MDM Server Policy Security Technical Implementation Guide (STIG)
- RMF Control: none listed
- Severity: M (medium)
- CCI: none listed
- Version: WIR-SPP-003-01
- Vuln IDs: V-24955
- Rule IDs: SV-30692r6_rule
Checks: C-31114r10_chk
Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user, since the CMD system only downloads an attachment to the CMD if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures: Interview the ISSO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. If classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies, this is a finding. This requirement applies both at sites where CMDs are issued and managed and at sites where the CMD management server is located.

- At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).
- At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.

The following actions will be followed for all CMDs involved in a data spill:

If Incident Handling and Response procedures do not include the required information, this is a finding.
Fix: F-27582r3_fix
Publish a Classified Message Incident (CMI) procedure or policy for the site.
- RMF Control: none listed
- Severity: H (high)
- CCI: none listed
- Version: WIR-SPP-003-02
- Vuln IDs: V-24957
- Rule IDs: SV-30694r5_rule
Checks: C-31115r8_chk
Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

If a data spill occurs on a CMD, the following actions must be completed:

- The CMD management server and email servers (e.g., Exchange, Oracle mail) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures: Interview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.
Fix: F-27583r4_fix
Follow required procedures after a data spill occurs.
- RMF Control: none listed
- Severity: L (low)
- CCI: none listed
- Version: WIR-SPP-007-01
- Vuln IDs: V-24962
- Rule IDs: SV-30699r6_rule
Checks: C-31122r9_chk
Detailed Policy Requirements: The site (the location where CMDs are issued and managed, and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):

- The mobile device user notifies the ISSO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The ISSO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.
- The site will contact the carrier to have the device deactivated on the carrier’s network.

Check Procedures: Interview the ISSO. Review the site’s Incident Response Plan or other policies to determine if the site has a written plan of action. If the site does not have a written plan of action to follow after a lost or stolen CMD, this is a finding.
Fix: F-27603r2_fix
Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.
- RMF Control: none listed
- Severity: L (low)
- CCI: none listed
- Version: WIR-SPP-007-02
- Vuln IDs: V-24969
- Rule IDs: SV-30706r5_rule
Checks: C-31133r4_chk
Interview the ISSO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed, this is a finding.
Fix: F-27592r3_fix
Follow required actions when a CMD is reported lost or stolen.
- RMF Control: none listed
- Severity: L (low)
- CCI: none listed
- Version: WIR-WMSP-001-01
- Vuln IDs: V-24970
- Rule IDs: SV-30707r6_rule
Checks: C-31134r8_chk
Detailed Policy Requirements: The MDM server administrator must be trained on the following requirements:

- Administrative service accounts will not be used to log into the CMD management server or any server service.
- Activation passwords or PINs will consist of a pseudo-random pattern of at least eight characters consisting of at least two letters and two numbers. A new activation password must be selected each time one is assigned (e.g., the same password cannot be used for all users or for a group of users).
- User and group accounts on the MDM server will always be assigned a STIG-compliant security/IT policy.

Check Procedures: Verify the MDM server administrator(s) has received the required training. The site should document when the training was completed. If the MDM server administrator did not receive the required training, this is a finding.
Fix: F-27604r2_fix
Have the MDM server administrator complete and document the required training.
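The activation password rule in WIR-WMSP-001-01 (pseudo-random, at least eight characters, at least two letters and two digits, never reused across assignments) can be enforced in code rather than left to training alone. The following Python is an added example written for this page, not part of the STIG or of any MDM product; the issuer class and its in-memory record of issued values are assumptions for illustration.

```python
import hashlib
import secrets
import string

# Composition rule as stated in the STIG text.
MIN_LENGTH = 8
MIN_LETTERS = 2
MIN_DIGITS = 2
ALPHABET = string.ascii_letters + string.digits


def is_compliant(password: str) -> bool:
    """True if the password meets the length and composition rule."""
    letters = sum(c in string.ascii_letters for c in password)
    digits = sum(c in string.digits for c in password)
    return (len(password) >= MIN_LENGTH
            and letters >= MIN_LETTERS
            and digits >= MIN_DIGITS)


def generate_activation_password(length: int = MIN_LENGTH) -> str:
    """Draw from the OS CSPRNG (secrets) and reject draws that miss the rule.

    Rejection sampling keeps the distribution uniform over compliant strings,
    unlike 'pick two letters, two digits, then fill' schemes that leak structure.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_compliant(candidate):
            return candidate


class ActivationPasswordIssuer:
    """Hypothetical issuer: one fresh password per assignment, never reused.

    Only SHA-256 digests of issued values are retained, so the record used to
    enforce 'no reuse' does not itself become a plaintext password store.
    """

    def __init__(self) -> None:
        self._issued_digests: set[str] = set()

    def issue(self, user: str) -> str:
        while True:
            password = generate_activation_password()
            digest = hashlib.sha256(password.encode()).hexdigest()
            if digest not in self._issued_digests:
                self._issued_digests.add(digest)
                return password
```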
- RMF Control: none listed
- Severity: L (low)
- CCI: none listed
- Version: WIR-WMSP-001-02
- Vuln IDs: V-28313
- Rule IDs: SV-36041r5_rule
Checks: C-35162r6_chk
The site should document when training was completed.

- Verify training is renewed annually.

If the MDM server administrator training is not renewed annually, this is a finding.
Fix: F-30410r1_fix
Renew required training annually.