BlackBerry OS 10.3.x Security Technical Implementation Guide

  • Version/Release: V1R4
  • Published: 2019-12-18
  • Released: 2020-01-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
c
BlackBerry OS 10.3 must require a valid password be successfully entered before the mobile device data is unencrypted.
SC-28 - High - CCI-002476 - V-65683 - SV-80173r1_rule
RMF Control
SC-28
Severity
High
CCI
CCI-002476
Version
BB10-3X-000100
Vuln IDs
  • V-65683
Rule IDs
  • SV-80173r1_rule
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. Note: MDF PP v.2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This STIGID addresses the configuration to require a password, which is critical to the cybersecurity posture of the device. SFR ID: FIA_UAU_EXT.1.1
Checks: C-66313r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if a valid password has been successfully entered before the mobile device data is unencrypted. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the Validation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Setting” and “BlackBerry” tabs. 5. Scroll down to the “Password" group of IT policy rules. 6. Check "Password required for work space". On the BlackBerry device, do the following: 1. From either the Work Space or Personal Space, navigate to Settings >> BlackBerry Balance. 2. Verify "Work Password" is toggled to the right and dimmed (Not accessible). If the BES IT Policy rule "Password Required for Work Space" is not selected, or on the BlackBerry device the "Work Password" is not toggled to the right and dimmed (Not accessible) this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71701r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Password" group of IT policy rules. 7. Select the check box next to the IT Policy "Password required for work". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

a
BlackBerry OS 10.3 must enforce a minimum password length of 6 characters.
IA-5 - Low - CCI-000205 - V-65685 - SV-80175r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000205
Version
BB10-3X-000110
Vuln IDs
  • V-65685
Rule IDs
  • SV-80175r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #01a
Checks: C-66319r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if a minimum password length of 6 characters is enforced. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Setting” and “BlackBerry” tabs. 5. Scroll down to the “Password” group of IT policy rules. 6. Verify "Minimum password length" is set to "6". On the BlackBerry device: 1a. For "Work-Only" activation type: navigate to Settings >> Security and Privacy >> Device Password and select "Change Password". 1b. For "Work and personal - Corporate" and "Work and personal - Regulated" activation types: navigate to Settings >> Security and Privacy >> Device Password and select "BlackBerry Balance" and select "Change Password". 2. Authenticate using the current password. 3. Attempt to change the password to a length of less than 6 characters. 4. Select "Password Rules" and verify the message "Your password must be at least 6 characters." is displayed. If the BES IT policy rule "Minimum Password Length" is not set to "6", or the BlackBerry device allows a new password to be set with less than 6 characters, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71709r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Password” group of IT policy rules. 7. Set "Minimum password length" to "6". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must lock the Work Space after 15 minutes (or less) of inactivity.
AC-11 - Medium - CCI-000057 - V-65687 - SV-80177r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
BB10-3X-000120
Vuln IDs
  • V-65687
Rule IDs
  • SV-80177r1_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #01b
Checks: C-66331r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the Work Space locks after 15 minutes (or less) of inactivity. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Password” group of IT policy rules. 6. Verify "Security timeout" is set to "15 minutes" or less. On the BlackBerry device: 1. From either the Work Space or Personal Space, navigate to Settings >> Security and Privacy >> Device Password. 2. Verify "Lock Device After" is set to "15 Minutes" or less, with higher values hidden. If the BES IT policy rule "Security Timeout" is not set to "15 minutes" or less or on the BlackBerry device "Lock Device After" is set to more than "15 Minutes", this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71719r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Password” group of IT policy rules. 7. Set "Security timeout" to "15 minutes" or less. 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

a
BlackBerry OS 10.3 must not allow more than 10 consecutive failed authentication attempts.
AC-7 - Low - CCI-000044 - V-65689 - SV-80179r1_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-000044
Version
BB10-3X-000140
Vuln IDs
  • V-65689
Rule IDs
  • SV-80179r1_rule
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #02
Checks: C-66337r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry allows more than 10 consecutive failed authentication attempts. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Password” group of IT policy rules. 6. Verify "Maximum password attempts" is set to "10" or less. On the BlackBerry device: 1a. For "Work-Only" activation type: navigate to Settings >> Security and Privacy >> Device Password and select "Change Device Password". Enter incorrect device password one time. Verify the error message shows "Incorrect password (n/x)" where x is 10 or less. 1b. For "Work and personal - Corporate" and "Work and personal - Regulated" activation types: navigate to Settings >> Security and Privacy >> Device Password and select "BlackBerry Balance" and verify "Password Attempt Limit" drop down box is “10” or less. If the BES IT policy rule "Maximum Password Attempts" is not set to "10" or less or on the BlackBerry device the "Password Attempt Limit" drop down box is more than “10” (for "Work and personal - Corporate" and "Work and personal - Regulated" activation types) or has an error message of "Incorrect password (n/x)" where x is more than “10” (for "Work-Only" activation type), this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71727r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Password” group of IT policy rules. 7. Set "Maximum password attempts" to "10" or less. 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must not allow protocols supporting wireless remote access connections.
AC-17 - Medium - CCI-000063 - V-65691 - SV-80181r1_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000063
Version
BB10-3X-000180
Vuln IDs
  • V-65691
Rule IDs
  • SV-80181r1_rule
Having wireless remote access connections enabled could allow establishment of unauthorized remote access connections, which may give an adversary unintended capabilities. These remote access connections would expose the mobile device to additional risk, thereby increasing the likelihood of compromise of the confidentiality and integrity of its resident data. In this context, tethering refers to wired connections to an external device and not use of the device as a hotspot. A mobile device providing personal hotspot functionality is not considered wireless remote access if the functionality only provides access to a distribution network (such as a mobile carrier's cellular data network) and does not provide access to local applications or data. SFR ID: FMT_SMF_EXT.1.1 #23
Checks: C-66345r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry does not allow protocols supporting wireless remote access connections. This procedure is performed only on the BES console. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device Functionality” group of IT policy rules. 6. Verify "Allow transfer of work files using Bluetooth OPP or a Wi-Fi Direct connection" is not selected. If the BES IT policy rule "Allow transfer of work files using Bluetooth OPP or a Wi-Fi Direct connection" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71733r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow transfer of work files using Bluetooth OPP or a Wi-Fi Direct connection". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must not allow use of developer modes.
CM-7 - Medium - CCI-000381 - V-65693 - SV-80183r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
BB10-3X-000190
Vuln IDs
  • V-65693
Rule IDs
  • SV-80183r1_rule
Developer modes expose features of the BlackBerry device that are not available during standard operation. When the Development Mode is enabled on BlackBerry 10 OS devices, the user has the capability to sideload apps to either the Work Space or Personal Space. Disabling this feature removes the capability for a user to sideload apps. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD-sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #24
Checks: C-66347r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry does not allow developer modes. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Setting” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Allow development mode access to work space" is not selected. 7. Verify "Restrict development mode" is selected. On the BlackBerry device: 1. From either the Work Space or Personal Space, navigate to Settings >> Security and Privacy >> Development Mode. 2. Verify "Development Mode" is toggled to the left (off) and not accessible. If the BES IT policy rule "Restrict development mode" is not selected or the BlackBerry device "Development Mode" is toggled to the right (on) or accessible, this is a finding. Note: The BES IT Policy rule "Allow development mode access to work space" may not be visible once the BES IT Policy rule "Restrict development mode" is selected. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71735r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Unselect the check box next to the IT policy "Allow development mode access to work space". 8. Select the check box next to the IT Policy "Restrict Development Mode". 9. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

c
BlackBerry OS 10.3 must protect data at rest on removable storage media. The requirement applies only to Work - Only Activation types.
SC-28 - High - CCI-001199 - V-65695 - SV-80185r1_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
BB10-3X-000210
Vuln IDs
  • V-65695
Rule IDs
  • SV-80185r1_rule
The BlackBerry device must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #26
Checks: C-66349r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry protects data at rest on removable storage media. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of the IT policy. 6. Verify "Force media card encryption" is checked". On the BlackBerry device: 1. Ensure a media card is installed in the BlackBerry. 2. Navigate to Settings >> Security and Privacy >> Encryption. 3. Verify that "Media Card Encryption" is not a listed option. If the BES IT policy rule "Force media card encryption" is not selected or the BlackBerry device "Media Card Encryption" is a listed option, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71737r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Force card encryption". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

a
BlackBerry OS 10.3 must display the DoD advisory warning message each time the device restarts. This requirement does not apply to Work and personal - Corporate.
AC-8 - Low - CCI-000048 - V-65697 - SV-80187r1_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
BB10-3X-000240
Vuln IDs
  • V-65697
Rule IDs
  • SV-80187r1_rule
The BlackBerry OS 10.3 is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner shall be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.” The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. For devices with severe character limitations, the banner text is: I've read & consent to terms in IS user agreem't. The administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF_EXT.1.1 #36
Checks: C-66351r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry displays the DoD advisory warning message at start-up or each time the user unlocks the device. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and privacy” group of IT policy rules. 6. Verify "Display organization notice after device restart" is selected. On the BlackBerry device: 1. From either the Work Space or Personal Space, while holding the Power button, select "Restart" to reboot the device. 2. When the device restarts, ensure the required DoD warning banner (see VulDescription) is displayed on the lock screen. If the BES IT policy rule "Display Organization Notice After Device Restart" is not selected or on the BlackBerry device the required banner is not displayed after the device restarts, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71739r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Display organization notice after device restart". 8. Click "Save". Note: If the organization Notice or the device profile does not exist, complete the following. Create an Organizational Notice: 1. On the menu bar, click “Settings”. 2. In the left pane, expand “General settings”. 3. Click “Organization notices”. 4. Click "+" at the right side of the screen. 5. In the “Name” field, type a name for the organization notice. 6. In the “Device language” drop-down list, select the language to use as the default language for the organization notice. 7. In the “Organization notice” field, type the DoD banner found in the VulDescription. 8. If additional languages are required, click "Add an additional language" to post the organization notice in more languages. 9. If you post the organization notice in more than one language, select the Default language option below one of the messages to make it the default language. 10. Click "Save". 11. Assign the organization notice to all applicable device profiles. Create a device profile: 1. On the menu bar, click "Policies and Profiles". 2. Click "+" beside "Device". 3. Type a name and description for the profile. Each device profile must have a unique name. 4. Click "BlackBerry". 5. In the “Assign organization notice” drop-down list, select the organization notice that you want to display on devices. 6. Click "Add". Add the Device Profile to all applicable groups: 1. On the menu bar, click "GROUPS". 2. For all applicable groups, select the group from the group list. 3. Click "Settings" tab. 4. Click "+" beside "IT policy and profiles". 5. Select "Device" from menu. 6. Select the appropriate Device profile from the drop down menu". 7. Click "Assign".

b
BlackBerry OS 10.3 must not allow the USB mass storage mode.
CM-7 - Medium - CCI-000381 - V-65699 - SV-80189r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
BB10-3X-000250
Vuln IDs
  • V-65699
Rule IDs
  • SV-80189r1_rule
USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #39
Checks: C-66353r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry does not allow a USB mass storage mode. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device functionality” group of IT policy rules. 6. Verify "Allow USB OTG mass storage" is not selected. On the BlackBerry device: 1. On the BlackBerry device attach a Micro USB OTG to USB 2.0 adapter cable to the BlackBerry Micro USB port. 2. Connect USB drive to the adapter cable. 3. Open file manager icon on the BlackBerry. 4. Tap the three horizontal lines on the bottom left of the screen. 5. Verify the USB drive is not listed. If the BES IT policy rule "USB OTG Mass Storage" is selected or the BlackBerry device file manager application displays a USB drive, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71741r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device functionality” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow USB OTG mass storage". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

a
BlackBerry OS 10.3 must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
CM-7 - Low - CCI-000381 - V-65701 - SV-80191r1_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
BB10-3X-000290
Vuln IDs
  • V-65701
Rule IDs
  • SV-80191r1_rule
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach BlackBerry OS 10.3 smartphone security. Disabling automatic transfer of such information mitigates this risk. SFR ID: FMT_SMF_EXT.1.1#45
Checks: C-66355r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry disables automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. This procedure is performed on only on the BES console. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Apps” group of IT policy rules. 6. Verify "Allow wireless service provider apps" is not selected. If the BES IT policy rule "Allow wireless service provider apps" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71743r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Apps” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow wireless service provider apps". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 work space whitelist must not include applications with the following characteristics: (See Vulnerability Discussion for list).
CM-6 - Medium - CCI-000366 - V-65703 - SV-80193r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000330
Vuln IDs
  • V-65703
Rule IDs
  • SV-80193r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. List of characteristics: -backup MD data to non-DoD cloud servers (including user and application access to cloud backup services); -transmit MD diagnostic data to non-DoD servers; -voice assistant application if available when MD is locked; -voice dialing application if available when MD is locked; -allows synchronization of data or applications between devices associated with user; -payment processing; and -allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-66357r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry contains applications with the following characteristics: -backup MD data to non-DoD cloud servers (including user and application access to cloud backup services); -transmit MD diagnostic data to non-DoD servers; -voice assistant application if available when MD is locked; -voice dialing application if available when MD is locked; -allows synchronization of data or applications between devices associated with user; -payment processing; and -allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "APPS” tab at the top of the screen. 2. Scroll through the list of applications. 3. Verify that there are no applications installed with the following Characteristics: -backup MD data to non-DoD cloud servers (including user and application access to cloud backup services); -transmit MD diagnostic data to non-DoD servers; -voice assistant application if available when MD is locked; -voice dialing application if available when MD is locked; -allows synchronization of data or applications between devices associated with user; -payment processing; and -allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. On the BlackBerry device: 1. From the Work Space and Personal Space (on applicable activation types), swipe through the application windows. 2. Verify that there are no applications installed with the following Characteristics: -backup MD data to non-DoD cloud servers (including user and application access to cloud backup services); -transmit MD diagnostic data to non-DoD servers; -voice assistant application if available when MD is locked; -voice dialing application if available when MD is locked; -allows synchronization of data or applications between devices associated with user; -payment processing; and -allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. If on the BES12 console, any applications are listed that contain the prohibited characteristics, or on the BlackBerry device, if any applications containing the prohibited characteristics are installed, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71745r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "APPS” tab at the top of the screen. 2. Select the check box next to all applications to be removed. 3. Select the trashcan icon in the upper left to delete the selected applications. 4. Select "Delete" when prompted. On the BlackBerry Device: 1. Select and hold the icon for the application to be deleted until the icons begin to pulse. 2. Select the trashcan icon next to the application to be deleted. 3. Select "Delete" when prompted. 4. Repeat for additional applications to be deleted. 5. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
CM-6 - Medium - CCI-000366 - V-65705 - SV-80195r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000340
Vuln IDs
  • V-65705
Rule IDs
  • SV-80195r1_rule
Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #20
Checks: C-66359r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device functionality” group of IT policy rules. 6. Verify the following IT Policies are not selected: - Allow Bluetooth file transfer using OBEX - Allow Bluetooth MAP - Allow transfer work messages using Bluetooth MAP without prompt - Allow Bluetooth PAN profile - Allow transfer of work messages using Bluetooth MAP - Allow Bluetooth Contacts Transfer Using PBAP - Allow Transfer of Work Contacts Using Bluetooth PBAP or HFP If any of the following the BES IT policy rules is selected , this is a finding: - Allow Bluetooth file transfer using OBEX - Allow Bluetooth MAP - Allow transfer work messages using Bluetooth MAP without prompt - Allow Bluetooth PAN profile - Allow transfer of work messages using Bluetooth MAP - Allow Bluetooth Contacts Transfer Using PBAP - Allow Transfer of Work Contacts Using Bluetooth PBAP or HFP Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71747r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Unselect the check box next to the following IT Policies: - Allow Bluetooth file transfer using OBEX - Allow transfer work messages using Bluetooth MAP without prompt - Allow Bluetooth MAP - Allow Bluetooth PAN profile - Allow transfer of work messages using Bluetooth MAP - Allow Bluetooth Contacts Transfer Using PBAP - Allow Transfer of Work Contacts Using Bluetooth PBAP or HFP. 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must be configured to prevent non-approved updates of system software.
CM-6 - Medium - CCI-000366 - V-65707 - SV-80197r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000380
Vuln IDs
  • V-65707
Rule IDs
  • SV-80197r1_rule
FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (i.e., disabling applications determined to pose risk), the administrator can re-enable FOTA. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66361r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to prevent non-approved updates of system software. This procedure is performed only on the BES console. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device functionality” group of IT policy rules. 6. Verify "Allow wireless software updates" is set to "allow". 7. Verify a Device SR requirement profile is assigned to every user: -Click on "Users and Devices" tab at the top of the screen. -Select at least 5 random users in-turn -Select the user -Verify a Device SR requirement profile is listed under IT policy and profile Note: Step 7 above will, by default, verify "Maximum software release version" has a value. If the BES IT policy rule "Allow wireless software updates" is not selected and a Device SR requirement profile has not been assigned to all users, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71749r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device functionality” group of IT policy rules. 7. Select the check box next to the IT Policy "Allow wireless software updates". 8. Assign SR requirement profile to every user. 9. Click "Save". Note: If an SR requirements profile does not exist, you must create one before it can be assigned. To create a device SR requirements profile: 1. Select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Select the "+" beside Device SR requirements in the menu. 3. Type a name and description for the profile. 4. Type a name and description for the profile. 5. Select the "Make update required" check box. 6. In the "Minimum software release version" drop-down list, select the minimum software version that a BlackBerry 10 device must be running. 7. In the "Maximum software release version" drop-down list, select the maximum software version that a BlackBerry 10 device must be running. 8. Click "Save". 9. Click "Add". To Assign the SR requirements policy to a user: 1. On the menu bar, click "USER AND DEVICES". 2. For all applicable users, select the user from the list. 3. Click "+" beside "IT policy and profiles". 4. Select "Device SR requirements" from menu. 5. Select the appropriate Device SR requirements profile from the drop down menu". 6. Click "Assign". To Assign the SR requirements policy to a group: 1. On the menu bar, click "GROUPS". 2. For all applicable groups, select the group from the list. 3. Click "Settings" tab. 4. Click "+" beside "IT policy and profiles". 5. Select "Device SR requirements" from menu. 6. Select the appropriate Device SR requirements profile from the drop down menu". 7. Click "Assign". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: limit Work Space contact data available in Personal space.
CM-6 - Medium - CCI-000366 - V-65709 - SV-80199r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000930
Vuln IDs
  • V-65709
Rule IDs
  • SV-80199r1_rule
The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information that should not be revealed. There may be cases in which an organization has determined it is an acceptable risk to distribute parts of a person's contact record but not others. Enabling the system administrator to select which fields are available outside the contact database application (or to applications outside the work persona in the case of a dual persona device) assists with management of the risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66363r4_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry limits Work Space contact data available in Personal space. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Allow personal apps to access work contacts" is set to "Only BlackBerry Apps". If the BES IT policy rule "Allow personal apps to access work contacts" is not set to "Only BlackBerry Apps", this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71751r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Set the IT Policy "Allow personal apps to access work contacts" to "BlackBerry Apps Only". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: must bind removable storage media cards to the mobile device via centrally managed policy. This requirement is applicable to Work space only activation Type.
CM-6 - Medium - CCI-000366 - V-65711 - SV-80201r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000950
Vuln IDs
  • V-65711
Rule IDs
  • SV-80201r1_rule
The removable media card is an extension of the embedded device media. In order to protect sensitive data stored on the media card, the data must be encrypted and bound to the device such that it cannot be read by other mobile devices and computers. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66365r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: must bind removable storage media cards to the mobile device via centrally managed policy. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Force media card encryption" is selected. On the BlackBerry device: 1. Navigate to Settings >> Security and Privacy >> Encryption. 2. Verify "Media Card Encryption" is not a listed option. If the BES IT policy rule "Force media card encryption" is not selected or on the BlackBerry device the "Media Card Encryption" is listed as an option, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71753r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules. 7. Select the check box next to the IT Policy "Force card encryption". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: disable Bluetooth Discoverable Mode via centrally managed policy. This requirement only applies to Work space only and Work and personal - Regulated activation types.
CM-6 - Medium - CCI-000366 - V-65713 - SV-80203r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000970
Vuln IDs
  • V-65713
Rule IDs
  • SV-80203r1_rule
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. Disabling Discoverable mode reduces the risk of a non-authorized Bluetooth device connecting the DoD BlackBerry. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66367r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disable Bluetooth Discoverable Mode via centrally managed policy. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device Functionality” group of IT policy rules. 6. Verify "Allow Bluetooth discoverable mode" is not selected. On the BlackBerry device: 1. From either the Work Space or Personal Space, navigate to "Settings" >> "Network and Connections" >> "Bluetooth”. 2. Turn on Bluetooth. 3. Verify "Discoverable Mode" is set to "off" and greyed out. If the BES IT policy rule "Allow Bluetooth discoverable mode" is selected or on the BlackBerry device the "Discoverable Mode" is not set to "off" and greyed out, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71755r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow Bluetooth discoverable mode". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: disable the transfer of any file-based data via Bluetooth.
CM-6 - Medium - CCI-000366 - V-65715 - SV-80205r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000980
Vuln IDs
  • V-65715
Rule IDs
  • SV-80205r1_rule
Bluetooth data transfers, except when using an approved smart card reader, do not use FIPS validated encryption. Therefore data transfer via Bluetooth must be disabled to mitigate the possible loss of sensitive DoD information. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66371r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disable the transfer of any file-based data via Bluetooth. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users, in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device Functionality” group of IT policy rules. 6. Verify "Allow transfer of work files using Bluetooth OPP or a Wi-Fi Direct connection" is not selected. If the BES IT policy rule "Allow transfer of work files using Bluetooth OPP or a Wi-Fi Direct connection" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71759r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow transfer of work files using Bluetooth OPP or a Wi-Fi Direct connection". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: disable the transfer of any file-based data via Near Field Communication (NFC) via centrally managed policy.
CM-6 - Medium - CCI-000366 - V-65717 - SV-80207r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-000990
Vuln IDs
  • V-65717
Rule IDs
  • SV-80207r1_rule
NFC data transfers do not use FIPS validated encryption. Therefore data transfer via NFC must be disabled to mitigate the possible loss of sensitive DoD information. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66373r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disable the transfer of any file-based data via Near Field Communication (NFC) via centrally managed policy. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device Functionality” group of IT policy rules. 6. Verify "Allow transfer of work data using NFC" is not selected. If the BES IT policy rule "Allow transfer of work data using NFC" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71761r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Transfer Work Data Using NFC". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: enforce the minimum password length for the Personal Space password to 4 digits. This requirement does not apply to the Work space only activation type.
CM-6 - Medium - CCI-000366 - V-65719 - SV-80209r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-001000
Vuln IDs
  • V-65719
Rule IDs
  • SV-80209r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. A password is required for the Personal Space to stop access to the BlackBerry desktop by an unauthorized person. This is a mobile security best practice control. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66375r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: enforce the minimum password length for the Personal Space password to 4 digits. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. This requirement can be enforced by two methods: Method 1: Have the user set a personal space password of at least 4 characters. Method 2: Force the Personal Space password to be the same as the Work Space password. For Method 1: On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Password” group of IT policy rules. 6. Verify "Require full device password" is selected. 7. Verify "Define work space and device password behavior" is set to "Different" or "User Choice". On the BlackBerry Device: 8. Have user unlock the BlackBerry device. 9. Verify the user enters a password of at least 4 characters. For Method 2: On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Password” group of IT policy rules. 6. Verify "Require full device password" is selected. 7. Verify "Define work space and device password behavior" is set to "Same". If the user is using a Personal Space password of less than 4 characters (for method 1) or the BES IT Policy rule "Require full device password" is not selected (for method 2), this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71763r3_fix

On the BES 12, do the following: For Method 1: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Password” group of IT policy rules. 7. Select the check box next to the IT Policy "Require full device password". 8. Set "Define work space and device password behavior" to "Different" or "User Choice" using the drop-down menu. 9. Have user unlock the BlackBerry device. 10. Verify the user enters a password of at least 4 characters. 11. Click "Save". For Method 2: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Password” group of IT policy rules. 7. Select the check box next to the IT Policy "Require full device password". 8. Set "Define work space and device password behavior" to "Same" using the drop-down menu. 9. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: disallow Personal Space applications access to the Work Space network connection. This requirement does not apply to the Work space only activation type.
CM-6 - Medium - CCI-000366 - V-65721 - SV-80211r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-001010
Vuln IDs
  • V-65721
Rule IDs
  • SV-80211r1_rule
Allowing movement of files and data from the personal Space to the Work Space will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66377r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disallow Personal Space applications access to the Work Space network connection. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and privacy” group of IT policy rules. 6. Verify "Allow personal apps to use work networks" is not selected. If the BES IT Policy rule "Allow personal apps to use work networks" is selected, this is a finding.

Fix: F-71765r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and privacy” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow personal apps to use work networks". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: disable BlackBerry Bridge.
CM-6 - Medium - CCI-000366 - V-65723 - SV-80213r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-001040
Vuln IDs
  • V-65723
Rule IDs
  • SV-80213r1_rule
BlackBerry Bridge is used to view information on the BlackBerry via the BlackBerry Playbook tablet. Use of the BlackBerry Playbook is not allowed in the DoD, therefore BlackBerry Bridge must be disabled. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66379r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disable BlackBerry Bridge. This procedure is performed on only on the BES console. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Allow BlackBerry Bridge to access the work space" is not selected. If the BES IT Policy rule "Allow BlackBerry Bridge to access the work space" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71767r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Edit. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow BlackBerry Bridge to access the work space". 8. Click "Save". Note: Procedures above are for BES 12 only.

b
BlackBerry OS 10.3 must implement the management setting: disable lock screen preview of work content.
CM-6 - Medium - CCI-000366 - V-65725 - SV-80215r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-001050
Vuln IDs
  • V-65725
Rule IDs
  • SV-80215r1_rule
Sensitive data could be viewed if the preview of data on the locked screen is not disabled and could be exposed to unauthorized viewers. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66381r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disable lock screen preview of work content. This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Allow lock screen preview of work content" is not selected. On the BlackBerry device: 1. While holding the Power button from either the Work Space or Personal Space, select "Lock" to lock the device. 2. Verify the Work Space content is not visible on the lock screen. If the BES IT policy rule "Allow lock screen preview of work content" is selected or on the BlackBerry device the Work Space content is visible on the lock screen, this is a finding. Note: Procedures above are for BES 12 only.

Fix: F-71769r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow lock screen preview of work content". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different

a
The BlackBerry MDM Agent must be configured to operate in a NIAP Common Criteria mode of operation, to enable generation of audit records of required events: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types.
CM-6 - Low - CCI-000366 - V-65727 - SV-80217r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020200
Vuln IDs
  • V-65727
Rule IDs
  • SV-80217r1_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required audit events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66383r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to operate in a NIAP Common Criteria mode of operation, to enable generation of an audit record of required events for Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Enable NIAP Common Criteria functionality" is selected. If the BES IT policy rule "Enable NIAP Common Criteria functionality" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71771r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Enable NIAP Common Criteria functionality". 8. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

a
The BlackBerry MDM Agent must be configured to generate an audit record of required events: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65731 - SV-80221r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020210
Vuln IDs
  • V-65731
Rule IDs
  • SV-80221r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required audit events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66387r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to generate an audit record of required events for Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Event logging" is selected. If the BES IT policy rule "Event logging" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71775r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

a
The BlackBerry MDM Agent must be configured to generate an audit record of successful required events, including: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65733 - SV-80223r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020220
Vuln IDs
  • V-65733
Rule IDs
  • SV-80223r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66389r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to generate an audit record of successful required events, including Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Successful event logging" is selected. If the BES IT policy rule "Successful event logging" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71777r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Select the check box next to the IT Policy "Successful event logging". 9. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

a
The BlackBerry MDM Agent must be configured to generate an audit record of required Informational level events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65741 - SV-80231r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020230
Vuln IDs
  • V-65741
Rule IDs
  • SV-80231r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66409r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to generate an audit record of required Informational level events, which may include Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Info event logging" is selected. If the BES IT policy rule "Info event logging" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71797r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Select the check box next to the IT Policy "Info event logging". 9. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

a
The BlackBerry MDM Agent must be configured to generate an audit record of failed required events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65743 - SV-80233r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020240
Vuln IDs
  • V-65743
Rule IDs
  • SV-80233r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66413r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to generate an audit record of failed required events, which may include Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Event logging" is selected functionality" is selected. 7. Verify "Failure event logging" is selected. If the BES IT policy rule "Failure event logging" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71801r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Select the check box next to the IT Policy "Failure event logging". 9. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

a
The BlackBerry MDM Agent must be configured to generate an audit record of required error level events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65745 - SV-80235r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020250
Vuln IDs
  • V-65745
Rule IDs
  • SV-80235r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66417r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to generate an audit record of required error level events, which may include Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Error event logging" is selected. If the BES IT policy rule "Error event logging" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71805r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Select the check box next to the IT Policy "Error event logging". 9. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

a
The BlackBerry MDM Agent must be configured to generate an audit record of required warning level events, which may include: (See Vulnerability Discussion for list). This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65747 - SV-80237r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020260
Vuln IDs
  • V-65747
Rule IDs
  • SV-80237r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Required events: a. Start-up and shutdown of the audit functions; b. Change in MDM policy; c. Device modification commanded by the MDM server; d. Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66423r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to generate an audit record of required warning level events, which may include Start-up and shutdown of the audit functions, Change in MDM policy, Device modification commanded by the MDM server, and Specifically defined auditable events in Table 7 of MDM Agent EP v.2.0. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Warning event logging" is selected. If the BES IT policy rule "Warning event logging" is not selected, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71811r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Select the check box next to the IT Policy "Warning event logging". 9. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

b
BlackBerry OS 10.3 must force the use of BBM Protected mode.
CM-6 - Medium - CCI-000366 - V-65749 - SV-80239r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020265
Vuln IDs
  • V-65749
Rule IDs
  • SV-80239r1_rule
BBM Protected mode provides strong data encryption for the Blackberry chat service. If data-in-transit is unencrypted, it is vulnerable to disclosure. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66427r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry forces the use of BBM Protected mode. This procedure is performed on only on the BES console Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Use BBM Protected" is selected. If the BES IT Policy rule "Use BBM Protected" is not selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71815r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Use BBM Protected". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

a
The BlackBerry MDM Agent must be configured to synchronize generated audit records of required events every 6 hours or less. This requirement only applies to Work space only and Work and personal - Regulated activation types and to version 10.3.3 and later of the BlackBerry OS.
CM-6 - Low - CCI-000366 - V-65751 - SV-80241r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BB10-3X-020270
Vuln IDs
  • V-65751
Rule IDs
  • SV-80241r2_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. SFR ID: FAU_GEN.1.1(2) Refinement, MDM Agent EP
Checks: C-66431r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry is configured to synchronize generated audit records of required events every "6 hours" or less. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Event log synchronization frequency" is set to "6 hours" or less. If the BES IT policy rule Event log synchronization frequency" is not set to "6 hours" or less, this is a finding. Note: Procedures above are for BES 12 only, and is not available on BES 10.

Fix: F-71819r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Event logging". 8. Set "Event log synchronization frequency" to "6 hours" or less. 9. Click "Save". Note: Procedures above are for BES 12 only, and is not available on BES 10.

b
BlackBerry OS 10.3 must implement the management setting: disable Voice Dictation in Work Applications.
CM-6 - Medium - CCI-000366 - V-65753 - SV-80243r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020275
Vuln IDs
  • V-65753
Rule IDs
  • SV-80243r1_rule
Voice Dictation in Work Applications uses a cloud based services to provide dictation support. Sensitive DoD data could be at risk of exposures if this service is enabled. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66433r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: disable Voice Dictation in Work Applications. This procedure is performed on only on the BES console Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and Privacy” group of IT policy rules. 6. Verify "Allow voice dictation in work apps" is not selected. If the BES IT Policy rule "Allow voice dictation in work apps" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71821r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and Privacy” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow voice dictation in work apps". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: display External Email Address Warning Message.
CM-6 - Medium - CCI-000366 - V-65755 - SV-80245r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020280
Vuln IDs
  • V-65755
Rule IDs
  • SV-80245r1_rule
The "External Email Address Warning Message" allows administrators to enforce a feature on the BlackBerry 10 smartphones to display a warning message for email addresses that are deemed as external to the primary internal mail domain. This feature provides a safeguard for accidently sending sensitive DoD information to email addresses external to the DoD. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66435r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: display External Email Address Warning Message. This procedure is performed on both the BES console and BlackBerry device. Note: If an organization has multiple configuration profiles, then the Implementation procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Apps” group of IT policy rules. 6. Verify "Display indicator for external email addresses" is selected. On the BlackBerry device: 1. Open the email application and select "Compose". 2. In the "to" field, enter an email address for an external contact. 3. As you type email address, verify "(External Address - Not recommended)" is displayed. 4. After completing email address, email address should be highlighted in red. If the BES IT Policy rule "Display indicator for external email addresses" is not selected, or on the BlackBerry device a warning indicator is not received (as described above), this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71823r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Apps” group of IT policy rules. 7. Select the check box next to the IT Policy "Display indicator for external email addresses". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must implement the management setting: Check certificate expiry for MDM connection.
CM-6 - Medium - CCI-000366 - V-65757 - SV-80247r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020290
Vuln IDs
  • V-65757
Rule IDs
  • SV-80247r1_rule
Without strong authentication of the MDM, the MDM agent may connect to a rogue MDM and the mobile device could then come under management control of the rogue MDM. This could lead to exposure of sensitive DoD data. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66439r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: Check certificate expiry for MDM connection. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and privacy” group of IT policy rules. 6. Verify "Check certificate expiry for MDM connection" is selected. If the BES IT Policy rule "Check certificate expiry for MDM connection" is not selected, this is a finding.

Fix: F-71827r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Check certificate expiry for MDM connection ". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

c
BlackBerry OS 10.3 must protect data at rest on built-in storage media for Personal space. This requirement only applies to Work and Personal Corporate and Work and personal - Regulated activation types.
CM-6 - High - CCI-000366 - V-65759 - SV-80249r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
BB10-3X-020300
Vuln IDs
  • V-65759
Rule IDs
  • SV-80249r1_rule
The BlackBerry device must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #25
Checks: C-66441r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry protects data at rest on built-in storage media for Personal space. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and privacy” group of IT policy rules. 6. Verify "Force personal space data encryption" is selected. On the BlackBerry device: 1. From either the Work Space or Personal Space, navigate to "Settings" >> "Security and Privacy" >> "Encryption". 2. Verify "Device Encryption" is toggled to the right (on) and not accessible. If the BES IT Policy rule "Force personal space data encryption" is not selected, or on the BlackBerry device if "Device Encryption" is toggled to the left (off) and accessible, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71829r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Force personal space data encryption ". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must prevent opening links in work email messages in the personal browser. This requirement only applies to Work and personal - Corporate and Work and personal - Regulated activation types.
CM-6 - Medium - CCI-000366 - V-65761 - SV-80251r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020320
Vuln IDs
  • V-65761
Rule IDs
  • SV-80251r1_rule
If web links in work email were opened using the personal browser, there is a possibility that sensitive DoD data could spill from the Work space to the Personal space, which could lead to public exposure of that data. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66443r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry prevents opening links in work email messages in the personal browser. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Apps” group of IT policy rules. 6. Verify "Allow opening links in work email messages in the personal browser" is not selected. On the BlackBerry device: 1. Create a test email which, includes a link to a web address, and send it to the work email address on the test device. 2. From the Work Space, open the test email and click on the link. 3. Verify the link opens using the work browser, and no other options are available. If the BES IT Policy rule "Allow opening links in work email messages in the personal browser" is selected, or on the BlackBerry device if the link can be opened using the personal browser, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71831r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies’ tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Apps” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow opening links in work email messages in the personal browser ". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must prevent untrusted connections to the mail server.
CM-6 - Medium - CCI-000366 - V-65763 - SV-80253r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020330
Vuln IDs
  • V-65763
Rule IDs
  • SV-80253r1_rule
If an untrusted connection to a mail server is allowed, the device may connect to either a rogue email server or a compromised DoD email server. In either case, sensitive DoD data could be compromised. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66445r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry prevents untrusted connections to the mail server. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Apps” group of IT policy rules. 6. Verify "Allow untrusted connections to the mail server" is not selected. If the BES IT Policy rule "Allow untrusted connections to the mail server" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71833r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Apps” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow untrusted connections to the mail server". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must prevent the use of BlackBerry Protect.
CM-6 - Medium - CCI-000366 - V-65765 - SV-80255r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020340
Vuln IDs
  • V-65765
Rule IDs
  • SV-80255r1_rule
BlackBerry Protect gives users the ability to remotely lock, wipe, send audible alerts, and locate their BlackBerry device, but can become a maintainability issue for enterprise deployments. If a user forgets their BlackBerry ID password, the device must be sent back to BlackBerry to have the BlackBerry Protect feature disabled. In addition, BlackBerry Protect must be disabled by the user before it can be wiped and transferred to a new user. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66447r2_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry prevents the use of BlackBerry Protect. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Apps” group of IT policy rules. 6. Verify "Allow BlackBerry Protect" is not selected. On the BlackBerry device: 1. From either the Work Space or Personal Space, navigate to "Settings" >> "BlackBerry Protect". 2. Verify "BlackBerry Protect" is toggled to the left (off) and not accessible. If the BES IT Policy rule "Prevent the use of BlackBerry Protect." is selected, or on the BlackBerry device if "BlackBerry Protect" is toggled to the right (on) and accessible, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71835r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Apps” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow BlackBerry Protect". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

b
BlackBerry OS 10.3 must prevent third-party apps from using BlackBerry Blend.
CM-6 - Medium - CCI-000366 - V-65773 - SV-80263r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BB10-3X-020350
Vuln IDs
  • V-65773
Rule IDs
  • SV-80263r1_rule
If third party apps are allowed to use BlackBerry Blend, it may be possible for DoD data on the BlackBerry that is being displayed on a PC via the Blend connection to be saved to the PC. Sensitive DoD data could be at risk of compromise in this case. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-66455r3_chk

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry prevents third-party apps from using BlackBerry Blend. This procedure is performed only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Apps” group of IT policy rules. 6. Verify "Allow third-party apps to use BlackBerry Blend" is not selected. If the BES IT Policy rule "Allow third-party apps to use BlackBerry Blend" is selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-71843r1_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Apps” group of IT policy rules. 7. Unselect the check box next to the IT Policy "Allow third-party apps to use BlackBerry Blend". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different

a
The BlackBerry OS 10.3 The BlackBerry OS 10.3 smartphone must close the Hotspot Browser connection if the user does not log into the Hotspot Browser after 15 minutes (or less).
Low - V-71491 - SV-86115r1_rule
RMF Control
Severity
Low
CCI
Version
BB10-3X-001060
Vuln IDs
  • V-71491
Rule IDs
  • SV-86115r1_rule
This configuration setting sets the amount of time the hotspot browser remains open without login. The hotspot browser could be at risk of attack by an adversary if it remains open when not being used by the handset user. It is a best practice to close the browser when not in use.System Administrator
Checks: C-71881r2_chk

Review the BlackBerry OS 10.3 smartphone configuration settings to determine if the BlackBerry Hotspot Browser connection closes if the user does not log into the Hotspot Browser after "15" minutes (or less). This procedure is performed on both the BES console and on a managed mobile device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the side of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users, in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Device Functionality” group of "IT policy" rules 6. Verify "Hotspot Browser timeout " is set to "15" minutes. On the BlackBerry device: 1. From either the Work Space or Personal Space, navigate to "Settings" >> "Networks and Connections" >> "Wi-Fi", and connect to an available mobile hotspot connection. 2. Verify that all browsers are closed on the device. 3. Verify that the mobile hotspot connection disconnects after "15" minutes or less of inactivity. If the BES IT policy rule "Hotspot Browser timeout " is not set to "15" minutes or less, or if the mobile hotspot connection does not disconnect after "15" minutes or less of inactivity, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-77811r2_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the side of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click "pencil icon" (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules 7. Set "Hotspot Browser timeout" to "15" minutes or less. 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

a
The BlackBerry OS 10.3 smartphone must implement the management setting: Allow use of preloaded trusted root certificates
Low - V-71493 - SV-86117r1_rule
RMF Control
Severity
Low
CCI
Version
BB10-3X-001070
Vuln IDs
  • V-71493
Rule IDs
  • SV-86117r1_rule
This configuration setting specifies whether a BlackBerry device can use preloaded trusted root certificates to establish a trusted certificate chain. If this rule is not selected, the device can use only trusted root certificates that are sent from BES12 for work connections. When not selected, the DoD will be limited in how root certificates can be deployed to BlackBerry handhelds, which may cause an operational issue.
Checks: C-71883r2_chk

Review the BlackBerry OS 10.3 smartphone configuration settings to determine if the BlackBerry implements the management setting: Allow use of preloaded trusted root certificates. This procedure is performed on only on the BES console Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the side of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users, in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and privacy” group of IT policy rules 6. Verify "Allow use of preloaded trusted root certificates" is selected. If the BES IT policy rule "Allow use of preloaded trusted root certificates" is not selected, this is a finding. Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Fix: F-77813r2_fix

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the side of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click "pencil icon" (upper right corner) to edit the IT Policy. 6. Scroll down to the “Device Functionality” group of IT policy rules 7. Select the checkbox next to the IT Policy "Allow use of preloaded trusted root certificates". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

c
Only authorized versions of BlackBerry OS must be used.
CM-6 - High - CCI-000366 - V-98919 - SV-108023r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
BB10-3X-999999
Vuln IDs
  • V-98919
Rule IDs
  • SV-108023r1_rule
BlackBerry OS is no longer supported by BlackBerry and therefore, may contain security vulnerabilities. BlackBerry OS is not authorized within the DoD.
Checks: C-97755r1_chk

Interview ISSO and site mobile device system administrator. Verify the site is not using the BlackBerry OS on any site mobile devices. If the site is using BlackBerry OS on any site mobile devices, this is a finding.

Fix: F-104595r1_fix

Remove all BlackBerry OS mobile devices from the site and off the Mobile Device Manager (MDM) server.