Mobile Email Management (MEM) Server Security Technical Implementation Guide (STIG)

  • Version/Release: V1R2
  • Published: 2013-05-08

This STIG provides technical security controls required for the use of a MEM server that manages mobile email from/to mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
The required mobile device management server version (or later) must be used.
Medium - V-24972 - SV-30809r2_rule
Severity: Medium
Version: WIR-WMS-GD-001
Vuln IDs
  • V-24972
Rule IDs
  • SV-30809r2_rule
Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-31225r6_chk

On the mobile device management server, determine the version number of the server. The exact procedure will vary, depending on the mobile device management product used.
  • Verify the server version is the latest available version and includes the latest patches available. Talk to the site system administrator and view the vendor's web site to determine the correct version number.
  • Mark as a finding if the server version is not as required.

Fix: F-27612r3_fix

Upgrade to required (or later) mobile device management server version.

The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
Medium - V-24973 - SV-30810r2_rule
Severity: Medium
Version: WIR-WMS-GD-002
Vuln IDs
  • V-24973
Rule IDs
  • SV-30810r2_rule
The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the management server.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-31226r5_chk

Work with the OS Reviewer or check VMS for last review of each host server where a mobile management server is installed. This includes the host server for the MDM, MAM, MDIS, and MEM servers. The review should include the SQL server, Apache Tomcat, and IIS, if installed. Mark as a finding if the previous or current OS review of the Windows server did not include the SQL or other applications included with the management server.

Fix: F-27613r2_fix

Conduct required STIG reviews of the OS and all installed applications on the host server.

The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
High - V-24975 - SV-30812r2_rule
Severity: High
Version: WIR-WMS-GD-004
Vuln IDs
  • V-24975
Rule IDs
  • SV-30812r2_rule
A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-31229r7_chk

The host server host-based or appliance firewall must be configured as required. The server firewall is configured with the following rules:
  • Deny all except when explicitly authorized.
  • Internal traffic from the server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
  • Internet traffic from the server is limited to only specified services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the mobile management server and/or service.
  • Firewall settings listed in the STIG Technology Overview or the vendor's installation manual will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.
Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet.
Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.
Check Procedures:
  • Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall).
  • Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the server connects to should be included on this list.
  • Mark as a finding if the IP addresses configured on the server host-based firewall are not on the list of trusted networks.

Fix: F-27616r2_fix

Install the management server host-based or appliance firewall and configure as required.
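The check above ends with a comparison of every address the host firewall permits against the site's list of trusted networks. The following script is an added example, not part of the STIG or of any firewall product: it parses a rule export in a format invented for the example, confirms the default policy is deny-all, and reports each allow rule whose remote address is not contained in a trusted subnet. All addresses and the export text are constructed; a real HBSS, netsh or appliance export would need its own parser in place of `parse_export`.

```python
"""Audit a host firewall rule set against the trusted-network list.

Added example, not part of the STIG or any vendor product: it encodes the
WIR-WMS-GD-004 check that the firewall is deny-by-default and that every
allow rule points only at a trusted IP address or subnet. The export
format and all addresses below are constructed for the example.
"""
import ipaddress

# Constructed trusted list (hypothetical site addresses).
TRUSTED_NETWORKS = [
    "10.10.1.5/32",    # enclave Internet proxy
    "10.10.2.0/24",    # email and LDAP servers
    "10.10.50.0/24",   # approved back-office application/content servers
]

# Constructed rule export. Line format (invented for this example):
#   policy <allow|deny>
#   <allow|deny> <in|out> <proto> <remote address or CIDR> <port>
SAMPLE_EXPORT = """
policy deny
allow out tcp 10.10.1.5 8080      # web proxy
allow out tcp 10.10.2.0/24 389    # LDAP
allow out tcp 10.10.2.0/24 443    # mail server
allow in  tcp 10.10.2.0/24 17443  # management console from mail segment
allow out tcp 192.168.7.20 443    # not on the trusted list
allow out tcp 0.0.0.0/0 80        # unrestricted outbound HTTP
"""


def parse_export(text):
    """Return (default_policy, rules) from the constructed export format."""
    policy, rules = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "policy":
            policy = fields[1]
            continue
        action, direction, proto, remote, port = fields
        rules.append({
            "action": action,
            "direction": direction,
            "proto": proto,
            # strict=False lets a host address such as 192.168.7.20 become a /32
            "remote": ipaddress.ip_network(remote, strict=False),
            "port": int(port),
        })
    return policy, rules


def is_trusted(net, trusted):
    """True if `net` lies entirely inside one of the trusted networks."""
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit_firewall(export_text, trusted_networks):
    """Return a list of finding strings; an empty list means compliant."""
    trusted = [ipaddress.ip_network(t) for t in trusted_networks]
    policy, rules = parse_export(export_text)
    findings = []
    if policy != "deny":
        findings.append("default policy is %r, must be deny-all" % policy)
    for r in rules:
        if r["action"] != "allow":
            continue
        if not is_trusted(r["remote"], trusted):
            findings.append("%s %s/%d to %s is not on the trusted list"
                            % (r["direction"], r["proto"], r["port"], r["remote"]))
    return findings


if __name__ == "__main__":
    for f in audit_firewall(SAMPLE_EXPORT, TRUSTED_NETWORKS):
        print("FINDING:", f)
```

Run against the constructed export, the script reports two findings: the outbound rule to 192.168.7.20 and the unrestricted 0.0.0.0/0 rule. Rules whose remote address is a subnet are accepted only when the whole subnet sits inside a trusted network, which catches an overly broad allow rule that merely overlaps a trusted range.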

The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
Low - V-25754 - SV-32013r2_rule
Severity: Low
Version: WIR-WMS-GD-010
Vuln IDs
  • V-25754
Rule IDs
  • SV-32013r2_rule
When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.
Responsibility: System Administrator
IA Controls: IATS-1
Checks: C-32242r9_chk

Verify a DoD server certificate has been installed on the mobile management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed. The check procedure will depend on the mobile management server product used. Mark as a finding if a DoD server certificate has not been installed on the mobile device management server.
For the Good Technology server follow these procedures:
  • Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs.
  • Click the Lock icon next to the address bar, then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”.
If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD-issued certificate was installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.

Fix: F-28607r3_fix

Use a DoD-issued digital certificate on the mobile management server.
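The manual check above boils down to three conditions on the server's certificate chain: "Issued to" must differ from "Issued by", the top of the chain must be a trusted DoD root, and the status must be OK. The following code is an added example, not part of the STIG or of any vendor's product, that applies those conditions to certificates in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, with the chain supplied leaf-first. The sample chains are constructed; the hostname and the intermediate CA name are hypothetical, and only "DoD Root CA 2", quoted from the check text, is a real trust-anchor name.

```python
"""Check a TLS server certificate chain the way the WIR-WMS-GD-010 review does.

Added example, not the STIG's or any vendor's code. Certificates are dicts
in getpeercert() form: subject/issuer as tuples of RDN tuples, notAfter as
a string. The chain is a list, leaf first, root last.
"""
import ssl

TRUSTED_ROOT_CNS = {"DoD Root CA 2"}  # extend with the site's approved DoD roots


def rdn_to_dict(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) form to a dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def is_self_signed(cert):
    """'Issued to' equals 'Issued by' is the STIG's self-signed indicator."""
    return rdn_to_dict(cert["subject"]) == rdn_to_dict(cert["issuer"])


def chain_findings(chain, trusted_root_cns=TRUSTED_ROOT_CNS, now=None):
    """Return a list of findings for a leaf-first chain; empty means OK.

    now: optional POSIX timestamp; when given, expired certificates are
    reported as well (the STIG's "This certificate is OK" status).
    """
    if not chain:
        return ["no server certificate presented"]
    findings = []
    if is_self_signed(chain[0]):
        findings.append("server certificate is self-signed (Issued to == Issued by)")
    for child, parent in zip(chain, chain[1:]):
        if rdn_to_dict(child["issuer"]) != rdn_to_dict(parent["subject"]):
            findings.append("issuer of %r does not match the next certificate in the chain"
                            % rdn_to_dict(child["subject"]).get("commonName"))
    root_cn = rdn_to_dict(chain[-1]["subject"]).get("commonName")
    if root_cn not in trusted_root_cns:
        findings.append("chain top %r is not a trusted DoD root CA" % root_cn)
    if now is not None:
        for cert in chain:
            if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
                findings.append("%r has expired" % rdn_to_dict(cert["subject"]).get("commonName"))
    return findings


def _cert(cn, issuer_cn, not_after="Jan 01 00:00:00 2015 GMT"):
    """Build a constructed certificate dict in getpeercert() shape."""
    return {
        "subject": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
                    (("commonName", cn),)),
        "issuer": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
                   (("commonName", issuer_cn),)),
        "notAfter": not_after,
    }


# Constructed chains; hostname and intermediate CA are hypothetical.
DOD_CHAIN = [
    _cert("mem.example.mil", "Hypothetical DoD Intermediate CA"),
    _cert("Hypothetical DoD Intermediate CA", "DoD Root CA 2"),
    _cert("DoD Root CA 2", "DoD Root CA 2"),
]
SELF_SIGNED_CHAIN = [_cert("mem.example.mil", "mem.example.mil")]

if __name__ == "__main__":
    print("DoD chain:", chain_findings(DOD_CHAIN) or "OK")
    print("self-signed:", chain_findings(SELF_SIGNED_CHAIN))
```

The default self-signed certificate fails twice: the leaf is its own issuer, and the chain's top is therefore not a DoD root. Passing `now` turns the "This certificate is OK" part of the check into an explicit validity test; the reviewer's other failure cause, a workstation that lacks the DoD root and intermediate CAs, shows up in practice as a chain whose top is an intermediate rather than a root listed in `TRUSTED_ROOT_CNS`.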

Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
High - V-26564 - SV-33591r2_rule
Severity: High
Version: WIR-WMS-GD-011
Vuln IDs
  • V-26564
Rule IDs
  • SV-33591r2_rule
CTO 07-15 Rev 1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server to support AD authentication.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-1, IATS-1
Checks: C-34053r4_chk

Review the admin accounts settings on the mobile management server to verify CTO 07-15 Rev 1 required authentication is enabled for admin accounts. The check procedure will depend on the mobile management server product used. Mark as a finding if site admin accounts do not meet the requirements.

Fix: F-29731r2_fix

Configure required authentication on system administration accounts for mobile management servers.

The MEM client must provide users with the option to deny acceptance of a certificate when the certificate's revocation status cannot be verified.
Low - V-32776 - SV-43122r1_rule
Severity: Low
Version: WIR-WMS-MEM-01
Vuln IDs
  • V-32776
Rule IDs
  • SV-43122r1_rule
When the certificate revocation status cannot be verified, the email sender's identity cannot be verified and the user must have the capability to accept or deny the certificate and act on the email content based on the sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2
Checks: C-41109r3_chk

Verify the MEM client provides users with the option to deny acceptance of a certificate when the certificate's revocation status cannot be verified. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36657r2_fix

Use a MEM product that provides users with the option to deny acceptance of a certificate when the certificate's revocation status cannot be verified.

The MEM client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
Medium - V-32777 - SV-43123r1_rule
Severity: Medium
Version: WIR-WMS-MEM-02
Vuln IDs
  • V-32777
Rule IDs
  • SV-43123r1_rule
When the public-key certificate is issued from an untrusted certificate authority, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email content based on sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2
Checks: C-41110r4_chk

Verify the MEM client alerts the user if it receives a public-key certificate issued from an untrusted certificate authority. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36658r2_fix

Use a MEM product that alerts the user if it receives a public-key certificate issued from an untrusted certificate authority.

The MEM client must alert the user if it receives an invalid public-key certificate.
Low - V-32779 - SV-43125r1_rule
Severity: Low
Version: WIR-WMS-MEM-03
Vuln IDs
  • V-32779
Rule IDs
  • SV-43125r1_rule
When the public-key certificate is invalid, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email content based on sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2
Checks: C-41112r3_chk

Verify the MEM client alerts the user if it receives an invalid public-key certificate. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36660r2_fix

Use a MEM product that alerts the user if it receives an invalid public-key certificate.

The MEM client must not accept certificate revocation information without verifying its authenticity.
Low - V-32781 - SV-43127r1_rule
Severity: Low
Version: WIR-WMS-MEM-04
Vuln IDs
  • V-32781
Rule IDs
  • SV-43127r1_rule
When the public-key certificate has been identified as revoked but the revocation authenticity cannot be verified, the revocation cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email content based on sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2
Checks: C-41114r3_chk

Verify the MEM client does not accept certificate revocation information without verifying its authenticity. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36662r3_fix

Use a MEM product that does not accept certificate revocation information without verifying its authenticity.

The MEM client must verify the user digital certificate when performing PKI transactions.
Medium - V-32782 - SV-43128r1_rule
Severity: Medium
Version: WIR-WMS-MEM-05
Vuln IDs
  • V-32782
Rule IDs
  • SV-43128r1_rule
The trust of any PKI operation is contingent on the certificate chain. Authentication and encryption services based on PKI would be untrusted if the certificate chain is not verified.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2
Checks: C-41115r4_chk

Verify the MEM client verifies the user digital certificate in the certificate chain when performing PKI transactions. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36663r4_fix

Use a MEM product that verifies the user digital certificate in the certificate chain.

The MEM client must alert the user if it receives an unverified public-key certificate.
Low - V-32788 - SV-43134r1_rule
Severity: Low
Version: WIR-WMS-MEM-07
Vuln IDs
  • V-32788
Rule IDs
  • SV-43134r1_rule
When the public-key certificate is unverified, the certificate cannot be trusted and the recipient must have the capability to accept or deny the certificate and act on the email content based on sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2
Checks: C-41121r3_chk

Verify the MEM client alerts the user if it receives an unverified public-key certificate. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36669r2_fix

Use a MEM product that alerts the user if it receives an unverified public-key certificate.

All data (including email and attachments) sent over the wireless link between the mobile email client and MEM server located on the DoD network must be encrypted using AES.
Medium - V-32789 - SV-43135r1_rule
Severity: Medium
Version: WIR-WMS-MEM-08
Vuln IDs
  • V-32789
Rule IDs
  • SV-43135r1_rule
AES is the DoD standard for unclassified data encryption. When other encryption algorithms are used (non-type-1) the level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1
Checks: C-41122r4_chk

Verify the MEM client supports sending all email (including email attachments) over the wireless link between the mobile email client and MEM server located on the DoD network using AES. Verify the AES encryption key length is at least 128-bit. (AES 128-bit encryption key length is the minimum requirement; AES 256 desired.) Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36670r3_fix

Use a MEM product that supports sending all data (including email and attachments) over the wireless link between the mobile email client and MEM server located on the DoD network using AES with an encryption key length of at least 128-bit.

The MEM server and client must encrypt all data using a FIPS 140-2 validated cryptographic module.
Medium - V-32790 - SV-43136r1_rule
Severity: Medium
Version: WIR-WMS-MEM-09
Vuln IDs
  • V-32790
Rule IDs
  • SV-43136r1_rule
FIPS 140-2 validated encryption is the DoD standard for unclassified data encryption. When non-FIPS validated encryption modules are used (other than Type 1) the required level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1
Checks: C-41123r3_chk

Verify the MEM client encrypts all data using a FIPS 140-2 validated cryptographic module. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Vendor must provide valid NIST FIPS Certificate for the cryptographic module utilized. Mark as a finding if the MEM server does not have required features.

Fix: F-36671r2_fix

Use a MEM product that encrypts all email using a FIPS 140-2 validated cryptographic module.

The MEM client must be capable of providing S/MIME v3 (or later version) encryption of email.
Medium - V-32791 - SV-43137r1_rule
Severity: Medium
Version: WIR-WMS-MEM-10
Vuln IDs
  • V-32791
Rule IDs
  • SV-43137r1_rule
Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.
Responsibility: System Administrator
IA Controls: ECCT-1
Checks: C-41124r3_chk

Verify the MEM client is capable of providing S/MIME v3 (or later version) encryption of email. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36672r2_fix

Use a MEM product that is capable of providing S/MIME v3 (or later version) encryption of email.

The MEM client S/MIME must be fully interoperable with DoD PKI.
Low - V-32792 - SV-43138r1_rule
Severity: Low
Version: WIR-WMS-MEM-11
Vuln IDs
  • V-32792
Rule IDs
  • SV-43138r1_rule
Without DoD PKI interoperability, the S/MIME feature would not work and could not meet DoD S/MIME requirements.
Responsibility: System Administrator
IA Controls: ECCT-1
Checks: C-41125r3_chk

Verify the MEM client S/MIME feature is fully interoperable with the DoD PKI. CAC/PIV (and alternative hard token form factors such as SE MicroSD) and PKCS#12 (soft token) certificates must be supported. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36673r2_fix

Use a MEM product that has an S/MIME feature that is fully interoperable with DoD PKI.

The MEM client S/MIME encryption algorithm must support both 3DES and AES.
Medium - V-32793 - SV-43139r1_rule
Severity: Medium
Version: WIR-WMS-MEM-12
Vuln IDs
  • V-32793
Rule IDs
  • SV-43139r1_rule
3DES and AES are the DoD standard for unclassified data encryption based on DoD PKI certificates. AES is preferred but some DoD CACs only support the 3DES encryption algorithm. When other encryption algorithms are used (non-type-1) the level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1
Checks: C-41126r4_chk

Verify the MEM client S/MIME encryption algorithm supports both 3DES and AES. When AES is used, AES 128-bit encryption key length is the minimum requirement; AES 256 desired. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36674r2_fix

Use a MEM product that supports S/MIME encryption with an algorithm that supports both 3DES and AES.

The MEM client S/MIME cryptographic module must be FIPS 140-2 validated.
Medium - V-32794 - SV-43140r1_rule
Severity: Medium
Version: WIR-WMS-MEM-13
Vuln IDs
  • V-32794
Rule IDs
  • SV-43140r1_rule
FIPS 140-2 validated encryption is the DoD standard for unclassified data encryption. When non-FIPS validated encryption modules are used (other than Type 1) the level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1
Checks: C-41127r3_chk

Verify the MEM client S/MIME cryptographic module is FIPS 140-2 validated. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36675r3_fix

Use a MEM product that has an S/MIME cryptographic module that is FIPS 140-2 validated.

The MEM client must provide the capability to save public certificates of contacts in an acceptable method.
Low - V-32795 - SV-43141r1_rule
Severity: Low
Version: WIR-WMS-MEM-14
Vuln IDs
  • V-32795
Rule IDs
  • SV-43141r1_rule
This capability is required to support S/MIME encryption of email. Without S/MIME, end-to-end data encryption is not possible and sensitive DoD data could be compromised.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41128r5_chk

Verify the MEM client saves public certificates of contacts in the contact object by one of the following methods:
  1. By saving public PKI certificates that were attached to a received email message to the contacts object.
  2. By downloading the certificates via an external partner PKI lookup from the mobile device.
  3. By sending a signed email to a contact that just sent a signed email.
Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36676r3_fix

Use a MEM product that saves public certificates of contacts in the contact object by one of the acceptable methods.

The MEM client must not cache the certificate status of signed emails that have been received on the handheld device beyond the expiration period of the revocation data.
Low - V-32796 - SV-43142r1_rule
Severity: Low
Version: WIR-WMS-MEM-15
Vuln IDs
  • V-32796
Rule IDs
  • SV-43142r1_rule
If the revocation status of the certificate is not cached, the email client would need to retrieve the status every time a user opens a signed email, which would cause a usability issue of the mobile email feature and possibly cause the user to begin to ignore the status of signing certificates in received email.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41129r5_chk

There is no requirement that the certificate status of an email recipient's PKI certificate be cached on the mobile device. If it is cached, the status must be deleted within 7 days after being saved in the cache. Determine if the MEM client caches the certificate status of an email recipient's PKI certificate. If yes, verify the certificate status is purged from cache within 7 days after being saved. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features. Mark as NA if the MEM client does not cache the certificate status.

Fix: F-36677r2_fix

Use a MEM product that supports certificate status caching of no more than 7 days, if certificate status caching is supported.
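The rule title and the check text together give two upper bounds on a cached certificate status: the expiry of the revocation data itself (a CRL or OCSP nextUpdate) and an absolute 7 days. The cache below is an added example, not the STIG's or any MEM product's code, showing how a client keeps the usability benefit described in the discussion while honouring both bounds: an entry expires at whichever bound comes first and is dropped on the next lookup or purge. Timestamps are passed in explicitly so the behaviour is deterministic; the issuer name, serial numbers and times are constructed.

```python
"""Certificate-status cache with the WIR-WMS-MEM-15 expiry rule.

Added example, not the STIG's or any product's code. A cached status
expires at the earlier of the revocation data's own expiry (CRL or OCSP
nextUpdate) and 7 days after it was cached.
"""
from datetime import datetime, timedelta, timezone

MAX_CACHE_AGE = timedelta(days=7)  # upper bound from the STIG check text


class RevocationStatusCache:
    def __init__(self, max_age=MAX_CACHE_AGE):
        self.max_age = max_age
        self._entries = {}  # (issuer, serial) -> (status, expires_at)

    def store(self, issuer, serial, status, revocation_data_expires, now):
        """Cache `status` ('good' or 'revoked'); return the time it expires."""
        expires_at = min(now + self.max_age, revocation_data_expires)
        self._entries[(issuer, serial)] = (status, expires_at)
        return expires_at

    def lookup(self, issuer, serial, now):
        """Return the cached status, or None if absent or expired."""
        entry = self._entries.get((issuer, serial))
        if entry is None:
            return None
        status, expires_at = entry
        if now >= expires_at:
            # Stale: drop it so the client must re-check revocation.
            del self._entries[(issuer, serial)]
            return None
        return status

    def purge(self, now):
        """Delete every expired entry; return how many were removed."""
        stale = [key for key, (_, exp) in self._entries.items() if now >= exp]
        for key in stale:
            del self._entries[key]
        return len(stale)

    def __len__(self):
        return len(self._entries)


def demo():
    """Walk both bounds with constructed times; return the observed statuses."""
    t0 = datetime(2013, 5, 8, 12, 0, tzinfo=timezone.utc)
    cache = RevocationStatusCache()
    # A CRL expiring in 2 days bounds this entry to 2 days.
    cache.store("Hypothetical CA", "01", "good", t0 + timedelta(days=2), t0)
    # An OCSP response valid for 30 days is still capped at 7 days.
    cache.store("Hypothetical CA", "02", "good", t0 + timedelta(days=30), t0)
    return {
        "serial01_day1": cache.lookup("Hypothetical CA", "01", t0 + timedelta(days=1)),
        "serial01_day3": cache.lookup("Hypothetical CA", "01", t0 + timedelta(days=3)),
        "serial02_day6": cache.lookup("Hypothetical CA", "02", t0 + timedelta(days=6)),
        "serial02_day8": cache.lookup("Hypothetical CA", "02", t0 + timedelta(days=8)),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Keying the cache on issuer and serial rather than on the certificate's subject matters because a re-issued certificate for the same person gets fresh revocation data; the earlier-of-two-bounds rule also means a short-lived OCSP response is never stretched to the full 7 days.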

The MEM client must set the Smart Card or Certificate Store Password caching timeout period to no more than 120 minutes, if Smart Card or Certificate Store Password caching is available.
Medium - V-32797 - SV-43143r1_rule
Severity: Medium
Version: WIR-WMS-MEM-16
Vuln IDs
  • V-32797
Rule IDs
  • SV-43143r1_rule
The certificate/key store contents must not remain unencrypted indefinitely; otherwise, the encryption keys and PKI certificates stored in the store could be compromised. The store must re-encrypt contents of the store on or before the required timeout period.
Responsibility: System Administrator
IA Controls: ECCR-1
Checks: C-41130r3_chk

Verify the MEM client sets the Smart Card or Certificate Store Password caching timeout period from at least 15 to 120 minutes, if Smart Card or Certificate Store Password caching is available. Talk to the site system administrator and have them show this capability exists in the MEM server and is set as required. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features. Mark as NA if the MEM client does not cache the certificate store password.

Fix: F-36678r3_fix

Use a MEM product to set the Smart Card or Certificate Store Password caching timeout period of no more than 120 minutes, if Smart Card or Certificate Store Password caching is available.
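Several of the MEM rules reduce to numeric or set-membership tests on the client's policy: AES of at least 128 bits on the wireless link (WIR-WMS-MEM-08), S/MIME offering both 3DES and AES (WIR-WMS-MEM-12), a store-password caching timeout of 15 to 120 minutes, or NA when caching does not exist (WIR-WMS-MEM-16), and SHA2 signing (WIR-WMS-MEM-22). The checker below is an added example, not the STIG's or any product's code; the policy dictionary and its key names are a hypothetical stand-in for a product's policy export, and each rule evaluates to "pass", "finding" or "NA" the way a reviewer would record it.

```python
"""Evaluate a constructed MEM client policy export against several MEM rules.

Added example, not part of the STIG or of any MEM product. Key names in
the policy dict are hypothetical; bounds are quoted from the STIG text.
"""

MIN_AES_KEY_BITS = 128                       # WIR-WMS-MEM-08 and MEM-12
CACHE_TIMEOUT_RANGE = (15, 120)              # minutes, WIR-WMS-MEM-16
REQUIRED_SMIME_ALGS = {"3DES", "AES"}        # WIR-WMS-MEM-12
SHA2_FAMILY = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}  # WIR-WMS-MEM-22


def check_policy(policy):
    """Return {rule_id: (status, detail)} for the rules this example covers."""
    results = {}

    # MEM-08: transport encryption must be AES with a key of at least 128 bits.
    alg = policy.get("transport_cipher", "")
    bits = policy.get("transport_key_bits", 0)
    if alg.upper() == "AES" and bits >= MIN_AES_KEY_BITS:
        results["WIR-WMS-MEM-08"] = ("pass", "%s-%d on the wireless link" % (alg, bits))
    else:
        results["WIR-WMS-MEM-08"] = ("finding", "transport is %s-%s, need AES >= 128-bit"
                                     % (alg or "unset", bits))

    # MEM-12: S/MIME must offer both 3DES and AES, AES at 128 bits or more.
    algs = {a.upper() for a in policy.get("smime_ciphers", [])}
    missing = REQUIRED_SMIME_ALGS - algs
    aes_bits = policy.get("smime_aes_key_bits", 0)
    if missing:
        results["WIR-WMS-MEM-12"] = ("finding", "S/MIME lacks %s" % ", ".join(sorted(missing)))
    elif aes_bits < MIN_AES_KEY_BITS:
        results["WIR-WMS-MEM-12"] = ("finding", "S/MIME AES key is %d bits" % aes_bits)
    else:
        results["WIR-WMS-MEM-12"] = ("pass", "3DES and AES-%d available" % aes_bits)

    # MEM-16: caching timeout within 15-120 minutes; NA when caching is absent.
    if not policy.get("credential_cache_supported", False):
        results["WIR-WMS-MEM-16"] = ("NA", "client does not cache the store password")
    else:
        lo, hi = CACHE_TIMEOUT_RANGE
        timeout = policy.get("credential_cache_timeout_minutes")
        if timeout is None or not lo <= timeout <= hi:
            results["WIR-WMS-MEM-16"] = ("finding", "timeout is %s minutes, must be %d-%d"
                                         % (timeout, lo, hi))
        else:
            results["WIR-WMS-MEM-16"] = ("pass", "timeout is %d minutes" % timeout)

    # MEM-22: signing must use a SHA-2 digest (extend the set for SHA-3 products).
    digest = policy.get("signing_digest", "").upper()
    if digest in SHA2_FAMILY:
        results["WIR-WMS-MEM-22"] = ("pass", digest)
    else:
        results["WIR-WMS-MEM-22"] = ("finding", "signing digest is %s" % (digest or "unset"))
    return results


# Constructed policy exports.
COMPLIANT_POLICY = {
    "transport_cipher": "AES", "transport_key_bits": 256,
    "smime_ciphers": ["3DES", "AES"], "smime_aes_key_bits": 128,
    "credential_cache_supported": True, "credential_cache_timeout_minutes": 60,
    "signing_digest": "SHA-256",
}
WEAK_POLICY = {
    "transport_cipher": "RC4", "transport_key_bits": 128,
    "smime_ciphers": ["AES"], "smime_aes_key_bits": 256,
    "credential_cache_supported": True, "credential_cache_timeout_minutes": 480,
    "signing_digest": "SHA-1",
}
NO_CACHE_POLICY = dict(COMPLIANT_POLICY, credential_cache_supported=False)


def findings(policy):
    """Rule IDs whose status is 'finding', sorted for stable output."""
    return sorted(rule for rule, (status, _) in check_policy(policy).items()
                  if status == "finding")


if __name__ == "__main__":
    for rule, (status, detail) in check_policy(WEAK_POLICY).items():
        print(rule, status, detail)
```

The three-way result matters for the timeout rule in particular: a client with no password caching at all is recorded NA rather than as a pass or a finding, matching the "Mark as NA" instruction in the check text, while a client that caches for 480 minutes is a finding even though it does cache.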

The MEM client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates.
Medium - V-32798 - SV-43144r1_rule
Severity: Medium
Version: WIR-WMS-MEM-17
Vuln IDs
  • V-32798
Rule IDs
  • SV-43144r1_rule
The email client must support signing and encrypting email using both software and hardware PKI certificates so that the DoD can use either certificate form factor based on current policy, security threats, and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41131r3_chk

Verify the MEM client provides the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36679r2_fix

Use a MEM product that provides the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates.

The MEM client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates.
Medium - V-32799 - SV-43145r1_rule
Severity: Medium
Version: WIR-WMS-MEM-18
Vuln IDs
  • V-32799
Rule IDs
  • SV-43145r1_rule
The email client must support signing operations (verifying digital signatures) and decrypting email using both software and hardware PKI certificates so that the DoD can use either certificate form factor based on current policy, security threat, and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41132r2_chk

Verify the MEM client provides the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36680r2_fix

Use a MEM product that provides mobile device users the capability to decrypt incoming email messages using software or hardware based digital certificates.

The MEM client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.
Medium - V-32800 - SV-43146r1_rule
Severity: Medium
Version: WIR-WMS-MEM-19
Vuln IDs
  • V-32800
Rule IDs
  • SV-43146r1_rule
Certificate validation is a key requirement of a robust PKI; therefore, the mobile email server must support all DoD accepted processes for distributing certificate status information.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41133r3_chk

Verify the MEM client provides a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. Trusted in this context means signed with a DoD PKI certificate. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36681r3_fix

Use a MEM product that provides a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.

The MEM client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified.
Low - V-32801 - SV-43147r1_rule
Severity: Low
Version: WIR-WMS-MEM-20
Vuln IDs
  • V-32801
Rule IDs
  • SV-43147r1_rule
Certificate validation is a key requirement of a robust PKI; therefore, the user must be notified if the status of a certificate on a signed email cannot be verified.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41134r3_chk

Verify the MEM client provides a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36682r2_fix

Use a MEM product that provides a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified.

The MEM client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.
Low - V-32802 - SV-43148r1_rule
Severity: Low
Version: WIR-WMS-MEM-21
Vuln IDs
  • V-32802
Rule IDs
  • SV-43148r1_rule
S/MIME operations cannot be performed if the device user cannot access public encryption certificates for email recipients; therefore, if encryption certificates are not stored in the contacts list or other local certificate store, S/MIME must be able to retrieve the certificates from the GAL, GDS, or other non-local DoD sources.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41135r2_chk

Verify the MEM client supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36683r1_fix

Use a MEM product that supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.

The MEM client must support SHA2 or later signing operations.
Medium - V-32803 - SV-43149r1_rule
Severity: Medium
Version: WIR-WMS-MEM-22
Vuln IDs
  • V-32803
Rule IDs
  • SV-43149r1_rule
SHA2 or later signing is required because earlier signing algorithms have been compromised and do not provide the required level of trust.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41136r2_chk

Verify the MEM client supports SHA2 or later signing operations. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36684r1_fix

Use a MEM product that supports SHA2 or later signing operations.

a
The MEM client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
Low - V-32804 - SV-43150r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-MEM-23
Vuln IDs
  • V-32804
Rule IDs
  • SV-43150r1_rule
HTML email and inline images in email can contain malware or links to websites with malware.
Responsibility: System Administrator
IA Controls: DCMC-1
Checks: C-41137r4_chk

Verify the MEM server either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Fix: F-36685r1_fix

Use a MEM product that either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
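The conversion this requirement describes, as an added example that is not part of the STIG or of any MEM product: a standard-library HTML-to-text filter of the kind a mail gateway could apply before forwarding a message to a device. Scripts, styles, embedded objects and frames are removed together with their contents; links and images are reduced to their visible text; comments (including Outlook conditional comments) are discarded. The returned list of dropped tags is there so the gateway can log what was removed. The sample message is constructed. RTF bodies (for example, TNEF `winmail.dat` attachments) need a separate converter and are not handled here.

```python
"""Convert an HTML email body to plain text, discarding active content.

Added example, not part of the STIG or of any MEM product. Input is constructed.
"""
from html.parser import HTMLParser

# Elements whose content can execute or fetch remote resources: the element
# and everything inside it is dropped.
ACTIVE_ELEMENTS = frozenset({
    "script", "style", "object", "embed", "applet", "iframe", "frame",
    "form", "svg", "math", "template", "noscript",
})
# Elements dropped as tags but whose visible text is kept: link text survives,
# the href/src attribute does not.
STRIPPED_TAGS = frozenset({"a", "img", "link", "meta", "base", "input", "button"})
# Elements rendered as line breaks in the text output.
BLOCK_ELEMENTS = frozenset({
    "p", "div", "br", "li", "tr", "table", "ul", "ol", "blockquote", "pre",
    "h1", "h2", "h3", "h4", "h5", "h6",
})


class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._parts = []
        self._suppress = 0      # > 0 while inside an active element
        self.dropped = []       # tags removed, in document order, for audit logs

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self._suppress += 1
            self.dropped.append(tag)
            return
        if self._suppress:
            return
        if tag in STRIPPED_TAGS:
            self.dropped.append(tag)
        if tag in BLOCK_ELEMENTS:
            self._parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress:
            return
        if tag in BLOCK_ELEMENTS:
            self._parts.append("\n")

    def handle_data(self, data):
        # Text inside script/style/object is never copied to the output.
        if not self._suppress:
            self._parts.append(data)

    def handle_comment(self, data):
        pass    # conditional comments and hidden markup are discarded

    def text(self):
        lines = (" ".join(line.split()) for line in "".join(self._parts).splitlines())
        return "\n".join(line for line in lines if line)


def html_to_text(html):
    """Return (plain_text, dropped_tags) for an HTML body."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return parser.text(), parser.dropped


# Constructed sample body: tracking script, beacon image, link and an embedded object.
SAMPLE_HTML = """<html><head><style>body{color:red}</style>
<script>document.location='http://example.invalid/track'</script></head>
<body><p>Quarterly report attached.</p>
<img src="http://example.invalid/beacon.gif" width="1" height="1">
<p>See <a href="http://example.invalid/login">the portal</a> for details.</p>
<!--[if gte mso 9]><xml>hidden</xml><![endif]-->
<object data="payload.swf"></object>
</body></html>"""

if __name__ == "__main__":
    body, removed = html_to_text(SAMPLE_HTML)
    print(body)
    print("removed:", removed)
```

For the sample above the text output is the two sentences a reader would see, with no URL, script or object left, and the dropped-tag list names the five elements that were filtered.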

The MEM client must support SHA2 signature verification.
Low - V-32805 - SV-43151r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-MEM-24
Vuln IDs
  • V-32805
Rule IDs
  • SV-43151r1_rule
SHA2 or later signing is required because earlier signing algorithms have been compromised and do not provide the required level of trust.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41138r2_chk

Verify the MEM client supports SHA2 signature verification. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have the required features.

Fix: F-36686r1_fix

Use a MEM product that supports SHA2 signature verification.
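One way to confirm, from captured mail rather than product documentation, that clients actually sign with SHA2 (the signing requirement above) and that what they are asked to verify is SHA2-signed (this requirement), as an added example that is not part of the STIG or of any MEM product: a standard-library audit helper that reads the `micalg` parameter of `multipart/signed` messages (RFC 5751). The parameter is advisory; the authoritative digest algorithm is the `digestAlgorithm` in the CMS SignerInfo inside the PKCS#7 blob, which needs an ASN.1 parser, so opaque `application/pkcs7-mime` messages are reported for manual review. The messages below are constructed and their signature bodies are placeholders, not real CMS structures.

```python
"""Report the digest algorithm advertised by S/MIME signed messages.

Added example, not part of the STIG or of any MEM product. Messages are
constructed; the base64 signature bodies are placeholders, not real CMS data.
"""
import email

# micalg values from RFC 5751 section 3.4.3.2, plus the unhyphenated spellings
# some older clients emit.
SHA2_MICALG = frozenset({"sha-224", "sha-256", "sha-384", "sha-512",
                         "sha224", "sha256", "sha384", "sha512"})
WEAK_MICALG = frozenset({"md5", "sha1", "sha-1"})


def signature_digest(msg):
    """Classify one parsed message by the digest algorithm it advertises."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        micalg = str(msg.get_param("micalg") or "").lower()
        if micalg in SHA2_MICALG:
            return "ok", micalg
        if micalg in WEAK_MICALG:
            return "weak", micalg
        return "unknown", micalg or None
    if ctype == "application/pkcs7-mime":
        # Opaque S/MIME: the digest algorithm lives only in the CMS SignerInfo,
        # which MIME headers do not expose; flag for manual review.
        return "opaque", None
    return "unsigned", None


def audit(raw_messages):
    """Return [(message_id, status, micalg)] for a list of RFC 5322 strings."""
    results = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        results.append((msg.get("Message-ID"), *signature_digest(msg)))
    return results


def _signed(msg_id, micalg):
    """Build a constructed clear-signed S/MIME message with the given micalg."""
    return f"""Message-ID: <{msg_id}@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg={micalg}; boundary="b1"

--b1
Content-Type: text/plain

Body text.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""


# Constructed samples: SHA-256 signed, SHA-1 signed, unsigned, and opaque-signed.
SAMPLES = [
    _signed("sha2", "sha-256"),
    _signed("legacy", "sha1"),
    "Message-ID: <plain@example.invalid>\nContent-Type: text/plain\n\nNo signature.\n",
    "Message-ID: <opaque@example.invalid>\n"
    "Content-Type: application/pkcs7-mime; smime-type=signed-data; name=\"smime.p7m\"\n"
    "Content-Transfer-Encoding: base64\n\nUExBQ0VIT0xERVI=\n",
]

if __name__ == "__main__":
    for message_id, status, micalg in audit(SAMPLES):
        print(f"{message_id}: {status} ({micalg})")
```

Running it over a mail store export classifies each message as `ok`, `weak`, `unknown`, `opaque` or `unsigned`; any `weak` result from a managed device is evidence against the capability this check asks for.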

All email sent to the mobile device must be managed by the mobile email server. Desktop or Internet controlled email redirection is not authorized.
Medium - V-32806 - SV-43152r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-MEM-25
Vuln IDs
  • V-32806
Rule IDs
  • SV-43152r1_rule
Desktop or Internet controlled mobile email redirection does not allow the mobile email to be managed by a mobile email management server; therefore, email security policies cannot be enforced.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-41139r2_chk

Verify all email sent to the mobile device is managed by the mobile email management server. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have the required features.

Fix: F-36687r1_fix

Use a MEM product that manages all email sent to the mobile device through the mobile email management server.

The MEM client must enable a system administrator to select which data fields in the contacts database will be available to applications outside of the contacts database.
Low - V-32807 - SV-43153r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-MEM-26
Vuln IDs
  • V-32807
Rule IDs
  • SV-43153r1_rule
Sensitive contact information could be exposed to unauthorized people.
Responsibility: System Administrator
IA Controls: ECAN-1
Checks: C-41140r3_chk

Verify the MEM server supports the capability to limit which fields in the email client contacts list can be exported to the mobile device contacts list, if this capability is supported. This feature is usually implemented via a security policy pushed from the MEM server to the email client. Transferred email contact information should be limited to contact name and telephone numbers. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have the required features.

Fix: F-36688r2_fix

Use a MEM product that supports the capability to limit what fields in the email client contacts list can be exported to the mobile device contacts list.

The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
Low - V-33231 - SV-43637r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-MDM-03
Vuln IDs
  • V-33231
Rule IDs
  • SV-43637r1_rule
There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.
Responsibility: System Administrator
IA Controls: IAKM-1
Checks: C-41503r3_chk

This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable. Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days. Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used.

Fix: F-37140r1_fix

Use an AES master encryption key and set it to rotate at least every 30 days.
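The decision procedure of the check above (not applicable for PKI-derived keys; otherwise the cipher must be AES and the key must rotate at least every 30 days) as an added example that is not part of the STIG or of any MDM/MEM product. Management servers store this configuration in product-specific formats, so the `MasterKeyConfig` record and the sample values are assumptions; the key material shown is a constructed placeholder, and a real audit script should read the server's settings without ever logging the key itself.

```python
"""Check a mobile management server's master-key settings against the
30-day rotation requirement.

Added example, not part of the STIG or of any MDM/MEM product. The
configuration record and sample values are assumptions.
"""
from dataclasses import dataclass
from datetime import date

MAX_ROTATION_DAYS = 30
AES_KEY_SIZES = {16, 24, 32}        # bytes: AES-128, AES-192, AES-256


@dataclass
class MasterKeyConfig:
    key_exchange: str       # "shared-secret" or "pki" (assumed field)
    algorithm: str          # cipher used for server<->agent traffic
    key_hex: str            # key material as hex (constructed placeholder)
    rotation_days: int      # configured automatic rotation interval
    last_rotated: date      # when the key was last rotated


def check_master_key(cfg, today):
    """Return (status, findings); status is 'not-applicable', 'compliant' or 'finding'."""
    if cfg.key_exchange.lower() == "pki":
        # PKI-based key generation is outside the scope of this check.
        return "not-applicable", []
    findings = []
    if cfg.algorithm.upper() != "AES":
        findings.append(f"cipher is {cfg.algorithm}, not AES")
    else:
        try:
            key_len = len(bytes.fromhex(cfg.key_hex))
        except ValueError:
            key_len = -1
        if key_len not in AES_KEY_SIZES:
            findings.append(f"key material ({key_len} bytes) is not a valid AES key size")
    if cfg.rotation_days > MAX_ROTATION_DAYS:
        findings.append(f"rotation interval {cfg.rotation_days} days exceeds {MAX_ROTATION_DAYS}")
    age = (today - cfg.last_rotated).days
    if age > MAX_ROTATION_DAYS:
        # Catches a key that is overdue even if the configured interval is fine.
        findings.append(f"key was last rotated {age} days ago")
    return ("finding" if findings else "compliant"), findings


# Constructed samples; the audit date is this STIG's publication date.
AUDIT_DATE = date(2013, 5, 8)
PLACEHOLDER_KEY = "0123456789abcdef" * 4     # 32 bytes (AES-256 size), not a real key
SAMPLES = {
    "rotated": MasterKeyConfig("shared-secret", "AES", PLACEHOLDER_KEY, 30, date(2013, 4, 20)),
    "stale": MasterKeyConfig("shared-secret", "AES", PLACEHOLDER_KEY, 90, date(2013, 1, 15)),
    "wrong-cipher": MasterKeyConfig("shared-secret", "3DES", "0123456789abcdef" * 3, 30, date(2013, 4, 20)),
    "pki": MasterKeyConfig("pki", "AES", "", 0, date(2013, 1, 1)),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        status, findings = check_master_key(cfg, AUDIT_DATE)
        print(f"{name}: {status}" + ("".join(f"\n  - {f}" for f in findings)))
```

The "stale" sample produces two findings (interval too long and key overdue) because both conditions are reported separately; reporting the overdue age as well as the configured interval matters, since a 30-day interval that never actually fired is still a finding.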