Android 2.2 (Dell) Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2014-08-26

This STIG contains technical security controls required for the use of the Android 2.2 (Dell version) mobile operating system in the DoD environment when managed by the Good Mobility Suite.
The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks will be FIPS 140-2 validated. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Medium - V-18627 - SV-38990r1_rule
Severity: Medium
Version: WIR-MOS-AND-034-01
Vuln IDs:
  • V-18627
Rule IDs:
  • SV-38990r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.
IA Controls: ECWN-1
Checks: C-37949r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
- Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
- Review VPN client specification sheets and the FIPS 140-2 certificate.
- Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client.
Mark as a finding if the VPN is not FIPS 140-2 validated.

Fix: F-20573r6_fix

Comply with requirement.

Removable memory cards (e.g., MicroSD) must have data stored on the card encrypted with a FIPS 140-2 validated cryptographic module.
Medium - V-18856 - SV-35045r1_rule
Severity: Medium
Version: WIR-MOS-AND-033-01
Vuln IDs:
  • V-18856
Rule IDs:
  • SV-35045r1_rule
Memory cards used to transfer files between PCs and PDAs are a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed in this check.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34919r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Restrictions tab.
- Verify under Hardware Functionality “Allow SD card encryption” is checked.
Note: Removable flash media is defined as media that is readily accessible by the user and does not require additional tools to disassemble the device or remove screws to gain access.
Mark as a finding if configuration is not as required.

Fix: F-30395r1_fix

Either do not use removable storage media in the smartphone or enable FIPS validated encryption on the smartphone for removable memory cards.

All wireless PDA clients used for remote access to DoD networks must enable AES encryption for the VPN.
Medium - V-19897 - SV-35005r1_rule
Severity: Medium
Version: WIR-MOS-AND-034-02
Vuln IDs:
  • V-19897
Rule IDs:
  • SV-35005r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34881r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
- Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
- Review VPN client specification sheets.
- Verify AES encryption is enabled for the VPN client.
Mark as a finding if AES is not supported or is not enabled.

Fix: F-30398r1_fix

Use only AES encryption with VPN client.

All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication.
Medium - V-19898 - SV-35006r1_rule
Severity: Medium
Version: WIR-MOS-AND-034-03
Vuln IDs:
  • V-19898
Rule IDs:
  • SV-35006r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34882r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
- Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
- Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability).
Mark as a finding if CAC authentication is not supported.

Fix: F-30399r1_fix

Do not use the smartphone VPN client if it does not support CAC authentication.

All wireless PDA and smartphone client VPNs must have split tunneling disabled.
Medium - V-19899 - SV-35007r1_rule
Severity: Medium
Version: WIR-MOS-AND-034-04
Vuln IDs:
  • V-19899
Rule IDs:
  • SV-35007r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34883r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
- Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
- Check to see if the VPN has a setting to disable split tunneling.
- Verify split tunneling has been disabled.
Mark not applicable if the VPN is not used for remote access to a DoD network.

Fix: F-30400r1_fix

Use only VPN clients supporting the capability to disable split-tunneling.

Smartphone devices must have required operating system software versions installed.
Medium - V-24981 - SV-35011r1_rule
Severity: Medium
Version: WIR-MOS-AND-001
Vuln IDs:
  • V-24981
Rule IDs:
  • SV-35011r1_rule
Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.
Responsibility: System Administrator
IA Controls: ECSC-1, ECWN-1
Checks: C-34887r1_chk

- Verify the Android version is 2.2.2, kernel version 2.6.32.9-perf or later.
  -- Log into the Android device.
  -- Go to Settings > About phone.
- Verify the Good App version is 1.8 or later.
  -- Log into the Android device.
  -- Launch the Good app and enter login info.
  -- Go to Preferences > About.
Mark as a finding if either version is not as required.

Fix: F-27622r1_fix

Install required OS version.

Smart Card Readers (SCRs) used with smartphones must have the required software version installed.
Low - V-24982 - SV-35012r1_rule
Severity: Low
Version: WIR-MOS-AND-002
Vuln IDs:
  • V-24982
Rule IDs:
  • SV-35012r1_rule
Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-34888r1_chk

Detailed Policy Requirements:
SCR: Biometric Associates, LP (BAL) baiMobile BAL-3000MP Bluetooth Smart Card Reader. Firmware version v2.01.00 or later should be used (version v2.02.00 is recommended).
Check Procedures:
- Check a sample of site readers (3-4).
- The version of the reader firmware is displayed when the user presses and holds the Action button for a couple of seconds.
Mark as a finding if the firmware version on the SCR is not the approved version.

Fix: F-27623r1_fix

Install required SCR software version.

S/MIME must be installed on smartphones so users can sign/encrypt email.
Medium - V-24983 - SV-35013r1_rule
Severity: Medium
Version: WIR-MOS-AND-003
Vuln IDs:
  • V-24983
Rule IDs:
  • SV-35013r1_rule
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. Without S/MIME, users will not be able to read encrypted email and will not be able to encrypt email with sensitive information.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-34889r1_chk

Verify an S/MIME profile is installed on the Android device:
- Log into the Android device.
- Open the Good application. Go to Preferences.
- Verify Smartcard and S/MIME specific settings are listed.
If not listed, mark as a finding.

Fix: F-27624r5_fix

Provision the mobile email client with S/MIME so users can digitally sign and encrypt email.

If smartphone email auto signatures are used, the signature message must not disclose the email originated from a smartphone (e.g., “Sent From My Wireless Handheld”).
Low - V-24984 - SV-35014r1_rule
Severity: Low
Version: WIR-MOS-AND-004
Vuln IDs:
  • V-24984
Rule IDs:
  • SV-35014r1_rule
The disclaimer message may give information which may key an attacker in on the device.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-34890r1_chk

Verify the auto-signature, if used, meets requirements.
- Check a random sample of 3-4 devices.
- On the handheld, launch the Good client and go to Preferences > Signature.
Mark as a finding if the device has been configured with an auto-signature and the signature states the email originated from a smartphone.

Fix: F-27625r4_fix

Configure the iOS email auto-signature message, so it does not disclose the email originated from the iOS device (e.g., Sent From My Wireless Handheld).

All Internet browsing on a DoD mobile operating system (OS) device will go through a DoD Internet proxy.
Low - V-24985 - SV-38760r1_rule
Severity: Low
Version: WIR-MOS-AND-005
Vuln IDs:
  • V-24985
Rule IDs:
  • SV-38760r1_rule
A DoD Internet proxy provides additional security over the carrier's browser. When using the DoD Internet proxy for mobile device Internet connections, enclave Internet security controls will filter and monitor mobile device Internet connections.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-37826r1_chk

Verify the URL of a DoD external-facing Internet proxy has been configured in the Good server console.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Restrictions tab.
- Verify “Enable HTTP Proxy” is set, a Host URL is listed, and the Port is set to 8080.
Mark as a finding if configuration is not set as required. Mark as a finding if a DoD Internet proxy URL has not been set up on the Good server.

Fix: F-27626r3_fix

Use a compliant browser implementation on the iOS device.

All non-core applications on the mobile OS device must be approved by the DAA or Command IT Configuration Control Board.
High - V-24986 - SV-35015r1_rule
Severity: High
Version: WIR-MOS-AND-006-01
Vuln IDs:
  • V-24986
Rule IDs:
  • SV-35015r1_rule
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).
Responsibility: Information Assurance Officer, Designated Approving Authority, Information Assurance Manager
IA Controls: DCCB-1, ECWN-1
Checks: C-34891r1_chk

Detailed Requirements:
Core applications are applications included in the mobile operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the mobile OS device must be approved by the DAA or the Command IT Configuration Control Board. Approval must be documented in some type of approval (memo, letter, etc.).
Check Procedures:
Review the procedures the site or command uses to review and approve third-party applications used on managed Android devices. Have the IAO or DAA representative provide a copy of the application review. Second, select 3-4 random devices managed by the site to review.
- Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card.
  -- Have the user log into the device. Go to Settings > Applications > Manage applications. To view the list of applications on the smartphone, select “All”. To view a list of applications on the SD media card, select “On SD card”.
  -- If an App is not in the list of core Apps (see below), then note the name of the App.
  -- Verify the site has written approval to use the App from the DAA or site IT CCB.
- Mark as a finding if any App has not been approved.
A list of standard core Android Apps can be found in the STIG Configuration Tables document.
Note: The DAA or IT CCB should also indicate if location services are approved for any approved applications, including core applications (e.g., can the user enable location services in Android for the application).

Fix: F-27627r1_fix

Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.

A compliance rule must be set up in the server defining required mobile OS software versions.
Medium - V-25003 - SV-34965r1_rule
Severity: Medium
Version: WIR-MOS-AND-030-01
Vuln IDs:
  • V-25003
Rule IDs:
  • SV-34965r1_rule
Unapproved OS versions do not support required security features. The security baseline of the Android system could be compromised if required security features are not available.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-34843r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select a policy set to review and click on the policy.
- On the left tab, select Compliance Manager.
- Verify the “OS Version Verification” rule is listed. (Note: The rule title does not have to be exact.)
- Open the rule by checking the box next to the rule, and then click on Edit.
- Verify the following are set:
  -- Platform: Android
  -- Check to Run: OS Version Verification
- Verify the following are checked: Android 2.2
- Verify “Failure Action” is set to “Quit Good for Enterprise”.
- Verify “Check Every” is set to “1 hour”.
Mark as a finding if the “OS Version Verification” rule has not been set up or is not configured as required.

Fix: F-27651r3_fix

Install the required OS version.

Smartphones must be configured to require a password/passcode for device unlock.
High - V-25007 - SV-35018r1_rule
Severity: High
Version: WIR-MOS-AND-G-010
Vuln IDs:
  • V-25007
Rule IDs:
  • SV-35018r1_rule
Sensitive DoD data could be compromised if a device unlock password/passcode is not set up on DoD smartphones.
Responsibility: System Administrator
IA Controls: ECWN-1, IAIA-1
Checks: C-34893r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Passcode tab.
- Verify “Require passcode” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-27657r3_fix

Configure the MDM server to require a passcode for device unlock.

Maximum password/passcode age must be set.
Low - V-25009 - SV-35021r1_rule
Severity: Low
Version: WIR-MOS-AND-G-013
Vuln IDs:
  • V-25009
Rule IDs:
  • SV-35021r1_rule
Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD smartphone and the passcode is not changed periodically.
Responsibility: System Administrator
IA Controls: ECWN-1, IAIA-1
Checks: C-34897r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Passcode tab.
- Verify “Maximum passcode age” is checked and set to 90 days or less.
Mark as a finding if configuration is not set as required.

Fix: F-27659r4_fix

Set maximum passcode age to 120 days or less if the DAA requires this setting.

The smartphone inactivity timeout must be set.
Medium - V-25010 - SV-35023r1_rule
Severity: Medium
Version: WIR-MOS-AND-G-016
Vuln IDs:
  • V-25010
Rule IDs:
  • SV-35023r1_rule
Sensitive DoD data could be compromised if the smartphone does not automatically lock after 15 minutes of inactivity.
Responsibility: System Administrator
IA Controls: PESL-1
Checks: C-34898r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Passcode tab.
- Verify “Grace period” is checked and set to 15 minutes or less.
Mark as a finding if configuration is not set as required.

Fix: F-27661r4_fix

Enforce the CMD inactivity timeout requirement of 15 minutes or less through a combination of "Auto-Lock" and "Grace period" values that do not sum to greater than 15 minutes.

Password/passcode maximum failed attempts must be set to the required value.
Medium - V-25011 - SV-35024r1_rule
Severity: Medium
Version: WIR-MOS-AND-G-017
Vuln IDs:
  • V-25011
Rule IDs:
  • SV-35024r1_rule
A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data.
Responsibility: System Administrator
IA Controls: IAIA-1
Checks: C-34900r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Passcode tab.
- Verify “Maximum failed attempts” is checked and set to 10 or less.
Mark as a finding if configuration is not set as required.

Fix: F-27662r2_fix

Set password/passcode maximum failed attempts to 10 or less.

Access to public application stores must be disabled.
Medium - V-25012 - SV-35030r1_rule
Severity: Medium
Version: WIR-MOS-AND-G-019
Vuln IDs:
  • V-25012
Rule IDs:
  • SV-35030r1_rule
Strong configuration management of all applications installed on DoD devices is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECWN-1
Checks: C-34903r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
When reviewing the STIG Policy Set, check the following:
- Click the Restrictions tab.
- Verify “Allow installing apps from online store” is unchecked.
Mark as a finding if configuration is not set as required.

Fix: F-27663r2_fix

Disable access to public media stores.

Users must not be allowed to download applications on smartphones without SA control.
Medium - V-25013 - SV-35034r1_rule
Severity: Medium
Version: WIR-MOS-AND-G-020
Vuln IDs:
  • V-25013
Rule IDs:
  • SV-35034r1_rule
Strong configuration management of all applications installed on DoD devices is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECLP-1, ECWN-1
Checks: C-34904r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
When reviewing the STIG Policy Set, check the following:
- Click the Restrictions tab.
- Verify “Allow installing apps” is unchecked.
Mark as a finding if configuration is not set as required.

Fix: F-27664r4_fix

On the MDM server, set “Allow installing apps” to disabled (unchecked).

Use of the smartphone camera must be approved and documented in the site physical security policy.
Low - V-25014 - SV-35035r1_rule
Severity: Low
Version: WIR-MOS-AND-G-021
Vuln IDs:
  • V-25014
Rule IDs:
  • SV-35035r1_rule
This is an operational security issue. Sensitive DoD data could be compromised if cameras are allowed in areas not authorized by the site physical security plan.
Responsibility: System Administrator, Information Assurance Officer, Designated Approving Authority, Information Assurance Manager
IA Controls: ECWN-1
Checks: C-34906r1_chk

Review the site physical security plan. Determine if digital cameras are allowed in site facilities.
Note: Some sites have a policy not allowing digital cameras in the facility but allow smartphones with cameras, when used outside the facility, for mission support functions.
- If digital cameras are allowed, “Allow use of camera” can be checked.
- If digital cameras are not allowed but smartphones with cameras, when used outside the facility, for mission support functions are allowed, “Allow use of camera” can be checked.
- If the site physical security policy does not specifically state use of digital cameras is allowed, “Allow use of camera” must be unchecked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
Note: The site has the ability to disable the camera by using the Android profile if camera use is not approved, or allow the use of the camera if use is approved and documented in the site physical security policy. Also, the site can state in the site physical security policy that camera use outside the facility is approved, but the camera must be disabled on the phone when brought into the facility. In this case, “Allow use of camera” would not be checked.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Restrictions tab.
- Determine if “Allow use of camera” is unchecked or checked. If checked, verify the site physical security policy allows the use of smartphone cameras.
Mark as a finding if “Allow use of camera” is checked and the site physical security policy does not allow the use of smartphone cameras.

Fix: F-27665r3_fix

Disable (uncheck) "Allow use of camera" in the iOS policy on the MDM server unless documented approval exists in the site physical security policy.

Device minimum password/passcode length must be set.
Medium - V-25016 - SV-35037r1_rule
Severity: Medium
Version: WIR-MOS-AND-G-011
Vuln IDs:
  • V-25016
Rule IDs:
  • SV-35037r1_rule
Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required length on DoD smartphones.
Responsibility: System Administrator
IA Controls: ECWN-1, IAIA-1
Checks: C-34907r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
- Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
  -- Log into the Good Mobile Control console.
  -- Click on the Policies tab.
  -- View all policy sets on the server.
- Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the Android devices and click on Android Configuration on the left side.
- Click the Passcode tab.
- Verify “Minimum length of” is set to 8 or more for the STIG Policy Set.
Mark as a finding if configuration is not set as required.

Fix: F-27687r5_fix

Configure the mobile operating system to enforce a minimum length for the device unlock password. Where a security container application is used in lieu of mobile operating system protections, configure the security container application to enforce a minimum length password for entry into the application.

The smartphone Auto-Lock must be set.
Medium - V-25017 - SV-35040r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-014
Vuln IDs
  • V-25017
Rule IDs
  • SV-35040r1_rule
Sensitive DoD data could be compromised if the smartphone does not automatically lock after a set period of inactivity.
Responsibility: System Administrator
IA Controls: PESL-1
Checks: C-34910r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the Passcode tab.
-Verify “Auto-lock” is set to 5 minutes or less.
Mark as a finding if configuration is not set as required.

Fix: F-27688r4_fix

Set the CMD Auto-Lock to a value other than "Never". Five minutes or less is recommended.

The smartphone passcode history setting must be set.
Low - V-25018 - SV-35041r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-MOS-AND-G-015
Vuln IDs
  • V-25018
Rule IDs
  • SV-35041r1_rule
The password/passcode would be more susceptible to compromise if the user can select frequently used passwords/passcodes.
Responsibility: System Administrator
IA Controls: IAIA-1
Checks: C-34912r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
----------------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the Passcode tab.
-Verify Passcode history is set to 3 or more.
Mark as a finding if configuration is not set as required.

Fix: F-27689r4_fix

Set the mobile device passcode history setting to 3 or more if the DAA requires this setting.

The smartphone Bluetooth radio must be disabled if not authorized for use.
Medium - V-25019 - SV-34994r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-040-01
Vuln IDs
  • V-25019
Rule IDs
  • SV-34994r1_rule
The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-34874r1_chk

The Bluetooth radio should be turned off by the user (User Based Enforcement (UBE)) if not being used to connect the approved Bluetooth smart card reader or handsfree headset to the smartphone.
On a sample of site-managed Android devices (pick 3-4 random devices), verify the Bluetooth radio is turned off if the Bluetooth smart card reader is not being used by the user.
-Have the user log into the device.
-Go to Settings > Wireless & networks > Bluetooth.
-Verify the Bluetooth radio is off.
Mark as a finding if configuration is not set as required.

Fix: F-27690r3_fix

Train the user to not connect the iOS device to unauthorized Bluetooth peripherals.

The smartphone device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required.
Low - V-25020 - SV-34999r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-MOS-AND-041
Vuln IDs
  • V-25020
Rule IDs
  • SV-34999r1_rule
The Wi-Fi radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34875r1_chk

The user will never enable the Wi-Fi radio unless authorized to use Wi-Fi (User Based Enforcement (UBE)). If Wi-Fi use is authorized, the user should turn off the smartphone Wi-Fi radio whenever Wi-Fi service is not needed.
On a sample of site-managed Android devices (pick 3-4 random devices), verify the Wi-Fi radio is turned off.
-Have the user turn on and log into the device.
-Go to Settings > Wireless & networks > Wi-Fi. Wi-Fi should be turned off.
Mark as a finding if configuration is not set as required.

Fix: F-27691r4_fix

Train user to disable the CMD Wi-Fi radio unless Wi-Fi connectivity is desired for a known authorized Wi-Fi connection.

All smartphones must display the required banner during device unlock/logon.
Medium - V-25022 - SV-35042r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-007
Vuln IDs
  • V-25022
Rule IDs
  • SV-35042r1_rule
DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data.
Responsibility: System Administrator
IA Controls: ECWM-1
Checks: C-34914r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-On the left tab, select Compliance Manager.
-Verify a "Custom" or "DoD Login Banner" rule is listed. (Note the rule title does not have to be exact.)
-Open the rule by checking the box next to the rule, and then click on Edit.
-Verify "Failure Action" is set to "Quit Good for Enterprise".
-Verify "Check Every" is set to "1 hour".
-Verify Rule File = disclaimer.xml
Mark as a finding if configuration is not set as required.

Fix: F-27693r1_fix

Display the required banner during device unlock/logon.

Location services must be turned off on the smartphone during device provisioning.
Low - V-25051 - SV-35000r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-MOS-AND-042
Vuln IDs
  • V-25051
Rule IDs
  • SV-35000r1_rule
Smartphone location services allow applications to gather information about the location of the handheld device and possibly forward it to servers located on the Internet. This is an operational security issue for DoD smartphone devices.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34876r1_chk

Location based services is a User Based Enforcement (UBE) service.
On a sample of 3-4 devices managed by the site, verify Android Location Services is disabled for all applications unless the site has a letter/memo stating the DAA or the Command Application Configuration Control Board (CCB) has approved location-based services.
Go to Settings > Location & security settings > Use GPS satellites
And Settings > Location & security settings > Use assisted GPS
Verify both services are off, unless GPS services have been approved for use.
Mark as a finding if configuration is not set as required.

Fix: F-27774r2_fix

Turn off location services during device provisioning and users will not enable the service unless approved for use.

The site must set up local operating procedures for initial provisioning and subsequent software and application updates using the procedures published in the STIG Overview document.
Medium - V-25842 - SV-35001r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-043
Vuln IDs
  • V-25842
Rule IDs
  • SV-35001r1_rule
Strong configuration management of applications on a smartphone is a key malware control. Most smartphones must have individual commercial web portal (e.g., iTunes, Android Market, etc.) accounts and be connected to the commercial App Store to provision the smartphone. A DoD user can jailbreak a smartphone and bypass smartphone application and malware controls. To ensure strong configuration management of the security baseline of the smartphone, all software loading should be done by the SA.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCPR-1, PESP-1
Checks: C-34877r1_chk

All smartphone provisioning and updates are under the control of the site Android device System Administrator (SA).
Interview the site IAO and Android device SA. Verify the site has a procedure for initial provisioning and subsequent updates of site-managed Android devices. Review the site procedure and verify it follows the procedures found in the STIG Overview document.
Mark as a finding if these procedures are not followed.

Fix: F-28707r1_fix

Set up local operating procedures for initial provisioning and subsequent software and application updates according to procedures published in the STIG/ISCG Overview document.

The Personal Hotspot feature of the mobile OS must be disabled if it does not meet DoD WLAN or Bluetooth security requirements and is not approved by the IAO.
Low - V-26559 - SV-35002r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-MOS-AND-044
Vuln IDs
  • V-26559
Rule IDs
  • SV-35002r1_rule
The Wi-Fi radio and Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. This setting would allow the device Wi-Fi radio to automatically connect to a Wi-Fi network. The Bluetooth and Wi-Fi connections do not support DoD wireless encryption and authentication requirements.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-34878r1_chk

USB connections for Personal Hotspot service will only be used if authorized. Bluetooth and Wi-Fi connections will not be used.
Currently, the setup.apk configuration script is used to disable the “Enable Wi-Fi tethering” configuration setting in Android. (In late 2011, this configuration setting will be available in the Good server console.)
Verify the Dell Setup.apk file has been installed on the mobile OS device.
-Have the system administrator show that Setup.apk is in the list of installed applications on the device (Settings>Applications>Manage applications>All). If the file is not listed, confirm with the SA that the file was installed on the device during setup, run, and then removed.
Note: “Tethered Modem” service must be added to the Android wireless account by the carrier for the Personal Hotspot service to work.

Fix: F-29705r1_fix

Set the mobile OS device Personal Hotspot feature as required.

Full Device Administration must be implemented on the smartphone.
Medium - V-27629 - SV-35082r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-026
Vuln IDs
  • V-27629
Rule IDs
  • SV-35082r1_rule
If this configuration is not set as required, the security policy from the server will not be implemented on the smartphone. Sensitive DoD data could be compromised.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-34945r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the General tab.
-Verify “Full Device Administration” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-30250r1_fix

Implement Full Device Administration on the smartphone.

Enable Full Device Lock must be set.
Medium - V-27630 - SV-35087r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-027
Vuln IDs
  • V-27630
Rule IDs
  • SV-35087r1_rule
Sensitive DoD data could be exposed if this configuration is not set as required.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-34947r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the General tab.
-Verify “Enable Full Device Lock” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-30252r1_fix

Check Enable Full Device Lock on the smartphone.

Enable remote device password reset must be set.
Low - V-27631 - SV-35090r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-MOS-AND-G-028
Vuln IDs
  • V-27631
Rule IDs
  • SV-35090r1_rule
Without this capability a user could be locked out of their smartphone for significant time periods, affecting the mission of the organization.
Responsibility: System Administrator
IA Controls: ECWN-1, IAIA-1
Checks: C-34949r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the General tab.
-Verify “Enable remote device password reset” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-30254r1_fix

Set Enable remote device password reset as required.

Enable remote SD card wipe must be configured.
Medium - V-27632 - SV-35092r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-029-01
Vuln IDs
  • V-27632
Rule IDs
  • SV-35092r1_rule
Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.
Responsibility: System Administrator
IA Controls: ECCR-1, ECWN-1
Checks: C-34950r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the General tab.
-Verify “Enable remote SD card wipe” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-30255r1_fix

Configure Enable remote SD card wipe as required.

Allow SD card encryption must be configured.
Medium - V-27633 - SV-35095r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-029-02
Vuln IDs
  • V-27633
Rule IDs
  • SV-35095r1_rule
Sensitive DoD data could be compromised if mobile OS device data is not encrypted.
Responsibility: System Administrator
IA Controls: ECCR-1, ECWN-1
Checks: C-34951r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the Restrictions tab.
-Verify “Allow SD card encryption” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-30256r1_fix

Configure Allow SD card encryption as required.

VPN must be configured as required.
Medium - V-27634 - SV-35097r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-035
Vuln IDs
  • V-27634
Rule IDs
  • SV-35097r1_rule
Sensitive DoD data could be compromised if the Android VPN client is used. The VPN client is not currently FIPS 140-2 validated and does not support CAC authentication.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-34952r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the Restrictions tab.
-Verify “Allow use of VPN” is not checked.
Mark as a finding if configuration is not set as required.

Fix: F-30257r1_fix

Configure VPN client as required.

Remote full device wipe must be enabled.
Medium - V-27635 - SV-35227r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-008
Vuln IDs
  • V-27635
Rule IDs
  • SV-35227r1_rule
Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.
Responsibility: System Administrator
IA Controls: ECCR-1, ECWN-1
Checks: C-35071r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click on the General tab.
-Verify "Enable remote full device wipe" is checked. (Note: “Device Wipe” will wipe all data and non-core applications off the Android device.)
Mark as a finding if configuration is not set as required.

Fix: F-30358r2_fix

Enable remote full device wipe on iOS devices.

The smartphone removable memory card (e.g., MicroSD) must be bound to the PDA or smartphone so it may not be read by any other PED or computer.
Medium - V-28295 - SV-36013r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-033-02
Vuln IDs
  • V-28295
Rule IDs
  • SV-36013r1_rule
Memory cards used to transfer files between PCs and PDAs are a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed in this check.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-35150r1_chk

This check is currently Not Applicable. The SD memory card is automatically bound to the Android smartphone by the Good server when "Allow SD card encryption" is checked in the Android policy on the Good server.

Fix: F-30396r1_fix

Implement required procedures to bind the media card to the smartphone.

The smartphone password/passcode complexity (alphanumeric) must be set.
Medium - V-28297 - SV-36019r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-G-012-02
Vuln IDs
  • V-28297
Rule IDs
  • SV-36019r1_rule
Sensitive DoD data could be compromised if a strong device unlock password/passcode is not set up on a DoD smartphone. The complexity of the password is a key factor in the strength of the password. Complex passwords are harder to guess or obtain via a brute force attack.
Responsibility: System Administrator
IA Controls: ECWN-1, IAIA-1
Checks: C-35152r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the Passcode tab.
-Verify “Alphanumeric” is checked.
Mark as a finding if configuration is not set as required.

Fix: F-30401r1_fix

Set the smartphone password complexity to the required value.

All mobile operating system (OS) device Bluetooth radio profiles must be disabled except for the serial port, handset and headset profiles.
Medium - V-29524 - SV-38756r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-040-02
Vuln IDs
  • V-29524
Rule IDs
  • SV-38756r1_rule
The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. The serial port profile is used by the DoD approved Bluetooth smart card reader and the headset and handset profiles are used by the DoD approved Bluetooth headset.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-37824r1_chk

The Bluetooth Security Monitor application is used to only allow the three approved Bluetooth profiles: serial port, handset, headset. (In late 2011, this configuration setting will be available in the Good server console.)
Verify the Bluetooth Security Monitor application has been installed on the mobile OS device.
-Have the system administrator show that Setup.apk is in the list of installed applications on the device (Settings>Applications>Manage applications>All).
Mark as a finding if the required file is not installed.

Fix: F-33963r1_fix

Install the required Bluetooth configuration application.

The pairing of Bluetooth devices to DoD mobile OS devices must be controlled so only approved devices can pair to the smartphone.
Medium - V-29525 - SV-38758r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-040-03
Vuln IDs
  • V-29525
Rule IDs
  • SV-38758r1_rule
The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-37825r1_chk

The Bluetooth Security Monitor application is used to only allow approved Bluetooth smart card readers (CAC readers) and Bluetooth headsets. (In late 2011, this configuration setting will be available in the Good server console.)
Verify the Bluetooth Security Monitor application has been installed on the mobile OS device.
-Have the system administrator show that the Bluetooth Security Monitor application is in the list of installed applications on the device (Settings>Applications>Manage applications>All).
Mark as a finding if the Bluetooth Security Monitor application is not installed.

Fix: F-33963r1_fix

Install the required Bluetooth configuration application.

The smartphone USB port must be configured as required.
Medium - V-29529 - SV-38765r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-036
Vuln IDs
  • V-29529
Rule IDs
  • SV-38765r1_rule
A smartphone can be jailbroken or rooted when connected to a PC with a jailbreak or rooting application installed on it. When a smartphone is jailbroken/rooted, the user or malware has root access and can bypass all device security controls. DoD sensitive data could be compromised.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-37827r1_chk

There are two methods that can be used to meet this requirement. The site should choose which method to use.
Method #1: Disable all functions of the device USB port
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title, for example, STIG_Android_Policy_Set. It is recommended all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-Click the Restrictions tab.
-Verify under Hardware Functionality “Allow use of USB port” is not checked.
Method #2: Enable the device USB port but disable the mass storage function of the USB port
Procedure: If the USB port is enabled (see Method #1 procedure, “Allow use of USB port” is checked), then “Mass Storage” must be set to “Disable.”
First, verify the Dell Setup.apk file has been installed on the mobile OS device.
-Have the system administrator show that the Dell Setup.apk is in the list of installed applications on the device (Settings>Applications>Manage applications>All). If the file is not listed, confirm with the SA that the file was installed on the device during setup, run, and then removed. (Note, a future release of the Good server will include the “Mass Storage” configuration setting in the Android security policy set and setup.apk will no longer be required.)
Mark as a finding if neither Method #1 nor Method #2 has been implemented.

Fix: F-33082r1_fix

Configure the smartphone USB port as required.

c
A security risk analysis must be performed on a mobile operating system (OS) application by the DAA or DAA authorized approval authority prior to the application being approved for use.
High - V-29894 - SV-39452r1_rule
RMF Control
Severity
High
CCI
Version
WIR-MOS-AND-006-03
Vuln IDs
  • V-29894
Rule IDs
  • SV-39452r1_rule
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).
Information Assurance Officer
Designated Approving Authority
DCCB-1, ECWN-1
Checks: C-38371r1_chk

One of the primary security issues with the Android Operating System (OS) is the lack of strong application controls. Key issues include:
• The list of OS resource permissions that must be selected during application install is vague and confusing and leads to applications being assigned OS permissions that are not needed.
• Applications operate in their own protected area (sandbox), but Android allows applications to share data, which breaks the sandbox model.
• Android allows applications to share memory space.
• The Android signing key mechanism is weak. Applications can share signing keys. It is easy for an attacker to break an application’s signing key, add malware, and then resign the modified app with the original key, thereby allowing the modified application to appear as the original application.
• The Android event handling mechanism is poorly implemented. Any application can listen for an event (Intent) and intercept the event, even if it is not intended for the application. An app can send an Intent to another app, which could cause unsecure conditions.
Successful exploits related to any of these issues could allow an attacker to obtain DoD sensitive information and potentially obtain elevated system or even root privileges on the device.

Detailed Requirements:
Core applications are applications included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or DAA approved approval authority prior to a mobile OS application being approved for use.
-Since the native encryption module included in the Android OS is not FIPS 140-2 validated, Android non-core applications can only be approved if they meet one of the following conditions:
--The application does not store any data locally on the device; or
--The application stores data locally on the device and the data is encrypted using a FIPS 140-2 validated cryptographic module; or
--The application and application data are stored on the device micro SD card where FIPS 140-2 validated encryption is used.
The DAA, DAA designated Application Configuration Control Board, or other DAA designated process has the responsibility to approve all third-party applications installed on Android devices under the purview of the DAA. The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure:
-Approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.
-All approved applications are validated to ensure appropriate event handling features and proper permissions are applied on all Intents for approved applications.

Check Procedures:
Review this check after reviewing check WIR-MOS-AND-06-01 (V-24986). Determine if any non-core mobile OS applications have been approved by the DAA.
-If no, this check is not applicable.
-If yes, complete the following procedures:
Ask the site for documentation that shows what security risk analysis procedures are used by the DAA prior to approving non-core applications for use. Determine if the procedures include an evaluation of the following:
-What OS level permissions are required by the application.
-How the application shares data and memory space with other applications.
-The application does not contain malware.
-The application does not share data stored on the smartphone with non-DoD servers.
-Proper permissions are applied on all Intents in the application.
-If the application stores data, the application data storage container is FIPS 140-2 validated.
Mark as a finding if the application security risk review procedures do not contain the required risk assessment evaluation tasks.

Fix: F-33666r1_fix

Have DAA or Command IT CCB use the required procedures to review mobile OS applications prior to approving them.

b
A compliance rule must be set up in the server defining required mobile OS software build version.
Medium - V-29949 - SV-39515r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-030-02
Vuln IDs
  • V-29949
Rule IDs
  • SV-39515r1_rule
Unapproved OS build versions do not support required security features. The security baseline of the Android system could be compromised if required security features are not available.
System Administrator
ECWN-1
Checks: C-38486r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
---------------------------
Step 1:
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Android devices and click on Android Configuration on the left side.
-On the left tab, select Compliance Manager.
-Verify a "Custom" or "Dell Android Build Number" rule is listed. (Note: the rule title does not have to be exact.)
-Open the rule by checking the box next to the rule, and then click on Edit.
-Verify "Failure Action" is set to "Quit Good for Enterprise".
-Verify "Check Every" is set to "1 hour".
-Verify Rule File = build_number_check.xml
Step 2: Verify the latest release of the Dell Android build is specified in the build_number_check.xml file.
-Have the system administrator (SA) provide the build number of the latest Dell Android release. The release is expected to be available on the Dell DoD web site.
-Have the system administrator open the build_number_check.xml file in a browser or in Word. The build number will be listed between <fingerprint> and </fingerprint> in the script.
Mark as a finding if the required rule has not been set up or does not include the latest Dell Android release build number.
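The two halves of this check, as an added example script rather than anything from the STIG or from Good for Enterprise: does the rule file name the latest Dell build (Step 2), and is the build a device reports one the rule allows. The element layout around <fingerprint>, the placeholder fingerprint value, and reading the device's build from the ro.build.fingerprint system property are assumptions.

```python
"""Check a Dell Android build fingerprint against a build_number_check.xml rule file."""
import xml.etree.ElementTree as ET

# Constructed sample rule file. The STIG only says the build number sits between
# <fingerprint> and </fingerprint>; the surrounding element layout is an assumption,
# and the fingerprint value is a placeholder, not a real Dell build.
SAMPLE_RULE_XML = """<?xml version="1.0"?>
<rule name="Dell Android Build Number">
  <fingerprint>
    Dell/example/example:2.2/PLACEHOLDER_BUILD/1:user/release-keys
  </fingerprint>
</rule>
"""

# Failure action the STIG requires for this compliance rule.
FAILURE_ACTION = "Quit Good for Enterprise"


def allowed_fingerprints(rule_xml):
    """Return the non-empty <fingerprint> values in the rule file, whitespace-stripped.
    A malformed file yields an empty list so that callers fail closed."""
    try:
        root = ET.fromstring(rule_xml)
    except ET.ParseError:
        return []
    return [e.text.strip() for e in root.iter("fingerprint") if e.text and e.text.strip()]


def rule_lists_latest_build(rule_xml, latest_fingerprint):
    """Step 2 of the check: the rule file must name the latest Dell Android release."""
    return latest_fingerprint.strip() in allowed_fingerprints(rule_xml)


def evaluate_device(rule_xml, device_fingerprint):
    """Device-side comparison (assumed semantics): the build the device reports,
    taken here to be its ro.build.fingerprint property, must be one of the allowed
    values. An empty allow-list is treated as non-compliant rather than as a pass."""
    allowed = allowed_fingerprints(rule_xml)
    compliant = bool(allowed) and device_fingerprint.strip() in allowed
    return {"compliant": compliant, "action": "none" if compliant else FAILURE_ACTION}


if __name__ == "__main__":
    latest = "Dell/example/example:2.2/PLACEHOLDER_BUILD/1:user/release-keys"
    print("rule lists latest build:", rule_lists_latest_build(SAMPLE_RULE_XML, latest))
    print("current device:", evaluate_device(SAMPLE_RULE_XML, latest))
    print("outdated device:", evaluate_device(SAMPLE_RULE_XML, latest.replace("PLACEHOLDER", "OLD")))
```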

Fix: F-33736r1_fix

Install an approved mobile OS build.

b
The Bluetooth configuration application must be installed on the Android device.
Medium - V-30193 - SV-39764r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-006-04
Vuln IDs
  • V-30193
Rule IDs
  • SV-39764r1_rule
The Bluetooth monitor application ensures the Bluetooth configuration of the Android device is in compliance with the DoD Bluetooth security standard. If not installed, it may be possible for a hacker to spoof the Bluetooth pairing process with the Android device, connect to the Android device via a Bluetooth connection, and steal sensitive DoD information.
System Administrator
ECWN-1
Checks: C-38659r1_chk

Verify the Biometric Associates (BAL) Bluetooth configuration applications are installed on a sample of devices (2-4). Application names: baiMobile Security Service (version 1.0 or later) and baiMobile WatchDog application (version 1.0 or later).
-Have the system administrator show that the baiMobile applications are in the list of installed applications on the device (Settings>Applications>Manage applications>All).
Mark as a finding if the required applications are not installed.

Fix: F-33925r1_fix

Install the Bluetooth configuration application on the Android device.

b
Mobile OS devices (smartphones/tablets) must have a system integrity validation application installed or have validation scanning, using a PC based tool, completed on the required schedule.
Medium - V-30248 - SV-39856r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-045-01
Vuln IDs
  • V-30248
Rule IDs
  • SV-39856r1_rule
The purpose of this scan is to determine if there has been an unexplained change in the mobile OS file system that may indicate the device has been compromised by malware or by rooting the device.
ECSC-1
Checks: C-38854r1_chk

Detailed Policy Requirements: All site managed Android devices must have the Fixmo Sentinel application integrity validation tool installed.
Check Procedures: Interview the IAO and Android device Administrator. Verify the Fixmo Sentinel application is installed on site Android mobile devices. Select 4-5 site managed Android devices to review. For each device, have the user log into the device. Go to Settings > Applications > Manage applications. To view the list of applications on the smartphone, select “All”. To view a list of applications on the SD media card, select “On SD card”. Verify Sentinel is listed as an installed application. Mark as a finding if Sentinel is not installed.

Fix: F-33999r1_fix

Install Fixmo Sentinel on all site managed mobile devices.

b
The results and mitigation actions from Mobile OS device integrity validation tool scans on site managed Mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).
Medium - V-30249 - SV-39869r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-045-05
Vuln IDs
  • V-30249
Rule IDs
  • SV-39869r1_rule
Scan results must be maintained so that auditors can verify mitigation actions have been completed, so that a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends for site managed mobile OS devices.
System Administrator
ECWN-1
Checks: C-38872r1_chk

Detailed Policy Requirements: Each site must maintain the results of scans on site managed Android devices as follows:
-The results of all Android device integrity validation tool scans will be maintained by either the site Android Administrator or IAO.
-The site IAM should designate the length of time a site maintains the results of individual scans (6 months required, at least 1 year is recommended). The most recent control or baseline scan should be maintained until an Android device is decommissioned.
Check Procedures: Interview the IAO and Android Administrator. Verify the IAO or Android Administrator is saving records of scan results and mitigation actions for the length of time designated by the site IAM. Select 4-5 site managed Android devices to review.
-For each device, have the Android device Administrator show scan logs for each device for the period of time designated by the IAM (at least 6 months).
Mark as a finding if the scan interval is not set as required.

Fix: F-34016r1_fix

Maintain the results and mitigation actions from Mobile OS device integrity validation tool scans on site managed Mobile OS devices for at least 6 months (1 year recommended).

b
Mitigation actions identified by Mobile OS device integrity tool scans on site managed Mobile OS devices must be implemented.
Medium - V-30250 - SV-39870r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-045-06
Vuln IDs
  • V-30250
Rule IDs
  • SV-39870r1_rule
If mitigation actions identified by the Mobile OS device integrity tool are not implemented, DoD data and the enclave could be at risk of being compromised.
System Administrator
ECWN-1
Checks: C-38873r1_chk

Determine if mitigation actions recommended by the Android device integrity validation tool, based on scanning results, have been implemented by the site. Interview the IAO and Android Administrator. Review the tool scan results from the previous 6 months that the site has on file. Select 4-5 site managed Android devices to review.
-For each device, have the Android device Administrator show scan logs for each device for the past several months. Find several scans that have identified compromising events, if available. Determine if the site completed the recommended mitigation actions.
Mark as a finding if mitigation actions were not completed.
Note: It is recommended that the site establish a procedure for recording mitigation actions completed for each site managed device.

Fix: F-34017r1_fix

Implement required mitigation actions.

b
Mobile OS devices (smartphones / tablets) must have a device integrity validation tool baseline scan on file.
Medium - V-30566 - SV-40283r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-045-02
Vuln IDs
  • V-30566
Rule IDs
  • SV-40283r1_rule
The purpose of this scan is to determine if there has been an unexplained change in the mobile OS file system indicating the device has been compromised by malware or by rooting the device. A baseline scan provides a known good condition to compare with subsequent scans. A new baseline scan should be completed after the installation or removal of an application.
System Administrator
Information Assurance Officer
ECWN-1
Checks: C-39129r1_chk

Interview the IAO and Android device Administrator. Verify Fixmo Sentinel baseline scans are on file for all site managed Android devices. Select 4-5 site managed Android devices to review. Have the IAO show the reviewer the baseline scan for each device using Sentinel Desktop or Sentinel server. Mark as a finding if a baseline scan is not available.

Fix: F-34279r1_fix

Create baseline scans for each site managed mobile device.

b
Mobile OS devices (smartphones/tablets) device integrity validation scan interval must be 6 hours or less.
Medium - V-30567 - SV-40286r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-045-03
Vuln IDs
  • V-30567
Rule IDs
  • SV-40286r1_rule
The purpose of this scan is to determine if there has been an unexplained change in the mobile OS file system that may indicate the device has been compromised by malware or by rooting the device.
System Administrator
Information Assurance Officer
ECWN-1
Checks: C-39132r1_chk

The scan interval is set up on the device but cannot be verified on the device.
Check Procedures: Interview the IAO and Android device Administrator. Select 4-5 site managed Android devices to review.
-For each device, have the Android device Administrator show scan logs for each device for the previous week. Verify the scans are about 6 hours or less apart. If the scans are not approximately 6 hours apart, mark as a finding.
Note: There are several factors that could influence how often the scans are conducted and emailed from the mobile device, including whether the device is powered on and whether the device has wireless connectivity with the SMTP server. The reviewer should use their best judgment to verify that the majority of the scans received in the previous week for each device being reviewed are about 6 hours or less apart.
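The reviewer's judgment described above as an added example script (not the STIG's or Fixmo's code): from a constructed log of when each device's scan e-mails arrived, it takes the previous week's scans per device and reports a finding unless most consecutive scans are about 6 hours or less apart. The log format, the 30-minute slack for "about 6 hours", and the 7-day review window are assumptions.

```python
"""Review integrity-scan arrival times against the 6-hours-or-less interval requirement."""
from datetime import datetime, timedelta

SCAN_INTERVAL = timedelta(hours=6)
TOLERANCE = timedelta(minutes=30)  # slack for "about 6 hours", e.g. mail delivery delay (assumption)
REVIEW_WINDOW = timedelta(days=7)  # the check looks at the previous week

# Constructed scan log: one line per scan e-mail received, "<ISO timestamp> <device-id>".
# device-01 was powered off overnight on 18 Aug, so one of its gaps is far longer
# than 6 hours; device-02 is scanning only every 12 hours.
SAMPLE_LOG = """\
2014-08-18T00:05:00 device-01
2014-08-18T06:02:00 device-01
2014-08-18T12:10:00 device-01
2014-08-19T03:00:00 device-01
2014-08-19T09:01:00 device-01
2014-08-19T15:00:00 device-01
2014-08-18T00:00:00 device-02
2014-08-18T12:00:00 device-02
2014-08-19T00:00:00 device-02
"""


def parse_scan_log(text):
    """Group scan timestamps by device id, each list sorted in time order."""
    scans = {}
    for line in text.splitlines():
        if line.strip():
            stamp, device = line.split()
            scans.setdefault(device, []).append(datetime.fromisoformat(stamp))
    return {dev: sorted(times) for dev, times in scans.items()}


def review_device(log_text, device_id, as_of=None):
    """Apply the check to one device: keep the scans from the 7 days up to `as_of`
    (ISO string or datetime; default: the device's latest scan) and report a finding
    unless a majority of consecutive scans are about 6 hours or less apart.
    Fewer than two scans in the window cannot be verified and is also a finding."""
    times = parse_scan_log(log_text).get(device_id, [])
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    if as_of is None and times:
        as_of = times[-1]
    if as_of is not None:
        times = [t for t in times if as_of - REVIEW_WINDOW <= t <= as_of]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    within = sum(1 for g in gaps if g <= SCAN_INTERVAL + TOLERANCE)
    majority_ok = bool(gaps) and within * 2 > len(gaps)
    return {
        "scans": len(times),
        "intervals": len(gaps),
        "within_interval": within,
        "longest_gap_hours": round(max(gaps).total_seconds() / 3600, 2) if gaps else None,
        "finding": not majority_ok,
    }


if __name__ == "__main__":
    for dev in ("device-01", "device-02"):
        print(dev, review_device(SAMPLE_LOG, dev, "2014-08-20T00:00:00"))
```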

Fix: F-34281r1_fix

Configure the Fixmo Sentinel application to scan site managed Android devices every 6 hours or less.

b
Mobile OS device integrity tool scans must be reviewed daily by the system administrator or IAO (or continuously by a server).
Medium - V-30568 - SV-40290r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-AND-045-04
Vuln IDs
  • V-30568
Rule IDs
  • SV-40290r1_rule
If mitigation actions identified by the Mobile OS device integrity tool are not implemented, DoD data and the enclave could be at risk of being compromised.
System Administrator
Information Assurance Officer
ECWN-1
Checks: C-39136r1_chk

Interview the system administrator and IAO. Determine if the Fixmo Sentinel tool scan results are being reviewed daily by the system administrator or IAO. Determine how the site documents this action. Note: At this time, the Sentinel server cannot automatically review scan results from the device application and alert the administrator if there are events. Mark as a finding if Fixmo Sentinel tool scan results are not reviewed daily by the system administrator or IAO.

Fix: F-34283r1_fix

Implement required mitigation actions.

c
Android 2.2 Dell mobile operating systems that are no longer supported by the vendor for security updates must not be installed on a system.
CM-6 - High - CCI-000366 - V-53957 - SV-68195r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
WIR-MOS-AND-999
Vuln IDs
  • V-53957
Rule IDs
  • SV-68195r1_rule
Android 2.2 Dell mobile operating systems that are no longer supported by the vendor for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack. Organizations must transition to a supported mobile operating system to ensure continued support.
Checks: C-54745r1_chk

Dell support for Android 2.2 ended August 15, 2011. If Android 2.2 Dell is installed on a system, this is a finding.

Fix: F-58795r1_fix

Upgrade Android 2.2 Dell systems to a supported mobile operating system.