The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35976 | SRG-MPOL-058 | SV-47292r1_rule | High |
| Description |
|---|
| If DoD issued certificates are utilized, the device may be able to connect to sites/systems that are otherwise prohibited without the certificate. Non-enterprise activated CMDs are not authorized to access DoD information. In addition, the certificate store will not be protected with AES encryption or be FIPS validated. DoD PKI certificates would be at risk of being compromised. |
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-44213r1_chk ) |
|---|
| Review the organization's published implementation guidance on the use of non-enterprise activated CMDs to determine if DoD software certificates are prohibited from being utilized on the devices. If DoD software certificates are not prohibited, this is a finding. |
| Fix Text (F-40503r1_fix) |
|---|
| Publish the organization’s implementation guidance prohibiting the use of DoD-issued software certificates on non-enterprise activated CMDs. |