Good for Enterprise 8.x Security Technical Implementation Guide

Developed by Good Technology in coordination with DISA for the DoD.

Details

Version / Release: V1R1

Published: 2014-08-18

Updated At: 2018-09-23 02:43:19


    Rule Version CCI Severity Title Description
    SV-67235r1_rule GOOD-00-000010 CCI-000037 HIGH The Good Mobility Suite must implement separation of administrator duties by requiring a specific role to be assigned to each administrator account. Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to
    SV-67243r1_rule GOOD-00-000650 CCI-001274 HIGH The Good Mobility Suite server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures. Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Alerting a Good Mobility Suite mitigates the po
    SV-67245r1_rule GOOD-00-000640 CCI-001265 HIGH The Good Mobility Suite server must perform required actions when a security-related alert is received. Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficie
    SV-67247r1_rule GOOD-00-000630 CCI-001233 HIGH The Good Mobility Suite server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices. Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with
    SV-67249r1_rule GOOD-00-000620 CCI-001144 LOW The Good Mobility Suite email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement stated that the email clien
    SV-67251r1_rule GOOD-00-000610 CCI-001144 MEDIUM The Good Mobility Suite email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email clien
    SV-67253r1_rule GOOD-00-000600 CCI-001144 MEDIUM The Good Mobility Suite email client must provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email clien
    SV-67255r1_rule GOOD-00-000590 CCI-001144 MEDIUM The Good Mobility Suite email client must provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email clien
    SV-67257r1_rule GOOD-00-000580 CCI-001144 MEDIUM The Good Mobility Suite email client must set the Smart Card or Certificate Store Password caching timeout period to 120 minutes. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that Smart Card/Cert
    SV-67259r1_rule GOOD-00-000570 CCI-001144 LOW The Good Mobility Suite email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the CAC is the required mechanism for that
    SV-67261r1_rule GOOD-00-000560 CCI-001144 MEDIUM The Good Mobility Suite email client must be capable of providing S/MIME v3 (or later version) encryption of email. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, S/MIME is the required mechanism for encryp
    SV-67263r1_rule GOOD-00-000550 CCI-001090 LOW The Good Mobility Suite email client must restrict contact list data elements transferred to the phone application. The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed.
    SV-67265r1_rule GOOD-00-000540 CCI-000370 MEDIUM The Good Mobility Suite server must disable copying data from inside a security container to a non-secure data area on a mobile device via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67267r1_rule GOOD-00-000530 CCI-000370 MEDIUM The Good Mobility Suite server must specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo
    SV-67269r1_rule GOOD-00-000520 CCI-000370 MEDIUM The Good Mobility Suite server must configure the mobile device agent to prohibit the download of software from a non-DoD approved source. DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo
    SV-67271r1_rule GOOD-00-000510 CCI-000370 MEDIUM The Good Mobility Suite server must prohibit the mobile device user from installing unapproved applications on the mobile device. The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose p
    SV-67273r1_rule GOOD-00-000500 CCI-000370 HIGH The Good Mobility Suite server application white list for managed mobile devices must be set to Deny All by default when no applications are listed. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then
    SV-67275r1_rule GOOD-00-000490 CCI-000370 MEDIUM The Good Mobility Suite server must configure the Good Mobility Suite agent to prohibit the download of applications on mobile operating system devices without system administrator control. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then
    SV-67277r1_rule GOOD-00-000480 CCI-000370 MEDIUM The Good Mobility Suite server must enable iOS Force encrypted backups via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67279r1_rule GOOD-00-000470 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Allow diagnostic data to be sent to Apple via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67281r1_rule GOOD-00-000460 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Auto-fill via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67283r1_rule GOOD-00-000450 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Allow documents from unmanaged apps in managed apps via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67285r1_rule GOOD-00-000440 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Allow documents from managed apps in unmanaged apps via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67287r1_rule GOOD-00-000430 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Touch ID to unlock device via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67289r1_rule GOOD-00-000420 CCI-000370 MEDIUM The Good Mobility Suite server must disable the iOS Today View in lock screen via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67291r1_rule GOOD-00-000410 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Airdrop via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67293r1_rule GOOD-00-000400 CCI-000370 MEDIUM The Good Mobility Suite server must disable the iOS notification center in lock screen via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67295r1_rule GOOD-00-000390 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS voice dialing via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67297r1_rule GOOD-00-000380 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS Siri while the device is locked via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67299r1_rule GOOD-00-000370 CCI-000370 MEDIUM The Good Mobility Suite server must enable iOS force limited ad tracking via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67301r1_rule GOOD-00-000360 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS iCloud documents and data via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67303r1_rule GOOD-00-000350 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS iCloud backup via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67305r1_rule GOOD-00-000340 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS iCloud keychain sync via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67307r1_rule GOOD-00-000330 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS photo streams via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67309r1_rule GOOD-00-000320 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS shared photo streams via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67311r1_rule GOOD-00-000310 CCI-000370 MEDIUM The Good Mobility Suite server must disable iOS screenshots via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67313r1_rule GOOD-00-000020 CCI-000086 LOW The Good Mobility Suite email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. HTML code embedded in emails can contain links to malicious sites. Requiring that all emails are viewed in plain text helps remediate phishing attempts.
    SV-67315r1_rule GOOD-00-000030 CCI-000136 HIGH The Good Mobility Suite must transfer audit logs from managed mobile devices to the Good Mobility Suite. Good Mobility Suite auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents.
    SV-67317r1_rule GOOD-00-000040 CCI-000185 LOW The Good Mobility Suite email client must notify the user if it cannot verify the revocation status of the certificate. If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more
    SV-67319r1_rule GOOD-00-000050 CCI-000185 LOW The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the credentials of an unauthorized system. Allowing the operating
    SV-67321r1_rule GOOD-00-000060 CCI-000185 MEDIUM The Good Mobility Suite email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority. If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure t
    SV-67323r1_rule GOOD-00-000070 CCI-000185 MEDIUM The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority. When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity.
    SV-67325r1_rule GOOD-00-000080 CCI-000185 MEDIUM The Good Mobility Suite email client must alert the user if it receives an invalid public-key certificate. If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it
    SV-67327r1_rule GOOD-00-000090 CCI-000185 MEDIUM The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is require
    SV-67329r1_rule GOOD-00-000100 CCI-000185 LOW The Good Mobility Suite email client must not accept certificate revocation information without verifying its authenticity. If the operating system does not verify the authenticity of revocation information, there is the potential that an authorized system is providing false information. Acceptance of the false information could result in the installation of unauthorized soft
    SV-67331r1_rule GOOD-00-000110 CCI-000185 LOW The Good Mobility Suite email client must verify all digital certificates in the certificate chain when performing PKI transactions. If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mo
    SV-67333r1_rule GOOD-00-000120 CCI-000185 MEDIUM The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is require
    SV-67341r1_rule GOOD-00-000130 CCI-000185 MEDIUM The Good Mobility Suite email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it
    SV-67343r1_rule GOOD-00-000140 CCI-000185 MEDIUM The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is require
    SV-67345r1_rule GOOD-00-000170 CCI-000185 MEDIUM The Good Mobility Suite email client must alert the user if it receives an unverified public-key certificate. If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it
    SV-67349r1_rule GOOD-00-000180 CCI-000370 MEDIUM The Good Mobility Suite must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device. Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device.
    SV-67351r1_rule GOOD-00-000190 CCI-000370 MEDIUM The Good Mobility Suite must enforce the minimum password length for the device unlock password via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67353r1_rule GOOD-00-000200 CCI-000370 MEDIUM The Good Mobility Suite server must set the device inactivity timeout to 15 minutes via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67359r1_rule GOOD-00-000210 CCI-000370 MEDIUM The Good Mobility Suite server must set the device inactivity timeout grace period to be immediate via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67361r1_rule GOOD-00-000220 CCI-000370 MEDIUM The Good Mobility Suite server must disable the mobile device user's access to an application store or repository via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67365r1_rule GOOD-00-000230 CCI-000370 MEDIUM The Good Mobility Suite server must block access to specific web sites via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67369r1_rule GOOD-00-000240 CCI-000370 MEDIUM The Good Mobility Suite server must force the display of a warning banner on the mobile device via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67371r1_rule GOOD-00-000250 CCI-000370 MEDIUM The Good Mobility Suite server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67373r1_rule GOOD-00-000260 CCI-000370 MEDIUM The Good Mobility Suite server must enable a Good Mobility Suite agent password via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67377r1_rule GOOD-00-000270 CCI-000370 MEDIUM The Good Mobility Suite server must enable the Good Mobility Suite agent password length to be six or more characters. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67379r1_rule GOOD-00-000280 CCI-000370 MEDIUM The Good Mobility Suite must set the Good Mobility Suite agent inactivity timeout to 15 minutes via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67381r1_rule GOOD-00-000290 CCI-000370 MEDIUM The Good Mobility Suite server must disable the automatic removal of the iOS configuration profile via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67383r1_rule GOOD-00-000300 CCI-000370 MEDIUM The Good Mobility Suite server must disable the use of simple values within the iOS Good Mobility Server agent password via centrally managed policy. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of att
    SV-67467r1_rule GOOD-00-000150 CCI-000185 MEDIUM The Good Mobility Suite email client must alert the user if the certificate uses an unverified CRL. If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it
    SV-67469r1_rule GOOD-00-000160 CCI-000185 MEDIUM The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it