Good for Enterprise 8.x Security Technical Implementation Guide

  • Version/Release: V1R3
  • Published: 2017-12-14

Developed by Good Technology in coordination with DISA for the DoD.
The Good Mobility Suite must implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.
AC-5 - High - CCI-000037 - V-53019 - SV-67235r1_rule
RMF Control
AC-5
Severity
High
CCI
CCI-000037
Version
GOOD-00-000010
Vuln IDs
  • V-53019
Rule IDs
  • SV-67235r1_rule
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and a non-privileged account.

It is recommended that the following or similar roles be supported:

  • 1) Good Mobility Suite administrative account administrator is responsible for server installation, initial configuration, and maintenance functions.
  • 2) Security configuration policy administrator (IA technical professional) is responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
  • 3) Device management administrator (Technical operator) is responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
  • 4) Auditor (internal auditor or reviewer) is responsible for reviewing and maintaining server and mobile device audit logs.

Checks: C-54519r2_chk

Review the Good Mobility Suite configuration to determine if separation of administrator duties has been implemented by assigning a specific role to each administrator account. Otherwise, this is a finding.

Fix: F-57829r2_fix

Configure the Good Mobility Suite to implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.

  • Launch the Good Mobile Control Web console, select the roles tab.
  • Validate that administrative users are assigned to different roles based upon job function as defined by local policy.
      • Service Administrator - Service account super-user
      • Administrator - Server administrator
      • Helpdesk - Add/remove users
      • Self-service - Users take action on their own devices - DO NOT USE

The Good Mobility Suite server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.
SI-4 - High - CCI-001274 - V-53027 - SV-67243r1_rule
RMF Control
SI-4
Severity
High
CCI
CCI-001274
Version
GOOD-00-000650
Vuln IDs
  • V-53027
Rule IDs
  • SV-67243r1_rule
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Alerting a Good Mobility Suite mitigates the potential for attacks triggering integrity failures to have further consequences to the enterprise.
Checks: C-54527r1_chk

Review the Good Mobility Suite configuration to determine if alerts are accepted from the mobile operating system when the mobile OS has detected integrity check failures. Otherwise, this is a finding.

Fix: F-57837r1_fix

Configure the Good Mobility Suite server to accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.

  • Good logs are saved in standard .log format. The default location for these logs is the Log directory in the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows data to be consumed by any third-party syslog tool.
  • Please refer to the third-party documentation to configure the required alerts/notifications.

The Good Mobility Suite server must perform required actions when a security-related alert is received.
SI-4 - High - CCI-001265 - V-53029 - SV-67245r1_rule
RMF Control
SI-4
Severity
High
CCI
CCI-001265
Version
GOOD-00-000640
Vuln IDs
  • V-53029
Rule IDs
  • SV-67245r1_rule
Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. Types of actions the Good Mobility Suite must be able to perform after a security alert include: log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the Good Mobility Suite, disable the security container, wipe the security container, and delete an unapproved application. Security alerts include any alert from the MDIS or MAM component of the Good Mobility Suite.
Checks: C-54529r1_chk

Review the Good Mobility Suite configuration to determine if it has the capability to perform required actions after receiving a security-related alert. Otherwise, this is a finding.

Fix: F-57839r2_fix

Use a Good Mobility Suite that can perform required actions after receiving security-related alerts.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select a policy set to review and click on the policy
  • On the left tab, select Compliance Manager under Mobile Device Management and click Add Rule
  • Select the Compliance Rule
  • Under Failure Action, select the appropriate action

The Good Mobility Suite server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices.
SI-2 - High - CCI-001233 - V-53031 - SV-67247r1_rule
RMF Control
SI-2
Severity
High
CCI
CCI-001233
Version
GOOD-00-000630
Vuln IDs
  • V-53031
Rule IDs
  • SV-67247r1_rule
Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This mechanism also ensures the network configuration is known for risk mitigation when known issues are found with certain versions of the operating system or applications.
Checks: C-54531r2_chk

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite detects and reports the version of the operating system, device drivers, and application software for managed mobile devices. Otherwise, this is a finding.

Fix: F-57841r2_fix

Configure the Good Mobility Suite server to detect and report the version of the operating system, device drivers, and application software for managed mobile devices.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and click on iOS Configuration
  • Verify all checkboxes are checked on the General tab

The Good Mobility Suite email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.
SC-13 - Low - CCI-001144 - V-53033 - SV-67249r1_rule
RMF Control
SC-13
Severity
Low
CCI
CCI-001144
Version
GOOD-00-000620
Vuln IDs
  • V-53033
Rule IDs
  • SV-67249r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement stated that the email client must support retrieving certificates not stored in the local trust anchor store.
Checks: C-54537r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Otherwise, this is a finding.

Fix: F-57843r2_fix

Configure the Good Mobility Suite server to retrieve encryption certificates not stored in the local trust anchor store for S/MIME purposes.

  • Launch the Good Mobile Control Web console and click on the Settings tab
  • On the left side, select Secure Messaging (S/MIME)
  • Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
  • Click on Save

The Good Mobility Suite email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.
SC-13 - Medium - CCI-001144 - V-53035 - SV-67251r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001144
Version
GOOD-00-000610
Vuln IDs
  • V-53035
Rule IDs
  • SV-67251r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must validate certificates through a trusted OCSP, CRL, or SCVP.
Checks: C-54539r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client provides a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. Otherwise, this is a finding.

Fix: F-57845r2_fix

Configure the Good Mobility Suite server to provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.

  • Launch the Good Mobile Control Web console and click on the Settings tab
  • On the left side, select Secure Messaging (S/MIME)
  • Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
  • Click on Save and proceed to the Policies tab
  • Select the policy set for the smart phone and select Good For Enterprise Authentication
  • Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

The Good Mobility Suite email client must provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.
SC-13 - Medium - CCI-001144 - V-53037 - SV-67253r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001144
Version
GOOD-00-000600
Vuln IDs
  • V-53037
Rule IDs
  • SV-67253r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must be able to decrypt incoming email messages.
Checks: C-54541r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.

Fix: F-57847r2_fix

Configure the Good Mobility Suite server to provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select Good For Enterprise Authentication
  • Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

The Good Mobility Suite email client must provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.
SC-13 - Medium - CCI-001144 - V-53039 - SV-67255r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001144
Version
GOOD-00-000590
Vuln IDs
  • V-53039
Rule IDs
  • SV-67255r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must be able to sign and/or encrypt outgoing messages.
Checks: C-54543r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.

Fix: F-57849r2_fix

Configure the Good Mobility Suite to provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select Good For Enterprise Authentication
  • Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

The Good Mobility Suite email client must set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.
SC-13 - Medium - CCI-001144 - V-53041 - SV-67257r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001144
Version
GOOD-00-000580
Vuln IDs
  • V-53041
Rule IDs
  • SV-67257r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that Smart Card/Certificate Store password caching must time out.
Checks: C-54545r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client sets the Smart Card or Certificate Store Password caching timeout period to 120 minutes. Otherwise, this is a finding.

Fix: F-57851r2_fix

Configure the Good Mobility Suite to set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select Good For Enterprise Authentication
  • Verify Re-challenge for password every is checked and set to 120 minutes

The Good Mobility Suite email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported.
SC-13 - Low - CCI-001144 - V-53043 - SV-67259r1_rule
RMF Control
SC-13
Severity
Low
CCI
CCI-001144
Version
GOOD-00-000570
Vuln IDs
  • V-53043
Rule IDs
  • SV-67259r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the CAC is the required mechanism for that protection.
Checks: C-54547r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client S/MIME feature is fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. Otherwise, this is a finding.

Fix: F-57853r2_fix

Configure the Good Mobility Suite email client to utilize DoD PKI and CAC/PIV.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select Good For Enterprise Authentication
  • Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

The Good Mobility Suite email client must be capable of providing S/MIME v3 (or later version) encryption of email.
SC-13 - Medium - CCI-001144 - V-53045 - SV-67261r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001144
Version
GOOD-00-000560
Vuln IDs
  • V-53045
Rule IDs
  • SV-67261r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, S/MIME is the required mechanism for encryption of email.
Checks: C-54549r1_chk

Review the Good Mobility Suite server configuration to verify the mobile email client provides S/MIME v3 (or later version) encryption of email. Otherwise, this is a finding.

Fix: F-57855r2_fix

Configure the Good Mobility Suite server to provide S/MIME v3 (or later version) encryption of email.

  • Launch the Good Mobile Control Web console and click on the Settings tab
  • On the left side, select Secure Messaging (S/MIME)
  • Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
  • Click on Save and proceed to the Policies tab
  • Select the policy set for the smart phone and select Good For Enterprise Authentication
  • Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

The Good Mobility Suite email client must restrict contact list data elements transferred to the phone application.
SC-4 - Low - CCI-001090 - V-53047 - SV-67263r1_rule
RMF Control
SC-4
Severity
Low
CCI
CCI-001090
Version
GOOD-00-000550
Vuln IDs
  • V-53047
Rule IDs
  • SV-67263r1_rule
The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed.
Checks: C-54551r1_chk

Review the Good Mobility Suite server configuration to determine whether the email client restricts contact list data elements transferred to the phone application. Otherwise, this is a finding.

Fix: F-57857r2_fix

Configure the Good Mobility Suite to restrict contact list data elements transferred to the phone application.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select the Messaging tab
  • Verify Enable access to Good Contacts is checked
  • Click on Choose Fields to select the fields to sync - Name and Phone Number

The Good Mobility Suite server must disable copying data from inside a security container to a non-secure data area on a mobile device via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53049 - SV-67265r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000540
Vuln IDs
  • V-53049
Rule IDs
  • SV-67265r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.
Checks: C-54553r1_chk

Review the Good Mobility Suite server configuration to determine whether the capability to disable the copying of data stored inside the security container to an unsecured area outside the container has been disabled. Otherwise, this is a finding.

Fix: F-57859r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the copying of data stored inside the security container to an unsecured area outside the container.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select the Messaging tab
  • Verify Do not allow data to be copied from the Good application is unchecked
  • Select the File Handling tab and make sure Enable importing to Good only is selected
  • Verify Exceptions to importing/exporting between Good and 3rd party is checked and Trust only these external applications is selected

The Good Mobility Suite server must specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.
CM-6 - Medium - CCI-000370 - V-53051 - SV-67267r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000530
Vuln IDs
  • V-53051
Rule IDs
  • SV-67267r1_rule
DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the Good Mobility Suite. In these cases, the ability for users to remove the application is needed to ensure proper secure operations of the device.
Checks: C-54555r1_chk

Review the Good Mobility Suite server configuration to determine whether there is a list of approved applications that must be installed on the mobile device and cannot be removed by the user. Otherwise, this is a finding.

Fix: F-57861r2_fix

Configure the Good Mobility Suite to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select the Application Management tab
  • Verify Required applications have been assigned under Enterprise Applications and are marked as Managed under the 'Type' field
  • Click Save

The Good Mobility Suite server must configure the mobile device agent to prohibit the download of software from a non-DoD approved source.
CM-6 - Medium - CCI-000370 - V-53053 - SV-67269r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000520
Vuln IDs
  • V-53053
Rule IDs
  • SV-67269r1_rule
DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores.
Checks: C-54557r1_chk

Review the Good Mobility Suite server configuration to determine if the mobile device agent prohibits the download of software from a DoD non-approved source. Otherwise, this is a finding.

Fix: F-57863r2_fix

Configure the Good Mobility Suite mobile device agent to prohibit the download of software from a DoD non-approved source.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone
  • On the left tab, select iOS Configuration and select the Restrictions Tab
  • Verify Allow installing apps is unchecked

The Good Mobility Suite server must prohibit the mobile device user from installing unapproved applications on the mobile device.
CM-6 - Medium - CCI-000370 - V-53055 - SV-67271r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000510
Vuln IDs
  • V-53055
Rule IDs
  • SV-67271r1_rule
The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier-installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.
Checks: C-54559r1_chk

Review the Good Mobility Suite server configuration to determine if the mobile device user is prohibited from installing unapproved applications on the mobile device. Otherwise, this is a finding.

Fix: F-57865r2_fix

Configure the Good Mobility Suite to prohibit the mobile device user from installing unapproved applications on the mobile device.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone
  • On the left tab, select iOS Configuration and select the Restrictions Tab
  • Verify Allow installing apps is unchecked

The Good Mobility Suite server application white list for managed mobile devices must be set to Deny All by default when no applications are listed.
CM-6 - High - CCI-000370 - V-53057 - SV-67273r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
GOOD-00-000500
Vuln IDs
  • V-53057
Rule IDs
  • SV-67273r1_rule
The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.
Checks: C-54561r1_chk

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite application white list for managed mobile devices is set to "Deny All" by default when no applications are listed. Otherwise, this is a finding.

Fix: F-57867r2_fix

Configure the Good Mobility Suite application white list for managed mobile devices to "Deny All" by default when no applications are listed.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select the Compliance Manager tab
  • Verify an iOS rule exists with the 'Application Exceptions' rule type and is set to enabled
  • Select Edit for the iOS rule
  • Verify Trust only these applications is selected
  • Verify only allowed applications are added to the 'Apps Selected' list

The Good Mobility Suite server must configure the Good Mobility Suite agent to prohibit the download of applications on mobile operating system devices without system administrator control.
CM-6 - Medium - CCI-000370 - V-53059 - SV-67275r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000490
Vuln IDs
  • V-53059
Rule IDs
  • SV-67275r1_rule
The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.
Checks: C-54563r1_chk

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite agent prohibits the download of applications on mobile operating system devices without administrator control. If this function is not present, this is a finding.

Fix: F-57869r3_fix

Configure the Good Mobility Suite so the Good Mobility Suite agent is configured to prohibit the download of applications on mobile operating system devices without system administrator control.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and select the iOS Management tab
  • Verify Enable iOS Configuration is checked
  • Select the Restrictions under iOS Management tab
  • Verify Allow use of iTunes Music Store is unchecked

The Good Mobility Suite server must enable iOS Force encrypted backups via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53061 - SV-67277r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000480
Vuln IDs
  • V-53061
Rule IDs
  • SV-67277r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54565r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Force encrypted backups has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57871r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to enable iOS Force encrypted backups.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and click on Good For Enterprise Authentication
  • On the left tab, select iOS Configuration and select the Restrictions Tab
  • Verify the Enable Restrictions Checkbox is checked
  • Verify Require iTunes backups to be encrypted is checked

The Good Mobility Suite server must disable iOS Allow diagnostic data to be sent to Apple via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53063 - SV-67279r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000470
Vuln IDs
  • V-53063
Rule IDs
  • SV-67279r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54567r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow diagnostic data to be sent to Apple has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57873r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow diagnostic data to be sent to Apple.

  • Launch the Good Mobile Control Web console and click on the Policies tab
  • Select the policy set for the smart phone and click on Good For Enterprise Authentication
  • On the left tab, select iOS Configuration and select the Restrictions Tab
  • Verify the Enable Restrictions Checkbox is checked
  • Verify Allow diagnostic data to be sent to Apple is unchecked

The Good Mobility Suite server must disable iOS Auto-fill via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53065 - SV-67281r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000460
Vuln IDs
  • V-53065
Rule IDs
  • SV-67281r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54569r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Auto-fill has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57875r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Auto-fill.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Auto-fill is unchecked

The Good Mobility Suite server must disable iOS Allow documents from unmanaged apps in managed apps via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53067 - SV-67283r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000450
Vuln IDs
  • V-53067
Rule IDs
  • SV-67283r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54571r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from unmanaged apps in managed apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57877r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from unmanaged apps in managed apps.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow "Open In" from unmanaged to managed is unchecked

The Good Mobility Suite server must disable iOS Allow documents from managed apps in unmanaged apps via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53069 - SV-67285r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000440
Vuln IDs
  • V-53069
Rule IDs
  • SV-67285r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54573r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from managed apps in unmanaged apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57879r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from managed apps in unmanaged apps.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow "Open In" from managed to unmanaged is unchecked

The Good Mobility Suite server must disable iOS Touch ID to unlock device via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53071 - SV-67287r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000430
Vuln IDs
  • V-53071
Rule IDs
  • SV-67287r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54575r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Touch ID to unlock device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57881r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Touch ID to unlock device.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow fingerprint unlock is unchecked

The Good Mobility Suite server must disable the iOS Today View in lock screen via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53073 - SV-67289r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000420
Vuln IDs
  • V-53073
Rule IDs
  • SV-67289r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54577r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the iOS Today View in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57883r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS Today View in lock screen.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow lock screen Today View is unchecked

The Good Mobility Suite server must disable iOS Airdrop via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53075 - SV-67291r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000410
Vuln IDs
  • V-53075
Rule IDs
  • SV-67291r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54579r1_chk

Review the Good Mobility Suite server policy configuration to determine whether iOS Airdrop has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57885r1_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Airdrop. This setting can only be enforced by User-Based Enforcement.

The Good Mobility Suite server must disable the iOS notification center in lock screen via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53077 - SV-67293r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000400
Vuln IDs
  • V-53077
Rule IDs
  • SV-67293r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54581r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the iOS notification center in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57887r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS notification center in lock screen.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow lock screen notifications view is unchecked

The Good Mobility Suite server must disable iOS voice dialing via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53079 - SV-67295r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000390
Vuln IDs
  • V-53079
Rule IDs
  • SV-67295r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54583r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS voice dialing has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57889r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS voice dialing.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow voice dialing is unchecked

The Good Mobility Suite server must disable iOS Siri while the device is locked via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53081 - SV-67297r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000380
Vuln IDs
  • V-53081
Rule IDs
  • SV-67297r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54585r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS Siri while the device is locked has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57891r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Siri while the device is locked.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Siri While device is locked is unchecked

The Good Mobility Suite server must enable iOS force limited ad tracking via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53083 - SV-67299r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000370
Vuln IDs
  • V-53083
Rule IDs
  • SV-67299r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54587r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS force limited ad tracking has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57893r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to enable iOS force limited ad tracking.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Force limit ad tracking is checked

The Good Mobility Suite server must disable iOS iCloud documents and data via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53085 - SV-67301r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000360
Vuln IDs
  • V-53085
Rule IDs
  • SV-67301r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54589r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud documents and data has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57895r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud documents and data.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow document syncing is unchecked

The Good Mobility Suite server must disable iOS iCloud backup via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53087 - SV-67303r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000350
Vuln IDs
  • V-53087
Rule IDs
  • SV-67303r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54591r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud backup has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57897r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud backup.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow iCloud backup is unchecked

The Good Mobility Suite server must disable iOS iCloud keychain sync via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53089 - SV-67305r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000340
Vuln IDs
  • V-53089
Rule IDs
  • SV-67305r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54593r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud keychain sync has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57899r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud keychain.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow iCloud keychain sync is unchecked

The Good Mobility Suite server must disable iOS photo streams via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53091 - SV-67307r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000330
Vuln IDs
  • V-53091
Rule IDs
  • SV-67307r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54595r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57901r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS photo streams.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Photo Stream is unchecked

The Good Mobility Suite server must disable iOS shared photo streams via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53093 - SV-67309r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000320
Vuln IDs
  • V-53093
Rule IDs
  • SV-67309r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54597r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS shared photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57903r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS shared photo streams.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Shared Photo Stream is unchecked

The Good Mobility Suite server must disable iOS screenshots via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53095 - SV-67311r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000310
Vuln IDs
  • V-53095
Rule IDs
  • SV-67311r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54599r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the ability to take iOS screenshots has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57905r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS screenshots.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow screen capture is unchecked

The Good Mobility Suite email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
AC-19 - Low - CCI-000086 - V-53097 - SV-67313r1_rule
RMF Control
AC-19
Severity
Low
CCI
CCI-000086
Version
GOOD-00-000020
Vuln IDs
  • V-53097
Rule IDs
  • SV-67313r1_rule
HTML code embedded in emails can contain links to malicious sites. Requiring that all emails are viewed in plain text helps remediate phishing attempts.
Checks: C-54601r1_chk

Review the Good Mobility Suite configuration to determine if the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Otherwise, this is a finding.

Fix: F-57907r1_fix

Configure the Good Mobility Suite to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Verify that the following registry entry exists on servers running the Good GMM/Good Link Service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\sync]
"HtmlEmail"=0

The Good Mobility Suite must transfer audit logs from managed mobile devices to the Good Mobility Suite.
AU-3 - High - CCI-000136 - V-53099 - SV-67315r1_rule
RMF Control
AU-3
Severity
High
CCI
CCI-000136
Version
GOOD-00-000030
Vuln IDs
  • V-53099
Rule IDs
  • SV-67315r1_rule
Good Mobility Suite auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents.
Checks: C-54603r1_chk

Review the Good Mobility Suite mobile device account configuration to verify the audit logs can be transferred from managed mobile devices to the Good Mobility Suite. Have the system administrator show the logs of managed mobile devices on the Good Mobility Suite and whether audit logs are being transferred on request or on a periodic schedule. Otherwise, this is a finding.

Fix: F-57909r1_fix

Configure the Good Mobility Suite to transfer audit logs from managed mobile devices to the Good Mobility Suite.
- Good logs are saved in standard .log format. The default location for these logs is in the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control) Log Directory. This allows data to be consumed by any third-party syslog tool. Please refer to third-party documentation to configure required alerts/notifications.
- To enable Good Mobile Messaging Server diagnostic logging, the following 3 registry entries must be configured as String Values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics
"cachesize" = 0
"encrypt" = 0
"expand" = 1
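
An added example (not part of the STIG or of any Good Technology tooling): a PowerShell check, run on the server hosting the Good Link service, for the registry values named in the Fix texts for GOOD-00-000020 and GOOD-00-000030. It assumes the value names and data are exactly as printed in those Fix texts; the function name `Test-GoodRegistryValue` and the output fields are hypothetical.

```powershell
# Expected values, copied from the Fix texts for GOOD-00-000020 and GOOD-00-000030.
# RequireString is set only where the page says the entries must be String Values;
# the page does not state a type for HtmlEmail, so only its data is compared.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters'
$expected = @(
    @{ Rule = 'GOOD-00-000020'; Key = "$base\sync";        Name = 'HtmlEmail'; Value = '0'; RequireString = $false }
    @{ Rule = 'GOOD-00-000030'; Key = "$base\diagnostics"; Name = 'cachesize'; Value = '0'; RequireString = $true }
    @{ Rule = 'GOOD-00-000030'; Key = "$base\diagnostics"; Name = 'encrypt';   Value = '0'; RequireString = $true }
    @{ Rule = 'GOOD-00-000030'; Key = "$base\diagnostics"; Name = 'expand';    Value = '1'; RequireString = $true }
)

# Hypothetical helper: checks one expected entry and reports it in STIG terms.
function Test-GoodRegistryValue {
    param([Parameter(Mandatory)][hashtable]$Item)

    $result = [ordered]@{
        Rule     = $Item.Rule
        Name     = $Item.Name
        Expected = $Item.Value
        Actual   = $null
        Status   = 'Finding'
        Detail   = ''
    }

    # A missing key and a missing value are reported separately, because the
    # remediation differs (service not installed here vs. entry never created).
    if (-not (Test-Path -LiteralPath $Item.Key)) {
        $result.Detail = 'registry key not present'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Item.Key
    if ($key.GetValueNames() -notcontains $Item.Name) {
        $result.Detail = 'registry value not present'
        return [pscustomobject]$result
    }

    $actual = $key.GetValue($Item.Name)
    $kind   = $key.GetValueKind($Item.Name)
    $result.Actual = "$actual ($kind)"

    if ($Item.RequireString -and $kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        $result.Detail = "value type is $kind, Fix text requires a String value"
    }
    elseif ("$actual" -ne $Item.Value) {
        $result.Detail = 'data does not match the Fix text'
    }
    else {
        $result.Status = 'Not a finding'
    }
    return [pscustomobject]$result
}

# Evaluate every expected entry and show the results as one table.
$expected | ForEach-Object { Test-GoodRegistryValue -Item $_ } | Format-Table -AutoSize
```

The check only reads the registry, so it can be run under an auditor account with read access to the service's parameters key.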

The Good Mobility Suite email client must notify the user if it cannot verify the revocation status of the certificate.
IA-5 - Low - CCI-000185 - V-53101 - SV-67317r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000185
Version
GOOD-00-000040
Vuln IDs
  • V-53101
Rule IDs
  • SV-67317r1_rule
If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can use revoked certificates without detection.
Checks: C-54605r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client notifies the user if it cannot verify the revocation status of the certificate. Otherwise, this is a finding.

Fix: F-57911r2_fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
IA-5 - Low - CCI-000185 - V-53103 - SV-67319r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000185
Version
GOOD-00-000050
Vuln IDs
  • V-53103
Rule IDs
  • SV-67319r1_rule
When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the credentials of an unauthorized system. Allowing the operating system or user to deny certificates with unverified revocation status mitigates the risk associated with the acceptance of such certificates.
Checks: C-54607r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. Otherwise, this is a finding.

Fix: F-57913r2_fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
IA-5 - Medium - CCI-000185 - V-53105 - SV-67321r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000060
Vuln IDs
  • V-53105
Rule IDs
  • SV-67321r1_rule
If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.
Checks: C-54609r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate issued from an untrusted certificate authority. Otherwise, this is a finding.

Fix: F-57915r3_fix

Configure the Good Mobility Suite to alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.
IA-5 - Medium - CCI-000185 - V-53107 - SV-67323r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000070
Vuln IDs
  • V-53107
Rule IDs
  • SV-67323r1_rule
When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of a certificate if it was issued by an untrusted certificate authority.
Checks: C-54611r1_chk

Review the Good Mobility Suite configuration to verify the email client provides users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. Otherwise, this is a finding.

Fix: F-57917r3_fix

Configure the Good Mobility Suite to provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must alert the user if it receives an invalid public-key certificate.
IA-5 - Medium - CCI-000185 - V-53109 - SV-67325r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000080
Vuln IDs
  • V-53109
Rule IDs
  • SV-67325r1_rule
If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.
Checks: C-54613r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an invalid public-key certificate. Otherwise, this is a finding.

Fix: F-57919r2_fix

Configure the Good Mobility Suite to alert the user if it receives an invalid public-key certificate.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.
IA-5 - Medium - CCI-000185 - V-53111 - SV-67327r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000090
Vuln IDs
  • V-53111
Rule IDs
  • SV-67327r1_rule
When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.
Checks: C-54615r1_chk

Review the Good Mobility Suite configuration to verify the email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. Otherwise, this is a finding.

Fix: F-57921r2_fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must not accept certificate revocation information without verifying its authenticity.
IA-5 - Low - CCI-000185 - V-53113 - SV-67329r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000185
Version
GOOD-00-000100
Vuln IDs
  • V-53113
Rule IDs
  • SV-67329r1_rule
If the operating system does not verify the authenticity of revocation information, there is the potential that an authorized system is providing false information. Acceptance of the false information could result in the installation of unauthorized software or connection to rogue networks, depending on the use for which the certificate is intended. Verifying the authenticity of revocation information mitigates this risk.
Checks: C-54617r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client does not accept certificate revocation information without verifying its authenticity. Otherwise, this is a finding.

Fix: F-57923r2_fix

Configure the Good Mobility Suite to not accept certificate revocation information without verifying its authenticity.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must verify all digital certificates in the certificate chain when performing PKI transactions.
IA-5 - Low - CCI-000185 - V-53115 - SV-67331r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000185
Version
GOOD-00-000110
Vuln IDs
  • V-53115
Rule IDs
  • SV-67331r1_rule
If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mobile user with such false assurance, the adversary may be able to obtain DoD information, capture authentication credentials, and perform other unauthorized functions. Verifying all digital certificates in the chain mitigates this risk.
Checks: C-54619r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client verifies all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. Otherwise, this is a finding.

Fix: F-57925r2_fix

Configure the Good Mobility Suite to verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.
IA-5 - Medium - CCI-000185 - V-53117 - SV-67333r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000120
Vuln IDs
  • V-53117
Rule IDs
  • SV-67333r1_rule
When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.
Checks: C-54621r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. Otherwise, this is a finding.

Fix: F-57929r2_fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.
IA-5 - Medium - CCI-000185 - V-53125 - SV-67341r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000130
Vuln IDs
  • V-53125
Rule IDs
  • SV-67341r1_rule
If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.
Checks: C-54623r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate with a non-FIPS approved algorithm. Otherwise, this is a finding.

Fix: F-57935r2_fix

Configure the Good Mobility Suite to alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.
IA-5 - Medium - CCI-000185 - V-53127 - SV-67343r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000140
Vuln IDs
  • V-53127
Rule IDs
  • SV-67343r1_rule
When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.
Checks: C-54625r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. Otherwise, this is a finding.

Fix: F-57937r2_fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite email client must alert the user if it receives an unverified public-key certificate.
IA-5 - Medium - CCI-000185 - V-53129 - SV-67345r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000170
Vuln IDs
  • V-53129
Rule IDs
  • SV-67345r1_rule
If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.
Checks: C-54627r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an unverified public-key certificate. Otherwise, this is a finding.

Fix: F-57941r2_fix

Configure the Good Mobility Suite to alert the user if it receives an unverified public-key certificate.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

The Good Mobility Suite must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device.
CM-6 - Medium - CCI-000370 - V-53133 - SV-67349r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000180
Vuln IDs
  • V-53133
Rule IDs
  • SV-67349r1_rule
Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device.
Checks: C-54629r1_chk

Review the Good Mobility Suite configuration to determine whether there is administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. Otherwise, this is a finding.

Fix: F-57943r1_fix

Configure the Good Mobility Suite so it has the administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device.
Enable iOS MDM Profile
1. Select each security policy iOS devices are assigned to, and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule.
- Verify "Enable MDM profile" is checked.
- Verify "Enable remote full device wipe" is checked.

The Good Mobility Suite must enforce the minimum password length for the device unlock password via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53135 - SV-67351r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000190
Vuln IDs
  • V-53135
Rule IDs
  • SV-67351r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54631r1_chk

Review the Good Mobility Suite server policy configuration to determine if the minimum password length for the device unlock password is at least 4 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57945r2_fix

Configure the centrally managed Good Mobility Suite server policy rule to enable a device unlock password with a minimum length of 4 characters.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Passcode Tab
- Verify require passcode is checked and minimum length is set to 4

The Good Mobility Suite server must set the device inactivity timeout to 15 minutes via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53137 - SV-67353r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000200
Vuln IDs
  • V-53137
Rule IDs
  • SV-67353r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54633r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57947r2_fix

Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout to 15 minutes.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Passcode Tab
- Verify Auto-lock is checked and set to the appropriate value

The Good Mobility Suite server must set the device inactivity timeout grace period to be immediate via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53143 - SV-67359r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000210
Vuln IDs
  • V-53143
Rule IDs
  • SV-67359r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54635r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout grace period is set to be immediate. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57953r2_fix

Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout grace period to be immediate.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Passcode Tab
- Verify Grace Period checkbox is checked and its dropdown menu set to Immediate

The Good Mobility Suite server must disable the mobile device user's access to an application store or repository via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53145 - SV-67361r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000220
Vuln IDs
  • V-53145
Rule IDs
  • SV-67361r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54637r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the mobile device user's access to an application store or repository has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57955r2_fix

Configure the centrally managed Good Mobility Suite server policy rule to disable the mobile device user's access to an application store or repository.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify Allow installing apps is unchecked and set to the appropriate value

The Good Mobility Suite server must block access to specific web sites via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53149 - SV-67365r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000230
Vuln IDs
  • V-53149
Rule IDs
  • SV-67365r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54639r1_chk

Review the Good Mobility Suite server policy configuration to determine whether access to specific web sites has been blocked. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57959r2_fix

Configure the centrally managed Good Mobility Suite server policy rule to block access to specific web sites.
- Launch the Good Mobile Control Web console and click on the Settings tab
- On the left tab, select Good Mobile Access (Secure Browser)
- Populate the Approved DoD Proxy settings applicable to your Network
- Click on Policies Tab
- Select the policy set for the smart phone and click on Good Mobile Access (Secure Browser)
- Check Enable access to the Intranet, click on Edit and add routeall.gmm.good, click ok and click Save. At this point the Secure Browser will utilize your DoD proxy settings.

The Good Mobility Suite server must force the display of a warning banner on the mobile device via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53153 - SV-67369r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000240
Vuln IDs
  • V-53153
Rule IDs
  • SV-67369r2_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. The warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: "I've read & consent to terms in IS user agreement." (Wording must be exactly as specified.)
Checks: C-54641r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the display of a warning banner on the mobile device is being forced. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57963r3_fix

Configure the centrally managed Good Mobility Suite server policy rule to force the display of a warning banner on the mobile device.
- Create a Notepad text file, enter the following, and then save it as disclaimer.xml (DO NOT DEVIATE FROM BELOW CONTENT):
  <disclaimer>
  <dtext value="I've read &amp; consent to terms in IS user agreem't."/>
  </disclaimer>
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select a policy set to review and click on the policy
- On the left tab, select Compliance Manager and click Add Rule
- Select iOS as the Rule Platform
- Under Check to run select custom
- Enter a Name and Description for your Rule
- Under Perform Checks select Rule file and upload your disclaimer.xml
- Click Okay to save the rule to Compliance Manager
- Select the newly created rule and click enable
- Click Save to save the Policy
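Because the rule file must match the required content exactly, it is worth validating disclaimer.xml before uploading it. The following is an added example, not part of the STIG or of Good Technology's tooling: Test-DisclaimerFile is a hypothetical helper, the two sample files are constructed here, and the expected text is the dtext value from the fix text with the ampersand entity decoded.

```powershell
# Added example: check a disclaimer.xml for well-formedness and exact banner text.
function Test-DisclaimerFile {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedText
    )

    # Small helper so every exit path returns the same shape of object.
    $result = {
        param($ok, $reason)
        [pscustomobject]@{ Path = $Path; Compliant = $ok; Reason = $reason }
    }

    $doc = New-Object System.Xml.XmlDocument
    try {
        $fullPath = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        $doc.Load($fullPath)
    } catch {
        # A bare "&" in the attribute value lands here: it must be written as the entity &amp;
        return & $result $false "cannot load as XML: $($_.Exception.Message)"
    }

    # XML names are case-sensitive, so use the case-sensitive operators.
    $root = $doc.DocumentElement
    if ($root.Name -cne 'disclaimer') {
        return & $result $false "root element is <$($root.Name)>, expected <disclaimer>"
    }

    $nodes = @($root.SelectNodes('dtext'))
    if ($nodes.Count -ne 1) {
        return & $result $false "found $($nodes.Count) <dtext> elements, expected exactly 1"
    }

    $value = $nodes[0].GetAttribute('value')
    if ($value -cne $ExpectedText) {
        return & $result $false "banner text differs: '$value'"
    }

    & $result $true ''
}

# Expected banner text after XML parsing (the entity &amp; decodes to "&").
$expected = "I've read & consent to terms in IS user agreem't."

# Constructed sample files: one well-formed, one with an unescaped ampersand.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'disclaimer-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$wellFormed = @'
<disclaimer>
<dtext value="I've read &amp; consent to terms in IS user agreem't."/>
</disclaimer>
'@
$bareAmpersand = $wellFormed -replace '&amp;', '&'

Set-Content -LiteralPath (Join-Path $dir 'good.xml') -Value $wellFormed -Encoding UTF8
Set-Content -LiteralPath (Join-Path $dir 'bare-ampersand.xml') -Value $bareAmpersand -Encoding UTF8

foreach ($file in 'good.xml', 'bare-ampersand.xml') {
    Test-DisclaimerFile -Path (Join-Path $dir $file) -ExpectedText $expected
}
```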

The Good Mobility Suite server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53155 - SV-67371r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000250
Vuln IDs
  • V-53155
Rule IDs
  • SV-67371r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54643r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57965r2_fix

Configure the centrally managed Good Mobility Suite server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Passcode Tab
- Verify Maximum Failed Attempts checkbox is checked and its dropdown menu set to a value of 10 or less

The Good Mobility Suite server must enable a Good Mobility Suite agent password via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53157 - SV-67373r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000260
Vuln IDs
  • V-53157
Rule IDs
  • SV-67373r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54645r1_chk

Review the Good Mobility Suite server policy configuration to determine whether a Good Mobility Suite Agent password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-57969r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to enable a Good Mobility Suite Agent password.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Password-protected (with or without soft token and S/MIME) is selected

The Good Mobility Suite server must enable the Good Mobility Suite agent password length to be six or more characters.
CM-6 - Medium - CCI-000370 - V-53161 - SV-67377r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000270
Vuln IDs
  • V-53161
Rule IDs
  • SV-67377r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54647r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent password is at least 6 characters. If there are multiple policies, they must all be reviewed. If the Good Mobility Suite agent password is not at least 6 characters, this is a finding.

Fix: F-57971r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to set the minimum Good Mobility Suite agent password length to six or more characters.

- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify "Require minimum length" is checked and is set to 6 characters

b
The Good Mobility Suite must set the Good Mobility Suite agent inactivity timeout to 15 minutes via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53163 - SV-67379r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000280
Vuln IDs
  • V-53163
Rule IDs
  • SV-67379r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54649r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. If the Good Mobility Suite agent inactivity timeout is not set to 15 minutes, this is a finding.

Fix: F-57973r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to set the Good Mobility Suite agent inactivity timeout to 15 minutes.

- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify "Require password when idle for" is checked and is set to 15 minutes

b
The Good Mobility Suite server must disable the automatic removal of the iOS configuration profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53165 - SV-67381r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000290
Vuln IDs
  • V-53165
Rule IDs
  • SV-67381r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54651r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the automatic removal of the iOS configuration profile has been disabled. If there are multiple policies, they must all be reviewed. If the automatic removal of the iOS configuration profile has not been disabled, this is a finding.

Fix: F-57975r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the automatic removal of the iOS configuration profile.

- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the General Tab
- Verify "Automatically Remove Profile" is set to Never

b
The Good Mobility Suite server must disable the use of simple values within the iOS Good Mobility Server agent password via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-53167 - SV-67383r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
GOOD-00-000300
Vuln IDs
  • V-53167
Rule IDs
  • SV-67383r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
Checks: C-54653r1_chk

Review the Good Mobility Suite server policy configuration to determine whether the use of simple values within the iOS Good Mobility Server agent password has been disabled. If there are multiple policies, they must all be reviewed. If the use of simple values has not been disabled, this is a finding.

Fix: F-57977r2_fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the use of simple values within the iOS Good Mobility Server agent password.

- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Passcode Tab
- Verify "Allow Simple Value" is unchecked

b
The Good Mobility Suite email client must alert the user if the certificate uses an unverified CRL.
IA-5 - Medium - CCI-000185 - V-53251 - SV-67467r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000150
Vuln IDs
  • V-53251
Rule IDs
  • SV-67467r1_rule
If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.
Checks: C-54657r2_chk

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if the certificate uses an unverified CRL. Otherwise, this is a finding.

Fix: F-58063r2_fix

Configure the Good Mobility Suite to alert the user if the certificate uses an unverified CRL.

- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify "Enable Secure Messaging (S/MIME)" is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify "Enable S/MIME" is checked

b
The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.
IA-5 - Medium - CCI-000185 - V-53253 - SV-67469r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
GOOD-00-000160
Vuln IDs
  • V-53253
Rule IDs
  • SV-67469r1_rule
If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.
Checks: C-54659r1_chk

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. Otherwise, this is a finding.

Fix: F-58065r2_fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.

- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify "Enable Secure Messaging (S/MIME)" is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify "Enable S/MIME" is checked

c
Only supported versions of Good for Enterprise must be used.
High - V-76677 - SV-91373r2_rule
RMF Control
Severity
High
CCI
Version
GOOD-00-000700
Vuln IDs
  • V-76677
Rule IDs
  • SV-91373r2_rule
If an unsupported version of Good for Enterprise is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose sensitive DoD data to unauthorized people. Good for Enterprise supports old and obsolete technologies and is no longer being supported by BlackBerry.
Checks: C-76333r3_chk

Determine if any version of Good for Enterprise server is installed at the site. BlackBerry stopped supporting all versions of this server on 30 September 2017. If any version of Good for Enterprise server is installed at the site, this is a finding.

Exception: This requirement is Not Applicable for sites that have a valid extended service agreement with BlackBerry for service on the Good for Enterprise product. This exception is valid until the end of the service agreement or until 31 August 2018, whichever occurs first.

CCI-000370

Fix: F-83373r1_fix

Remove all versions of Good for Enterprise server installed at the site.