Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Good Mobility Suite Server (Windows Phone 6.5) Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2011-10-04
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG provides technical security controls required for the use of the Good Mobility Suite with Windows Phone 6.5 devices in the DoD environment.
b
The required smartphone management server or later version must be used.
Medium - V-24972 - SV-30809r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-001
Vuln IDs
  • V-24972
Rule IDs
  • SV-30809r2_rule
Earlier versions of the smartphone management server may have security vulnerabilities or have not implemented required security features. System AdministratorECSC-1
Checks: C-31225r1_chk

The required Good Mobile Control (GMC) server version is 1.0.3.95 or later. Click on the Settings tab in the console to view the GMC Version. The required Good Mobile Messaging (GMM) server version is 6.0.3.46 or later. Click on the Servers tab in the console to view the GMM server version. If either server version is not as required, mark as a finding.

Fix: F-27612r1_fix

Upgrade to required (or later) server version.

b
The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.).
Medium - V-24973 - SV-30810r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-002
Vuln IDs
  • V-24973
Rule IDs
  • SV-30810r2_rule
Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.System AdministratorECSC-1
Checks: C-31226r2_chk

Work with the OS Reviewer or check VMS for last review of each host Good computer asset. The review should include the SQL server and Apache Tomcat. Mark as a finding if the previous or current OS review of the Windows server did not include a review of the SQL server and Apache Tomcat. If IIS is installed, the review should also include IIS.

Fix: F-27613r1_fix

Ensure all applications installed on the host server are STIG compliant.

c
The smartphone management server email system must be set up with the required system components in the required network architecture.
High - V-24974 - SV-30811r2_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-003
Vuln IDs
  • V-24974
Rule IDs
  • SV-30811r2_rule
The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration or DoD data could be compromised if the smartphone management server is not installed as required.System AdministratorECSC-1
Checks: C-31227r2_chk

Verify the Good servers (Good Mobile Control server and Good Mobile Messaging server) are installed in the same network segment as the Back-end MS Exchange server. Mark as a finding if the Good servers are not installed in the same network segment as the Back-end MS Exchange server.

Fix: F-27615r1_fix

Install required smartphone management server components in required network architecture.

c
The smartphone management server host-based or appliance firewall must be installed and configured as required.
High - V-24975 - SV-30812r2_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-004
Vuln IDs
  • V-24975
Rule IDs
  • SV-30812r2_rule
A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.System AdministratorECSC-1
Checks: C-31229r2_chk

The Good server host-based or appliance firewall must be configured as required. The Good server firewall is configured with the following rules: - Deny all except when explicitly authorized. - Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. - Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service. - Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: -Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). -Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list. -Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.

Fix: F-27616r2_fix

Install the smartphone management server host-based or appliance firewall and configure as required.

b
Smartphone user accounts must not be assigned to the default security/IT policy.
Medium - V-24978 - SV-30819r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-007
Vuln IDs
  • V-24978
Rule IDs
  • SV-30819r2_rule
The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.System AdministratorECSC-1
Checks: C-31348r2_chk

User accounts will only be assigned a STIG-compliant security/IT policy. Determine which policy sets on the Good server user accounts have been assigned to using the following procedures: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures: --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy set on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted except for a "Provisioning" policy set, which is used for initial setup and software update of the Android device. Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly. Verify all users are assigned to a STIG policy set. --Log into the Good Mobile Control console. --Click on the Handhelds tab. Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.

Fix: F-27619r1_fix

User accounts will only be assigned a STIG compliant security/IT policy.

a
“Re-challenge for CAC PIN every” must be set.
Low - V-24987 - SV-30727r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-004
Vuln IDs
  • V-24987
Rule IDs
  • SV-30727r2_rule
A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user’s digital certificates are required for an S/MIME operation. The cached memory is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use. Otherwise, a hacker may be able to gain access to the device while the PIN is still cached in memory and access the Good application and gain access to sensitive DoD information.System AdministratorECSC-1
Checks: C-31142r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone devices and click on Handheld Authentication on the left side. -Verify “Re-challenge for CAC PIN every” is checked and set to 60 minutes or less. (Note: 15 minutes or less is the recommended setting.) Mark as a finding if “Re-challenge for CAC PIN every” is not checked and not set to the required value.

Fix: F-27628r2_fix

Set the “Re-challenge for CAC PIN every” to checked and set to required value.

a
Handheld password will be set as required.
Low - V-24988 - SV-39982r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-GD-009-01
Vuln IDs
  • V-24988
Rule IDs
  • SV-39982r1_rule
Long used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the iPhone/iPad and sensitive DoD data stored on the iPhone/iPad.System AdministratorECWN-1, IAIA-1
Checks: C-39021r1_chk

This check is Not Applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “After X invalid password attempts:” is set to 10 or less. Mark as a finding if “After X invalid password attempts:” is not set to 10 or less. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Expire password after” is set to 90 days or less.

Fix: F-27629r1_fix

Set handheld password as required.

a
Previously used passwords must be disallowed for security/email client on smartphone.
Low - V-24989 - SV-30822r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-GD-009-02
Vuln IDs
  • V-24989
Rule IDs
  • SV-30822r2_rule
Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.System AdministratorECWN-1, IAIA-1
Checks: C-31242r2_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Disallow previously used passwords” is set to 3 or more. Mark as a finding if “Disallow previously used passwords” is not set to 3 or more.

Fix: F-27630r1_fix

Disallow previously used passwords.

b
Password minimum length must be set as required for the smartphone security/email client.
Medium - V-24990 - SV-30823r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-009-03
Vuln IDs
  • V-24990
Rule IDs
  • SV-30823r2_rule
Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1
Checks: C-31243r2_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Require minimum length of” is set to 8 or more for the STIG/ISCG Policy Set. Mark as a finding if “Require minimum length of” is not set to 8 or more for the STIG/ISCG Policy Set.

Fix: F-27631r1_fix

Require password minimum length is set as required.

a
Repeated password characters must be disallowed for the Good app.
Low - V-24991 - SV-30824r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-GD-009-04
Vuln IDs
  • V-24991
Rule IDs
  • SV-30824r2_rule
Repeated password characters reduces the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1
Checks: C-31244r2_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Disallow repeated characters after” is set to 1 or 2. Mark as a finding if “Disallow repeated characters after” is not set to 1 or 2.

Fix: F-27632r1_fix

Disallow repeated password characters.

b
Maximum invalid password attempts must be set as required for the smartphone security/email client.
Medium - V-24992 - SV-30825r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-009-06
Vuln IDs
  • V-24992
Rule IDs
  • SV-30825r2_rule
A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1
Checks: C-31245r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “After X invalid password attempts:” is set to 10 or less. Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.

Fix: F-27633r2_fix

Set the maximum invalid password attempts as required.

b
Data must be wiped after maximum password attempts reached for the smartphone security/email client.
Medium - V-24993 - SV-30827r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-009-07
Vuln IDs
  • V-24993
Rule IDs
  • SV-30827r2_rule
A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. System AdministratorECWN-1, IAIA-1
Checks: C-31248r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “After X invalid password attempts:” is set to 10 or less. Mark as a finding if “After X invalid password attempts:” is not set to 10 or less. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Wipe handheld data” is selected. Mark as a finding if “Wipe handheld data” is not selected.

Fix: F-27634r1_fix

Wipe handheld data after maximum password attempts have been reached.

b
Inactivity lock must be set as required for the smartphone security/email client.
Medium - V-24994 - SV-30826r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-009-05
Vuln IDs
  • V-24994
Rule IDs
  • SV-30826r2_rule
Sensitive DoD data could be exposed to unauthorized viewing or use if lost or stolen smartphone screen was not locked.System AdministratorPESL-1
Checks: C-31247r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Require password when idle for more than” is set to 15 minutes or less. Mark as a finding if “Require password when idle for more than” is not set to 15 minutes or less. .

Fix: F-27635r2_fix

Set the handheld inactivity lock as required.

b
"Do not allow data to be copied from the Good application" must be checked.
Medium - V-24995 - SV-30735r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-006-01
Vuln IDs
  • V-24995
Rule IDs
  • SV-30735r2_rule
Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data.System AdministratorECCR-1
Checks: C-31143r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Messaging on the left side. -Verify “Do not allow data to be copied from the Good application” is checked. Mark as a finding if “Do not allow data to be copied from the Good application” is not checked.

Fix: F-27637r1_fix

Check "Do not allow data to be copied from the Good application" in the Good console.

b
The Over-The-Air (OTA) device provisioning PIN must have expiration set.
Medium - V-24998 - SV-30738r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-008
Vuln IDs
  • V-24998
Rule IDs
  • SV-30738r2_rule
The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to setup rogue devices on the network.System AdministratorECWN-1
Checks: C-31148r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Provisioning on the left side. -Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less. Mark as a finding if “OTA Provisioning PIN expires after” is not checked or is not set to 7 days or less.

Fix: F-27641r2_fix

Set the Over-the-Air (OTA) device provisioning PIN as required.

a
OTA Provisioning PIN reuse must not be allowed.
Low - V-24999 - SV-30739r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-009
Vuln IDs
  • V-24999
Rule IDs
  • SV-30739r2_rule
The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.System AdministratorECWN-1
Checks: C-31149r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Provisioning on the left side. -Verify “Allow OTA Provisioning PIN reuse” is unchecked. Mark as a finding if “Allow OTA Provisioning PIN reuse” is checked.

Fix: F-27642r1_fix

Do not allow OTA Provisioning PIN reuse.

a
If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited.
Low - V-25030 - SV-30830r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-007
Vuln IDs
  • V-25030
Rule IDs
  • SV-30830r1_rule
Sensitive contact information could be exposed.System AdministratorECWN-1
Checks: C-31251r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. - Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Messaging section on the left side. -If “Enable access to Good Contacts” is checked, click on the Choose Fields button and verify only the following fields are checked: first name, last name, work number, mobile number, and pager number. Mark as a finding if “Enable access to Good Contacts” is checked and more than the following fields are checked: first name, last name, work number, mobile number, and pager number.

Fix: F-27717r1_fix

If access is enabled to the Good app contacts lists by the smartphone OS, limit contact information to only default fields: First name, Last name, Work number, Mobile number, and Pager number.

b
Password access to the Good app on the smartphone must be enabled.
Medium - V-25032 - SV-30832r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-001
Vuln IDs
  • V-25032
Rule IDs
  • SV-30832r2_rule
A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled.System AdministratorECWN-1, IAIA-1
Checks: C-31255r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld section on the left side. -Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked. Mark as a finding if S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is not checked.

Fix: F-27719r1_fix

Password access to the Good app on the smartphone shall be enabled.

a
The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate.
Low - V-25754 - SV-32013r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-GD-010
Vuln IDs
  • V-25754
Rule IDs
  • SV-32013r2_rule
When a self signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.System AdministratorIATS-1
Checks: C-32242r2_chk

Verify that a DoD server certificate has been installed on the Good wireless email management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed. Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”. If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG/ISCG to request/install a certificate issued from a trusted DoD PKI. Mark as a finding if a DoD server certificate has not been installed on the Good wireless email management server or that the self-signed certificate has been installed.

Fix: F-28607r1_fix

Use a DoD issued digital certificate on the wireless email management server.

b
The following Bluetooth configuration must be set as required: General Audio/Video Distribution Profile.
Medium - V-26093 - SV-32759r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-02
Vuln IDs
  • V-26093
Rule IDs
  • SV-32759r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33420r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "General Audio/Video Distribution Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Personal Area Networking Profile.
Medium - V-26094 - SV-32760r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-03
Vuln IDs
  • V-26094
Rule IDs
  • SV-32760r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33422r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Personal Area Networking Profile " is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Serial Port Profile.
Medium - V-26095 - SV-32761r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-04
Vuln IDs
  • V-26095
Rule IDs
  • SV-32761r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33428r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Serial Port Profile" is checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Enable discovery.
Medium - V-26096 - SV-32762r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-01
Vuln IDs
  • V-26096
Rule IDs
  • SV-32762r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33433r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section. -Verify "Enable discovery" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Generic Object (Exchange) Profile.
Medium - V-26097 - SV-32764r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-05
Vuln IDs
  • V-26097
Rule IDs
  • SV-32764r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33438r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Generic Object (Exchange) Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Common ISDN Access Profile.
Medium - V-26098 - SV-32765r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-06
Vuln IDs
  • V-26098
Rule IDs
  • SV-32765r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33439r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Common ISDN Access Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Dial Up Network Profile.
Medium - V-26099 - SV-32767r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-07
Vuln IDs
  • V-26099
Rule IDs
  • SV-32767r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33441r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Dial Up Network Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Fax Profile.
Medium - V-26100 - SV-32769r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-08
Vuln IDs
  • V-26100
Rule IDs
  • SV-32769r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33442r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Fax Profile" is/not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: LAN Access Profile.
Medium - V-26101 - SV-32771r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-09
Vuln IDs
  • V-26101
Rule IDs
  • SV-32771r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33446r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "LAN Access Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Cordless Telephony Profile.
Medium - V-26102 - SV-32772r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-10
Vuln IDs
  • V-26102
Rule IDs
  • SV-32772r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33448r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Cordless Telephony Profile" is not checked

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Intercom Profile.
Medium - V-26103 - SV-32773r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-11
Vuln IDs
  • V-26103
Rule IDs
  • SV-32773r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33450r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Intercom Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Wireless Application Protocol Bearer.
Medium - V-26104 - SV-32774r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-12
Vuln IDs
  • V-26104
Rule IDs
  • SV-32774r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33453r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Wireless Application Protocol Bearer" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Active Sync.
Medium - V-26105 - SV-32775r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-13
Vuln IDs
  • V-26105
Rule IDs
  • SV-32775r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33454r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Active Sync" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Advanced Audio Distribution Profile.
Medium - V-26106 - SV-32776r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-14
Vuln IDs
  • V-26106
Rule IDs
  • SV-32776r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33458r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_WinPhone_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Advanced Audio Distribution Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Basic Imaging Profile.
Medium - V-26107 - SV-32777r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-15
Vuln IDs
  • V-26107
Rule IDs
  • SV-32777r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33460r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Basic Imaging Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Basic Printing. Profile.
Medium - V-26108 - SV-32778r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-16
Vuln IDs
  • V-26108
Rule IDs
  • SV-32778r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33462r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Basic Printing Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: OBEX File Transfer Profile.
Medium - V-26109 - SV-32779r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-17
Vuln IDs
  • V-26109
Rule IDs
  • SV-32779r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33463r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "OBEX File Transfer Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Object Push Profile.
Medium - V-26110 - SV-32780r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-18
Vuln IDs
  • V-26110
Rule IDs
  • SV-32780r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33466r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Object Push Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Synchronization Profile.
Medium - V-26111 - SV-32781r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-19
Vuln IDs
  • V-26111
Rule IDs
  • SV-32781r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33467r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Synchronization Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Phone Book Access Profile.
Medium - V-26112 - SV-32783r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-20
Vuln IDs
  • V-26112
Rule IDs
  • SV-32783r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. System AdministratorECWN-1
Checks: C-33468r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify " Phone Book Access Profile " is/not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Video Distribution Profile.
Medium - V-26113 - SV-32787r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-21
Vuln IDs
  • V-26113
Rule IDs
  • SV-32787r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33470r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Video Distribution Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Video Conferencing Profile.
Medium - V-26114 - SV-32789r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-22
Vuln IDs
  • V-26114
Rule IDs
  • SV-32789r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33471r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Video Conferencing Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Message Access Profile.
Medium - V-26115 - SV-32791r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-23
Vuln IDs
  • V-26115
Rule IDs
  • SV-32791r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33472r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Message Access Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: External Service Discovery Profile.
Medium - V-26116 - SV-32792r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-24
Vuln IDs
  • V-26116
Rule IDs
  • SV-32792r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33474r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "External Service Discovery Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Device ID Profile.
Medium - V-26117 - SV-32794r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-25
Vuln IDs
  • V-26117
Rule IDs
  • SV-32794r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33475r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Device ID Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Service Discovery Application Profile.
Medium - V-26118 - SV-32799r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-26
Vuln IDs
  • V-26118
Rule IDs
  • SV-32799r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33476r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Service Discovery Application Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Unrestricted Digital Information.
Medium - V-26119 - SV-32800r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-27
Vuln IDs
  • V-26119
Rule IDs
  • SV-32800r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33477r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Unrestricted Digital Information" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Audio / Video Remote Control Transport Protocol.
Medium - V-26120 - SV-32801r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-28
Vuln IDs
  • V-26120
Rule IDs
  • SV-32801r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33478r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Audio / Video Remote Control Transport Protocol" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: HeadSet and Hands Free Profile.
Medium - V-26121 - SV-32802r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-29
Vuln IDs
  • V-26121
Rule IDs
  • SV-32802r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33479r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "HeadSet and Hands Free Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Human Interface Device Profile (Service and Host).
Medium - V-26122 - SV-32803r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-30
Vuln IDs
  • V-26122
Rule IDs
  • SV-32803r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33480r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Human Interface Device Profile (Service and Host" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: Hard Copy Cable Replacement Profile.
Medium - V-26123 - SV-32804r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-31
Vuln IDs
  • V-26123
Rule IDs
  • SV-32804r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33481r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "Hard Copy Cable Replacement Profile" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The following Bluetooth configuration must be set as required: SIM Access.
Medium - V-26124 - SV-32805r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-021-32
Vuln IDs
  • V-26124
Rule IDs
  • SV-32805r2_rule
The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33482r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management. -Verify "SIM Access" is not checked.

Fix: F-29185r1_fix

Configure the Bluetooth setting on the Good server as required.

b
The Infrared radio must be disabled.
Medium - V-26125 - SV-32806r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-020
Vuln IDs
  • V-26125
Rule IDs
  • SV-32806r2_rule
The Infrared radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.System AdministratorECWN-1
Checks: C-33483r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the network Communications Section. -Verify "Enable Infrared radio" is not checked.

Fix: F-29187r1_fix

In the Good server, do not check “Enable Infrared radio” in each Windows Phone policy set.

b
The following Storage Card configuration must be set as required: Wipe storage card when wiping data.
Medium - V-26126 - SV-32807r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-022-01
Vuln IDs
  • V-26126
Rule IDs
  • SV-32807r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).System AdministratorECCR-1
Checks: C-33484r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Storage Card Section. -Verify "Wipe storage card when wiping data" is checked.

Fix: F-29188r1_fix

Configure the Storage Card setting on the Good server as required.

b
The following Storage Card configuration must be set as required: Enable storage card encryption.
Medium - V-26127 - SV-32808r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-022-02
Vuln IDs
  • V-26127
Rule IDs
  • SV-32808r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).System AdministratorECCR-1
Checks: C-33485r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Storage Card Section. -Verify "Enable storage card encryption" is/not checked.

Fix: F-29188r1_fix

Configure the Storage Card setting on the Good server as required.

b
The following Storage Card configuration must be set as required: Allow encrypted storage cards to work only with handheld that originally encrypted them.
Medium - V-26128 - SV-32809r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-022-03
Vuln IDs
  • V-26128
Rule IDs
  • SV-32809r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).System AdministratorECCR-1
Checks: C-33486r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Storage Card Section. -Verify "Allow encrypted storage cards to work only with handheld that originally encrypted them" is checked.

Fix: F-29188r1_fix

Configure the Storage Card setting on the Good server as required.

b
The following Data Encryption configuration must be set as required: My Music.
Medium - V-26129 - SV-32810r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-023-01
Vuln IDs
  • V-26129
Rule IDs
  • SV-32810r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.System AdministratorECCR-1
Checks: C-33487r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Data Encryption Section. -Under the Windows Mobile Smartphone section, verify "My Music" is checked.

Fix: F-29189r1_fix

Configure the Data Encryption setting on the Good server as required.

b
The following Data Encryption configuration must be set as required: My Pictures.
Medium - V-26130 - SV-32811r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-023-02
Vuln IDs
  • V-26130
Rule IDs
  • SV-32811r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.System AdministratorECCR-1
Checks: C-33488r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Data Encryption Section. -Under the Windows Mobile Smartphone section, verify "My Pictures" is checked.

Fix: F-29189r1_fix

Configure the Data Encryption setting on the Good server as required.

b
The following Data Encryption configuration must be set as required: Personal.
Medium - V-26131 - SV-32812r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-023-03
Vuln IDs
  • V-26131
Rule IDs
  • SV-32812r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.System AdministratorECCR-1
Checks: C-33489r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Data Encryption Section. -Under the Windows Mobile Smartphone section, verify "Personal" is checked.

Fix: F-29189r1_fix

Configure the Data Encryption setting on the Good server as required.

b
The following Data Encryption configuration must be set as required: My Music.
Medium - V-26132 - SV-32813r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-023-04
Vuln IDs
  • V-26132
Rule IDs
  • SV-32813r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.System AdministratorECCR-1
Checks: C-33490r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Data Encryption Section. -Under the Windows Mobile Pocket PC section, verify "My Music" is checked.

Fix: F-29189r1_fix

Configure the Data Encryption setting on the Good server as required.

b
following Data Encryption configuration must be set as required: My Pictures.
Medium - V-26133 - SV-32814r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-023-05
Vuln IDs
  • V-26133
Rule IDs
  • SV-32814r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.System AdministratorECCR-1
Checks: C-33491r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Data Encryption Section. -Under the Windows Mobile Pocket PC section, verify "My Pictures" is checked.

Fix: F-29189r1_fix

Configure the Data Encryption setting on the Good server as required.

b
The following Data Encryption configuration must be set as required: Personal.
Medium - V-26134 - SV-32815r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-023-06
Vuln IDs
  • V-26134
Rule IDs
  • SV-32815r2_rule
Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.System AdministratorECCR-1
Checks: C-33492r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Data Encryption Section. -Under the Windows Mobile Pocket PC section, verify "Personal" is checked.

Fix: F-29189r1_fix

Configure the Data Encryption setting on the Good server as required.

b
Password complexity must be set as required.
Medium - V-26135 - SV-32817r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-009-08
Vuln IDs
  • V-26135
Rule IDs
  • SV-32817r2_rule
Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1
Checks: C-33493r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Do not allow sequential numbers” is checked for the STIG/ISCG Policy Set.

Fix: F-29190r1_fix

Set password complexity as required.

b
A list of Windows Mobile Pocket PC blocked apps must be set up on the Good server.
Medium - V-26144 - SV-32850r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-024-01
Vuln IDs
  • V-26144
Rule IDs
  • SV-32850r1_rule
Malware could be installed on the smartphone if required controls are not followed.System AdministratorECVP-1
Checks: C-33602r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Windows Mobile Pocket PC section, verify the following applications are listed: -All Bluetooth applications -Opera -Any other browser listed except IE Mobile -ActiveSync, -Messaging and Outlook Mobile, -Pictures & Videos

Fix: F-29207r1_fix

Configure a list of blocked Windows Mobile Pocket PC/Smartphone apps on the Good server as required.

b
A list of Windows Mobile Smartphone blocked apps must be set up on the Good server.
Medium - V-26145 - SV-32851r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-024-02
Vuln IDs
  • V-26145
Rule IDs
  • SV-32851r1_rule
Malware could be installed on the smartphone if required controls are not followed.System AdministratorECVP-1
Checks: C-33603r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Windows Mobile Smartphone section, verify the following applications are listed: -All Bluetooth applications -Opera -Any other browser listed except IE Mobile -ActiveSync, -Messaging and Outlook Mobile, -Pictures & Videos

Fix: F-29207r1_fix

Configure a list of blocked Windows Mobile Pocket PC/Smartphone apps on the Good server as required.

b
The following Good Mobile Access configuration must be set as required: Enable Good Mobile Access.
Medium - V-26146 - SV-32852r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-025-01
Vuln IDs
  • V-26146
Rule IDs
  • SV-32852r2_rule
The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.System AdministratorDCFA-1
Checks: C-33604r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Enable Good Mobile Access is checked.

Fix: F-29208r1_fix

Set the Good Mobile Access configuration as required.

b
The following Good Mobile Access configuration must be set as required: Require user to authenticate via NTLM.
Medium - V-26148 - SV-32854r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-025-02
Vuln IDs
  • V-26148
Rule IDs
  • SV-32854r2_rule
The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.System AdministratorDCFA-1
Checks: C-33605r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Require user to authenticate via NTLM is not checked.

Fix: F-29208r1_fix

Set the Good Mobile Access configuration as required.

b
The following Good Mobile Access configuration must be set as required: Route both Intranet and Internet traffic through Good Mobile Access.
Medium - V-26149 - SV-32855r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-025-03
Vuln IDs
  • V-26149
Rule IDs
  • SV-32855r2_rule
The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.System AdministratorDCFA-1
Checks: C-33606r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Route both Intranet and Internet traffic through Good Mobile Access is checked.

Fix: F-29208r1_fix

Set the Good Mobile Access configuration as required.

b
The following Good Mobile Access configuration must be set as required: Allow internet access on handheld when Good Mobile Access is not running.
Medium - V-26150 - SV-32856r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-025-04
Vuln IDs
  • V-26150
Rule IDs
  • SV-32856r2_rule
The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.System AdministratorDCFA-1
Checks: C-33607r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Allow internet access on handheld when Good Mobile Access is not running is not checked.

Fix: F-29208r1_fix

Set the Good Mobile Access configuration as required.

b
The following Good Mobile Access configuration must be set as required: Route only Intranet traffic through Good Mobile Access.
Medium - V-26151 - SV-32857r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-025-05
Vuln IDs
  • V-26151
Rule IDs
  • SV-32857r2_rule
The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.System AdministratorDCFA-1
Checks: C-33608r1_chk

This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database. --------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the Smartphone and click on the Blocked Application Section. -Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Route only Intranet traffic through Good Mobile Access is not checked.

Fix: F-29208r1_fix

Set the Good Mobile Access configuration as required.

b
S/MIME must be enabled on the Good server.
Medium - V-26152 - SV-32858r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-012
Vuln IDs
  • V-26152
Rule IDs
  • SV-32858r2_rule
Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.System AdministratorECCR-1
Checks: C-33609r2_chk

This is a Good server configuration check. Log into the Good server management interface, select the Setting tab, and open the Secure Messaging (S/MIME) section. Verify Enable Secure Messaging (S/MIME) is checked. Mark as a finding if Enable Secure Messaging (S/MIME) is not checked.

Fix: F-29209r1_fix

Enable S/MIME on the Good server.

b
Either CAC or password authentication must be enabled for user access to the Good app on the smartphone.
Medium - V-26560 - SV-33567r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-002
Vuln IDs
  • V-26560
Rule IDs
  • SV-33567r1_rule
Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.System AdministratorIAIA-1
Checks: C-34026r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the mobile OS device devices and click on Handheld Authentication on the left side. -Verify either “Authenticate with CAC PIN” or “Authenticate with password” is selected. Mark as a finding if either of the required settings is not configured in the policy.

Fix: F-29711r1_fix

Set user authentication on the Good app on the smartphone to either CAC or password authentication.

b
“Require CAC to be present” must be set.
Medium - V-26561 - SV-33569r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-003
Vuln IDs
  • V-26561
Rule IDs
  • SV-33569r1_rule
Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good applications stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.System AdministratorIAIA-1
Checks: C-34029r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. - If “Authenticate with CAC PIN” is checked (CAC authentication is required) verify “Require CAC to be present” is also checked. Note: if “Authenticate with CAC PIN” is not checked, then “Require CAC to be present” does not need to be checked. Mark as a finding if not not set as required.

Fix: F-29713r1_fix

Set “Require CAC to be present” to required value.

c
Authentication on system administration accounts for wireless management servers must be configured.
High - V-26564 - SV-33591r1_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-011
Vuln IDs
  • V-26564
Rule IDs
  • SV-33591r1_rule
CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced.System AdministratorIAIA-1, IATS-1
Checks: C-34053r1_chk

Detailed Policy Requirements: One of the following authentications methods must be enforced for system administrator accounts: 1. CAC authentication. 2. The account password must be compliant with CTO 07-15 Rev1. –Password must be a 14+ character complex password consisting of at least 2 of the following: upper case letter, lower case letter, numbers, and special characters. The password must be changed every 60 days. Check Procedures: The Good messaging server uses Active Directory authentication for admin accounts to the management console. Site admin accounts are usually set up with a user ID/password authentication rather than CAC authentication. Therefore, verify the site AD is set up to require admin accounts to use passwords meeting the requirements of CTO 07-15Rev1. Discuss with the Network and AD reviewer and site IAO to verify compliance. Mark as a finding if site admin accounts do not meet the requirements.

Fix: F-29731r1_fix

Configure required authentication on system administration accounts for wireless management servers.