Good Mobility Suite Server (Android OS) V1R1

b

The required smartphone management server or later version must be used.

Medium - V-24972 - SV-30809r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-001

Vuln IDs

V-24972

Rule IDs

SV-30809r2_rule

Earlier versions of the smartphone management server may have security vulnerabilities or have not implemented required security features. System AdministratorECSC-1

Checks: C-31225r1_chk

The required Good Mobile Control (GMC) server version is 1.0.3.95 or later. Click on the Settings tab in the console to view the GMC Version. The required Good Mobile Messaging (GMM) server version is 6.0.3.46 or later. Click on the Servers tab in the console to view the GMM server version. If either server version is not as required, mark as a finding.

Fix: F-27612r1_fix

Upgrade to required (or later) server version.

b

The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.).

Medium - V-24973 - SV-30810r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-002

Vuln IDs

V-24973

Rule IDs

SV-30810r2_rule

Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.System AdministratorECSC-1

Checks: C-31226r2_chk

Work with the OS Reviewer or check VMS for last review of each host Good computer asset. The review should include the SQL server and Apache Tomcat. Mark as a finding if the previous or current OS review of the Windows server did not include a review of the SQL server and Apache Tomcat. If IIS is installed, the review should also include IIS.

Fix: F-27613r1_fix

Ensure all applications installed on the host server are STIG compliant.

c

The smartphone management server email system must be set up with the required system components in the required network architecture.

High - V-24974 - SV-30811r2_rule

RMF Control

Severity

H

CCI

Version

WIR-WMS-GD-003

Vuln IDs

V-24974

Rule IDs

SV-30811r2_rule

The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration or DoD data could be compromised if the smartphone management server is not installed as required.System AdministratorECSC-1

Checks: C-31227r2_chk

Verify the Good servers (Good Mobile Control server and Good Mobile Messaging server) are installed with all required components. See the STIG Technology Overview, section 2 for more information. Mark as a finding if the Good server components are not installed in the enclave with the email server.

Fix: F-27615r1_fix

Install required smartphone management server components in required network architecture.

c

The smartphone management server host-based or appliance firewall must be installed and configured as required.

High - V-24975 - SV-30812r2_rule

RMF Control

Severity

H

CCI

Version

WIR-WMS-GD-004

Vuln IDs

V-24975

Rule IDs

SV-30812r2_rule

A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.System AdministratorECSC-1

Checks: C-31229r2_chk

The Good server host-based or appliance firewall must be configured as required. The Good server firewall is configured with the following rules: - Deny all except when explicitly authorized. - Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. - Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service. - Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: -Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). -Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list. -Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.

Fix: F-27616r2_fix

Install the smartphone management server host-based or appliance firewall and configure as required.

c

Security controls must be implemented on the smartphone management server for connections to back-office servers and applications.

High - V-24976 - SV-30814r1_rule

RMF Control

Severity

H

CCI

Version

WIR-WMS-GD-005

Vuln IDs

V-24976

Rule IDs

SV-30814r1_rule

The secure connection from the smartphone to the smartphone management server can be used by the smartphone user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications.System AdministratorECSC-1

Checks: C-31230r1_chk

Detailed Policy requirements Access to internal Intranet sites via the Good Browser must be blocked. Check Procedures Verify a local security policy has been set up on the Good server to block access to Intranet sites via the Good browser. 1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies. 2. Within Local Security Policies right click on IP Security Policies on Local Computer. 3. Open the policy and verify the following setting has been configured: -Activate the default response rule is unchecked. 4. Go to the properties of the security policy and verify the following rules are included: a. Allow access from the GMM Server to the Default Gateway. b. Allow access from the GMM Server to the DNS Servers. c. Allow access from the GMM Server to the Exchange Servers. d. Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely. e. Deny access to everything else. Verify the IP Security policy has been assigned to the Windows server. Mark as a finding if a local security policy has not been set up on the Good server to block access to Internet sites via the good browser or if the policy has not been configured as required.

Fix: F-27617r1_fix

Set up required controls on the smartphone management server for connections to back-office servers.

a

The smartphone management server must be configured to control HTML and RTF formatted email.

Low - V-24977 - SV-30818r1_rule

RMF Control

Severity

L

CCI

Version

WIR-WMS-GD-006

Vuln IDs

V-24977

Rule IDs

SV-30818r1_rule

HTML email and inline images in email can contain malware or links to web sites with malware.System AdministratorECWN-1

Checks: C-31238r1_chk

Detailed Requirements: - Convert HTML and RTF formatted email into text format before sending to a smartphone. - Prevent the smartphone management server from sending email messages with inline images to smartphones. Verify the following Windows registry setting is set on the Good server: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\sync] "htmlEmail"="1" Mark as a finding if the Windows registry key is not configured as required.

Fix: F-27618r1_fix

Configure the smartphone management server to: - Convert HTML and RTF formatted email into text format before sending to a smartphone. - Prevent the smartphone management server from sending email messages with inline images to smartphones.

b

Smartphone user accounts must not be assigned to the default security/IT policy.

Medium - V-24978 - SV-30819r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-007

Vuln IDs

V-24978

Rule IDs

SV-30819r2_rule

The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.System AdministratorECSC-1

Checks: C-31348r2_chk

User accounts will only be assigned a STIG-compliant security/IT policy. Determine which policy sets on the Good server user accounts have been assigned to using the following procedures: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures: --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy set on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted except for a "Provisioning" policy set, which is used for initial setup and software update of the Android device. Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly. Verify all users are assigned to a STIG policy set. --Log into the Good Mobile Control console. --Click on the Handhelds tab. Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.

Fix: F-27619r1_fix

User accounts will only be assigned a STIG compliant security/IT policy.

a

“Re-challenge for CAC PIN every” must be set.

Low - V-24987 - SV-30727r2_rule

RMF Control

Severity

L

CCI

Version

WIR-GMMS-004

Vuln IDs

V-24987

Rule IDs

SV-30727r2_rule

A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user’s digital certificates are required for an S/MIME operation. The cached memory is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use. Otherwise, a hacker may be able to gain access to the device while the PIN is still cached in memory and access the Good application and gain access to sensitive DoD information.System AdministratorECSC-1

Checks: C-31142r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone devices and click on Handheld Authentication on the left side. -Verify “Re-challenge for CAC PIN every” is checked and set to 60 minutes or less. (Note: 15 minutes or less is the recommended setting.) Mark as a finding if “Re-challenge for CAC PIN every” is not checked and not set to the required value.

Fix: F-27628r2_fix

Set the “Re-challenge for CAC PIN every” to checked and set to required value.

a

Handheld password must be set as required.

Low - V-24988 - SV-39982r3_rule

RMF Control

Severity

L

CCI

Version

WIR-WMS-GD-009-01

Vuln IDs

V-24988

Rule IDs

SV-39982r3_rule

Long used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the mobile device.System AdministratorECWN-1, IAIA-1

Checks: C-39021r1_chk

This check is Not Applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “After X invalid password attempts:” is set to 10 or less. Mark as a finding if “After X invalid password attempts:” is not set to 10 or less. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Expire password after” is set to 90 days or less.

Fix: F-27629r1_fix

Set handheld password as required.

a

Previously used passwords must be disallowed for security/email client on smartphone.

Low - V-24989 - SV-30822r2_rule

RMF Control

Severity

L

CCI

Version

WIR-WMS-GD-009-02

Vuln IDs

V-24989

Rule IDs

SV-30822r2_rule

Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.System AdministratorECWN-1, IAIA-1

Checks: C-31242r2_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Disallow previously used passwords” is set to 3 or more. Mark as a finding if “Disallow previously used passwords” is not set to 3 or more.

Fix: F-27630r1_fix

Disallow previously used passwords.

b

Password minimum length must be set as required for the smartphone security/email client.

Medium - V-24990 - SV-30823r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-03

Vuln IDs

V-24990

Rule IDs

SV-30823r2_rule

Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1

Checks: C-31243r2_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Require minimum length of” is set to 8 or more for the STIG/ISCG Policy Set. Mark as a finding if “Require minimum length of” is not set to 8 or more for the STIG/ISCG Policy Set.

Fix: F-27631r1_fix

Require password minimum length is set as required.

a

Repeated password characters must be disallowed for the Good app.

Low - V-24991 - SV-30824r2_rule

RMF Control

Severity

L

CCI

Version

WIR-WMS-GD-009-04

Vuln IDs

V-24991

Rule IDs

SV-30824r2_rule

Repeated password characters reduces the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1

Checks: C-31244r2_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Disallow repeated characters after” is set to 1 or 2. Mark as a finding if “Disallow repeated characters after” is not set to 1 or 2.

Fix: F-27632r1_fix

Disallow repeated password characters.

b

Maximum invalid password attempts must be set as required for the smartphone security/email client.

Medium - V-24992 - SV-30825r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-06

Vuln IDs

V-24992

Rule IDs

SV-30825r2_rule

A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1

Checks: C-31245r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “After X invalid password attempts:” is set to 10 or less. Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.

Fix: F-27633r2_fix

Set the maximum invalid password attempts as required.

b

Data must be wiped after maximum password attempts reached for the smartphone security/email client.

Medium - V-24993 - SV-30827r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-07

Vuln IDs

V-24993

Rule IDs

SV-30827r2_rule

A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data. System AdministratorECWN-1, IAIA-1

Checks: C-31248r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “After X invalid password attempts:” is set to 10 or less. Mark as a finding if “After X invalid password attempts:” is not set to 10 or less. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Wipe handheld data” is selected. Mark as a finding if “Wipe handheld data” is not selected.

Fix: F-27634r1_fix

Wipe handheld data after maximum password attempts have been reached.

b

Inactivity lock must be set as required for the smartphone security/email client.

Medium - V-24994 - SV-30826r2_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-05

Vuln IDs

V-24994

Rule IDs

SV-30826r2_rule

Sensitive DoD data could be exposed to unauthorized viewing or use if lost or stolen smartphone screen was not locked.System AdministratorPESL-1

Checks: C-31247r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Require password when idle for more than” is set to 15 minutes or less. Mark as a finding if “Require password when idle for more than” is not set to 15 minutes or less. .

Fix: F-27635r2_fix

Set the handheld inactivity lock as required.

b

"Do not allow data to be copied from the Good application" must be checked.

Medium - V-24995 - SV-30735r2_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-006-01

Vuln IDs

V-24995

Rule IDs

SV-30735r2_rule

Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data.System AdministratorECCR-1

Checks: C-31143r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Messaging on the left side. -Verify “Do not allow data to be copied from the Good application” is checked. Mark as a finding if “Do not allow data to be copied from the Good application” is not checked.

Fix: F-27637r1_fix

Check "Do not allow data to be copied from the Good application" in the Good console.

b

The Over-The-Air (OTA) device provisioning PIN must have expiration set.

Medium - V-24998 - SV-30738r2_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-008

Vuln IDs

V-24998

Rule IDs

SV-30738r2_rule

The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to setup rogue devices on the network.System AdministratorECWN-1

Checks: C-31148r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Provisioning on the left side. -Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less. Mark as a finding if “OTA Provisioning PIN expires after” is not checked or is not set to 7 days or less.

Fix: F-27641r2_fix

Set the Over-the-Air (OTA) device provisioning PIN as required.

a

OTA Provisioning PIN reuse must not be allowed.

Low - V-24999 - SV-30739r2_rule

RMF Control

Severity

L

CCI

Version

WIR-GMMS-009

Vuln IDs

V-24999

Rule IDs

SV-30739r2_rule

The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.System AdministratorECWN-1

Checks: C-31149r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Provisioning on the left side. -Verify “Allow OTA Provisioning PIN reuse” is unchecked. Mark as a finding if “Allow OTA Provisioning PIN reuse” is checked.

Fix: F-27642r1_fix

Do not allow OTA Provisioning PIN reuse.

a

A compliance rule must be set up in the server defining required smartphone hardware versions.

Low - V-25002 - SV-34963r1_rule

RMF Control

Severity

L

CCI

Version

WIR-GMMS-AND-010-01

Vuln IDs

V-25002

Rule IDs

SV-34963r1_rule

Older devices do not support required security features.System AdministratorECWN-1

Checks: C-34842r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. First, ask the site IAO, which models of Android devices are approved for use at the site. Then do the following: 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. --------------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select a policy set to review and click on the policy. -On the left tab, select Compliance Manager. -Verify the “Android Hardware Verification” rule is listed. (Note: The rule title does not have to be exact.) -Open the rule by checking the box next to the rule, then click on Edit. -Verify the following are set: Platform: Android Check to Run: Hardware Model Verification -Verify only devices approved for use at the site are checked. -Verify "Failure Action" is set to "Quit Good for Enterprise". -Verify "Check Every" is set to "1 hour". Mark as a finding if the “Android Hardware Verification” rule has not been set up or is not configured as required.

Fix: F-27647r1_fix

Set up compliance rules in the server defining required smartphone hardware versions.

b

A compliance rule must be setup in the server implementing jailbreak or rooting detection on smartphones.

Medium - V-25004 - SV-34966r1_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-AND-010-03

Vuln IDs

V-25004

Rule IDs

SV-34966r1_rule

DoD-required security policies can be bypassed on jailbroken and rooted smartphone . Jailbroken and rooted devices can expose sensitive DoD data to unauthorized people and could lead to a network attack.System AdministratorECWN-1

Checks: C-34844r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. --------------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select a policy set to review and click on the policy. -On the left tab, select Compliance Manager. -Verify the "Android Jailbreak Detection" rule is listed. (Note: The rule title does not have to be exact.) -Open the rule by checking the box next to the rule, and then click on Edit. -Verify the following are set as indicated: Check to Run: Jailbreak/Rooted Detection -Verify “Hypervigilant mode” is checked. -Verify "Failure Action" is set to "Wipe Enterprise Data". -Verify "Check Every" is set to "1 hour". Mark as a finding if the “Android Jailbreak Detection” rule has not been set up or is not configured as required.

Fix: F-27653r1_fix

Set up compliance rules in the server implementing jailbreak detection. Devices will be wiped if they have been jail broken.

a

If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited.

Low - V-25030 - SV-30830r1_rule

RMF Control

Severity

L

CCI

Version

WIR-GMMS-007

Vuln IDs

V-25030

Rule IDs

SV-30830r1_rule

Sensitive contact information could be exposed.System AdministratorECWN-1

Checks: C-31251r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. - Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Messaging section on the left side. -If “Enable access to Good Contacts” is checked, click on the Choose Fields button and verify only the following fields are checked: first name, last name, work number, mobile number, and pager number. Mark as a finding if “Enable access to Good Contacts” is checked and more than the following fields are checked: first name, last name, work number, mobile number, and pager number.

Fix: F-27717r1_fix

If access is enabled to the Good app contacts lists by the smartphone OS, limit contact information to only default fields: First name, Last name, Work number, Mobile number, and Pager number.

b

Password access to the Good app on the smartphone must be enabled.

Medium - V-25032 - SV-30832r2_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-001

Vuln IDs

V-25032

Rule IDs

SV-30832r2_rule

A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled.System AdministratorECWN-1, IAIA-1

Checks: C-31255r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld section on the left side. -Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked. Mark as a finding if S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is not checked.

Fix: F-27719r1_fix

Password access to the Good app on the smartphone shall be enabled.

a

The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate.

Low - V-25754 - SV-32013r2_rule

RMF Control

Severity

L

CCI

Version

WIR-WMS-GD-010

Vuln IDs

V-25754

Rule IDs

SV-32013r2_rule

When a self signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.System AdministratorIATS-1

Checks: C-32242r2_chk

Verify that a DoD server certificate has been installed on the Good wireless email management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed. Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”. If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG/ISCG to request/install a certificate issued from a trusted DoD PKI. Mark as a finding if a DoD server certificate has not been installed on the Good wireless email management server or that the self-signed certificate has been installed.

Fix: F-28607r1_fix

Use a DoD issued digital certificate on the wireless email management server.

b

Password complexity must be set as required.

Medium - V-26135 - SV-32817r3_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-08

Vuln IDs

V-26135

Rule IDs

SV-32817r3_rule

Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.System AdministratorECWN-1, IAIA-1

Checks: C-33493r2_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Do not allow sequential numbers” is checked for the STIG/ISCG Policy Set.

Fix: F-29190r1_fix

Set password complexity as required.

b

S/MIME must be enabled on the Good server.

Medium - V-26152 - SV-32858r2_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-012

Vuln IDs

V-26152

Rule IDs

SV-32858r2_rule

Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.System AdministratorECCR-1

Checks: C-33609r2_chk

This is a Good server configuration check. Log into the Good server management interface, select the Setting tab, and open the Secure Messaging (S/MIME) section. Verify Enable Secure Messaging (S/MIME) is checked. Mark as a finding if Enable Secure Messaging (S/MIME) is not checked.

Fix: F-29209r1_fix

Enable S/MIME on the Good server.

b

Either CAC or password authentication must be enabled for user access to the Good app on the smartphone.

Medium - V-26560 - SV-33567r1_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-002

Vuln IDs

V-26560

Rule IDs

SV-33567r1_rule

Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.System AdministratorIAIA-1

Checks: C-34026r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the mobile OS device devices and click on Handheld Authentication on the left side. -Verify either “Authenticate with CAC PIN” or “Authenticate with password” is selected. Mark as a finding if either of the required settings is not configured in the policy.

Fix: F-29711r1_fix

Set user authentication on the Good app on the smartphone to either CAC or password authentication.

b

“Require CAC to be present” must be set.

Medium - V-26561 - SV-33569r1_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-003

Vuln IDs

V-26561

Rule IDs

SV-33569r1_rule

Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good applications store sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.System AdministratorIAIA-1

Checks: C-34029r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. - If “Authenticate with CAC PIN” is checked (CAC authentication is required) verify “Require CAC to be present” is also checked. Note: if “Authenticate with CAC PIN” is not checked, then “Require CAC to be present” does not need to be checked. Mark as a finding if not set as required.

Fix: F-29713r1_fix

Set “Require CAC to be present” to required value.

b

“Require both letters and numbers” must be set as required for the smartphone security/email client.

Medium - V-26562 - SV-33584r1_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-09

Vuln IDs

V-26562

Rule IDs

SV-33584r1_rule

Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.System Administrator

Checks: C-34034r1_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Require both letters and numbers” is checked. Mark as a finding if “Require both letters and numbers” is not checked.

Fix: F-29716r1_fix

Set “Require both letters and numbers” as required for the Good app.

b

“Do not allow sequential numbers” must be set as required for the smartphone security/email client.

Medium - V-26563 - SV-33579r1_rule

RMF Control

Severity

M

CCI

Version

WIR-WMS-GD-009-10

Vuln IDs

V-26563

Rule IDs

SV-33579r1_rule

Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.System AdministratorIAIA-1

Checks: C-34040r1_chk

This check is not applicable if “Authenticate with CAC PIN” is checked. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Handheld Authentication on the left side. -Verify “Do not allow sequential numbers” is checked. Mark as a finding if “Do not allow sequential numbers” is not checked.

Fix: F-29719r1_fix

Set “Do not allow sequential numbers” as required for the Good app.

c

Authentication on system administration accounts for wireless management servers must be configured.

High - V-26564 - SV-33591r1_rule

RMF Control

Severity

H

CCI

Version

WIR-WMS-GD-011

Vuln IDs

V-26564

Rule IDs

SV-33591r1_rule

CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced.System AdministratorIAIA-1, IATS-1

Checks: C-34053r1_chk

Detailed Policy Requirements: One of the following authentications methods must be enforced for system administrator accounts: 1. CAC authentication. 2. The account password must be compliant with CTO 07-15 Rev1. –Password must be a 14+ character complex password consisting of at least 2 of the following: upper case letter, lower case letter, numbers, and special characters. The password must be changed every 60 days. Check Procedures: The Good messaging server uses Active Directory authentication for admin accounts to the management console. Site admin accounts are usually set up with a user ID/password authentication rather than CAC authentication. Therefore, verify the site AD is set up to require admin accounts to use passwords meeting the requirements of CTO 07-15Rev1. Discuss with the Network and AD reviewer and site IAO to verify compliance. Mark as a finding if site admin accounts do not meet the requirements.

Fix: F-29731r1_fix

Configure required authentication on system administration accounts for wireless management servers.

a

A compliance rule must be set up on the server defining required Good client versions.

Low - V-26728 - SV-34968r1_rule

RMF Control

Severity

L

CCI

Version

WIR-GMMS-AND-010-04

Vuln IDs

V-26728

Rule IDs

SV-34968r1_rule

Older software versions do not support required security features.System AdministratorECWN-1

Checks: C-34845r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. --------------------------- -Launch the Good Mobile Control Web console and click on the Policies tab. -Select a policy set to review and click on the policy. -On the left tab, select Compliance Manager. -Verify the “Client Version Verification” rule is listed. (Note: The rule title does not have to be exact.) -Open the rule by checking the box next to the rule, and then click on Edit. -Verify the following are set: Platform: Android Check to Run: Hardware Model Verification -Verify the client version checked is at least 1.7.x. -Verify "Failure Action" is set to "Quit Good for Enterprise". -Verify "Check Every" is set to "1 hour". Mark as a finding if the “Client Version Verification” rule has not been set up or is not configured as required.

Fix: F-30027r1_fix

Set up a compliance rule to check the version of the Good client.

b

"Do not allow data to be copied into the Good application" must be checked in the Good security policy for the handheld.

Medium - V-26729 - SV-33972r1_rule

RMF Control

Severity

M

CCI

Version

WIR-GMMS-006-02

Vuln IDs

V-26729

Rule IDs

SV-33972r1_rule

Malware could be copied into the secure Good sandbox on the smartphone, which would put sensitive data at risk of being compromised.System AdministratorECCR-1

Checks: C-34498r1_chk

This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure. 1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: -Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy sets on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted. 2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the Good Mobile Control Web console and click on the Policies tab. -Select the policy set for the smartphone and click on Messaging on the left side. -Verify “Do not allow data to be copied into the Good application” is checked. Mark as a finding if “Do not allow data to be copied into the Good application” is not checked.

Fix: F-30028r1_fix

Check "Do not allow data to be copied into the Good application" in the Good console.

Checks: C-31225r1_chk

Fix: F-27612r1_fix

Generate Mitigation Statement:

Checks: C-31226r2_chk

Fix: F-27613r1_fix

Generate Mitigation Statement:

Checks: C-31227r2_chk

Fix: F-27615r1_fix

Generate Mitigation Statement:

Checks: C-31229r2_chk

Fix: F-27616r2_fix

Generate Mitigation Statement:

Checks: C-31230r1_chk

Fix: F-27617r1_fix

Generate Mitigation Statement:

Checks: C-31238r1_chk

Fix: F-27618r1_fix

Generate Mitigation Statement:

Checks: C-31348r2_chk

Fix: F-27619r1_fix

Generate Mitigation Statement:

Checks: C-31142r2_chk

Fix: F-27628r2_fix

Generate Mitigation Statement:

Checks: C-39021r1_chk

Fix: F-27629r1_fix

Generate Mitigation Statement:

Checks: C-31242r2_chk

Fix: F-27630r1_fix

Generate Mitigation Statement:

Checks: C-31243r2_chk

Fix: F-27631r1_fix

Generate Mitigation Statement:

Checks: C-31244r2_chk

Fix: F-27632r1_fix

Generate Mitigation Statement:

Checks: C-31245r2_chk

Fix: F-27633r2_fix

Generate Mitigation Statement:

Checks: C-31248r2_chk

Fix: F-27634r1_fix

Generate Mitigation Statement:

Checks: C-31247r2_chk

Fix: F-27635r2_fix

Generate Mitigation Statement:

Checks: C-31143r2_chk

Fix: F-27637r1_fix

Generate Mitigation Statement:

Checks: C-31148r2_chk

Fix: F-27641r2_fix

Generate Mitigation Statement:

Checks: C-31149r2_chk

Fix: F-27642r1_fix

Generate Mitigation Statement:

Checks: C-34842r1_chk

Fix: F-27647r1_fix

Generate Mitigation Statement:

Checks: C-34844r1_chk

Fix: F-27653r1_fix

Generate Mitigation Statement:

Checks: C-31251r1_chk

Fix: F-27717r1_fix

Generate Mitigation Statement:

Checks: C-31255r2_chk

Fix: F-27719r1_fix

Generate Mitigation Statement:

Checks: C-32242r2_chk

Fix: F-28607r1_fix

Generate Mitigation Statement:

Checks: C-33493r2_chk

Fix: F-29190r1_fix

Generate Mitigation Statement:

Checks: C-33609r2_chk

Fix: F-29209r1_fix

Generate Mitigation Statement:

Checks: C-34026r1_chk

Fix: F-29711r1_fix

Generate Mitigation Statement:

Checks: C-34029r1_chk

Fix: F-29713r1_fix