Detailed Policy Requirements: When the Password Keeper is enabled on the BlackBerry device, the AO must have reviewed and approved its use, and the application must be configured to enforce the following password rules.
- Require use of eight or more characters. The Password Keeper must be configured to enforce this policy.
- Set the number of incorrect passwords entered before a device wipe occurs to 10 or less. The Password Keeper must be configured to enforce this policy.
- Set local policy to require a change of password at least every 90 days.
Check Requirements: Interview the ISSO. Ask if users are allowed to use Password Keeper on their handheld devices.
If Password Keeper is used:
- Review the AO approval documentation regarding this.
- Work with the ISSO to view the Password Keeper configuration on a sampling of BlackBerry devices using this application.
- On each BlackBerry, go to Applications/Password Keeper. The Password Keeper icon may also be installed directly on the BlackBerry home screen.
- Verify the following Password Keeper settings (have the user log into Password Keeper, then click menu and select Options):
  - Verify Random Password Length is set to 8 or more.
  - Verify Password Attempts is set to 10 or less.
- Verify users are trained on the password change requirement (90 days or less) by reviewing the user agreement or training materials.
If Password Keeper is not authorized:
- Review a sample of site BlackBerry devices (2-3 devices) to verify Password Keeper is not installed: Settings >> Options >> Advanced >> Applications.
- Review the list of installed applications and confirm Password Keeper is not on the list.
When the Password Keeper is enabled on the BlackBerry device, the AO has reviewed and approved its use, and the application is configured as required.
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed: The AO must approve the use of a Bluetooth smart card reader with command/site PCs. Check Procedures: Interview the ISSO and wireless email system administrator. Determine if use of the BlackBerry SCR with site PCs has been approved. If Yes, verify the following requirements are met: The AO has approved the use of the BlackBerry SCR with site PCs. Have the ISSO provide documentation showing AO approval (letter, memo, SSP, etc.).
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample) as appropriate.
- Check a sample of BlackBerry devices (Settings >> Options >> Advanced Options >> Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.
- On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. This review should be performed at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated.
- View the list of applications in a sample (3-4) of the Application White List software configurations assigned to users. Verify METAmessage is not listed.
The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents. These documents can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD. Verify this software application is not used by interviewing the ISSO or reviewing a sampling of the devices.
Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.
Perform the following steps on a sample of site BlackBerry devices (use 2-3 devices as a random sample), as appropriate, to verify users have the capability to sign and encrypt email. Verify S/MIME is configured such that users may sign messages. Check a sample of BlackBerry devices:
- Verify the S/MIME application and Smart Card Reader drivers are installed on the device:
  - On the BlackBerry go to Settings>Options>Advanced Options>Applications.
  - Look for the following applications:
    - S/MIME Support Package
    - PIV Drivers (optional)
    - BlackBerry Smart Card Reader
    - DoD Root Certificates
- Verify certificates are configured on the BlackBerry:
  - Settings>Options>Security Options>Certificate Servers: GDS and OCSP servers should be listed.
  - Settings>Options>Security Options>Certificate: DoD Root certificates should be listed.
  - Settings>Options>Security Options>S/MIME: User’s public keys should be loaded.
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.
Check a sample of BlackBerry devices (use 2-3 devices as a random sample):
- Open the BlackBerry email folder.
- Highlight the date line at the top of the list of messages.
- Click the Menu button.
- Select Options, then Email Settings.
- Check the contents of the “Auto Signature” text box to verify compliance.
If BlackBerry email auto signatures are used, the signature message does not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).
Complete the following procedures on a sample of site BlackBerry devices (2-3 devices), as appropriate.
- Review a sample (3-4) of handheld devices and verify the Wireless Carrier’s Internet browser icon, web portal browser icon, and all other browser icons (Yahoo, etc.) are not installed on the BlackBerry device. The only browser icon installed should be the BlackBerry browser icon.
- Go to the BlackBerry device Home screen and verify only the BlackBerry browser icon is present.
- Go to Settings>Options>Advanced Options>Browser and verify the BlackBerry Browser is set as the default browser.
All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry Internet Browser.
Detailed Policy Requirements: BlackBerry Handheld Software must be version 7.1 or later on BlackBerry devices. Otherwise, this is a finding. Check Procedures: Verify required BlackBerry Handheld Software version is being used. On a sample of site BlackBerry devices (use 2-3 for random sampling) check the installed software version as follows: Select Settings >> Options >> About.
Update BlackBerry devices to the required operating system software version.
Verify the BlackBerry administrator has used the configuration settings listed in Table 5, BlackBerry STIG Configuration Tables, and check the following settings:
- Device Name (this is checked in two locations)
- Reader LED – Low Battery
- Reader LED – Pairing
- Reader LED – Traffic
A sample of BlackBerry devices should be checked (use 2-3 devices as a random sample). Table 5, BlackBerry STIG Configuration Tables, contains instructions on how to verify correct settings on a BlackBerry.
Security configuration settings on the BlackBerry devices managed by the site are compliant with requirements listed in Table 1, BlackBerry STIG Configuration Tables.
If user software certificates are used on the BlackBerry instead of the CAC, verify the AO has approved their use (letter, memo, SSP, etc.).
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed: At the time of the publication of this document, the use of the BlackBerry SCR for authentication with PCs is only authorized with PCs that have Microsoft Windows XP. The Microsoft Vista and Windows 7 Bluetooth stack has not yet been tested with the BlackBerry SCR to determine if Bluetooth device pairing can be done in a secure manner and meets DoD security requirements. Check Procedures: Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR: Interview the ISSO and SA and verify the BlackBerry SCR is not used with Windows Vista and Windows 7. BlackBerry users with Vista or Windows 7 on their PCs must be put in the BlackBerry users group not authorized to use the BlackBerry SCR with their PCs.
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed: The PC must have the Bluetooth Lockdown tool installed and configured correctly.
Check Procedures: Perform the following checks on a sample (use 2-3 for random sample) of site PCs used with the BlackBerry Bluetooth SCR. Verify the Bluetooth Lockdown tool is installed and configured correctly:
- On the PC, go to Start >> Control Panel >> Add or Remove Programs >> Select BlackBerry Smart Card Reader v1.5.1 and click the "Change/Remove" button.
- In the first pop-up dialog box, click the "Next" button.
- In the next dialog box, verify "Modify" is selected and click the "Next" button.
- In the next dialog box, click the "Next" button.
- In the next dialog box (Restrict Bluetooth Functionality), verify the checkbox is checked.
- Click the "Cancel" button to cancel installation.
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed: Bluetooth radios installed in site PCs must be Class 2 or 3. Class 1 (100 mW) Bluetooth radios are not allowed. Note: ISSOs: To determine the "class" rating of the Bluetooth radio, look under the specification section of the Bluetooth Network Interface Card manual, which can be downloaded from the laptop vendor’s web site or the Bluetooth dongle vendor’s web site. Nearly all internal laptop Bluetooth radios are Class 2 or 3, and many Bluetooth dongle radios are Class 1. Check Procedures: Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR: Interview the ISSO to verify only Bluetooth Class 2 or 3 radios are used in site PCs. Have the ISSO or site BlackBerry Administrator show for a sample of PCs the Bluetooth radio is not a Class 1 radio by providing a copy of the Bluetooth radio specification sheet.
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements: Site BlackBerry devices and SCRs must have required software versions installed.
- The BlackBerry SCR hardware must be version 1 (model PRD-09695-004) or version 2 (model PRD-16951-001).
- BlackBerry SCR software package version 4.2.0.107 or later is required (Application version 4.2.0.107, Software platform 1.5.0.81).
- Apriva Bluetooth SCR (BT200) driver v03-30-02 or later is required.
- Biometric Associates BaiMobile 3000MP SCR driver 0.1.3(19.07.13) or later.
Check Procedures:
If using the BlackBerry SCR:
- Verify the required SCR model is used. The model number can be found under the battery.
- Verify the required BlackBerry SCR software is being used. On a sample of BlackBerry SCRs (use 2-3 devices for random sample), press and hold the Action button until "rEsetInG" appears, and then read the Application version and Software platform version as they are displayed.
If using the Apriva SCR:
- On the BlackBerry, press lower case v (as in Victor) to verify the version number of the Apriva Utility installed on the BlackBerry.
- On the BlackBerry, press lower case r (as in Romeo) to verify the version number of the Apriva driver installed on the Apriva SCR.
If using the Biometric Associates SCR:
- On the BlackBerry, go to Settings >> Device >> Application Management >> baiSmartCardReader and verify the version number of the installed driver.
If the required driver is not installed, this is a finding.
Comply with DoD policy.
Detailed Policy Requirement: Neither BDM nor BWDM is required on BlackBerry users' desktops, but if either is used, it must meet the following requirements: For BDM, follow the instructions found in USCYBERCOM IAVM Notice 2010-A-0132. If BWDM is used, the BlackBerry Administration Server (BAS) must be configured for Microsoft Active Directory authentication on the BES. Check Procedures: The site can use either BlackBerry Desktop Manager or BlackBerry Web Desktop Manager or neither. Check a sample of BlackBerry user PCs (2-3). If BlackBerry Desktop Manager is used, verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed. If BlackBerry Web Desktop Manager is used, no further action is required since the BES review will verify the BES has been configured for Microsoft Active Directory authentication in check WIR1355-01 (V-22102).
Configure BlackBerry Web Desktop Manager (BWDM) for CAC authentication, if used, or use an approved version of BlackBerry Desktop Manager.
Detailed Policy Requirements: The following Bluetooth headset and handsfree devices are approved: Biometric Associates, LP (BAL) blueARMOR family of headsets (blueARMOR 100, blueARMOR 105, and blueARMOR 200) with firmware version 1.5.x. Check Procedures: For the BAL headset, the only way to verify the device model number and firmware version is to check the Bluetooth device name of a paired headset. Have the user pair the device to the BlackBerry, if not already paired. On the BlackBerry handheld, go to Options > Networks and Connections > Bluetooth Connections and check the list of paired devices. The device name should be in the form of baiMobileBA100 V1.5.0. The reviewer should check a sample of BlackBerry devices at the site (2-3) and verify compliance. Note: If the site uses the FIXMO Sentinel Enterprise integrity verification tool, checking BlackBerry handhelds is not required. Have the system administrator show that the Sentinel server is configured to audit paired Bluetooth devices on site managed BlackBerry handhelds.
Use only approved Bluetooth headset and handsfree devices.
Determine if any version of BlackBerry OS 7.x is installed at the site. BlackBerry stopped supporting all versions of BlackBerry OS on 30 September 2017. If any version of BlackBerry OS 7.x is installed on site BlackBerry devices, this is a finding.
Remove all BlackBerry devices using BlackBerry OS 7.x.