Vuln IDs: V-19242 | Rule IDs: SV-21153r4_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23267r4_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "Forbidden Passwords" (Password policy group) to "List forbidden passwords based on local security policies". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Forbidden Passwords" (Password policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule Reset to Factory Defaults on Wipe (Security policy group) must be set as required.
High - V-19243 - SV-21154r5_rule
Severity: High | Version: WIR1400-11 | Vuln IDs: V-19243 | Rule IDs: SV-21154r5_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23266r6_chk

Detailed Policy Requirements: See Check WIR1400-01 (V0003545) for detailed policy requirements. *****For this check, set IT Policy rule "Reset to Factory Defaults on Wipe" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Reset to Factory Defaults on Wipe" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Lock Owner Info” must be set as required.
Medium - V-19244 - SV-21155r4_rule
Severity: Medium | Version: WIR1455-01 | Vuln IDs: V-19244 | Rule IDs: SV-21155r4_rule
DoDI 8500.01 requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure user understands their responsibilities to safeguard DoD data. Note: DoDI 8500.01 does not include the required banner within the Instruction, but instead points to the RMF Knowledge Service for the required text.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: EBCR-1
Checks: C-23268r3_chk

Detail Policy Requirements: All PDAs and smartphones must display the following banner during device unlock/logon:
A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
B. For BlackBerrys and other PDAs/PEDs with severe character limitations:
I've read & consent to terms in IS user agreem't.
Check Procedures: Work with the SA to review the configuration of the PDA security management server or security policy configured on the PDA/smartphone. Review a sample of devices to check that the required banner is being used. Note: Depending on the system, this setting could be set on the management server or on the handheld device.
*****Set IT Policy rule “Lock Owner Info” (Common policy group) to “1 (Lock Information text) or 3 (Lock both Name and Information text)”.
Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545).
*****Verify the IT Policy rule “Lock Owner Info” has been configured as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Set Owner Info” must be set as required.
Medium - V-19245 - SV-21156r3_rule
Severity: Medium | Version: WIR1455-02 | Vuln IDs: V-19245 | Rule IDs: SV-21156r3_rule
DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: EBCR-1
Checks: C-23269r3_chk

Detail Policy Requirements: See Check WIR1455-01 for policy information. *****Set IT Policy rule “Set Owner Info” (Common policy group) to “I've read & consent to terms in IS user agreem't”. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify the IT Policy rule “Set Owner Info” has been configured as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Pairing” (Bluetooth Only policy group) must be set as required.
Medium - V-19257 - SV-21172r4_rule
Severity: Medium | Version: WIR1405-02 | Vuln IDs: V-19257 | Rule IDs: SV-21172r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23292r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Pairing" (Bluetooth policy group) to "Yes" or "No", depending on if the Bluetooth Smart Card Reader (SCR) is used at the site. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Pairing" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Headset Profile” (Bluetooth Only policy group) must be set as required.
Medium - V-19258 - SV-21173r4_rule
Severity: Medium | Version: WIR1405-03 | Vuln IDs: V-19258 | Rule IDs: SV-21173r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23293r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements and check procedures. *****For this check: Set IT Policy rule "Disable Headset Profile" (Bluetooth policy group) to "Yes" for non-headset IT policies. Set IT Policy rule "Disable Headset Profile" (Bluetooth policy group) to "No" for headset IT policies. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Headset Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Handsfree Profile” (Bluetooth Only policy group) must be set as required.
Medium - V-19259 - SV-21175r4_rule
Severity: Medium | Version: WIR1405-04 | Vuln IDs: V-19259 | Rule IDs: SV-21175r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23294r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements and check procedures. *****For this check: Set IT Policy rule "Disable Handsfree Profile" (Bluetooth policy group) to "Yes" for non-headset IT policies. Set IT Policy rule "Disable Handsfree Profile" (Bluetooth policy group) to "No" for headset IT policies. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Handsfree Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Serial Port Profile” (Bluetooth Only policy group) must be set as required.
Medium - V-19260 - SV-21176r4_rule
Severity: Medium | Version: WIR1405-05 | Vuln IDs: V-19260 | Rule IDs: SV-21176r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23295r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Serial Port Profile" (Bluetooth policy group) to "Yes" or "No", depending on if the Bluetooth Smart Card Reader is used at the site. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Serial Port Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Discoverable Mode” (Bluetooth Only policy group) must be set as required.
Medium - V-19261 - SV-21177r4_rule
Severity: Medium | Version: WIR1405-06 | Vuln IDs: V-19261 | Rule IDs: SV-21177r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23296r4_chk

Detailed Policy Requirements: See Check WIR4050-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Discoverable Mode" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Discoverable Mode" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Address Book Transfer” (Bluetooth Only policy group) will be set as required.
Low - V-19263 - SV-21179r4_rule
Severity: Low | Version: WIR1405-08 | Vuln IDs: V-19263 | Rule IDs: SV-21179r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23298r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Address Book Transfer" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Address Book Transfer" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Desktop Connectivity” (Bluetooth Only policy group) must be set as required.
Low - V-19264 - SV-21180r4_rule
Severity: Low | Version: WIR1405-09 | Vuln IDs: V-19264 | Rule IDs: SV-21180r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23299r5_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Desktop Connectivity" (Bluetooth policy group) to "Yes" or "No", depending on if the Bluetooth Smart Card Reader (SCR) is used at the site and approved to connect to site PCs. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Desktop Connectivity" (Bluetooth policy group) is set as required. If set to "No", verify that the ISSO or ISSM has approved the use of BlackBerry smart card readers with site PCs. If set to "Yes", there is no finding. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Wireless Bypass” (Bluetooth Only policy group) must be set as required.
Medium - V-19265 - SV-21181r4_rule
Severity: Medium | Version: WIR1405-10 | Vuln IDs: V-19265 | Rule IDs: SV-21181r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-23300r5_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Wireless Bypass" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Wireless Bypass" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Enabling Bluetooth Support” (Bluetooth Only policy group) must be set as required.
Low - V-19266 - SV-21182r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1405-11
Vuln IDs
  • V-19266
Rule IDs
  • SV-21182r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23301r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Require Password for Enabling Bluetooth Support" to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Require Password for Enabling Bluetooth Support" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Discoverable Mode” (Bluetooth Only policy group) must be set as required.
Low - V-19267 - SV-21183r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1405-12
Vuln IDs
  • V-19267
Rule IDs
  • SV-21183r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23302r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Require Password for Discoverable Mode" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Require Password for Discoverable Mode" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Encryption” (Bluetooth Only policy group) must be set as required.
Medium - V-19268 - SV-21184r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-13
Vuln IDs
  • V-19268
Rule IDs
  • SV-21184r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23303r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Require Encryption" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Require Encryption" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable File Transfer” (Bluetooth Only policy group) must be set as required.
Medium - V-19269 - SV-21185r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-14
Vuln IDs
  • V-19269
Rule IDs
  • SV-21185r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23304r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable File Transfer" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable File Transfer" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require LED Connection Indicator” (Bluetooth Only policy group) must be set as required.
Low - V-19270 - SV-21186r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1405-15
Vuln IDs
  • V-19270
Rule IDs
  • SV-21186r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23305r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Require LED Connection Indicator" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Require LED Connection Indicator" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Dial-Up Networking” (Bluetooth Only policy group) must be set as required.
Medium - V-19271 - SV-21187r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-16
Vuln IDs
  • V-19271
Rule IDs
  • SV-21187r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23306r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Dial-Up Networking" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Dial-Up Networking" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Force CHAP Authentication Bluetooth Link” (Bluetooth Only policy group) must be set as required.
Medium - V-19272 - SV-21188r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-17
Vuln IDs
  • V-19272
Rule IDs
  • SV-21188r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23307r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Force CHAP Authentication Bluetooth Link" (Bluetooth policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Force CHAP Authentication Bluetooth Link" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Advanced Audio Distribution Profile” (Bluetooth Only policy group) must be set as required.
Medium - V-19273 - SV-21189r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-18
Vuln IDs
  • V-19273
Rule IDs
  • SV-21189r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23308r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Advanced Audio Distribution Profile" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Advanced Audio Distribution Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Audio/Video Remote Control Profile” (Bluetooth Only policy group) must be set as required.
Medium - V-19274 - SV-21190r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-19
Vuln IDs
  • V-19274
Rule IDs
  • SV-21190r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23309r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Audio/Video Remote Control Profile" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Audio/Video Remote Control Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Limit Discoverable Time” (Bluetooth Only policy group) must be set as required.
Low - V-19276 - SV-21192r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1405-20
Vuln IDs
  • V-19276
Rule IDs
  • SV-21192r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23311r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Limit Discoverable Time" (Bluetooth policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Limit Discoverable Time" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable SIM Access Profile” (Bluetooth Only policy group) must be set as required.
Medium - V-19278 - SV-21194r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-21
Vuln IDs
  • V-19278
Rule IDs
  • SV-21194r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23313r5_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable SIM Access Profile" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable SIM Access Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other message required by DoD policy. IT Policy rule Disable Revoked Certificate Use (Security policy group) must be set as required.
Low - V-19282 - SV-21198r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-01
Vuln IDs
  • V-19282
Rule IDs
  • SV-21198r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23329r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Disable Revoked Certificate Use" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Revoked Certificate Use" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Disable Key Store Low Security (Security policy group) must be set as required.
Low - V-19283 - SV-21199r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-02
Vuln IDs
  • V-19283
Rule IDs
  • SV-21199r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23330r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Disable Key Store Low Security" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Key Store Low Security" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Certificate Status Cache Timeout (Security policy group) must be set as required.
Low - V-19284 - SV-21200r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-03
Vuln IDs
  • V-19284
Rule IDs
  • SV-21200r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23331r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Certificate Status Cache Timeout" (Security policy group) to "7". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Certificate Status Cache Timeout" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Disable Invalid Certificate Use (Security policy group) must be set as required.
Low - V-19285 - SV-21201r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-04
Vuln IDs
  • V-19285
Rule IDs
  • SV-21201r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
ECSC-1
Checks: C-23332r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Disable Invalid Certificate Use" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Invalid Certificate Use" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Disable Weak Certificate Use (Security policy group) must be set as required.
Low - V-19286 - SV-21202r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-05
Vuln IDs
  • V-19286
Rule IDs
  • SV-21202r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23333r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Disable Weak Certificate Use" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Weak Certificate Use" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Certificate Status Maximum Expiry Time (Security policy group) must be set as required.
Low - V-19287 - SV-21203r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-06
Vuln IDs
  • V-19287
Rule IDs
  • SV-21203r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23334r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Certificate Status Maximum Expiry Time" (Security policy group) to "168 or less". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Certificate Status Maximum Expiry Time" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Disable Unverified CRLs (Security policy group) must be set as required.
Low - V-19288 - SV-21204r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-07
Vuln IDs
  • V-19288
Rule IDs
  • SV-21204r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23335r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Disable Unverified CRLs" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Unverified CRLs" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule S/MIME Minimum Strong RSA Key Length (S/MIME Application policy group) must be set as required.
Low - V-19289 - SV-21205r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-08
Vuln IDs
  • V-19289
Rule IDs
  • SV-21205r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23336r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "S/MIME Minimum Strong RSA Key Length" (S/MIME Application policy group) to "1024". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "S/MIME Minimum Strong RSA Key Length" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule S/MIME Minimum Strong DH Key Length (S/MIME Application policy group) must be set as required.
Low - V-19290 - SV-21206r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-09
Vuln IDs
  • V-19290
Rule IDs
  • SV-21206r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23337r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "S/MIME Minimum Strong DH Key Length" (S/MIME Application policy group) to "1024". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "S/MIME Minimum Strong DH Key Length" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong ECC Key Length” (S/MIME Application policy group) must be set to “163”.
Low - V-19291 - SV-21207r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-10
Vuln IDs
  • V-19291
Rule IDs
  • SV-21207r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23338r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "S/MIME Minimum Strong ECC Key Length" (S/MIME Application policy group) to "163". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "S/MIME Minimum Strong ECC Key Length" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Content Ciphers” (S/MIME Application policy group) must be set as required.
Low - V-19292 - SV-21208r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-11
Vuln IDs
  • V-19292
Rule IDs
  • SV-21208r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23339r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "S/MIME Allowed Content Ciphers" (S/MIME Application policy group) to "Check the following: 0 (AES-256 bit) 1 (AES-192 bit) 2 (AES-128 bit) 5 (Triple DES)" Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "S/MIME Allowed Content Ciphers" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule S/MIME Minimum Strong DSA Key Length (S/MIME Application policy group) must be set as required.
Low - V-19293 - SV-21209r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-12
Vuln IDs
  • V-19293
Rule IDs
  • SV-21209r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23340r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "S/MIME Minimum Strong DSA Key Length" (S/MIME Application policy group) to "1024". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "S/MIME Minimum Strong DSA Key Length" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule Entrust Messaging Server (EMS) Email Address (S/MIME Application policy group) must be set as required.
Low - V-19294 - SV-21210r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-13
Vuln IDs
  • V-19294
Rule IDs
  • SV-21210r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23341r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Entrust Messaging Server (EMS) Email Address" (S/MIME Application policy group) to "<blank>". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Entrust Messaging Server (EMS) Email Address" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule S/MIME Allowed Encryption Types (S/MIME Application policy group) must be set as required.
Low - V-19295 - SV-21211r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1420-14
Vuln IDs
  • V-19295
Rule IDs
  • SV-21211r4_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23342r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "S/MIME Allowed Encryption Types" (S/MIME Application policy group) to "Certificate based-only". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "S/MIME Allowed Encryption Types" (S/MIME Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Security requirements for Instant Messaging (IM) must be followed. IT Policy rule Allow Public Yahoo! Messenger Services (Service Exclusivity policy group) must be set as required.
Low - V-19304 - SV-21221r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1430-01
Vuln IDs
  • V-19304
Rule IDs
  • SV-21221r4_rule
Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23348r5_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Allow Public Yahoo! Messenger Services" (Service Exclusivity policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Public Yahoo! Messenger Services" (Service Exclusivity policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public AIM Services” (Service Exclusivity policy group) must be set as required.
Low - V-19305 - SV-21222r3_rule
RMF Control
Severity
Low
CCI
Version
WIR1430-02
Vuln IDs
  • V-19305
Rule IDs
  • SV-21222r3_rule
Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23349r3_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule “Allow Public AIM Services” (Service Exclusivity group) to “No”. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Allow Public AIM Services” (Service Exclusivity policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Security requirements for Instant Messaging (IM) must be followed. IT Policy rule Allow Public ICQ Services (Service Exclusivity policy group) must be set as required.
Medium - V-19306 - SV-21223r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1430-03
Vuln IDs
  • V-19306
Rule IDs
  • SV-21223r4_rule
Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23350r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Allow Public ICQ Services" (Service Exclusivity policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Public ICQ Services" (Service Exclusivity policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Security requirements for Instant Messaging (IM) must be followed. IT Policy rule Allow Public IM Services (Service Exclusivity policy group) must be set as required.
Medium - V-19307 - SV-21224r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1430-04
Vuln IDs
  • V-19307
Rule IDs
  • SV-21224r4_rule
Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23351r4_chk

Detailed Policy Requirements: ***** For this check, set IT Policy rule "Allow Public IM Services" (Service Exclusivity policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Public IM Services" (Service Exclusivity policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Security requirements for Instant Messaging (IM) must be followed. IT Policy rule Allow Public Google Talk Services (Service Exclusivity policy group) must be set as required.
Low - V-19308 - SV-21225r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1430-05
Vuln IDs
  • V-19308
Rule IDs
  • SV-21225r4_rule
Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23352r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Allow Public Google Talk Services" (Service Exclusivity policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Public Google Talk Services" (Service Exclusivity policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

Security requirements for Instant Messaging (IM) must be followed. IT Policy rule Allow Public WLM Services (Service Exclusivity policy group) must be set as required.
Low - V-19309 - SV-21226r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1430-06
Vuln IDs
  • V-19309
Rule IDs
  • SV-21226r4_rule
Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23353r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Allow Public WLM Services" (Service Exclusivity policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Public WLM Services" (Service Exclusivity policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Maximum Bluetooth Range” (BlackBerry Smart Card Reader policy group) must be set as required.
Low - V-19315 - SV-21232r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1410-01
Vuln IDs
  • V-19315
Rule IDs
  • SV-21232r4_rule
Insecure Bluetooth SCR could make the BlackBerry vulnerable to compromise via a Bluetooth attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23358r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Maximum Bluetooth Range" (BlackBerry SCR policy group) to "50% or less". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1100-01 (V0003545). *****Verify IT Policy rule "Maximum Bluetooth Range" (BlackBerry SCR policy group) is set as required. Note: The correct setting can also be verified on the handheld: See "Reader Setting – Bluetooth Range" in Table 5, BlackBerry STIG Configuration Tables. Verifying the correct setting on the BES is the preferred procedure. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Maximum PC Disconnect Timeout” (BlackBerry Smart Card Reader policy group) must be set as required.
Low - V-19317 - SV-21234r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1410-02
Vuln IDs
  • V-19317
Rule IDs
  • SV-21234r4_rule
Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
ECSC-1
Checks: C-23359r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Maximum PC Disconnect Timeout" (BlackBerry Smart Card Reader policy group) to "0" or "<blank>." Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Maximum PC Disconnect Timeout" (BlackBerry Smart Card Reader policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Maximum Number of PC Pairings” (BlackBerry Smart Card Reader policy group) must be set as required.
Medium - V-19318 - SV-21235r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1410-03
Vuln IDs
  • V-19318
Rule IDs
  • SV-21235r4_rule
Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23360r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Maximum Number of PC Pairings" (BlackBerry Smart Card Reader policy group) to "0" or "1" depending on if SCR connections to PCs are authorized. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1100-01 (V0003545). *****Verify IT Policy rule "Maximum Number of PC Pairings" (BlackBerry Smart Card Reader policy group) is set as required. Note: The correct setting can also be verified on the handheld: See "Reader Setting – Bluetooth Range" in Table 5, BlackBerry STIG Configuration Tables. Verifying the correct setting on the BES is the preferred procedure. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry internet browser. IT Policy rule Allow IBS Browser (Browser policy group) is set as required.
Low - V-19337 - SV-21254r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1440-01
Vuln IDs
  • V-19337
Rule IDs
  • SV-21254r4_rule
The BlackBerry Browser forces all Internet browsing to go through the site Internet gateway, which provides additional security over the carrier's browser.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23366r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Allow IBS Browser" (Browser policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow IBS Browser" (Browser policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

All Internet browsers must be disabled from the BlackBerry device except for the BlackBerry Internet browser. IT Policy rule Allow Other Browser Services (Services Exclusivity policy group) is set as required.
Low - V-19343 - SV-21260r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1440-03
Vuln IDs
  • V-19343
Rule IDs
  • SV-21260r4_rule
Requiring the use of the BlackBerry browser forces all Internet browsing to go through the enclave web proxy. Therefore, all Internet use will be filtered and protected by enclave malware protection services. Otherwise, BlackBerry Internet browsing would make the BlackBerry handheld and the enclave more vulnerable to malware that could be downloaded from the Internet.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-23368r4_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Allow Other Browser Services" (Services Exclusivity policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Other Browser Services" (Services Exclusivity policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Force Load Count (Desktop-Only policy group) must be set as required.
Low - V-19718 - SV-21859r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-03
Vuln IDs
  • V-19718
Rule IDs
  • SV-21859r4_rule
Required software update may not be installed, resulting in un-patched system.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24155r4_chk

Detailed Policy Requirements: Users must be forced to install critical software updates. *****For this check, set IT Policy rule "Force Load Count" (Desktop-Only policy group) to "1" or "2". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Force Load Count" (Desktop-Only policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Force Load Message” (Desktop-Only policy group) must be set as required.
Low - V-19719 - SV-21860r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-04
Vuln IDs
  • V-19719
Rule IDs
  • SV-21860r4_rule
Required software update may not be installed, resulting in un-patched system.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24156r4_chk

Detailed Policy Requirements: Users must be forced to install critical software updates and be notified when a software update is available. *****For this check, a notification message will be added to the IT Policy rule "Force Load Message" (Desktop-Only policy group). See the BlackBerry STIG Overview for an example. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Force Load Message" (Desktop-Only policy group) is set as required. If not set as required, this is not a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Set Owner Name” (Common policy group) must be set as required.
Low - V-19721 - SV-21862r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-06
Vuln IDs
  • V-19721
Rule IDs
  • SV-21862r4_rule
If not set correctly, BlackBerry may be identified as a DoD BlackBerry when found after being lost or stolen. This is an operational security issue.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24158r4_chk

Detailed Policy Requirements: If used, "Owner Name" must not identify a BlackBerry as a DoD BlackBerry. *****For this check, set IT Policy rule "Set Owner Name" (Common policy group) as follows: Leave blank or follow guidance in comment listed in the BlackBerry STIG Overview. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Set Owner Name" (Common policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Keystore Password Maximum Timeout” (Security policy group) must be set as required.
Low - V-19723 - SV-21864r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-08
Vuln IDs
  • V-19723
Rule IDs
  • SV-21864r4_rule
Encryption keys and certificates stored in the keystore may be exposed to compromise if the keystore is not locked after a set period of inactivity.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24160r4_chk

Detailed Policy Requirements: A timeout must be set up for the BlackBerry keystore password of 60 or less. 15 is recommended. *****For this check, set IT Policy rule "Keystore Password Maximum Timeout" (Security policy group) to 60 or less. 15 is recommended. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Keystore Password Maximum Timeout" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Allow Split-Pipe Connections (Security policy group) must be set as required.
Medium - V-19724 - SV-21865r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-09
Vuln IDs
  • V-19724
Rule IDs
  • SV-21865r4_rule
BlackBerry could be at risk if an application is able to open an internal and external connection on the BlackBerry at the same time. The BlackBerry could be exposed to malware.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24161r5_chk

Detailed Policy Requirements: Split-pipe connections are not allowed on DoD BlackBerrys. *****For this check, set IT Policy rule "Allow Split-Pipe Connections" (Security policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Split-Pipe Connections" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “FIPS Level” (Security policy group) must be set as required.
Medium - V-19725 - SV-21866r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-10
Vuln IDs
  • V-19725
Rule IDs
  • SV-21866r3_rule
Data stored on the BlackBerry or transmitted by the BlackBerry could be compromised if not encrypted according to DoD/NIST standards.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24162r3_chk

Detailed Policy Requirements: BlackBerry FIPS level must be set to Level 1. *****For this check, set IT Policy rule "FIPS Level" (Security policy group) to "1 (FIPS 140-2 Level 1)." Check Procedures: This is a BES IT Policy check. Recommend that all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "FIPS Level" (Security policy group) is set as required. Note: This rule is obsolete in BlackBerry® Enterprise Server versions 4.1 SP3 and later and BlackBerry® Device Software versions 4.2.1 and later. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Minimal Signing Key Store Security Level (Security policy group) must be set as required.
Low - V-19726 - SV-21867r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-11
Vuln IDs
  • V-19726
Rule IDs
  • SV-21867r4_rule
If not set correctly, the keystore, where encryption keys and digital certificates are stored, may not be encrypted with a strong encryption key.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24163r4_chk

Detailed Policy Requirements: The BlackBerry keystore security level must be set to Medium or higher. *****For this check, set IT Policy rule "Minimal Signing Key Store Security Level" (Security policy group) to "Medium Security or High Security". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Minimal Signing Key Store Security Level" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Minimal Encryption Key Store Security Level (Security policy group) must be set as required.
Low - V-19727 - SV-21868r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-12
Vuln IDs
  • V-19727
Rule IDs
  • SV-21868r4_rule
If not set correctly, the keystore, where encryption keys and digital certificates are stored, may not be encrypted with a strong encryption key.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24164r4_chk

Detailed Policy Requirements: The BlackBerry keystore security level encryption key must be set to Medium or higher. *****For this check, set IT Policy rule "Minimal Encryption Key Store Security Level" (Security policy group) to "Medium Security or High Security". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Minimal Encryption Key Store Security Level" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Force Content Protection of Master Keys (Security policy group) must be set as required.
Medium - V-19728 - SV-21869r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-13
Vuln IDs
  • V-19728
Rule IDs
  • SV-21869r4_rule
Master keys (used for data encryption) will be stored on the BlackBerry in un-encrypted form and could be compromised.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24165r4_chk

Detailed Policy Requirements: BlackBerry Master keys must be stored on the BlackBerry in encrypted form. *****For this check, set IT Policy rule "Force Content Protection of Master Keys" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Force Content Protection of Master Keys" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Force LED Blinking When Microphone Is On (Security policy group) must be set as required.
Low - V-19729 - SV-21870r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-14
Vuln IDs
  • V-19729
Rule IDs
  • SV-21870r4_rule
User not aware that sensitive conversations are being recorded and/or transmitted.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24166r4_chk

Detailed Policy Requirements: The BlackBerry microphone indicator light must be on when the BlackBerry microphone is active. *****For this check, set IT Policy rule "Force LED Blinking When Microphone Is On" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Force LED Blinking When Microphone Is On" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Password Required for Application Download (Security policy group) must be set as required.
Low - V-19731 - SV-21872r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-16
Vuln IDs
  • V-19731
Rule IDs
  • SV-21872r4_rule
Malware or unauthorized applications could be downloaded inadvertently by user if control not set.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24168r4_chk

Detailed Policy Requirements: Users must be required to enter their BlackBerry password prior to the download of applications. *****For this check, set IT Policy rule "Password Required for Application Download" (Security policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Password Required for Application Download" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Disable Public Photo Sharing Applications” (Security group policy) must be set as required.
Low - V-19733 - SV-21874r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-18
Vuln IDs
  • V-19733
Rule IDs
  • SV-21874r4_rule
Public photo sharing web sites are known to be malware infested.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24170r4_chk

Detailed Policy Requirements: User access to Public Photo Sharing Applications will be blocked. *****For this check, set IT Policy rule "Disable Public Photo Sharing Applications" (Security group policy) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Public Photo Sharing Applications" (Security group policy) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Security Transcoder Cod File Hashes (Security policy group) must be set as required.
Low - V-19734 - SV-21880r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-19
Vuln IDs
  • V-19734
Rule IDs
  • SV-21880r4_rule
Third party applications can act as transcoders and use the transcoder API and can impact the security posture of the BlackBerry. A transcoder is used to translate specific types of content into a format for transmission to a BlackBerry and can cause changes to normally secure connections between the BlackBerry and web sites. See http://blog.masabi.com/2009/01/how-do-transcoders-affect-https.html for more details.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24176r4_chk

Detailed Policy Requirements: The use of transcoders is not permitted on DoD BlackBerrys. *****For this check, set IT Policy rule "Security Transcoder Cod File Hashes" (Security policy group) to <blank>. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Security Transcoder Cod File Hashes" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Require FIPS Ciphers (TLS policy group) must be set as required.
Low - V-19736 - SV-21882r5_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-21
Vuln IDs
  • V-19736
Rule IDs
  • SV-21882r5_rule
Only DoD FIPS encryption ciphers (e.g., AES) are authorized. Otherwise, the encrypted data in web connections may be susceptible to being analyzed by a hacker.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24178r5_chk

Detailed Policy Requirements: Only DoD-approved FIPS algorithms will be used. *****For this check, set IT Policy rule "Require FIPS Ciphers" (TLS policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Require FIPS Ciphers" (TLS policy group) is set as required. If not set as required, this is a finding.

Fix: F-44085r1_fix

Configure the BES IT policy rule "Require FIPS Ciphers" to Yes.

BES IT Policy rule must be configured as required. IT Policy rule Require FIPS Ciphers (WTLS Application policy group) must be set as required.
Low - V-19737 - SV-21883r5_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-22
Vuln IDs
  • V-19737
Rule IDs
  • SV-21883r5_rule
Only DoD FIPS encryption ciphers (e.g., AES) are authorized. Otherwise, the encrypted data in web connections may be susceptible to being analyzed by a hacker.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24179r5_chk

Detailed Policy Requirements: Only DoD-approved FIPS algorithms will be used. *****For this check, set IT Policy rule "Require FIPS Ciphers" (WTLS Application policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Require FIPS Ciphers" (WTLS Application policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Allow Application Download Services (Browser policy group) must be set as required.
Low - V-19738 - SV-21884r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-23
Vuln IDs
  • V-19738
Rule IDs
  • SV-21884r4_rule
Disables and removes icons placed on the BlackBerry by carriers (e.g., Verizon Wireless, AT&T, etc.) that are used to connect to carriers’ web sites where applications are sold. Unapproved applications can cause security issues to the DoD BlackBerry system.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24181r4_chk

Detailed Policy Requirements: The use of Application Download Services will be blocked. *****For this check, set IT Policy rule "Allow Application Download Services" (Browser policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Allow Application Download Services" (Browser policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Verify BlackBerry MDS Integration Service Certificate” (BlackBerry MDS Integration Service policy group) must be set as required.
Medium - V-19739 - SV-21885r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-24
Vuln IDs
  • V-19739
Rule IDs
  • SV-21885r4_rule
Un-authenticated connection will be made between the BlackBerry and the BES MDS Integration Service, which could degrade security in the enclave.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24182r4_chk

Detailed Policy Requirements: Only trusted connections will be allowed between the BlackBerry and the BlackBerry MDS Integration Service. *****For this check, set IT Policy rule "Verify BlackBerry MDS Integration Service Certificate" (BlackBerry MDS Integration Service policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Verify BlackBerry MDS Integration Service Certificate" (BlackBerry MDS Integration Service policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Disable Activation With Public BlackBerry MDS Integration Service (BlackBerry MDS Integration Service policy group) must be set as required.
Medium - V-19740 - SV-21886r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-25
Vuln IDs
  • V-19740
Rule IDs
  • SV-21886r4_rule
User can connect to public BlackBerry MDS Integration Services to access public content, web, and application servers. These servers are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24183r4_chk

Detailed Policy Requirements: Access to Public BlackBerry MDS Integration Services will be blocked. *****For this check, set IT Policy rule "Disable Activation With Public BlackBerry MDS Integration Service" (BlackBerry MDS Integration Service policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Activation With Public BlackBerry MDS Integration Service" (BlackBerry MDS Integration Service policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Disable Carrier Directory (Application Center policy group) must be set as required.
Low - V-19746 - SV-21892r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-27
Vuln IDs
  • V-19746
Rule IDs
  • SV-21892r4_rule
Disables the carrier’s application center directory on a BlackBerry device. Application Center is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
System Administrator, Information Assurance Officer
ECSC-1
Checks: C-24192r4_chk

Detailed Policy Requirements: Access to Web application stores will be blocked. *****For this check, set IT Policy rule "Disable Carrier Directory" (Application Center policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Carrier Directory" (Application Center policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Desktop Allow Device Switch” (Desktop policy group) must be set as required.
Medium - V-19747 - SV-21893r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-28
Vuln IDs
  • V-19747
Rule IDs
  • SV-21893r4_rule
Stops a user from changing BlackBerry devices without the approval of the BlackBerry Administrator. BlackBerry security software (S/MIME, etc.) may not be installed correctly and other required provisioning steps may not be completed. BlackBerry device and system could be vulnerable to attack by hackers or malware.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-24193r4_chk

Detailed Policy Requirements: Configuration management of the BlackBerry device software will be maintained. Only authorized software will be installed from a trusted source. Provisioning of the handheld will be completed under the control of the BlackBerry system administrator. *****For this check, set IT Policy rule "Desktop Allow Device Switch" (Desktop policy group) to "No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Desktop Allow Device Switch" (Desktop policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Disallow File Transfer Types (Instant Messaging policy group) must be set as required.
Low - V-19753 - SV-21899r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-34
Vuln IDs
  • V-19753
Rule IDs
  • SV-21899r4_rule
Insecure file types are transferred to BlackBerry via IM, increasing the risk of malware being downloaded on the BlackBerry and being transferred to the DoD enclave.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-24199r4_chk

Detailed Policy Requirements: File types with known vulnerabilities will not be downloaded via an IM connection. Specific banned file types are based on local policy (e.g., .exe, .bat). *****For this check, set IT Policy rule "Disallow File Transfer Types" (Instant Messaging policy group) to "*" (to block all files) or specify specific file types to block based on local policy (e.g., .exe, .bat, mp3, .zip). Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disallow File Transfer Types" (Instant Messaging policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Disable BlackBerry Unite! Applications (BlackBerry Unite! policy group) must be set as required.
Low - V-19754 - SV-21900r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-35
Vuln IDs
  • V-19754
Rule IDs
  • SV-21900r4_rule
BlackBerry Unite! is a public data sharing service where groups of BlackBerry users can share photos, calendar information, and other data. This service allows other users to see sensitive DoD data stored on a DoD BlackBerry.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-24200r4_chk

Detailed Policy Requirements: File sharing services and applications will not be used on DoD BlackBerry systems, including BlackBerry Unite!. *****For this check, set IT Policy rule "Disable BlackBerry Unite! Applications" (BlackBerry Unite! policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable BlackBerry Unite! Applications" (BlackBerry Unite! policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Disable Download Manager (BlackBerry Unite! policy group) must be set as required.
Low - V-19755 - SV-21901r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-36
Vuln IDs
  • V-19755
Rule IDs
  • SV-21901r4_rule
BlackBerry Unite! is a public data sharing service where groups of BlackBerry users can share photos, calendar information, and other data. This service allows other users to see sensitive DoD data stored on a DoD BlackBerry.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-24201r4_chk

Detailed Policy Requirements: File sharing services and applications will not be used on DoD BlackBerry systems, including BlackBerry Unite!. *****For this check, set IT Policy rule "Disable Download Manager" (BlackBerry Unite! policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Download Manager" (BlackBerry Unite! policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BlackBerrys with removable memory cards (e.g., MicroSD) must be compliant with requirements. IT Policy rule "External File System Encryption Level" (Security policy group) must be set as required.
Medium - V-19767 - SV-21914r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1460-02
Vuln IDs
  • V-19767
Rule IDs
  • SV-21914r3_rule
Malware could be downloaded from the memory card to the PC if not compliant.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-24282r3_chk

Detailed Policy Requirements: *****For this check, set IT policy “External File System Encryption Level” (Security policy group) to “4 - Encrypt to Device Key (including multi-media directories)”. Check Procedures: This is an IT policy check. Recommend all checks related to BES IT Policies be reviewed using the procedures found in check WIR1400-01 (V0003545). *****Verify the IT policy assigned to each user has the IT Policy rule "External File System Encryption Level" (Security policy group) set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Disable User Initiated Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required.
Medium - V-19775 - SV-21938r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-37
Vuln IDs
  • V-19775
Rule IDs
  • SV-21938r4_rule
Users can connect to public BlackBerry MDS Integration Services to access public content, web, and application servers. These servers are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-24824r4_chk

Detailed Policy Requirements: User Initiated access to Public BlackBerry MDS Integration Services will be blocked. *****For this check, set IT Policy rule "Disable User Initiated Activation With Public BlackBerry MDS Integration Service" (BlackBerry MDS Integration Service policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable User initiated Activation With Public BlackBerry MDS Integration Service" (BlackBerry MDS Integration Service policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Allow BlackBerry Desktop Software Statistics” (Desktop policy group) must be set as required.
Low - V-22047 - SV-25478r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-38
Vuln IDs
  • V-22047
Rule IDs
  • SV-25478r4_rule
This rule could allow software statistics on DoD BlackBerry devices to be automatically sent to BlackBerry, which may expose OPSEC information.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-26998r3_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule “Allow BlackBerry Desktop Software Statistics” (Desktop policy group) to “No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Allow BlackBerry Desktop Software Statistics” (Desktop policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Allow Discovery by User” (MDS Integration Service policy group) must be set as required.
Medium - V-22048 - SV-25479r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-39
Vuln IDs
  • V-22048
Rule IDs
  • SV-25479r3_rule
This rule allows a user to search for and install BlackBerry MDS Runtime Applications on a BlackBerry device. This could lead to the installation of unapproved applications and possible malware.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-26999r3_chk

Detailed Policy Requirements: Only DoD approved applications will be used. *****For this check, set IT Policy rule “Allow Discovery by User” (MDS Integration Service policy group) to “No”. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy “Allow Discovery by User” (MDS Integration Service policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Encryption on On-Board Device Memory Media Files (Security policy group) must be set as required.
Medium - V-22050 - SV-25482r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1445-03
Vuln IDs
  • V-22050
Rule IDs
  • SV-25482r4_rule
If a media card is inserted in the BlackBerry® device, this rule specifies whether the media files that are located in the media card are encrypted to the user password and the device-generated key. If data is not encrypted, sensitive DoD data could be exposed to unauthorized people.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-27001r4_chk

*****For this check, set IT Policy rule "Encryption on On-Board Device Memory Media Files" (Security policy group) to "Required". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Encryption on On-Board Device Memory Media Files" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Allow Network Address Book Sync (Service Exclusivity policy group) must be set as required.
Low - V-22051 - SV-25483r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-42
Vuln IDs
  • V-22051
Rule IDs
  • SV-25483r4_rule
This rule specifies whether the carrier's backup can run on a BlackBerry® device, which permits a BlackBerry device user to synchronize only the contacts that are included in the user's MyFaves plan with the carrier's mobile backup. Use of this service may allow the storage of DoD sensitive data on a carrier server and expose the data to non-DoD personnel.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-27002r5_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule “Allow Network Address Book Sync” (Service Exclusivity policy group) to “Disabled". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Allow Network Address Book Sync” (Service Exclusivity policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule “Allow User Feedback” (User Feedback policy group) must be set as required.
Low - V-22052 - SV-25484r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-43
Vuln IDs
  • V-22052
Rule IDs
  • SV-25484r4_rule
This rule specifies whether a user can provide feedback to BlackBerry via a system message. This capability may provide OPSEC information about a DoD BlackBerry system or device.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-27003r3_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule “Allow User Feedback” (User Feedback policy group) to “No". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Allow User Feedback” (User Feedback policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

IT Policy rule Disable organizer data access for social networking applications (Value-Added Applications policy group) must be set as required.
Low - V-22053 - SV-25489r3_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-40
Vuln IDs
  • V-22053
Rule IDs
  • SV-25489r3_rule
This rule specifies whether a BlackBerry® device must prevent social networking applications from accessing organizer data. BlackBerry organizer (calendar, notes, and contacts) may contain sensitive DoD information that could be exposed to the public if social networking applications had access to it.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-27004r3_chk

Detailed Policy Requirements: *****For this check, set IT Policy rule "Disable organizer data access for social networking applications" (Value-Added Applications policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable organizer data access for social networking applications" (Value-Added Applications policy group) is set as required.

Fix: F-27141r2_fix

Set IT Policy rule "Disable organizer data access for social networking applications" (Value-Added Applications policy group) to "Yes".

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Message Access Profile” (Bluetooth policy group) must be set as required.
Low - V-25873 - SV-32228r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1405-22
Vuln IDs
  • V-25873
Rule IDs
  • SV-32228r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-32694r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Disable Message Access Profile" (Bluetooth policy group) to "Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Disable Message Access Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule “Application Restriction Rule” (BlackBerry App World policy group) will be set as required.
Low - V-25875 - SV-32230r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1465-02
Vuln IDs
  • V-25875
Rule IDs
  • SV-32230r4_rule
BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
Responsibility: System Administrator
IA Controls: ECSC-1, IAKM-2
Checks: C-32696r4_chk

Note: This check is Not Applicable if an Application White List has been set up on the BES and there are no findings for Application White List checks. Verify there are no findings for checks V-16341/WIR1310-01 and V-22042/WIR1310-02. Detailed Policy Requirements: Access to Web application stores will be blocked. *****For this check, set IT Policy rule “Application Restriction Rule” (BlackBerry App World policy group) to “Allow". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Application Restriction Rule” (BlackBerry App World policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Category Restriction Rule” (BlackBerry App World policy group) must be set as required.
Low - V-25876 - SV-32231r4_rule
RMF Control
Severity
Low
CCI
Version
WIR1465-03
Vuln IDs
  • V-25876
Rule IDs
  • SV-32231r4_rule
BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-32697r4_chk

Note: This check is Not Applicable if an Application White List has been set up on the BES and there are no findings for Application White List checks. Verify there are no findings for checks V-16341/WIR1310-01 and V-22042/WIR1310-02. Detailed Policy Requirements: Access to Web application stores will be blocked. *****For this check, set IT Policy rule “Category Restriction Rule” (BlackBerry App World policy group) to “Deny". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Category Restriction Rule” (BlackBerry App World policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Disable Application Purchasing” (BlackBerry App World policy group) must be set as required.
Low - V-25877 - SV-32232r3_rule
RMF Control
Severity
Low
CCI
Version
WIR1465-04
Vuln IDs
  • V-25877
Rule IDs
  • SV-32232r3_rule
BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-32698r3_chk

Detailed Policy Requirements: Access to Web application stores will be blocked. *****For this check, set IT Policy rule “Disable Application Purchasing” (BlackBerry App World policy group) to “Yes”. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Disable Application Purchasing” (BlackBerry App World policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule “Content Protection Usage” (Security policy group) must be set as required.
Medium - V-25878 - SV-32233r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1445-04
Vuln IDs
  • V-25878
Rule IDs
  • SV-32233r4_rule
DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-32699r4_chk

For this check, set IT Policy rule "Content Protection Usage" (Security policy group) to "Allowed". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Content Protection Usage" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) must be set as required.
Medium - V-25879 - SV-32234r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-44
Vuln IDs
  • V-25879
Rule IDs
  • SV-32234r3_rule
When not configured properly, users can access data on the DoD network in shared folders without required CAC authentication to the network.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-32700r3_chk

Detailed Policy Requirements: For this check, set IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) to “Yes". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) is set as required. Mark as a finding if not set as required.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES Bluetooth controls must be compliant with requirements. IT Policy rule “Minimum Encryption Key Length” (Bluetooth Only policy group) must be set as required.
Medium - V-26507 - SV-33353r4_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-23
Vuln IDs
  • V-26507
Rule IDs
  • SV-33353r4_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-33856r4_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements and check procedures. *****For this check, set IT Policy rule "Minimum Encryption Key Length" (Bluetooth policy group) to either "<blank>" or "16" for STIG IT Policies for no Bluetooth headsets or to "16" for STIG IT Policies for Bluetooth headsets. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Minimum Encryption Key Length" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-23386r4_fix

Configure the IT Policy rule as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule “Application Restriction List” (BlackBerry App World policy group) must be set as required.
Medium - V-30295 - SV-39949r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1465-05
Vuln IDs
  • V-30295
Rule IDs
  • SV-39949r3_rule
BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
Responsibility: System Administrator
IA Controls: ECSC-1, ECWN-1
Checks: C-39020r3_chk

Note: This check is Not Applicable if an Application White List has been set up on the BES and there are no findings for Application White List checks. Verify there are no findings for checks V-16341/WIR1310-01 and V-22042/WIR1310-02. Detailed Policy Requirements: Access to Web application stores will be blocked. *****For this check, set IT Policy rule “Application Restriction List” (BlackBerry App World policy group) to list all applications the AO has approved for download from BlackBerry App World. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Application Restriction List” (BlackBerry App World policy group) is set as required. Mark as a finding if not set as required.

Fix: F-34089r1_fix

Configure the Application Restriction List IT Policy rule as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule “BlackBerry Playbook Log Submission” (Companion Devices policy group) must be set as required.
Medium - V-30767 - SV-40622r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1470-01
Vuln IDs
  • V-30767
Rule IDs
  • SV-40622r3_rule
Sensitive DoD information could be exposed if Playbook log information was sent to BlackBerry.
Responsibility: System Administrator
IA Controls: ECSC-1, ECWN-1
Checks: C-39364r2_chk

Detailed Policy Requirements: For this check, set IT Policy rule “BlackBerry Playbook Log Submission” (Companion Devices policy group) to "Disable". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). Verify "BlackBerry Playbook Log Submission” (Companion Devices policy group) is set as required. Mark as a finding if not set as required.

Fix: F-34475r1_fix

Configure the BlackBerry Playbook Log Submission IT Policy rule as specified in the "Checks" section.

BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. The device password must not contain more than two sequential characters or more than two repeating characters.
Medium - V-37372 - SV-49134r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1400-12
Vuln IDs
  • V-37372
Rule IDs
  • SV-49134r3_rule
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. If the password complexity is not compliant, it may be possible for a hacker to guess the password.
Responsibility: System Administrator
IA Controls: ECSC-1, IAIA-1
Checks: C-45620r4_chk

This requirement can only be met via User Based Enforcement (UBE) at this time. Consult with the user to ensure there are no more than two sequential characters (for example, abc) or no more than two repeating characters (for example, 222) in the password. If the device password contains more than two sequential characters or more than two repeating characters, this is a finding.

Fix: F-42297r3_fix

Configure the device password so that there are no more than two sequential characters or no more than two repeating characters.
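
Because WIR1400-12 can only be met through User Based Enforcement, a local checker can help a user or reviewer confirm a candidate password before it is set. The following is an added example, not part of the STIG or of any BlackBerry tooling; it assumes that descending runs (cba, 321) count as sequential, that comparison is case-insensitive, and that only ASCII letters and digits form sequences (keyboard-adjacent patterns are not evaluated).

```python
"""Check a candidate device password against the WIR1400-12 run rule."""
import getpass
import string
import sys

# The STIG allows at most two sequential or two repeating characters.
MAX_RUN = 2

_KIND = {0: "repeating", 1: "sequential", -1: "sequential"}
# Assumption: sequences are only evaluated within one of these alphabets.
_ALPHABETS = (string.digits, string.ascii_lowercase)


def _delta(a, b):
    """Return 0 for a repeat, +1/-1 for an adjacent step, otherwise None."""
    if a == b:
        return 0
    for alphabet in _ALPHABETS:
        if a in alphabet and b in alphabet:
            step = ord(b) - ord(a)
            return step if step in (1, -1) else None
    return None


def find_violations(password):
    """Return (kind, start_index, length) for every run longer than MAX_RUN.

    The password text itself is never returned, so results can be shown
    or logged without echoing the secret.
    """
    s = password.lower()  # assumption: 'aAa' counts as three repeats
    violations = []
    i, n = 0, len(s)
    while i < n - 1:
        delta = _delta(s[i], s[i + 1])
        if delta is None:
            i += 1
            continue
        # Extend the run while the same step keeps holding.
        j = i + 1
        while j + 1 < n and _delta(s[j], s[j + 1]) == delta:
            j += 1
        length = j - i + 1
        if length > MAX_RUN:
            violations.append((_KIND[delta], i, length))
        # The last character of this run may begin a different run.
        i = j
    return violations


def is_compliant(password):
    """True when the password has no run longer than MAX_RUN."""
    return not find_violations(password)


if __name__ == "__main__":
    candidate = getpass.getpass("Candidate device password: ")
    found = find_violations(candidate)
    for kind, start, length in found:
        print(f"finding: {length} {kind} characters at position {start + 1}")
    if not found:
        print("no sequential or repeating runs longer than two characters")
    sys.exit(1 if found else 0)
```
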

BES Bluetooth controls must be compliant with requirements. IT Policy rule Human Interface Device Profile (Bluetooth Only policy group) must be set as required.
Medium - V-37373 - SV-49135r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR1405-24
Vuln IDs
  • V-37373
Rule IDs
  • SV-49135r2_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. Only Bluetooth profiles required for either the BlackBerry smart card reader or headset should be used.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-45621r3_chk

Detailed Policy Requirements: See Check WIR1405-01 (V0014198) for detailed policy requirements. *****For this check, set IT Policy rule "Human Interface Device Profile" (Bluetooth policy group) to "Disallow". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Human Interface Device Profile" (Bluetooth policy group) is set as required. If not set as required, this is a finding.

Fix: F-42298r1_fix

Configure the IT Policy rule Human Interface Device Profile as specified in the "Checks" block.

IT Policy rule Disable Data Exchange for Mobile Hotspot Mode must be set as required.
Medium - V-37374 - SV-49136r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR1435-02
Vuln IDs
  • V-37374
Rule IDs
  • SV-49136r2_rule
Sensitive DoD data could be exposed since data exchanged between CMDs connected to a hotspot is not encrypted.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-45622r2_chk

Detailed Policy Requirements: Set IT Policy rule "Disable Data Exchange for Mobile Hotspot Mode" (WLAN policy group) to "Yes". Check procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). Verify "Disable Data Exchange for Mobile Hotspot Mode" has been configured as required.

Fix: F-42299r1_fix

Configure the IT Policy rule Disable Data Exchange for Mobile Hotspot Mode as specified in the "Checks" block.

BES IT Policy rule must be configured as required. IT Policy rule Media Card Format on Device Wipe (Security policy group) must be set as required.
Medium - V-37375 - SV-49137r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR1445-05
Vuln IDs
  • V-37375
Rule IDs
  • SV-49137r2_rule
DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-45623r3_chk

For this check, set IT Policy rule "Media Card Format on Device Wipe" (Security policy group) to "Required". Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule "Media Card Format on Device Wipe" (Security policy group) is set as required. If not set as required, this is a finding.

Fix: F-42300r1_fix

Configure the IT Policy rule Media Card Format on Device Wipe as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule Application Installation Methods (Security policy group) must be set as required.
Low - V-37376 - SV-49138r2_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-46
Vuln IDs
  • V-37376
Rule IDs
  • SV-49138r2_rule
Unapproved applications have not been properly vetted and may contain malware. Therefore, applications should only be deployed to BlackBerry devices from BlackBerry Enterprise Servers (BES).
Responsibility: System Administrator
IA Controls: CODP-1, ECSC-1
Checks: C-45624r3_chk

Detailed Policy Requirements: For this check, set IT Policy rule “Application Installation Methods” (Security policy group) to: • Disallow Browser • Disallow Media Card • Disallow USB Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Application Installation Methods” (Wired Software Updates policy group) is set as required.

Fix: F-42301r1_fix

Configure the IT Policy rule Application Installation Methods as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule Media Server (Media Server policy group) must be set as required.
Low - V-37377 - SV-49139r1_rule
RMF Control
Severity
Low
CCI
Version
WIR1450-47
Vuln IDs
  • V-37377
Rule IDs
  • SV-49139r1_rule
The media server function on the device allows media files to be shared between BlackBerry devices without the data being encrypted. Therefore, sensitive DoD data could be exposed.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-45625r2_chk

Detailed Policy Requirements: For this check, set IT Policy rule “Media Server” (Media Server policy group) to “Disallow”. Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545). *****Verify IT Policy rule “Media Server” (Media Server policy group) is set as required.

Fix: F-42303r1_fix

Configure the IT Policy rule Media Server as specified in the "Checks" block.

BES IT Policy rule is configured as required. IT Policy rule Public Channel Downloads (BlackBerry App World policy group) must be set as required.
Medium - V-37378 - SV-49140r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR1465-06
Vuln IDs
  • V-37378
Rule IDs
  • SV-49140r1_rule
BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.
Responsibility: System Administrator
IA Controls: ECSC-1, ECWN-1
Checks: C-45626r1_chk

Detailed Policy Requirements: Access to Web application stores will be blocked.

*****For this check, set IT Policy rule “Public Channel Downloads” (BlackBerry App World policy group) to “Disallow”.

Check Procedures: This is a BES IT Policy check. Recommend all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545).

*****Verify IT Policy rule “Public Channel Downloads” (BlackBerry App World policy group) is set as required. Mark as a finding if not set as required.

Fix: F-42304r1_fix

Configure the Public Channel Downloads IT Policy rule as specified in the "Checks" block.

IT Policy rule Enforce FIPS Mode of Operation (Security policy group) must be set as required.
Medium - V-40410 - SV-52390r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR1450-48
Vuln IDs
  • V-40410
Rule IDs
  • SV-52390r1_rule
Data stored on the BlackBerry or transmitted by the BlackBerry could be compromised if not encrypted according to DoD/NIST standards.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-46988r2_chk

Detailed Policy Requirements: BlackBerry FIPS level must be set to Level 1.

*****For this check, set IT Policy rule “Enforce FIPS Mode of Operation” (Security policy group) to “Yes.”

Check Procedures: This is a BES IT Policy check. Recommend that all checks related to BES IT policies be reviewed using the procedure in Check WIR1400-01 (V0003545).

*****Verify IT Policy rule “Enforce FIPS Mode of Operation” (Security policy group) is set as required. Mark as a finding if the IT Policy rule “Enforce FIPS Mode of Operation” (Security policy group) is not set to “Yes.”

Note: This rule applies to BlackBerry OS 7.x.

Fix: F-45353r1_fix

Configure the IT Policy rule Enforce FIPS Mode of Operation as specified in the "Checks" block.