UCF STIG Viewer Logo

Apple iOS 5 Security Technical Implementation Guide (STIG)


Overview

Date Finding Count (53)
2012-07-20 CAT I (High): 5 CAT II (Med): 36 CAT III (Low): 12
STIG Description
This STIG contains technical security controls required for the use of Apple iOS 5 devices (iPhone and iPad) in the DoD environment when managed by an approved mobile management server.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-32716 High The mobile operating system must employ a DoD approved anti-virus application or otherwise prevent a malware application from installing and executing.
V-32698 High MDM, MAM, and integrity validation agent(s) must be installed and operate at all times on the mobile OS device.
V-32699 High The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.
V-32700 High The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.
V-32705 High The mobile operating system PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-32713 Medium The mobile operating system must require a valid password be successfully entered before the mobile device data is unencrypted.
V-32712 Medium The mobile operating system must encrypt all data on the mobile device using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
V-32711 Medium The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.
V-32695 Medium Allow Diagnostic Data to be Sent to Apple must be disabled.
V-32715 Medium The mobile operating system must re-encrypt all device data when the device is locked.
V-25007 Medium Mobile devices must be configured to require a password/passcode for device unlock.
V-25011 Medium Passcode maximum failed attempts must be set to required value.
V-27635 Medium Remote full device wipe must be enabled.
V-25013 Medium Users must enable iOS application download.
V-32697 Medium All wireless PDA client VPN authentication credential cache timeout must be set to 2 hours or less.
V-32696 Medium All wireless PDA client VPNs must timeout an inactive session after a set period of inactivity.
V-25015 Medium Mobile device screen capture must not be allowed.
V-25016 Medium The device minimum password/passcode length must be set.
V-25017 Medium Apple iOS Auto-Lock must be set.
V-25010 Medium The mobile device must be set to lock the device after a set period of user inactivity.
V-32693 Medium Allow Photo Stream must be disabled.
V-32690 Medium Allow iCloud Backup must be disabled.
V-32691 Medium Allow Document Syncing must be disabled.
V-25006 Medium iOS devices must be configured to require a password to remove the iOS configuration profile, if a configuration profile is used.
V-32701 Medium The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.
V-32702 Medium The mobile operating system must protect the integrity of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.
V-32704 Medium The mobile operating system must encrypt all data in transit using AES encryption when communicating with DoD information resources (128-bit key length is the minimum requirement; 256-bit desired).
V-32706 Medium The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.
V-32707 Medium The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.
V-32708 Medium The cryptographic module supporting encryption of the certificate store must be FIPS 140-2 validated.
V-25012 Medium Access to public application stores must be disabled.
V-19899 Medium All wireless PDA client VPNs must have split tunneling disabled.
V-19898 Medium All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication.
V-19897 Medium All wireless PDA clients used for remote access to DoD networks must have a VPN supporting AES encryption.
V-32686 Medium iOS Siri application must be disabled.
V-32689 Medium Adding Game Center Friends must be disabled.
V-32688 Medium iOS Multiplayer Gaming must be disabled.
V-25022 Medium All mobile devices must display the required banner during device unlock/logon.
V-25003 Medium Mobile devices must have required operating system software version installed.
V-24983 Medium S/MIME must be installed on mobile device, so users can sign/encrypt email
V-18627 Medium The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated.
V-25033 Low iOS Safari must be disabled.
V-25018 Low The smartphone passcode history setting must be set.
V-25092 Low The iOS device Wi-Fi setting Ask to Join Networks must be set to On at all times (User Based Enforcement (UBE)).
V-32703 Low The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning.
V-25020 Low The mobile device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required.
V-25756 Low Encrypted smartphone backups must be enabled.
V-25755 Low Access to online application purchases must be disabled.
V-25009 Low Maximum passcode age must be set.
V-24982 Low Smart Card Readers (SCRs) used with smartphones must have required software version installed.
V-25014 Low Mobile device cameras must be used only if documented approval is in the site physical security policy.
V-24985 Low The browser must direct all traffic to a DoD Internet proxy gateway.
V-24984 Low If mobile device email auto signatures are used, the signature message must not disclose the email originated from a smartphone (e.g., Sent From My Wireless Handheld).