BlackBerry Enterprise Server (version 5.x), Part 3 Security Technical Implementation Guide

U_BlackBerry_Enterprise_Server_5-X_Part3_V2R8_Manual-xccdf.xml

BlackBerry Enterprise Server (version 5.x) STIG, Part 3 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.
Details

Version / Release: V2R8

Published: 2015-07-02

Updated At: 2018-09-23 02:04:18

Rule | Version | Severity | Title | Description | Responsibility | IA Control
SV-3545r4_rule | WIR1400-01 | HIGH | BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Password Required” (Device Only policy group) must be set to “Yes” or “True”. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | | ECSC-1
SV-12376r4_rule | WIR1450-01 | MEDIUM | IT Policy rule “Maximum Security Timeout” (Device-Only policy group) must be set as required. | The handheld may not lock after the specified period of inactivity and DoD data could be exposed. | System Administrator; Information Assurance Officer | ECSC-1
SV-12718r4_rule | WIR1445-01 | MEDIUM | Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. IT Policy rule “Content Protection Strength” (Security policy group) must be set as required. | DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password- or PIN-protected access. | System Administrator; Information Assurance Officer | ECSC-1
SV-14809r5_rule | WIR1405-01 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Bluetooth” (Bluetooth policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | Information Assurance Officer | ECSC-1
SV-15096r4_rule | WIR1415-01 | MEDIUM | Wireless email device users must not install or remove applications and/or software on their handheld device unless under the direction and supervision of an authorized system administrator. IT Policy rule “Show Application Loader” (Desktop-Only policy group) must be set as required. | The wireless email server can be configured to prevent users from installing or removing applications. These configuration settings must be set at the enterprise level to prevent users from downloading or using desktop software, unauthorized software, or harmful code. | System Administrator | ECSC-1
SV-17045r5_rule | WIR1435-01 | LOW | IT Policy rule “Disable Wi-Fi” must be set as required. | Improperly configured WLAN systems can expose the BlackBerry device and DoD network to attack. | System Administrator | ECSC-1
SV-21144r5_rule | WIR1400-02 | HIGH | BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Minimum Password Length” (Device Only policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21145r4_rule | WIR1400-03 | HIGH | BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “User Can Disable Passwords” (Device Only policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21148r4_rule | WIR1400-06 | MEDIUM | BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Password Timeout” (Password policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21149r4_rule | WIR1400-07 | HIGH | BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Maximum Password Attempts” (Password policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21150r4_rule | WIR1400-08 | LOW | BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Suppress Password Echo” (Password policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21153r4_rule | WIR1400-10 | LOW | BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Forbidden Passwords” (Password policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21154r5_rule | WIR1400-11 | HIGH | BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Reset to Factory Defaults on Wipe” (Security policy group) must be set as required. | Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. | System Administrator; Information Assurance Officer | ECSC-1
SV-21155r4_rule | WIR1455-01 | MEDIUM | All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Lock Owner Info” must be set as required. | DoDI 8500.01 requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. Note: DoDI 8500.01 does not include the required banner within the Instruction, but instead points to the RMF Knowledge Service for the required text. | System Administrator; Information Assurance Officer | EBCR-1
SV-21156r3_rule | WIR1455-02 | MEDIUM | All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Set Owner Info” must be set as required. | The DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. | System Administrator; Information Assurance Officer | EBCR-1
SV-21172r4_rule | WIR1405-02 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Pairing” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21173r4_rule | WIR1405-03 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Headset Profile” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21175r4_rule | WIR1405-04 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Handsfree Profile” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21176r4_rule | WIR1405-05 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Serial Port Profile” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21177r4_rule | WIR1405-06 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Discoverable Mode” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21179r4_rule | WIR1405-08 | LOW | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Address Book Transfer” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21180r4_rule | WIR1405-09 | LOW | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Desktop Connectivity” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21181r4_rule | WIR1405-10 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Wireless Bypass” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21182r4_rule | WIR1405-11 | LOW | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Enabling Bluetooth Support” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21183r4_rule | WIR1405-12 | LOW | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Discoverable Mode” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21184r4_rule | WIR1405-13 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Encryption” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21185r4_rule | WIR1405-14 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable File Transfer” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21186r4_rule | WIR1405-15 | LOW | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require LED Connection Indicator” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21187r4_rule | WIR1405-16 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Dial-Up Networking” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21188r4_rule | WIR1405-17 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Force CHAP Authentication Bluetooth Link” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21189r4_rule | WIR1405-18 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Advanced Audio Distribution Profile” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21190r4_rule | WIR1405-19 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Audio/Video Remote Control Profile” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21192r4_rule | WIR1405-20 | LOW | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Limit Discoverable Time” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21194r4_rule | WIR1405-21 | MEDIUM | BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable SIM Access Profile” (Bluetooth Only policy group) must be set as required. | Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. | System Administrator; Information Assurance Officer | ECSC-1
SV-21198r4_rule | WIR1420-01 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other message required by DoD policy. IT Policy rule “Disable Revoked Certificate Use” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21199r4_rule | WIR1420-02 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Key Store Low Security” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21200r4_rule | WIR1420-03 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Certificate Status Cache Timeout” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21201r4_rule | WIR1420-04 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Invalid Certificate Use” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | | ECSC-1
SV-21202r4_rule | WIR1420-05 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Weak Certificate Use” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21203r4_rule | WIR1420-06 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Certificate Status Maximum Expiry Time” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21204r4_rule | WIR1420-07 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Unverified CRLs” (Security policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21205r4_rule | WIR1420-08 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong RSA Key Length” (S/MIME Application policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21206r4_rule | WIR1420-09 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong DH Key Length” (S/MIME Application policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21207r4_rule | WIR1420-10 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong ECC Key Length” (S/MIME Application policy group) must be set to “163”. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21208r4_rule | WIR1420-11 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Content Ciphers” (S/MIME Application policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21209r4_rule | WIR1420-12 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong DSA Key Length” (S/MIME Application policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21210r4_rule | WIR1420-13 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Entrust Messaging Server (EMS) Email Address” (S/MIME Application policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21211r4_rule | WIR1420-14 | LOW | Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Encryption Types” (S/MIME Application policy group) must be set as required. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and are required by DoD policy. | System Administrator; Information Assurance Officer | ECSC-1
SV-21221r4_rule | WIR1430-01 | LOW | Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public Yahoo! Messenger Services” (Service Exclusivity policy group) must be set as required. | Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21222r3_rule | WIR1430-02 | LOW | Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public AIM Services” (Service Exclusivity policy group) must be set as required. | Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21223r4_rule | WIR1430-03 | MEDIUM | Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public ICQ Services” (Service Exclusivity policy group) must be set as required. | Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21224r4_rule | WIR1430-04 | MEDIUM | Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public IM Services” (Service Exclusivity policy group) must be set as required. | Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21225r4_rule | WIR1430-05 | LOW | Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public Google Talk Services” (Service Exclusivity policy group) must be set as required. | Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21226r4_rule | WIR1430-06 | LOW | Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public WLM Services” (Service Exclusivity policy group) must be set as required. | Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21232r4_rule | WIR1410-01 | LOW | IT Policy rule “Maximum Bluetooth Range” (BlackBerry Smart Card Reader policy group) must be set as required. | An insecure Bluetooth SCR could make the BlackBerry vulnerable to compromise via a Bluetooth attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21234r4_rule | WIR1410-02 | LOW | IT Policy rule “Maximum PC Disconnect Timeout” (BlackBerry Smart Card Reader policy group) must be set as required. | An insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack. | | ECSC-1
SV-21235r4_rule | WIR1410-03 | MEDIUM | IT Policy rule “Maximum Number of PC Pairings” (BlackBerry Smart Card Reader policy group) must be set as required. | An insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack. | System Administrator; Information Assurance Officer | ECSC-1
SV-21254r4_rule | WIR1440-01 | LOW | All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry Internet browser. IT Policy rule “Allow IBS Browser” (Browser policy group) must be set as required. | The BlackBerry Browser forces all Internet browsing to go through the site Internet gateway, which provides additional security over the carrier's browser. | System Administrator; Information Assurance Officer | ECSC-1
SV-21260r4_rule | WIR1440-03 | LOW | All Internet browsers must be disabled from the BlackBerry device except for the BlackBerry Internet browser. IT Policy rule “Allow Other Browser Services” (Services Exclusivity policy group) must be set as required. | Requiring the use of the BlackBerry browser forces all Internet browsing to go through the enclave web proxy. Therefore, all Internet use will be filtered and protected by enclave malware protection services. Otherwise, BlackBerry Internet browsing would make the BlackBerry handheld and the enclave more vulnerable to malware that could be downloaded from the Internet. | System Administrator; Information Assurance Officer | ECSC-1
SV-21859r4_rule | WIR1450-03 | LOW | IT Policy rule “Force Load Count” (Desktop-Only policy group) must be set as required. | Required software updates may not be installed, resulting in an unpatched system. | System Administrator; Information Assurance Officer | ECSC-1
SV-21860r4_rule | WIR1450-04 | LOW | IT Policy rule “Force Load Message” (Desktop-Only policy group) must be set as required. | Required software updates may not be installed, resulting in an unpatched system. | System Administrator; Information Assurance Officer | ECSC-1
SV-21862r4_rule | WIR1450-06 | LOW | IT Policy rule “Set Owner Name” (Common policy group) must be set as required. | If not set correctly, the BlackBerry may be identified as a DoD BlackBerry when found after being lost or stolen. This is an operational security issue. | System Administrator; Information Assurance Officer | ECSC-1
SV-21864r4_rule | WIR1450-08 | LOW | IT Policy rule “Keystore Password Maximum Timeout” (Security policy group) must be set as required. | Encryption keys and certificates stored in the keystore may be exposed to compromise if the keystore is not locked after a set period of inactivity. | System Administrator; Information Assurance Officer | ECSC-1
SV-21865r4_rule | WIR1450-09 | MEDIUM | IT Policy rule “Allow Split-Pipe Connections” (Security policy group) must be set as required. | The BlackBerry could be at risk if an application is able to open an internal and an external connection on the BlackBerry at the same time. The BlackBerry could be exposed to malware. | System Administrator; Information Assurance Officer | ECSC-1
SV-21866r3_rule | WIR1450-10 | MEDIUM | IT Policy rule “FIPS Level” (Security policy group) must be set as required. | Data stored on the BlackBerry or transmitted by the BlackBerry could be compromised if not encrypted according to DoD/NIST standards. | System Administrator; Information Assurance Officer | ECSC-1
SV-21867r4_rule | WIR1450-11 | LOW | IT Policy rule “Minimal Signing Key Store Security Level” (Security policy group) must be set as required. | If not set correctly, the keystore, where encryption keys and digital certificates are stored, may not be encrypted with a strong encryption key. | System Administrator; Information Assurance Officer | ECSC-1
SV-21868r4_rule | WIR1450-12 | LOW | IT Policy rule “Minimal Encryption Key Store Security Level” (Security policy group) must be set as required. | If not set correctly, the keystore, where encryption keys and digital certificates are stored, may not be encrypted with a strong encryption key. | System Administrator; Information Assurance Officer | ECSC-1
SV-21869r4_rule | WIR1450-13 | MEDIUM | IT Policy rule “Force Content Protection of Master Keys” (Security policy group) must be set as required. | If not set, master keys (used for data encryption) will be stored on the BlackBerry in unencrypted form and could be compromised. | System Administrator; Information Assurance Officer | ECSC-1
SV-21870r4_rule | WIR1450-14 | LOW | IT Policy rule “Force LED Blinking When Microphone Is On” (Security policy group) must be set as required. | Users may not be aware that sensitive conversations are being recorded and/or transmitted. | System Administrator; Information Assurance Officer | ECSC-1
SV-21872r4_rule | WIR1450-16 | LOW | IT Policy rule “Password Required for Application Download” (Security policy group) must be set as required. | Malware or unauthorized applications could be downloaded inadvertently by the user if this control is not set. | System Administrator; Information Assurance Officer | ECSC-1
SV-21874r4_rule | WIR1450-18 | LOW | BES IT Policy rule must be configured as required. IT Policy rule “Disable Public Photo Sharing Applications” (Security policy group) must be set as required. | Public photo sharing web sites are known to be malware infested. | System Administrator; Information Assurance Officer | ECSC-1
SV-21880r4_rule | WIR1450-19 | LOW | BES IT Policy rule must be configured as required. IT Policy rule “Security Transcoder Cod File Hashes” (Security policy group) must be set as required. | Third-party applications can act as transcoders, use the transcoder API, and impact the security posture of the BlackBerry. A transcoder is used to translate specific types of content into a format for transmission to a BlackBerry and can cause changes to normally secure connections between the BlackBerry and web sites. See http://blog.masabi.com/2009/01/how-do-transcoders-affect-https.html for more details. | System Administrator; Information Assurance Officer | ECSC-1
SV-21882r5_rule | WIR1450-21 | LOW | BES IT Policy rule must be configured as required. IT Policy rule “Require FIPS Ciphers” (TLS policy group) must be set as required. | Only DoD FIPS encryption ciphers (e.g., AES) are authorized. Otherwise, the encrypted data in web connections may be susceptible to being analyzed by a hacker. | System Administrator; Information Assurance Officer | ECSC-1
SV-21883r5_rule | WIR1450-22 | LOW | BES IT Policy rule must be configured as required. IT Policy rule “Require FIPS Ciphers” (WTLS Application policy group) must be set as required. | Only DoD FIPS encryption ciphers (e.g., AES) are authorized. Otherwise, the encrypted data in web connections may be susceptible to being analyzed by a hacker. | System Administrator; Information Assurance Officer | ECSC-1
SV-21884r4_rule | WIR1450-23 | LOW | BES IT Policy rule must be configured as required. IT Policy rule “Allow Application Download Services” (Browser policy group) must be set as required. | Disables and removes icons placed on the BlackBerry by carriers (e.g., Verizon Wireless, AT&T, etc.) that are used to connect to carriers’ web sites where applications are sold. Unapproved applications can cause security issues for the DoD BlackBerry system. | System Administrator; Information Assurance Officer | ECSC-1
SV-21885r4_rule | WIR1450-24 | MEDIUM | BES IT Policy rule must be configured as required. IT Policy rule “Verify BlackBerry MDS Integration Service Certificate” (BlackBerry MDS Integration Service policy group) must be set as required. | Otherwise, an unauthenticated connection would be made between the BlackBerry and the BES MDS Integration Service, which could degrade security in the enclave. | System Administrator; Information Assurance Officer | ECSC-1
SV-21886r4_rule | WIR1450-25 | MEDIUM | BES IT Policy rule must be configured as required. IT Policy rule “Disable Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required. | Otherwise, users could connect to public BlackBerry MDS Integration Services to access public content, web, and application servers. These servers are not DoD-approved and may contain malware that could be downloaded onto a BlackBerry and transferred to the DoD enclave. | System Administrator; Information Assurance Officer | ECSC-1
SV-21892r4_rule | WIR1450-27 | LOW | BES IT Policy rule must be configured as required. IT Policy rule “Disable Carrier Directory” (Application Center policy group) must be set as required. | Disables the carrier’s Application Center directory on a BlackBerry device. Application Center is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded onto the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded onto a BlackBerry and transferred to the DoD enclave. | System Administrator; Information Assurance Officer | ECSC-1
    SV-21893r4_rule WIR1450-28 MEDIUM BES IT Policy rule must be configured as required. IT Policy rule “Desktop Allow Device Switch” (Desktop policy group) must be set as required. Stops a user from changing BlackBerry devices without the approval of the BlackBerry Administrator. BlackBerry security software (S/MIME, etc.) may not be installed correctly and other required provisioning steps may not be completed. BlackBerry device and system could be vulnerable to attack by hackers or malware.System AdministratorInformation Assurance OfficerECSC-1
    SV-21899r4_rule WIR1450-34 LOW BES IT Policy rule must be configured as required. IT Policy rule Disallow File Transfer Types (Instant Messaging policy group) must be set as required. Insecure file types are transferred to BlackBerry via IM, increasing the risk of malware being downloaded on the BlackBerry and being transferred to the DoD enclave.System AdministratorInformation Assurance OfficerECSC-1
    SV-21900r4_rule WIR1450-35 LOW BES IT Policy rule must be configured as required. IT Policy rule Disable BlackBerry Unite! Applications (BlackBerry Unite! policy group) must be set as required. BlackBerry Unite! is a public data sharing service where groups of BlackBerry users can share photos, calendar information, and other data. This service allows other users to see sensitive DoD data stored on a DoD BlackBerry.System AdministratorInformation Assurance OfficerECSC-1
    SV-21901r4_rule WIR1450-36 LOW BES IT Policy rule must be configured as required. IT Policy rule Disable Download Manager (BlackBerry Unite! policy group) must be set as required. BlackBerry Unite! is a public data sharing service where groups of BlackBerry users can share photos, calendar information, and other data. This service allows other users to see sensitive DoD data stored on a DoD BlackBerry. System AdministratorInformation Assurance OfficerECSC-1
    SV-21914r3_rule WIR1460-02 MEDIUM BlackBerrys with removable memory cards (e.g., MicroSD) must be compliant with requirements. IT Policy rule "External File System Encryption Level" (Security policy group) must be set as required. Malware could be downloaded from the memory card to the PC if not compliant. System AdministratorInformation Assurance OfficerECSC-1
    SV-21938r4_rule WIR1450-37 MEDIUM BES IT Policy rule must be configured as required. IT Policy rule “Disable User Initiated Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required. Users can connect to public BlackBerry MDS Integration Services to access public content, web, and application servers. These servers are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.System AdministratorInformation Assurance OfficerECSC-1
    SV-25478r4_rule WIR1450-38 LOW IT Policy rule “Allow BlackBerry Desktop Software Statistics” (Desktop policy group) must be set as required. This rule could allow software statistics on DoD BlackBerry devices to be automatically sent to BlackBerry, which may expose OPSEC information.System AdministratorInformation Assurance OfficerECWN-1
    SV-25479r3_rule WIR1450-39 MEDIUM IT Policy rule “Allow Discovery by User” (MDS Integration Service policy group) must be set as required. This rule allows a user to search for and install BlackBerry MDS Runtime Applications on a BlackBerry device. This could lead to the installation of unapproved applications and possible malware.System AdministratorInformation Assurance OfficerECWN-1
    SV-25482r4_rule WIR1445-03 MEDIUM IT Policy rule Encryption on On-Board Device Memory Media Files (Security policy group) must be set as required. If a media card is inserted in the BlackBerry® device, this rule specifies whether the media files that are located in the media card are encrypted to the user password and the device-generated key. If data is not encrypted, sensitive DoD data could be exposed to unauthorized people.System AdministratorInformation Assurance OfficerECWN-1
    SV-25483r4_rule WIR1450-42 LOW IT Policy rule Allow Network Address Book Sync (Service Exclusivity policy group) must be set as required. This rule specifies whether the carrier's backup can run on a BlackBerry® device, which permits a BlackBerry device user to synchronize only the contacts that are included in the user's MyFaves plan with the carrier's mobile backup. Use of this service may allow the storage of DoD sensitive data on a carrier server and expose the data to non-DoD personnel. System AdministratorInformation Assurance OfficerECWN-1
    SV-25484r4_rule WIR1450-43 LOW IT Policy rule “Allow User Feedback” (User Feedback policy group) must be set as required. This rule specifies whether a user can provide feedback to BlackBerry via a system message. This capability may provide OPSEC information about a DoD BlackBerry system or device.System AdministratorInformation Assurance OfficerECWN-1
    SV-25489r3_rule WIR1450-40 LOW IT Policy rule Disable organizer data access for social networking applications (Value-Added Applications policy group) must be set as required. This rule specifies whether a BlackBerry® device must prevent social networking applications from accessing organizer data. BlackBerry organizer (calendar, notes, and contacts) may contain sensitive DoD information that could be exposed to the public if social networking applications had access to it.System AdministratorInformation Assurance OfficerECWN-1
    SV-32228r4_rule WIR1405-22 LOW BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Message Access Profile” (Bluetooth policy group) must be set as required. Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.System AdministratorECSC-1
    SV-32230r4_rule WIR1465-02 LOW BES IT Policy rule is configured as required. IT Policy rule “Application Restriction Rule” (BlackBerry App World policy group) will be set as required. BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.System AdministratorECSC-1, IAKM-2
    SV-32231r4_rule WIR1465-03 LOW BES IT Policy rule must be configured as required. IT Policy rule “Category Restriction Rule” (BlackBerry App World policy group) must be set as required. BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave. System AdministratorECSC-1
    SV-32232r3_rule WIR1465-04 LOW BES IT Policy rule must be configured as required. IT Policy rule “Disable Application Purchasing” (BlackBerry App World policy group) must be set as required. BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.System AdministratorECSC-1
    SV-32233r4_rule WIR1445-04 MEDIUM BES IT Policy rule must be configured as required. IT Policy rule “Content Protection Usage” (Security policy group) must be set as required. DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.System AdministratorECSC-1
    SV-32234r3_rule WIR1450-44 MEDIUM BES IT Policy rule is configured as required. IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) must be set as required. When not configured properly, users can access data on the DoD network in shared folders without required CAC authentication to the network. System AdministratorECSC-1
    SV-33353r4_rule WIR1405-23 MEDIUM BES Bluetooth controls must be compliant with requirements. IT Policy rule “Minimum Encryption Key Length” (Bluetooth Only policy group) must be set as required. Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.System AdministratorECSC-1
    SV-39949r3_rule WIR1465-05 MEDIUM BES IT Policy rule is configured as required. IT Policy rule “Application Restriction List” (BlackBerry App World policy group) must be set as required. BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD-approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.System AdministratorECSC-1, ECWN-1
    SV-40622r3_rule WIR1470-01 MEDIUM BES IT Policy rule is configured as required. IT Policy rule “BlackBerry Playbook Log Submission” (Companion Devices policy group) must be set as required. Sensitive DoD information could be exposed if Playbook log information was sent to BlackBerry.System AdministratorECSC-1, ECWN-1
    SV-49134r3_rule WIR1400-12 MEDIUM BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. The device password must not contain more than two sequential characters or more than two repeating characters. Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals. If the password complexity is not compliant, it may be possible for a hacker to guess the password.System AdministratorECSC-1, IAIA-1
    SV-49135r2_rule WIR1405-24 MEDIUM BES Bluetooth controls must be compliant with requirements. IT Policy rule Human Interface Device Profile (Bluetooth Only policy group) must be set as required. Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable. Only Bluetooth profiles required for either the BlackBerry smart card reader or headset should be used.System AdministratorECSC-1
    SV-49136r2_rule WIR1435-02 MEDIUM IT Policy rule Disable Data Exchange for Mobile Hotspot Mode must be set as required. Sensitive DoD data could be exposed since data exchanged between CMDs connected to a hotspot is not encrypted.System AdministratorECSC-1
    SV-49137r2_rule WIR1445-05 MEDIUM BES IT Policy rule must be configured as required. IT Policy rule Media Card Format on Device Wipe (Security policy group) must be set as required. DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.System AdministratorECSC-1
    SV-49138r2_rule WIR1450-46 LOW BES IT Policy rule is configured as required. IT Policy rule Application Installation Methods (Security policy group) must be set as required. Unapproved applications have not been properly vetted and may contain malware. Therefore, applications should only be deployed to BlackBerry devices from BlackBerry Enterprise Servers (BES). System AdministratorCODP-1, ECSC-1
    SV-49139r1_rule WIR1450-47 LOW BES IT Policy rule is configured as required. IT Policy rule Media Server (Media Server policy group) must be set as required. The media server function on the device allows media files to be shared between BlackBerry devices without the data being encrypted. Therefore, sensitive DoD data could be exposed.System AdministratorECSC-1
    SV-49140r1_rule WIR1465-06 MEDIUM BES IT Policy rule is configured as required. IT Policy rule Public Channel Downloads (BlackBerry App World policy group) must be set as required. BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.System AdministratorECSC-1, ECWN-1
    SV-52390r1_rule WIR1450-48 MEDIUM IT Policy rule Enforce FIPS Mode of Operation (Security policy group) must be set as required. Data stored on the Blackberry or transmitted by the Blackberry could be compromised if not encrypted according to DoD/NIST standards.System AdministratorECSC-1