{
"stig": {
"date": "2012-07-20",
"description": "This STIG contains technical security controls required for the use of Apple iOS 5 devices (iPhone and iPad) in the DoD environment when managed by an approved mobile management server.",
"findings": {
"V-18627": {
"checkid": "C-39120r2_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. \n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the VPN client is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client. Mark as a finding if the VPN is not FIPS 140-2 validated. \n",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.",
"fixid": "F-37266r1_fix",
"fixtext": "Install a FIPS 140-2 validated VPN client. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-18627",
"ruleID": "SV-40265r2_rule",
"severity": "medium",
"title": "The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. ",
"version": "WIR-MOS-iOS-034-01"
},
"V-19897": {
"checkid": "C-35553r2_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. \n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and the configuration of the VPN client. Verify the VPN client supports AES encryption. Verify the VPN client is configured to require AES. Mark as a finding if the VPN does not support AES or is not configured to require AES.",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
"fixid": "F-37263r1_fix",
"fixtext": "Install an AES Encrypted VPN client. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-19897",
"ruleID": "SV-36449r2_rule",
"severity": "medium",
"title": "All wireless PDA clients used for remote access to DoD networks must have a VPN supporting AES encryption. ",
"version": "WIR-MOS-iOS-034-02"
},
"V-19898": {
"checkid": "C-35554r2_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. \n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and verify the VPN client supports CAC authentication. Mark as a finding if the VPN does not support CAC authentication.\n",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
"fixid": "F-37265r3_fix",
"fixtext": "Install a VPN client that supports CAC authentication.",
"iacontrols": [
"ECWN-1"
],
"id": "V-19898",
"ruleID": "SV-36450r2_rule",
"severity": "medium",
"title": "All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication. ",
"version": "WIR-MOS-iOS-034-03"
},
"V-19899": {
"checkid": "C-41594r1_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. \n\nInterview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and verify the VPN client supports disabling split tunneling. Verify the VPN client is configured to disable split tunneling. Mark as a finding if the VPN does not support disabling split tunneling or it is not disabled on the client.\n",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. Split tunneling could allow connections from non-secure Internet sites to access data on the DoD network.",
"fixid": "F-37267r1_fix",
"fixtext": "Disable split tunneling on VPN client. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-19899",
"ruleID": "SV-36451r2_rule",
"severity": "medium",
"title": "All wireless PDA client VPNs must have split tunneling disabled. ",
"version": "WIR-MOS-iOS-034-04"
},
"V-24982": {
"checkid": "C-31197r4_chk",
"checktext": "Detailed Policy Requirements:\nIf a Bluetooth smart card reader is used only the following models and firmware versions should be used:\n\nSCR: Biometric Associates, LP (BAL) baiMobile BAL-3000MP Bluetooth Smart Card Reader. Firmware version v2.01.00 or later should be used (version v2.02.00 is recommended).\n\nBluetooth adapter: Biometric Associates, LP (BAL) baiMobile BAL-BTA001 Bluetooth Adapter. Firmware version 2.01.00 or later should be used (version v2.02.00 is recommended).\n\nCheck Procedures:\nSCR: The version of the reader firmware is displayed when the user presses and holds the Action button for a couple of seconds.\n\nBluetooth adapter: Model and firmware are printed on the label attached to the adapter.\n\nFor wired smart card readers, check to see if the vendor has completed JITC PKI interoperability testing. Ask to see a copy of the JITC certification. The firmware version should be the same as listed in the JITC certification (or later version).\n\nMark as a finding if the firmware version on the SCR and adapter are not the approved versions.",
"description": "Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.",
"fixid": "F-27623r1_fix",
"fixtext": "Install required SCR software version. ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24982",
"ruleID": "SV-30781r2_rule",
"severity": "low",
"title": "Smart Card Readers (SCRs) used with smartphones must have required software version installed.",
"version": "WIR-MOS-iOS-002"
},
"V-24983": {
"checkid": "C-31198r4_chk",
"checktext": "Launch the mobile email client and verify S/MIME is installed in the client. The exact procedures will depend on which mobile email product is being used. Mark as a finding if not compliant.",
"description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy. Without S/MIME users will not be able to read encrypted email and will not be able to encrypt email with sensitive information.",
"fixid": "F-27624r4_fix",
"fixtext": "Provision the mobile email client with S/MIME so users can digitally sign and encrypt emergency and/or critical email notifications.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24983",
"ruleID": "SV-30782r2_rule",
"severity": "medium",
"title": "S/MIME must be installed on mobile device, so users can sign/encrypt email",
"version": "WIR-MOS-iOS-003"
},
"V-24984": {
"checkid": "C-31199r4_chk",
"checktext": "Launch the mobile email client and verify the email auto signature feature is set and it is compliant with the requirement. The exact procedures will depend on which mobile email product is being used. Mark as a finding if not compliant.",
"description": "The disclaimer message may give information which may key an attacker in on the device. ",
"fixid": "F-27625r3_fix",
"fixtext": "Configure the iOS email auto-signature message so it does not disclose the email originated from the iOS device (e.g., Sent From My Wireless Handheld).\n ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24984",
"ruleID": "SV-30783r2_rule",
"severity": "low",
"title": "If mobile device email auto signatures are used, the signature message must not disclose the email originated from a smartphone (e.g., Sent From My Wireless Handheld).\n",
"version": "WIR-MOS-iOS-004"
},
"V-24985": {
"checkid": "C-31201r3_chk",
"checktext": "There are two acceptable implementations for this requirement.\n\n1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway.\n\n2. The device browser is installed inside an iOS security container and the security container provides the capability to route all browser traffic to the MDM server where it will be routed to the DoD Internet gateway.\n\nUsing a browser without a mobile VPN and installed outside the iOS device security container is not an approved implementation.\n\nVerify one of the approved browser implementations is used. Talk to the user and review 3-4 sample devices.\n\nMark as a finding if a required browser is not used.",
"description": "When using the DoD Internet proxy for iOS device Internet connections, enclave Internet security controls will filter and monitor iOS device Internet connections and reduce the risk that malware could be downloaded on the mobile device.\n",
"fixid": "F-27626r3_fix",
"fixtext": "Use a compliant browser implementation on the iOS device.\n ",
"iacontrols": [
"ECSC-1"
],
"id": "V-24985",
"ruleID": "SV-30784r2_rule",
"severity": "low",
"title": "The browser must direct all traffic to a DoD Internet proxy gateway.\n",
"version": "WIR-MOS-iOS-005"
},
"V-25003": {
"checkid": "C-31332r4_chk",
"checktext": "This is an iOS security policy set check. Recommend all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n\nThe exact procedures will vary based on the MDM product used. For the Good server, verify the following:\n\n-Verify a compliance rule has been set up defining required iOS 5 versions.\n\n-Launch the Good Mobile Control Web console and click on the Policies tab.\n-Select a policy set to review and click on the policy.\n-On the left tab, select Compliance Manager.\n-Verify \u201cOS Version Verification\u201d rule is listed. (Note that the rule title does not have to be exact.)\n-Open the rule by checking the box next to the rule and then click on Edit.\n\n-Verify the following are set:\nPlatform: iPhone\nCheck to Run: OS Version Verification\n\n-Verify the following are checked:\n5.1.1 or later. \n\n\n-Verify \u201cFailure Action\u201d is set to \u201cQuit Good for Enterprise\u201d.\n\n-Verify \u201cCheck Every\u201d is set to \u201c1 hour\u201d.\n\nMark as a finding if the \u201cOS Version Verification\u201d rule has not been set up or is not configured as required.",
"description": "Unapproved OS versions do not support required security features.",
"fixid": "F-27651r2_fix",
"fixtext": "Install required OS version.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-25003",
"ruleID": "SV-34937r2_rule",
"severity": "medium",
"title": "Mobile devices must have required operating system software version installed.\n",
"version": "WIR-MOS-iOS-030-01"
},
"V-25006": {
"checkid": "C-31206r5_chk",
"checktext": "This requirement only applies if a non-MDM profile is used on an iOS device. An example would be if the Fixmo MDM profile is used to implement iOS security and a Good profile is used to provide email services. In this case, the Good profile would be a non-MDM profile.\n\nThis is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n\nThe profile password will meet CYBERCOM CTO 07-15Rev1 requirements for admin passwords and not be given to the user.\n\n-Verify \u201cRequire password to remove profile\u201d is checked and a complex Super User password is set. \n\nMark as a finding if not configured as required.",
"description": "Sensitive DoD data could be compromised if a security profile is not installed on DoD iPhone/iPad/iPod Touch devices. The profile should only be removed by the system administrator.",
"fixid": "F-27656r2_fix",
"fixtext": "Set smartphone to require a password to remove the device configuration profile if a non-MDM profile is used. Passwords must meet CYBERCOM CTO 07-15Rev1 requirements for admin passwords and not be given to the user.\n",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25006",
"ruleID": "SV-30788r2_rule",
"severity": "medium",
"title": "iOS devices must be configured to require a password to remove the iOS configuration profile, if a configuration profile is used.\n",
"version": "WIR-MOS-iOS-G-009"
},
"V-25007": {
"checkid": "C-31207r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cRequire passcode\u201d is checked. \n\nMark as a finding if configuration is not set as required.",
"description": "Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD iOS device.\n",
"fixid": "F-27657r2_fix",
"fixtext": "Configure the iOS device to require a passcode for device unlock.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25007",
"ruleID": "SV-30789r2_rule",
"severity": "medium",
"title": "Mobile devices must be configured to require a password/passcode for device unlock.\n",
"version": "WIR-MOS-iOS-G-010"
},
"V-25009": {
"checkid": "C-31210r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cMaximum passcode age\u201d is checked and set to 120 days or less. \n\nMark as a finding if configuration is not set as required.",
"description": "Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD iOS device and the passcode is not changed periodically.\n",
"fixid": "F-27659r1_fix",
"fixtext": "Set maximum passcode age as required.",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25009",
"ruleID": "SV-30792r2_rule",
"severity": "low",
"title": "Maximum passcode age must be set.",
"version": "WIR-MOS-iOS-G-013"
},
"V-25010": {
"checkid": "C-31213r5_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cGrace period\u201d is checked and set to 15 minutes or less.\n\nMark as a finding if configuration is not set as required.",
"description": "Sensitive DoD data could be compromised if the smartphone does not automatically lock after 15 minutes of inactivity.",
"fixid": "F-27661r1_fix",
"fixtext": "Set the smartphone inactivity timeout to required value. ",
"iacontrols": [
"PESL-1"
],
"id": "V-25010",
"ruleID": "SV-30795r2_rule",
"severity": "medium",
"title": "The mobile device must be set to lock the device after a set period of user inactivity. ",
"version": "WIR-MOS-iOS-G-016"
},
"V-25011": {
"checkid": "C-31214r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy. \n-Verify \u201cMaximum failed attempts\u201d is checked and set to 10 or less. \n\nMark as a finding if configuration is not set as required.",
"description": "A hacker with unlimited attempts can determine the password of an iOS device within a few minutes using password hacking tools, which could lead to unauthorized access to the iOS device and exposure to sensitive DoD data.\n",
"fixid": "F-27662r1_fix",
"fixtext": "Set password/passcode maximum failed attempts to required value.",
"iacontrols": [
"IAIA-1"
],
"id": "V-25011",
"ruleID": "SV-30796r2_rule",
"severity": "medium",
"title": "Passcode maximum failed attempts must be set to required value.",
"version": "WIR-MOS-iOS-G-017"
},
"V-25012": {
"checkid": "C-31215r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow use of iTunes Music Store\u201d is unchecked. \n\nMark as a finding if configuration is not set as required.",
"description": "Strong configuration management of all applications installed on DoD device is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised.",
"fixid": "F-27663r1_fix",
"fixtext": "Disable access to public application stores.",
"iacontrols": [
"ECSC-1",
"ECWN-1"
],
"id": "V-25012",
"ruleID": "SV-30797r2_rule",
"severity": "medium",
"title": "Access to public application stores must be disabled.",
"version": "WIR-MOS-iOS-G-019"
},
"V-25013": {
"checkid": "C-31216r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n\n-Verify \u201cAllow installing apps\u201d is enabled or checked. \n\nMark as a finding if configuration is not set as required.\n\nNote: With this setting and check WIR-MOS-iOS-G-023, users will be able to browse the application store but not purchase and download applications from the store. If a user finds a way to \u201csideload\u201d an unauthorized iOS application without using the app store, the MAM server will alert that an unauthorized application has been identified on the device.\n",
"description": "Application download must be enabled so iOS updates can be installed over-the-air (OTA) and security updates will be installed as soon as possible. This is a key feature of the security baseline for DoD iOS devices. The MAM server will be responsible for scanning the device periodically and alert if the user has downloaded unapproved applications.",
"fixid": "F-27664r2_fix",
"fixtext": "On the MDM server, set \u201cAllow installing apps\u201d to enabled. ",
"iacontrols": [
"ECLP-1",
"ECWN-1"
],
"id": "V-25013",
"ruleID": "SV-30798r2_rule",
"severity": "medium",
"title": "Users must enable iOS application download.\n",
"version": "WIR-MOS-iOS-G-020"
},
"V-25014": {
"checkid": "C-31218r4_chk",
"checktext": "Note: The site has the ability to disable the camera by using the iPhone profile if camera use is not approved or allow the use of the camera and if use is approved and documented in the site physical security policy. Also, the site can state in the site physical security policy that camera use outside the facility is approved, but the camera must be disabled on the phone when brought into the facility. In this case, \u201cAllow use of camera\u201d would not be checked. \n\nThis is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Determine if \u201cAllow use of camera\u201d is unchecked or checked.\nIf checked, verify the site physical security policy allows the use of smartphone cameras.\n\nMark as a finding if \u201cAllow use of camera\u201d is checked and the site physical security policy does not allow the use of smartphone cameras.",
"description": "This is an operational security issue. DoD sensitive information could be compromised if cameras are allowed in areas not authorized by the site physical security plan.",
"fixid": "F-27665r1_fix",
"fixtext": "Allow use of smartphone camera only if documented approval exists in the site physical security policy. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25014",
"ruleID": "SV-30799r2_rule",
"severity": "low",
"title": "Mobile device cameras must be used only if documented approval is in the site physical security policy.\n",
"version": "WIR-MOS-iOS-G-021"
},
"V-25015": {
"checkid": "C-31219r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow screen capture\u201d is unchecked. \n\nMark as a finding if not set as required.",
"description": "Sensitive data, including FOUO data displayed on the screen, could be saved in unsecure memory on the device.\n",
"fixid": "F-27666r1_fix",
"fixtext": "Do not allow iPhone screen capture.",
"iacontrols": [
"ECWN-1"
],
"id": "V-25015",
"ruleID": "SV-30801r2_rule",
"severity": "medium",
"title": "Mobile device screen capture must not be allowed.\n",
"version": "WIR-MOS-iOS-G-022"
},
"V-25016": {
"checkid": "C-32252r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify any non-compliant policy sets and STIG/STIG compliant policy sets on the server. \n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Click the Passcode tab. \n-Verify \u201cMinimum length of\u201d is set to 4 or more in the iOS security policy. \n\nMark as a finding if configuration is not set as required.",
"description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required length on DoD smartphones. ",
"fixid": "F-27687r1_fix",
"fixtext": "Set the smartphone minimum password/passcode length as required. ",
"iacontrols": [
"ECWN-1",
"IAIA-1"
],
"id": "V-25016",
"ruleID": "SV-32026r2_rule",
"severity": "medium",
"title": "The device minimum password/passcode length must be set. ",
"version": "WIR-MOS-iOS-G-011"
},
"V-25017": {
"checkid": "C-31211r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAuto-lock\u201d is set to 5 minutes or less. \n\nMark as a finding if configuration is not set as required.\n",
"description": "Sensitive DoD data could be compromised if the iOS device does not automatically lock after a set period of inactivity.",
"fixid": "F-27688r1_fix",
"fixtext": "Set the smartphone Auto-Lock as required.",
"iacontrols": [
"PESL-1"
],
"id": "V-25017",
"ruleID": "SV-30793r2_rule",
"severity": "medium",
"title": "Apple iOS Auto-Lock must be set.",
"version": "WIR-MOS-iOS-G-014"
},
"V-25018": {
"checkid": "C-31212r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify Passcode history is set to 3 or more. \n\nMark as a finding if configuration is not set as required.",
"description": "The passcode would be more susceptible to compromise if the user can select frequently used passcodes.",
"fixid": "F-27689r1_fix",
"fixtext": "Set the smartphone passcode history setting as required. ",
"iacontrols": [
"IAIA-1"
],
"id": "V-25018",
"ruleID": "SV-30794r2_rule",
"severity": "low",
"title": "The smartphone passcode history setting must be set.",
"version": "WIR-MOS-iOS-G-015"
},
"V-25020": {
"checkid": "C-31223r3_chk",
"checktext": "This is a User Based Enforcement (UBE) setting.\n\nOn a sample of site-managed iOS devices (pick 3-4 random devices), check that the Wi-Fi radio is turned off.\n\n-Have the user turn on and log into the device.\n-Go to Settings > Wi-Fi. Wi-Fi should be turned off.\n\nMark as a finding if configuration is not set as required.",
"description": "The Wi-Fi radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
"fixid": "F-27691r2_fix",
"fixtext": "Train user to disable the smartphone Wi-Fi radio unless Wi-Fi connectivity is required.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-25020",
"ruleID": "SV-34931r2_rule",
"severity": "low",
"title": "The mobile device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required.\n",
"version": "WIR-MOS-iOS-041"
},
"V-25022": {
"checkid": "C-31203r5_chk",
"checktext": "The following banner is required: \n\u201cI've read & consent to terms in IS user agreem't.\u201d \n\nCheck Procedure: \n\nOn the iOS device, complete the following:\nCheck a sample of devices (3-4). The procedure will vary, depending on the MDM server used. For iOS, the banner is only displayed when logging into the security container.\n\nThe banner must exactly match the required phrase.\n\nIf the Good server is used, complete the following:\n1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: \n\n-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. \n--Log into the Good Mobile Control console. \n--Click on the Policies tab. \n--View all policy sets on the server. \n\n-Note: STIG-compliant policy sets should be identified as such in the policy title. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. \n\n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n\n\n-Launch the Good Mobile Control Web console and click on the Policies tab. \n\n-Select a policy set to review and click on the policy. \n\n-On the left tab, select Compliance Manager. \n-Verify a \"Custom\" or \"iOS DoD Login Banner\" rule is listed. (Note the rule title does not have to be exact.) \n-Open the rule by checking the box next to the rule and then click Edit. \n\n-Verify \"Failure Action\" is set to \"Quit Good for Enterprise\".\n\n-Verify \"Check Every\" is set to \"1 hour\".\n\n-Verify Rule File = disclaimer.xml\n\nMark as a finding if configuration is not set as required.",
"description": "DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. ",
"fixid": "F-27693r1_fix",
"fixtext": "Display the required banner during device unlock/logon. ",
"iacontrols": [
"ECWM-1"
],
"id": "V-25022",
"ruleID": "SV-30786r2_rule",
"severity": "medium",
"title": "All mobile devices must display the required banner during device unlock/logon.\n",
"version": "WIR-MOS-iOS-007"
},
"V-25033": {
"checkid": "C-31256r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow use of Safari\u201d is not checked. \n\nMark as a finding if not set as required.",
"description": "The Safari browser does not support FIPS 140-2 validated encryption and CAC authentication to DoD web sites. FIPS validation provides a level of assurance that encrypted sensitive data will not be compromised.\n",
"fixid": "F-27720r2_fix",
"fixtext": "Disable iOS Safari in all iOS security policies.\n",
"iacontrols": [
"ECSC-1",
"ECWN-1"
],
"id": "V-25033",
"ruleID": "SV-30834r2_rule",
"severity": "low",
"title": "iOS Safari must be disabled.\n",
"version": "WIR-MOS-iOS-G-018-01"
},
"V-25092": {
"checkid": "C-31417r4_chk",
"checktext": "On a sample of site-managed iOS devices (pick 3-4 random devices), have the user turn on and log into the device. \n\n-Go to Settings > Wi-Fi. \n-Touch Wi-Fi.\n-Check the setting of \"Ask to Join Networks\". \n\nVerify it is set to off (not selected).\n\nMark as a finding if not checked.\n",
"description": "The risk of a DoD mobile device being attacked via a rogue Wi-Fi access point is higher than for a rogue cellular access point. Therefore, the mobile device should be configured so it does not automatically connect to a Wi-Fi access point. The user should acknowledge and approve the connection to any Wi-Fi access point to minimize the risk of sensitive data on the device being exposed. \n",
"fixid": "F-27875r2_fix",
"fixtext": "The iOS device Wi-Fi setting \"Ask to Join Networks\" must be set to \"On\" at all times.\n ",
"iacontrols": [
"ECWN-1"
],
"id": "V-25092",
"ruleID": "SV-31000r2_rule",
"severity": "low",
"title": "The iOS device Wi-Fi setting Ask to Join Networks must be set to On at all times (User Based Enforcement (UBE)).\n",
"version": "WIR-iOS-005"
},
"V-25755": {
"checkid": "C-32247r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow In-App Purchases\u201d is unchecked. \n\nMark as a finding if not set as required.",
"description": "Strong configuration management of all applications installed on DoD devices is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised.",
"fixid": "F-28612r1_fix",
"fixtext": "Disable access to online application purchases.",
"iacontrols": [
"DCCB-1",
"DCCB-2"
],
"id": "V-25755",
"ruleID": "SV-32021r2_rule",
"severity": "low",
"title": "Access to online application purchases must be disabled.",
"version": "WIR-MOS-iOS-G-023"
},
"V-25756": {
"checkid": "C-32250r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cRequire iTunes backups to be encrypted\u201d is checked.\n\nMark as a finding if not set as required.",
"description": "The act of connecting an iOS device to a PC can put it at risk of attack if the PC is compromised. The iOS device should sync to a minimum number of approved machines. It should not sync to laptops that travel with the device and it should always use encrypted backups.",
"fixid": "F-28613r1_fix",
"fixtext": "Encrypted smartphone backups will be enabled.",
"iacontrols": [
"CODB-3"
],
"id": "V-25756",
"ruleID": "SV-32023r2_rule",
"severity": "low",
"title": "Encrypted smartphone backups must be enabled.",
"version": "WIR-MOS-iOS-G-024"
},
"V-27635": {
"checkid": "C-35072r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n\n-Verify \"Enable remote full device wipe\" is checked. \n(Note: \u201cDevice Wipe\u201d will wipe all data and non-core applications off the iOS device.)\n\nMark as a finding if configuration is not set as required.",
"description": "Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.",
"fixid": "F-30358r2_fix",
"fixtext": "Enable remote full device wipe on iOS devices.\n",
"iacontrols": [
"ECCR-1",
"ECWN-1"
],
"id": "V-27635",
"ruleID": "SV-35228r2_rule",
"severity": "medium",
"title": "Remote full device wipe must be enabled.",
"version": "WIR-MOS-iOS-G-008"
},
"V-32686": {
"checkid": "C-41051r3_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server. \n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow Siri\" is not checked.\n\nMark as a finding if not set as required.",
"description": "The Siri application connects to Apple servers and stores information about the device and user inquiries on those servers. The use of Siri could lead to the compromise of sensitive DoD information.\n",
"fixid": "F-36587r1_fix",
"fixtext": "Disable Siri in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32686",
"ruleID": "SV-43032r1_rule",
"severity": "medium",
"title": "iOS Siri application must be disabled.\n",
"version": "WIR-MOS-iOS-50-02"
},
"V-32688": {
"checkid": "C-41052r3_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow multiplayer gaming\" is not checked.\n\nMark as a finding if not set as required.",
"description": "The game function connects to Apple servers and allows the transfer of device data to other iOS devices. The use of the game function could lead to the compromise of sensitive DoD information.",
"fixid": "F-36588r1_fix",
"fixtext": "Disable multiplayer gaming in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32688",
"ruleID": "SV-43034r1_rule",
"severity": "medium",
"title": "iOS Multiplayer Gaming must be disabled.\n",
"version": "WIR-MOS-iOS-50-03"
},
"V-32689": {
"checkid": "C-41053r3_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n\n-Verify \u201cAdding Game Center Friends\" is not checked.\n\nMark as a finding if not set as required.",
"description": "The game function connects to Apple servers and allows the transfer of device data to other iOS devices. The use of the game function could lead to the compromise of sensitive DoD information.\n",
"fixid": "F-36589r1_fix",
"fixtext": "Disable Adding Game Center Friends in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32689",
"ruleID": "SV-43035r1_rule",
"severity": "medium",
"title": "Adding Game Center Friends must be disabled.\n",
"version": "WIR-MOS-iOS-50-04"
},
"V-32690": {
"checkid": "C-41054r3_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow iCloud Backup\" is not checked.\n\nMark as a finding if not set as required.",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.\n",
"fixid": "F-36590r1_fix",
"fixtext": "Disable iCloud Backup in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32690",
"ruleID": "SV-43036r1_rule",
"severity": "medium",
"title": "Allow iCloud Backup must be disabled.\n",
"version": "WIR-MOS-iOS-50-05"
},
"V-32691": {
"checkid": "C-41055r3_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow Document Syncing\" is not checked.\n\nMark as a finding if not set as required.",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
"fixid": "F-36591r1_fix",
"fixtext": "Disable Document Syncing in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32691",
"ruleID": "SV-43037r1_rule",
"severity": "medium",
"title": "Allow Document Syncing must be disabled.\n",
"version": "WIR-MOS-iOS-50-06"
},
"V-32693": {
"checkid": "C-41056r5_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow Photo Stream\" is not checked.\n\nMark as a finding if not set as required.",
"description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
"fixid": "F-36592r1_fix",
"fixtext": "Disable Photo Stream in the iOS security policy.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32693",
"ruleID": "SV-43039r1_rule",
"severity": "medium",
"title": "Allow Photo Stream must be disabled.\n",
"version": "WIR-MOS-iOS-50-07"
},
"V-32695": {
"checkid": "C-41057r4_chk",
"checktext": "This is an iOS security policy set check. Recommend that all checks related to iOS security policy set rules be reviewed using the following procedure. \n\n1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: \n-Have the SA identify STIG compliant and non-compliant policies on the server.\n--Log into the MDM server console. \n--Click on the Policies tab. \n--View all iOS security policies on the server. \n-Note: STIG-compliant policy sets should be identified as such in the policy title. An example is STIG_iOS_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.\n\n2. Select each iOS security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy set. \n-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.\n-Launch the MDM console and click on the Policies tab. \n-Select the iOS security policy.\n-Verify \u201cAllow Diagnostic Data to be Sent to Apple\" is not checked.\n\nMark as a finding if not set as required.",
"description": "Sensitive DoD information could be compromised if this setting is not implemented. DoD mobile device diagnostic data could be considered sensitive data and should not be sent to Apple and reside on Apple servers.\n",
"fixid": "F-36593r1_fix",
"fixtext": "Disable Diagnostic Data to be Sent to Apple in the iOS security policy.\n",
"iacontrols": [
"ECWM-1"
],
"id": "V-32695",
"ruleID": "SV-43041r1_rule",
"severity": "medium",
"title": "Allow Diagnostic Data to be Sent to Apple must be disabled.\n",
"version": "WIR-MOS-iOS-50-08"
},
"V-32696": {
"checkid": "C-41058r3_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client is configured to timeout an inactive session after a set period of inactivity. The check procedures will vary depending on the VPN client used.\n\nMark as a finding if the VPN client is not configured to timeout after 4 hours.",
"description": "The data on a DoD iOS device most likely contains sensitive DoD information, therefore, when device data is backed up to a local, approved laptop, the data should be encrypted to prevent compromise of data.\n",
"fixid": "F-36594r3_fix",
"fixtext": "Configure the VPN client to timeout a session after 4 hours of inactivity.",
"iacontrols": [
"ECWN-1"
],
"id": "V-32696",
"ruleID": "SV-43042r1_rule",
"severity": "medium",
"title": "All wireless PDA client VPNs must timeout an inactive session after a set period of inactivity.\n",
"version": "WIR-MOS-iOS-034-05"
},
"V-32697": {
"checkid": "C-41059r2_chk",
"checktext": "This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client's inactive session timeout has been set to 2 hours or less. \n\nMark as a finding if the timeout period is not set as required.\n",
"description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. User authentication credentials (CAC PIN) may be compromised by a hacker if the credential cache is not wiped on a periodic basis.",
"fixid": "F-36595r1_fix",
"fixtext": "Configure the VPN client to timeout an inactive session of 2 hours or less.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32697",
"ruleID": "SV-43043r1_rule",
"severity": "medium",
"title": "All wireless PDA client VPN authentication credential cache timeout must be set to 2 hours or less. \n",
"version": "WIR-MOS-iOS-034-06"
},
"V-32698": {
"checkid": "C-41061r3_chk",
"checktext": "Check the list of applications on a sample of 2-3 iOS devices. Verify an MDM, MAM, and integrity validation agent are installed on the device.\n\nNote that one or more agents may be used. Some agents may perform one or more of these functions. Ask the site for the name of the product(s) used. Mark as a finding if the required agent(s) are not installed.",
"description": "The MDM, MAM, and integrity scanning agents all perform various security management functions on the iOS devices (some products integrate all three functions into one agent). If these agents are not on the mobile device, key security controls may not be enforced, which could lead to the compromise of sensitive DoD data.\n",
"fixid": "F-36596r1_fix",
"fixtext": "Install the missing management agents on the iOS device.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32698",
"ruleID": "SV-43044r1_rule",
"severity": "high",
"title": "MDM, MAM, and integrity validation agent(s) must be installed and operate at all times on the mobile OS device.\n",
"version": "WIR-MOS-60"
},
"V-32699": {
"checkid": "C-41062r2_chk",
"checktext": "Review system documentation, operating system configuration, and other IA information resources to determine how the operating system prevents the user from modifying the security policy and related enforcement mechanisms. Items to look for include mandatory access controls, permissions on related operating system files, and authentication for super user access. Examine the operating system configuration. If it is easy to turn off security settings or stop security-related applications from running, this is a finding. \n\nAn alternate and acceptable approach is for the security container agent to wipe the container if it detects the security policy has been deleted, disabled, or modified.",
"description": "The integrity of the security policy and enforcement mechanisms is critical to the IA posture of the operating system. If a user can modify a device's security policy or enforcement mechanisms, then a wide range of subsequent attacks are possible, including unauthorized access to information and networks. Access controls that prevent a user from making modifications such as these mitigate the risk of operating system compromise.\n",
"fixid": "F-36597r2_fix",
"fixtext": "Configure the operating system to prohibit a user from disabling or modifying the security policy or enforcement mechanisms on the device, or to wipe the security container if it detects the security policy has been deleted, disabled, or modified.",
"iacontrols": [
"ECWN-1"
],
"id": "V-32699",
"ruleID": "SV-43045r1_rule",
"severity": "high",
"title": "The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.\n",
"version": "WIR-MOS-iOS-65-01"
},
"V-32700": {
"checkid": "C-41063r1_chk",
"checktext": "Review the loading process to determine if it meets the necessary assurance for mutual authentication. If the trusted loading process does not meet the criteria, this is a finding.\n",
"description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Mutual authentication ensures both that the device is authorized for provisioning and that a rogue provisioning server is not used to obtain software.\n",
"fixid": "F-36598r1_fix",
"fixtext": "Configure the operating system to authenticate the provisioning server prior to accepting provisioned software.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32700",
"ruleID": "SV-43046r1_rule",
"severity": "high",
"title": "The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "WIR-MOS-iOS-65-02"
},
"V-32701": {
"checkid": "C-41064r1_chk",
"checktext": "Review system documentation and operating system configuration to determine if there is appropriate cryptography protecting the confidentiality of OTA provisioning. If the provisioning data is not protected by cryptographic means during an OTA provisioning procedure, this is a finding.\n",
"description": "Provisioning data may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. \n",
"fixid": "F-36599r1_fix",
"fixtext": "Configure the operating system to use cryptography providing confidentiality for provisioning downloads.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32701",
"ruleID": "SV-43047r1_rule",
"severity": "medium",
"title": "The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "WIR-MOS-iOS-65-03"
},
"V-32702": {
"checkid": "C-41065r1_chk",
"checktext": "Review system documentation and operating system configuration to determine if there are appropriate integrity mechanisms protecting the integrity of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS validated cryptographic modules implementing algorithms that provide integrity services. If there are no such mechanisms present, this is a finding.\n",
"description": "Provisioning data may be sensitive and therefore must be adequately protected. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process. Proper use of cryptography provides strong assurance that provisioning data is protected against integrity attacks. \n",
"fixid": "F-36600r1_fix",
"fixtext": "Configure the operating system to use cryptography providing integrity for provisioning downloads.\n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32702",
"ruleID": "SV-43048r1_rule",
"severity": "medium",
"title": "The mobile operating system must protect the integrity of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.\n",
"version": "WIR-MOS-iOS-65-04"
},
"V-32703": {
"checkid": "C-41066r2_chk",
"checktext": "Review system documentation and operating system configuration to determine if the system administrator has the ability to disable OTA provisioning. If the operating system does not support OTA provisioning, this also meets the requirement. If the operating system supports OTA but there is no means for the SA to disable that capability, this is a finding.\n\n",
"description": "In some environments, the risk of OTA provisioning may outweigh any convenience benefit it offers. In such cases, the administrator should have the ability to disable OTA provisioning to ensure security breaches do not occur from use of this technique.\n",
"fixid": "F-36601r2_fix",
"fixtext": "Disable OTA provisioning if threat conditions warrant this action. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-32703",
"ruleID": "SV-43049r1_rule",
"severity": "low",
"title": "The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning. \n",
"version": "WIR-MOS-iOS-65-05"
},
"V-32704": {
"checkid": "C-41067r1_chk",
"checktext": "Review the operating system documentation and configuration (and possibly application configuration) to determine if the system uses AES encryption with at least 128-bit keys. If it does not use AES encryption with the required key length, this is a finding.\n",
"description": "If data traffic is sent unencrypted, an adversary may be able to read it to obtain sensitive information. AES encryption with 128-bit (or longer) keys mitigates the risk of unauthorized eavesdropping. This requirement applies to both VPN connections and DoD messaging connections (email and authorized instant messaging applications).\n",
"fixid": "F-36602r1_fix",
"fixtext": "Configure the VPN client, email client, and other applications that communicate with DoD information resources to use AES encryption with 128-bit (or longer) keys.\n",
"iacontrols": [
"DCNR-1"
],
"id": "V-32704",
"ruleID": "SV-43050r1_rule",
"severity": "medium",
"title": "The mobile operating system must encrypt all data in transit using AES encryption when communicating with DoD information resources (128-bit key length is the minimum requirement; 256-bit desired). \n",
"version": "WIR-MOS-iOS-65-06"
},
"V-32705": {
"checkid": "C-41068r1_chk",
"checktext": "Review system documentation and operating system configuration to determine if the operating system uses AES encryption with 128-bit or longer keys to encrypt the contents of the key store. If the key store is not encrypted or does not use AES encryption, this is a finding.\n",
"description": "If an adversary can access the key store, it may be able to use the keys to perform a variety of unauthorized transactions. It may also be able to modify public keys in a way that it can trick the operating system into accepting invalid certificates. Encrypting the key store protects the integrity and confidentiality of keys. AES encryption with adequate key lengths provides assurance that the protection is strong.\n",
"fixid": "F-36603r1_fix",
"fixtext": "Configure the operating system to encrypt the contents of the key store with AES encryption using 128-bit or longer keys.\n",
"iacontrols": [
"DCNR-1"
],
"id": "V-32705",
"ruleID": "SV-43051r1_rule",
"severity": "high",
"title": "The mobile operating system PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).\n",
"version": "WIR-MOS-iOS-65-07"
},
"V-32706": {
"checkid": "C-41069r3_chk",
"checktext": "Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. \n\nIf the operating system cryptographic module is not currently FIPS validated or a third party application that provides a security module protected by a FIPS 140-2 validated encryption module is not used on the mobile device, this is a finding.",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
"fixid": "F-36604r2_fix",
"fixtext": "Stop using the operating system until the vendor has obtained FIPS validation or install a third party product that contains a security container with a FIPS validated cryptographic module.",
"iacontrols": [
"DCNR-1"
],
"id": "V-32706",
"ruleID": "SV-43052r1_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.\n",
"version": "WIR-MOS-iOS-65-08"
},
"V-32707": {
"checkid": "C-41070r1_chk",
"checktext": "Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding.\n",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
"fixid": "F-36605r1_fix",
"fixtext": "Stop using the operating system until the vendor has obtained FIPS validation or install a third party product that contains a FIPS validated cryptographic module providing the same services as the operating system\u2019s non-FIPS validated implementation of cryptography.\n",
"iacontrols": [
"DCNR-1"
],
"id": "V-32707",
"ruleID": "SV-43053r1_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.\n",
"version": "WIR-MOS-iOS-65-09"
},
"V-32708": {
"checkid": "C-41071r1_chk",
"checktext": "Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding.\n",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
"fixid": "F-36606r1_fix",
"fixtext": "Stop using the operating system until the vendor has obtained FIPS validation or install a third party product that contains a FIPS validated cryptographic module providing the same services as the operating system\u2019s non-FIPS validated implementation of cryptography.\n",
"iacontrols": [
"DCNR-1"
],
"id": "V-32708",
"ruleID": "SV-43054r1_rule",
"severity": "medium",
"title": "The cryptographic module supporting encryption of the certificate store must be FIPS 140-2 validated.\n",
"version": "WIR-MOS-iOS-65-10"
},
"V-32711": {
"checkid": "C-41072r1_chk",
"checktext": "Review the operating system and browser configuration to determine if traffic is forced through DoD proxy servers. If greater assurance is required, access a number of Internet web sites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server. If the device accesses any Internet resource without being directed through a DoD proxy server, this is a finding.\n",
"description": "Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.\n",
"fixid": "F-36607r1_fix",
"fixtext": "Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server. \n",
"iacontrols": [
"ECWN-1"
],
"id": "V-32711",
"ruleID": "SV-43057r1_rule",
"severity": "medium",
"title": "The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server. \n",
"version": "WIR-MOS-iOS-65-11"
},
"V-32712": {
"checkid": "C-41073r1_chk",
"checktext": "Review system documentation and operating system configuration to verify the operating system encrypts all data using AES encryption. Validate this includes data on removable memory, such as SD cards. If the operating system does not encrypt data at rest, or does so only selectively, or does so using an encryption algorithm other than AES (for unclassified data), this is a finding. \n",
"description": "If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. AES encryption with appropriate key lengths provides assurance that the cryptography is adequate.\n",
"fixid": "F-36608r1_fix",
"fixtext": "Configure the operating system to encrypt all data on the mobile device using AES encryption.\n",
"iacontrols": [
"DCNR-1"
],
"id": "V-32712",
"ruleID": "SV-43058r1_rule",
"severity": "medium",
"title": "The mobile operating system must encrypt all data on the mobile device using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired). \n",
"version": "WIR-MOS-iOS-65-12"
},
"V-32713": {
"checkid": "C-41074r1_chk",
"checktext": "On a sample of devices known to encrypt information resident on the devices, attempt to access an encrypted file and verify the operating system prompts for a password. In many cases, the transaction may involve the entry of a CAC PIN, which still satisfies the requirement. If data is accessible without entering a password at some point when using the device, this is a finding.\n",
"description": "Encryption is only effective if the decryption procedure is protected. If an adversary can easily access the private key (either directly or through a software application), then sensitive DoD data is likely to be disclosed. Password protection is one method to reduce the likelihood of such an occurrence.\n",
"fixid": "F-36609r1_fix",
"fixtext": "Configure the operating system to require a valid password be successfully entered before the mobile device data is unencrypted.\n",
"iacontrols": [
"IAIA-1"
],
"id": "V-32713",
"ruleID": "SV-43059r1_rule",
"severity": "medium",
"title": "The mobile operating system must require a valid password be successfully entered before the mobile device data is unencrypted.\n",
"version": "WIR-MOS-iOS-65-13"
},
"V-32715": {
"checkid": "C-41075r1_chk",
"checktext": "Review system documentation and other IA information resources to determine how the operating system treats data in memory upon the lock of the device. The operating system may enforce this requirement in a variety of means. The reviewer should focus on the fact that the data is encrypted when the device has been shut down suddenly and not on the timing of the encryption, much of which might occur prior to device lock. If it is determined that unencrypted data still resides on the device after device lock, this is a finding. \n",
"description": "If data is not encrypted upon the lock of the device, there is the potential for an adversary to remove non-volatile memory from the device and read it directly using tools for that purpose. This attack would render other operating system controls useless. Encrypting data provides assurance that it will be protected even when memory is physically removed from the device.\n",
"fixid": "F-36610r1_fix",
"fixtext": "Configure the operating system to re-encrypt all device data in memory when the device is locked. If the operating system does not support this capability, a permanent finding must be assigned to the asset running the operating system.\n",
"iacontrols": [
"DCNR-1"
],
"id": "V-32715",
"ruleID": "SV-43061r1_rule",
"severity": "medium",
"title": "The mobile operating system must re-encrypt all device data when the device is locked. \n",
"version": "WIR-MOS-iOS-65-14"
},
"V-32716": {
"checkid": "C-41076r1_chk",
"checktext": "Review system documentation to determine the approach to malware prevention. This may include secure operating system architectures, mandatory access controls, and high-assurance authentication of code. Inspect the operating system to validate the approach has been implemented as claimed. If the approach has not been implemented, or if the implementation is inadequate, this is a finding. \n",
"description": "In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can result in the disclosure of sensitive information or cause a denial of service. Anti-virus applications are not common on mobile operating systems but one or more methods to mitigate the risk of malware must be in place to protect DoD information and networks.\n",
"fixid": "F-36611r1_fix",
"fixtext": "Configure the operating system to prevent a malware application from installing and executing. \n",
"iacontrols": [
"ECVP-1"
],
"id": "V-32716",
"ruleID": "SV-43062r1_rule",
"severity": "high",
"title": "The mobile operating system must employ a DoD approved anti-virus application or otherwise prevent a malware application from installing and executing. \n",
"version": "WIR-MOS-iOS-65-15"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-18627": "true",
"V-19897": "true",
"V-19898": "true",
"V-19899": "true",
"V-24982": "true",
"V-24983": "true",
"V-24984": "true",
"V-24985": "true",
"V-25003": "true",
"V-25006": "true",
"V-25007": "true",
"V-25009": "true",
"V-25010": "true",
"V-25011": "true",
"V-25012": "true",
"V-25013": "true",
"V-25014": "true",
"V-25015": "true",
"V-25016": "true",
"V-25017": "true",
"V-25018": "true",
"V-25020": "true",
"V-25022": "true",
"V-25033": "true",
"V-25092": "true",
"V-25755": "true",
"V-25756": "true",
"V-27635": "true",
"V-32686": "true",
"V-32688": "true",
"V-32689": "true",
"V-32690": "true",
"V-32691": "true",
"V-32693": "true",
"V-32695": "true",
"V-32696": "true",
"V-32697": "true",
"V-32698": "true",
"V-32699": "true",
"V-32700": "true",
"V-32701": "true",
"V-32702": "true",
"V-32703": "true",
"V-32704": "true",
"V-32705": "true",
"V-32706": "true",
"V-32707": "true",
"V-32708": "true",
"V-32711": "true",
"V-32712": "true",
"V-32713": "true",
"V-32715": "true",
"V-32716": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "apple_ios_5",
"title": "Apple iOS 5 Security Technical Implementation Guide (STIG)",
"version": "1"
}
}