CMD Management Server Policy Security Technical Implementation Guide (STIG)

  • Version/Release: V2R3
  • Published: 2014-08-05

This STIG contains the policy, training, and operating procedure security controls for the use of CMD management servers in the DoD environment. This STIG replaces the Wireless Management Server STIG (V1R6). Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.
Medium - V-24955 - SV-30692r4_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: WIR-SPP-003-01
  • Vuln IDs: V-24955
  • Rule IDs: SV-30692r4_rule
When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.

Responsibility: Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
Checks: C-31114r4_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user since the CMD system only downloads an attachment on the CMD if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures: Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies. This requirement applies at both sites where CMDs are issued and managed and at sites where the CMD management server is located.

  • At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).
  • At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.

The following actions will be followed for all CMDs involved in a data spill:

  • BlackBerry CMDs: follow procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
  • Windows Mobile, Android, and iOS CMDs: the CMD will be destroyed.

Mark as a finding if Incident Handling and Response procedures do not include required information.

Fix: F-27582r3_fix

Publish a Classified Message Incident (CMI) procedure or policy for the site.

If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
High - V-24957 - SV-30694r3_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: WIR-SPP-003-02
  • Vuln IDs: V-24957
  • Rule IDs: SV-30694r3_rule
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.

Responsibility: System Administrator, Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
Checks: C-31115r3_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). If a data spill occurs on a CMD, the following actions must be completed:

  • The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
  • The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures: Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.

Fix: F-27583r4_fix

Follow required procedures after a data spill occurs.

The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
Low - V-24962 - SV-30699r4_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR-SPP-007-01
  • Vuln IDs: V-24962
  • Rule IDs: SV-30699r4_rule
Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based CMD devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.

Responsibility: Information Assurance Officer
IA Controls: ECSC-1, VIIR-1, VIIR-2
Checks: C-31122r4_chk

Detailed Policy Requirements: The site (location where CMDs are issued and managed and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):

  • Mobile device user notifies IAO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
  • The IAO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
  • The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.
  • The site will contact the carrier to have the device deactivated on the carrier’s network.

Check Procedures: Interview the IAO. Review the site’s Incident Response Plan or other policies and determine if the site has a written plan of action. Mark as a finding if the site does not have a written plan of action following a lost or stolen CMD.

Fix: F-27603r2_fix

Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.

Required actions must be followed at the site when a CMD has been lost or stolen.
Low - V-24969 - SV-30706r4_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR-SPP-007-02
  • Vuln IDs: V-24969
  • Rule IDs: SV-30706r4_rule
If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.

Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-31133r2_chk

Interview the IAO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed.

Fix: F-27592r3_fix

Follow required actions when a CMD is reported lost or stolen.

The CMD management server administrator must receive required training.
Low - V-24970 - SV-30707r5_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR-WMSP-001-01
  • Vuln IDs: V-24970
  • Rule IDs: SV-30707r5_rule
The security posture of the CMD management server could be compromised if the administrator is not trained to follow required procedures.

Responsibility: System Administrator, Information Assurance Officer
IA Controls: PRTN-1
Checks: C-31134r6_chk

Detailed Policy Requirements: The CMD management server administrator must be trained on the following requirements:

  • Administrative service accounts will not be used to log into the CMD management server or any server service.
  • Activation passwords or PINs will consist of a pseudo-random pattern of at least eight characters consisting of at least two letters and two numbers. A new activation password must be selected each time one is assigned (e.g., the same password cannot be used for all users or for a group of users).
  • User and group accounts on the CMD management server will always be assigned a STIG-compliant security/IT policy.
  • For an MDM server that manages Samsung Knox 1.0 Android devices, the MDM system administrator must be trained to not remotely unlock the Knox security container. If a container is locked after the tenth incorrect password, this is an indicator the device may not be under the control of an authorized DoD user. MDM system administrators may unlock the Knox container if the device is physically in the possession of the administrator.

Check Procedures: Verify the CMD management server administrator(s) has received the required training. The site should document when the training was completed. If the CMD management server administrator did not receive required training, this is a finding.
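The activation password rule above (at least eight characters, at least two letters and two digits, pseudo-random, and never reused across assignments) is concrete enough to check mechanically. The following is an added example, not code from the STIG or from any MDM product: it issues activation passwords with the standard library's `secrets` module, refuses to hand out or record a value that was already assigned, and audits a constructed list of (user, password) assignments for the two failure modes the rule names. The class and function names, the 12-character default length, and the SHA-256 record of issued values are assumptions for illustration; a real site would keep this record in the management server, not in memory.

```python
import hashlib
import secrets
import string

# Composition limits taken from the STIG requirement text.
MIN_LENGTH = 8
MIN_LETTERS = 2
MIN_DIGITS = 2


def is_compliant_activation_password(pw: str) -> bool:
    """True if pw satisfies the length and letter/digit composition rule."""
    if len(pw) < MIN_LENGTH:
        return False
    letters = sum(1 for c in pw if c.isascii() and c.isalpha())
    digits = sum(1 for c in pw if c.isascii() and c.isdigit())
    return letters >= MIN_LETTERS and digits >= MIN_DIGITS


def _fingerprint(pw: str) -> str:
    """Assumed record format: keep a hash of issued values, not the plaintext."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


class ActivationPasswordIssuer:
    """Hypothetical helper that issues one fresh activation password per
    assignment and refuses to reuse a value that was already handed out."""

    def __init__(self) -> None:
        self._issued: set[str] = set()

    def issue(self, length: int = 12) -> str:
        """Generate a pseudo-random, compliant, not-yet-issued password."""
        alphabet = string.ascii_letters + string.digits
        while True:
            pw = "".join(secrets.choice(alphabet) for _ in range(length))
            fp = _fingerprint(pw)
            # Loop again on the rare draw with too few letters or digits.
            if is_compliant_activation_password(pw) and fp not in self._issued:
                self._issued.add(fp)
                return pw

    def record_manual(self, pw: str) -> bool:
        """Record a hand-chosen password; False if non-compliant or reused."""
        fp = _fingerprint(pw)
        if not is_compliant_activation_password(pw) or fp in self._issued:
            return False
        self._issued.add(fp)
        return True


def audit_assignments(assignments: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Review (user, password) pairs as an assessor would: flag any value
    that breaks the composition rule, and any value reused for a second
    user (the 'same password for a group of users' case)."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for user, pw in assignments:
        if not is_compliant_activation_password(pw):
            findings.append((user, "non-compliant"))
            continue
        fp = _fingerprint(pw)
        if fp in seen:
            findings.append((user, "reused"))
        seen.add(fp)
    return findings


if __name__ == "__main__":
    # Constructed sample: two users sharing one value, one weak value.
    sample = [("alice", "ab12cd34"), ("bob", "ab12cd34"), ("carol", "abcdefgh")]
    for user, reason in audit_assignments(sample):
        print(f"finding: {user}: {reason}")
    issuer = ActivationPasswordIssuer()
    print("issued:", issuer.issue())
```

The audit reports a reuse finding for every user after the first who shares a value, which matches how an assessor would write up a group of users provisioned with one password; it deliberately does not try to judge whether a value "looks" pseudo-random, since that is not decidable from a single string.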

Fix: F-27604r1_fix

Have the smartphone management server administrator complete and document his/her training.

The IAO at the mobile device management server site must verify local sites, where mobile devices are provisioned, issued, and managed, are conducting annual self assessments.
Low - V-24971 - SV-30708r2_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR-WMSP-002
  • Vuln IDs: V-24971
  • Rule IDs: SV-30708r2_rule
The security integrity of the mobile device system depends on local sites where mobile devices are provisioned and issued complying with STIG requirements. The risk of malware introduced on a handheld device and avenues of attack into the enclave via a mobile device could result if STIG procedures are not followed.

Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-31135r2_chk

Annual self assessments will be conducted according to the appropriate mobile device STIG, with the assessment results being entered into VMS/Component Provided Tracking Database. Verify the IAO of the site where the smartphone management server is located is tracking whether local/remote sites (where smartphone devices are provisioned, issued, and managed) are conducting annual self assessments according to the appropriate smartphone STIG. Verify the results of the assessments are being entered into VMS/Component Provided Tracking Database. Note: Command-level action should be considered for local sites not complying with STIG requirements for the provisioning, issuance, and management of smartphones. Mark as a finding if required annual self assessments have not been completed by the site.

Fix: F-27605r2_fix

The IAO at the mobile device management server site verifies local sites are conducting annual self assessments.

CMD management server administrator training must be renewed annually.
Low - V-28313 - SV-36041r4_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: WIR-WMSP-001-02
  • Vuln IDs: V-28313
  • Rule IDs: SV-36041r4_rule
The CMD management server administrator must renew required training annually.

Responsibility: Information Assurance Officer
IA Controls: PRTN-1
Checks: C-35162r4_chk

The site should document when training was completed. Verify training is renewed annually. Mark as a finding if smartphone management server administrator training is not renewed annually.

Fix: F-30410r1_fix

Renew required training annually.