BlackBerry Device Service 6.2 STIG


Overview

Date: 2013-05-03
Finding Count (69): CAT I (High): 15, CAT II (Med): 41, CAT III (Low): 13
STIG Description
Developed by Research In Motion Ltd. in coordination with DISA for use in the DoD.


Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
BBDS-00-000315 High The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
BBDS-00-000131 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable two-factor encryption key generation on the mobile device.
BBDS-00-000115 High BlackBerry accounts must not be assigned to the default IT policy on the BlackBerry Device Service server or any other non-STIG compliant IT policy.
BBDS-00-000110 High The BlackBerry Device Service server must prevent the installation of applications that are not digitally signed with an organizationally accepted private key.
BBDS-00-003176 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable any mobile OS service that connects to a cloud storage server.
BBDS-00-003177 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Direct all work persona application traffic through the BlackBerry Device Service server.
BBDS-00-000330 High The BlackBerry Device Service server must be able to filter both inbound and outbound traffic based on IP address and UDP/TCP port.
BBDS-00-003131 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow mobile device applications the ability to reset the device lock timer.
BBDS-00-000295 High The BlackBerry Device Service server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
BBDS-00-000290 High The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.
BBDS-00-000320 High The BlackBerry Device Service server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
BBDS-00-000100 High The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.
BBDS-00-000340 High The BlackBerry Device Service server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices.
BBDS-00-002541 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable copying data from inside a non-secure data area on a mobile device into the security container.
BBDS-00-000156 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the transfer of any file-based data via Bluetooth.
BBDS-00-000285 Medium BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform self-service tasks.
BBDS-00-000170 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable MMS messaging.
BBDS-00-000280 Medium The BlackBerry Device Service server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.
BBDS-00-000165 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth 128 bit encryption.
BBDS-00-000150 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable Bluetooth.
BBDS-00-000135 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the device inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).
BBDS-00-000260 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Minimum MDM agent password length of eight or more characters.
BBDS-00-000155 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the Bluetooth discoverable mode.
BBDS-00-000132 Medium If the BlackBerry Device Service server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES 128 bit encryption key length is the minimum requirement; AES 256 desired.
BBDS-00-000130 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable data-at-rest encryption on the mobile device.
BBDS-00-000240 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of upper case letters in the MDM agent password.
BBDS-00-000225 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Perform a "Data Wipe" function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached.
BBDS-00-000245 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of numbers in the MDM agent password.
BBDS-00-000220 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable tethering (Wi-Fi, Bluetooth, or USB).
BBDS-00-000205 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable location services.
BBDS-00-000160 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth pairing using a randomly generated passkey size of at least 8 digits.
BBDS-00-000175 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable Wi-Fi.
BBDS-00-000195 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the memory card port.
BBDS-00-000190 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the all cameras.
BBDS-00-000200 Medium BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
BBDS-00-003178 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow personal persona applications access to the work personas network connection.
BBDS-00-003179 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow hyperlinks within work persona applications from opening within the personal persona browser application.
BBDS-00-000140 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the mobile device Bluetooth stack.
BBDS-00-000305 Medium The BlackBerry Device Service server must support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication.
BBDS-00-000166 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Bluetooth radio range.
BBDS-00-000300 Medium The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users.
BBDS-00-000270 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the MDM agent inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).
BBDS-00-000145 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable any supported Bluetooth profile.
BBDS-00-000120 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Perform a "Data Wipe" function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached.
BBDS-00-000250 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of special characters in the MDM agent password.
BBDS-00-000105 Medium The BlackBerry Device Service server must deploy operating system and application updates via over-the-air (OTA) provisioning for managed mobile devices.
BBDS-00-000265 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum MDM agent password history (3 previous passwords checked is the recommended setting).
BBDS-00-000255 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Maximum MDM agent password age (e.g., 30 days, 90 days, or 180 days).
BBDS-00-000230 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of incorrect password attempts before a data wipe procedure is initiated (minimum requirement is 3-10).
BBDS-00-000215 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the USB Port mass storage mode.
BBDS-00-000235 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable an MDM agent password.
BBDS-00-000210 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the video recorder.
BBDS-00-002543 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disable access to the work persona via any device-to-device bridging application.
BBDS-00-000185 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the near-field communications (NFC) radio.
BBDS-00-000180 Medium The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the Voice recorder.
BBDS-00-000275 Medium The BlackBerry Device Service server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or BlackBerry Device Service server).
BBDS-00-000287 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow any native applications pertaining to billing on a managed mobile device.
BBDS-00-000310 Low The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
BBDS-00-002431 Low The BlackBerry Device Service server must protect audit information on a managed mobile device from unauthorized distribution.
BBDS-00-003180 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of allowed repeated characters in the mobile device unlock password.
BBDS-00-003110 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable device unlock password.
BBDS-00-003130 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Device inactivity timeout whereby the user must reenter their user password or Smart Card PIN to unlock the device.
BBDS-00-000335 Low The BlackBerry Device Service server must be configured so the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only.
BBDS-00-003185 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the mobile device unlock password.
BBDS-00-000325 Low The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate. A self signed certificate will not be used.
BBDS-00-000286 Low BlackBerry Device Service must be configured to disable a user's capability to perform a user initiated backup or restore of the work persona of a managed mobile device.
BBDS-00-002542 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Allow only work persona contacts to be read from a native personal persona application.
BBDS-00-000288 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow any native applications pertaining to billing on a managed mobile device.
BBDS-00-003120 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Minimum password length for the device unlock password is configured to the organizationally defined value when DoD sensitive data is being protected.