BlackBerry OS 7.x.x Security Technical Implementation Guide

  • Version/Release: V2R11
  • Published: 2017-09-11
When the Password Keeper is enabled on the BlackBerry device, the AO must review and approve its use, and the application must be configured as required.
Low - V-11865 - SV-12364r3_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1030-01
  • Vuln IDs: V-11865
  • Rule IDs: SV-12364r3_rule
Password Keeper is a default BlackBerry application that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local AO. Passwords are stored using 256-bit AES encryption using the BlackBerry FIPS 140-2 certified encryption module. Passwords in the Password Keeper can be copied and pasted into other applications, but the password is unencrypted while it resides in the BlackBerry handheld device clipboard.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-12372r3_chk

Detailed Policy Requirements: When the Password Keeper is enabled on the BlackBerry device, the AO must have reviewed and approved its use, and the application must be configured to enforce the following password rules:
  • Require use of eight or more characters. The Password Keeper must be configured to enforce this policy.
  • Set the number of incorrect passwords entered before a device wipe occurs to 10 or less. The Password Keeper must be configured to enforce this policy.
  • Set local policy to require a change of password at least every 90 days.

Check Requirements: Interview the ISSO. Ask if users are allowed to use Password Keeper on their handheld devices.

If Password Keeper is used:
  • Review the AO approval documentation regarding this.
  • Work with the ISSO to view the Password Keeper configuration on a sampling of BlackBerry devices using this application. On each BlackBerry, go to Applications/Password Keeper. The Password Keeper icon may also be installed directly on the BlackBerry home screen.
  • Verify the following Password Keeper settings (have the user log into Password Keeper, then click Menu and select Options):
    - Verify Random Password Length is set to 8 or more.
    - Verify Password Attempts is set to 10 or less.
  • Verify users are trained on the password change requirement (90 days or less) by reviewing the user agreement or training materials.

If Password Keeper is not authorized:
  • Review a sample of site BlackBerry devices (2-3 devices) to verify Password Keeper is not installed: Settings >> Options >> Advanced >> Applications. Review the list of installed applications and confirm Password Keeper is not on the list.

Fix: F-23342r2_fix

When the Password Keeper is enabled on the BlackBerry device, the AO has reviewed and approved its use, and the application is configured as required.

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Low - V-11866 - SV-12366r3_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1040-02
  • Vuln IDs: V-11866
  • Rule IDs: SV-12366r3_rule
Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-14985r3_chk

Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
  • The AO must approve the use of a Bluetooth smart card reader with command/site PCs.

Check Procedures: Interview the ISSO and wireless email system administrator. Determine if use of the BlackBerry SCR with site PCs has been approved. If yes, verify the following requirements are met:
  • The AO has approved the use of the BlackBerry SCR with site PCs. Have the ISSO provide documentation showing AO approval (letter, memo, SSP, etc.).

Fix: F-23344r1_fix

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.

Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
High - V-11870 - SV-12370r3_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: WIR1050-01
  • Vuln IDs: V-11870
  • Rule IDs: SV-12370r3_rule
Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-11491r4_chk

Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample) as appropriate.
  • Check a sample of BlackBerry devices (Settings >> Options >> Advanced Options >> Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.
  • On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. This review should be performed at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated. View the list of applications assigned to 3-4 sample Application White List software configurations assigned to users. Verify METAmessage is not listed.

The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents. These documents can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD. Verify this software application is not used by interviewing the ISSO or reviewing a sampling of the devices.

Fix: F-23346r1_fix

Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.

BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy.
Low - V-11871 - SV-12371r3_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1055-01
  • Vuln IDs: V-11871
  • Rule IDs: SV-12371r3_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-14987r2_chk

Perform the following steps on a sample of site BlackBerry devices (use 2-3 devices as a random sample), as appropriate, to verify users have the capability to sign and encrypt email. Verify S/MIME is configured such that users may sign messages. Check a sample of BlackBerry devices:
  • Verify the S/MIME application and Smart Card Reader drivers are installed on the device:
    - On the BlackBerry, go to Settings > Options > Advanced Options > Applications.
    - Look for the following applications:
      - S/MIME Support Package
      - PIV Drivers (optional)
      - BlackBerry Smart Card Reader
      - DoD Root Certificates
  • Verify certificates are configured on the BlackBerry:
    - Settings > Options > Security Options > Certificate Servers: GDS and OCSP servers should be listed.
    - Settings > Options > Security Options > Certificate: DoD Root certificates should be listed.
    - Settings > Options > Security Options > S/MIME: the user's public keys should be loaded.

Fix: F-23347r2_fix

BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.

If BlackBerry email auto signatures are used, the signature message must not disclose that the email originated from a BlackBerry or mobile device (e.g., "Sent From My Wireless Handheld").
Low - V-11872 - SV-12372r2_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1060-01
  • Vuln IDs: V-11872
  • Rule IDs: SV-12372r2_rule
The disclaimer message may give information which may key an attacker in on the device. This is primarily an OPSEC issue. This setting was directed by the USCYBERCOM.
Responsibility: Information Assurance Officer
Checks: C-14988r1_chk

Check a sample of BlackBerry devices (use 2-3 devices as a random sample):
  • Open the BlackBerry email folder.
  • Highlight the date line at the top of the list of messages.
  • Click the Menu button.
  • Select Options, then Email Settings.
  • Check the contents of the "Auto Signature" text box to verify compliance.

Fix: F-23348r1_fix

If BlackBerry email auto signatures are used, the signature message does not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).

All Internet browser icons must be disabled from the BlackBerry device except for the BlackBerry Internet Browser icon.
Low - V-11875 - SV-12375r2_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1075-01
  • Vuln IDs: V-11875
  • Rule IDs: SV-12375r2_rule
The BlackBerry Browser forces all Internet browsing to go through the site internet gateway, which provides additional security over the carrier's browser.
Checks: C-11498r2_chk

Complete the following procedures on a sample of site BlackBerry devices (2-3 devices), as appropriate.
  • Review a sample (3-4) of handheld devices and verify the Wireless Carrier's Internet browser icon, web portal browser icon, and all other browser icons (Yahoo, etc.) are not installed on the BlackBerry device. The only browser icon installed should be the BlackBerry browser icon. Go to the BlackBerry device Home screen and verify only the BlackBerry browser icon is present.
  • Go to Settings > Options > Advanced Options > Browser and verify the BlackBerry Browser is set as the default browser.

Fix: F-23351r1_fix

All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry Internet Browser.

BlackBerry devices must have the required operating system software version installed.
Medium - V-19213 - SV-21102r3_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: WIR1040-01
  • Vuln IDs: V-19213
  • Rule IDs: SV-21102r3_rule
Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-23150r3_chk

Detailed Policy Requirements: BlackBerry Handheld Software must be version 7.1 or later on BlackBerry devices. Otherwise, this is a finding.

Check Procedures: Verify the required BlackBerry Handheld Software version is being used. On a sample of site BlackBerry devices (use 2-3 for random sampling), check the installed software version as follows: Select Settings >> Options >> About.

Fix: F-23343r2_fix

Update BlackBerry devices to the required operating system software version.

Security configuration settings on the BlackBerry devices managed by the site must be compliant with requirements listed in Table 5, BlackBerry STIG Configuration Tables.
Low - V-19227 - SV-21127r2_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1080-01
  • Vuln IDs: V-19227
  • Rule IDs: SV-21127r2_rule
These checks are related to a defense-in-depth approach for the BlackBerry, including ensuring the locked BlackBerry is not identified as a DoD BlackBerry and providing visual indicators when the Bluetooth radio is being used, so users can verify they have initiated a Bluetooth connection attempt or if a hacker has initiated the connection.
IA Controls: ECWN-1
Checks: C-23179r2_chk

Verify the BlackBerry administrator has used the configuration settings listed in Table 5, BlackBerry STIG Configuration Tables, and check the following settings:
  • Device Name (this is checked in two locations)
  • Reader LED – Low Battery
  • Reader LED – Pairing
  • Reader LED – Traffic
A sample of BlackBerry devices should be checked (use 2-3 devices as a random sample). Table 5, BlackBerry STIG Configuration Tables, contains instructions on how to verify correct settings on a BlackBerry.

Fix: F-23352r1_fix

Security configuration settings on the BlackBerry devices managed by the site are compliant with requirements listed in Table 1, BlackBerry STIG Configuration Tables.

BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications.
Low - V-19281 - SV-21197r3_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1055-02
  • Vuln IDs: V-19281
  • Rule IDs: SV-21197r3_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Responsibility: Information Assurance Officer
Checks: C-23326r3_chk

If user software certificates are used on the BlackBerry instead of the CAC, verify the AO has approved their use (letter, memo, SSP, etc.).

Fix: F-23347r2_fix

BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Medium - V-19311 - SV-21228r3_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: WIR1040-03
  • Vuln IDs: V-19311
  • Rule IDs: SV-21228r3_rule
Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-23355r3_chk

Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
  • At the time of the publication of this document, the use of the BlackBerry SCR for authentication with PCs is only authorized with PCs that have Microsoft Windows XP. The Microsoft Vista and Windows 7 Bluetooth stack has not yet been tested with the BlackBerry SCR to determine if Bluetooth device pairing can be done in a secure manner and meets DoD security requirements.

Check Procedures: Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR:
  • Interview the ISSO and SA and verify the BlackBerry SCR is not used with Windows Vista and Windows 7.
  • BlackBerry users with Vista or Windows 7 on their PCs must be put in the BlackBerry users group not authorized to use the BlackBerry SCR with their PCs.

Fix: F-23344r1_fix

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Medium - V-19312 - SV-21229r3_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: WIR1040-04
  • Vuln IDs: V-19312
  • Rule IDs: SV-21229r3_rule
Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-23356r3_chk

Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
  • The PC must have the Bluetooth Lockdown tool installed and configured correctly.

Check Procedures: Perform the following checks on a sample (use 2-3 for a random sample) of site PCs used with the BlackBerry Bluetooth SCR. Verify the Bluetooth Lockdown tool is installed and configured correctly:
  • On the PC, go to Start >> Control Panel >> Add or Remove Programs >> select BlackBerry Smart Card Reader v1.5.1 and click the "Change/Remove" button.
  • In the first pop-up dialog box, click the "Next" button.
  • In the next dialog box, verify "Modify" is selected and click the "Next" button.
  • In the next dialog box, click the "Next" button.
  • In the next dialog box (Restrict Bluetooth Functionality), verify the checkbox is checked.
  • Click the "Cancel" button to cancel installation.

Fix: F-23344r1_fix

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Low - V-19313 - SV-21230r3_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1040-05
  • Vuln IDs: V-19313
  • Rule IDs: SV-21230r3_rule
Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-23357r3_chk

Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
  • Bluetooth radios installed in site PCs must be Class 2 or 3. Class 1 (100 mW) Bluetooth radios are not allowed.

Note: ISSOs: To determine the "class" rating of the Bluetooth radio, look under the specification section of the Bluetooth Network Interface Card manual, which can be downloaded from the laptop vendor's web site or the Bluetooth dongle vendor's web site. Nearly all internal laptop Bluetooth radios are Class 2 or 3, and many Bluetooth dongle radios are Class 1.

Check Procedures: Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR:
  • Interview the ISSO to verify only Bluetooth Class 2 or 3 radios are used in site PCs.
  • Have the ISSO or site BlackBerry Administrator show, for a sample of PCs, that the Bluetooth radio is not a Class 1 radio by providing a copy of the Bluetooth radio specification sheet.

Fix: F-23344r1_fix

BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.

The required version of the BlackBerry Smart Card Reader (SCR) hardware must be used, and the required versions of the drivers must be installed both on the BlackBerry and the SCR.
Low - V-21949 - SV-25132r4_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1040-06
  • Vuln IDs: V-21949
  • Rule IDs: SV-25132r4_rule
Required SCR security features are not available in earlier versions, and therefore Bluetooth vulnerabilities will not have been patched.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-26799r6_chk

Detailed Policy Requirements: Site BlackBerry devices and SCRs must have the required software versions installed.
  • The BlackBerry SCR hardware must be version 1 (model PRD-09695-004) or version 2 (model PRD-16951-001).
  • BlackBerry SCR software package version 4.2.0.107 or later is required (Application version 4.2.0.107, Software platform 1.5.0.81).
  • Apriva Bluetooth SCR (BT200) driver v03-30-02 or later is required.
  • Biometric Associates BaiMobile 3000MP SCR driver 0.1.3(19.07.13) or later is required.

Check Procedures:
If using the BlackBerry SCR:
  • Verify the required SCR model is used. The model number can be found under the battery.
  • Verify the required BlackBerry SCR software is being used. On a sample of BlackBerry SCRs (use 2-3 devices for a random sample), press and hold the Action button until "rEsetInG" appears, and then read the Application version and Software platform version as they are displayed.
If using the Apriva SCR:
  • On the BlackBerry, press lower case v (as in Victor) to verify the version number of the Apriva Utility installed on the BlackBerry.
  • On the BlackBerry, press lower case r (as in Romeo) to verify the version number of the Apriva driver installed on the Apriva SCR.
If using the Biometric Associates SCR:
  • On the BlackBerry, go to Settings >> Device >> Application Management >> baiSmartCardReader and verify the version number of the installed driver.
If the required driver is not installed, this is a finding.

Fix: F-11479r1_fix

Comply with DoD policy.

BlackBerry Web Desktop Manager (BWDM) or BlackBerry Desktop Manager (BDM) must be configured as required.
Low - V-22058 - SV-25495r3_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR1095-01
  • Vuln IDs: V-22058
  • Rule IDs: SV-25495r3_rule
The BWDM provides the capability for users to self-provision their BlackBerry and to synchronize the BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256 character AD password.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-27007r2_chk

Detailed Policy Requirement: Neither BDM nor BWDM is required on BlackBerry users' desktops, but if either is used, it must meet the following requirements:
  • For BDM, follow the instructions found in USCYBERCOM IAVM Notice 2010-A-0132.
  • If BWDM is used, the BlackBerry Administration Server (BAS) must be configured for Microsoft Active Directory authentication on the BES.

Check Procedures: The site can use either BlackBerry Desktop Manager or BlackBerry Web Desktop Manager, or neither. Check a sample of BlackBerry user PCs (2-3).
  • If BlackBerry Desktop Manager is used, verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed.
  • If BlackBerry Web Desktop Manager is used, no further action is required, since the BES review will verify the BES has been configured for Microsoft Active Directory authentication in check WIR1355-01 (V-22102).

Fix: F-23324r1_fix

Configure BlackBerry Web Desktop Manager (BWDM) for CAC authentication, if used, or use an approved version of BlackBerry Desktop Manager.

Only approved Bluetooth headset and handsfree devices must be used with site managed BlackBerry devices.
Medium - V-26508 - SV-33354r2_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: WIR1045-01
  • Vuln IDs: V-26508
  • Rule IDs: SV-33354r2_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Checks: C-33857r2_chk

Detailed Policy Requirements: The following Bluetooth headset and handsfree devices are approved:
  • Biometric Associates, LP (BAL) blueARMOR family of headsets (blueARMOR 100, blueARMOR 105, and blueARMOR 200) with firmware version 1.5.x.

Check Procedures: For the BAL headset, the only way to verify the device model number and firmware version is to check the Bluetooth device name of a paired headset.
  • Have the user pair the device to the BlackBerry, if not already paired.
  • On the BlackBerry handheld, go to Options > Networks and Connections > Bluetooth Connections and check the list of paired devices. The device name should be in the form of baiMobileBA100 V1.5.0.
  • The reviewer should check a sample of BlackBerry devices at the site (2-3) and verify compliance.

Note: If the site uses the FIXMO Sentinel Enterprise integrity verification tool, checking BlackBerry handhelds is not required. Have the system administrator show that the Sentinel server is configured to audit paired Bluetooth devices on site managed BlackBerry handhelds.

Fix: F-29526r1_fix

Use only approved Bluetooth headset and handsfree devices.

Only supported versions of BlackBerry OS 7.x must be used.
CM-6 - High - CCI-000370 - V-76833 - SV-91529r1_rule
  • RMF Control: CM-6
  • Severity: High
  • CCI: CCI-000370
  • Version: WIR1096
  • Vuln IDs: V-76833
  • Rule IDs: SV-91529r1_rule
If an unsupported version of BlackBerry OS 7.x is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose sensitive DoD data to unauthorized people. BlackBerry OS 7.x supports old and obsolete technologies and is no longer being supported by BlackBerry.
Checks: C-76489r1_chk

Determine if any version of BlackBerry OS 7.x is installed at the site. BlackBerry stopped supporting all versions of BlackBerry OS on 30 September 2017. If any version of BlackBerry OS 7.x is installed on site BlackBerry devices, this is a finding.

Fix: F-83529r1_fix

Remove all BlackBerry devices using BlackBerry OS 7.x.