BlackBerry OS 7.x.x Security Technical Implementation Guide

U_BlackBerry_OS_7-X-X_V2R9_Manual-xccdf.xml

Version/Release: V2R9
Published: 2015-08-12
BlackBerry OS 7.x.x STIG in XCCDF format
Each entry below lists the Vuln ID, Rule Version, Severity, Title, Description, Responsibility and IA Control for one rule. (No CCI values are given for any rule in this release.)

Vuln: SV-12364r3_rule | Rule Version: WIR1030-01 | Severity: LOW
Title: When the Password Keeper is enabled on the BlackBerry device, the AO must review and approve its use, and the application must be configured as required.
Description: Password Keeper is a default BlackBerry application that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local AO. Passwords are stored using 256-bit AES encryption using the BlackBerry FIPS 140-2 certified encryption module. Passwords in the Password Keeper can be copied and pasted into other applications, but the password is unencrypted while it resides in the BlackBerry handheld device clipboard.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-12366r3_rule | Rule Version: WIR1040-02 | Severity: LOW
Title: BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Description: Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Vuln: SV-12370r3_rule | Rule Version: WIR1050-01 | Severity: HIGH
Title: Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
Description: Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Vuln: SV-12371r3_rule | Rule Version: WIR1055-01 | Severity: LOW
Title: BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy.
Description: S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and are required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-12372r2_rule | Rule Version: WIR1060-01 | Severity: LOW
Title: If BlackBerry email auto signatures are used, the signature message must not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).
Description: The disclaimer message may give information which may key an attacker in on the device. This is primarily an OPSEC issue. This setting was directed by USCYBERCOM.
Responsibility: Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-12375r2_rule | Rule Version: WIR1075-01 | Severity: LOW
Title: All Internet browser icons must be disabled on the BlackBerry device except for the BlackBerry Internet Browser icon.
Description: The BlackBerry Browser forces all Internet browsing to go through the site Internet gateway, which provides additional security over the carrier's browser.
IA Control: ECSC-1

Vuln: SV-21102r3_rule | Rule Version: WIR1040-01 | Severity: MEDIUM
Title: BlackBerry devices must have the required operating system software version installed.
Description: Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Vuln: SV-21127r2_rule | Rule Version: WIR1080-01 | Severity: LOW
Title: Security configuration settings on the BlackBerry devices managed by the site must be compliant with the requirements listed in Table 5, BlackBerry STIG Configuration Tables.
Description: These checks are related to a defense-in-depth approach for the BlackBerry, including ensuring the locked BlackBerry is not identified as a DoD BlackBerry and providing visual indicators when the Bluetooth radio is being used, so users can verify whether they initiated a Bluetooth connection attempt or a hacker initiated the connection.
IA Control: ECWN-1

Vuln: SV-21197r3_rule | Rule Version: WIR1055-02 | Severity: LOW
Title: BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications.
Description: S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and are required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Responsibility: Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-21228r3_rule | Rule Version: WIR1040-03 | Severity: MEDIUM
Title: BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Description: Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-21229r3_rule | Rule Version: WIR1040-04 | Severity: MEDIUM
Title: BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Description: Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-21230r3_rule | Rule Version: WIR1040-05 | Severity: LOW
Title: BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Description: Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Vuln: SV-25132r4_rule | Rule Version: WIR1040-06 | Severity: LOW
Title: The required version of the BlackBerry Smart Card Reader (SCR) hardware must be used, and the required versions of the drivers must be installed both on the BlackBerry and on the SCR.
Description: Required SCR security features are not available in earlier versions, and therefore Bluetooth vulnerabilities will not have been patched.
Responsibility: System Administrator, Information Assurance Officer

Vuln: SV-25495r3_rule | Rule Version: WIR1095-01 | Severity: LOW
Title: BlackBerry Web Desktop Manager (BWDM) or BlackBerry Desktop Manager (BDM) must be configured as required.
Description: The BWDM provides the capability for users to self-provision their BlackBerry and to synchronize their BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 07-15 rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256-character AD password.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Vuln: SV-33354r2_rule | Rule Version: WIR1045-01 | Severity: MEDIUM
Title: Only approved Bluetooth headset and handsfree devices must be used with site-managed BlackBerry devices.
Description: Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
IA Control: ECSC-1