| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-267992 | | Apple iOS/iPadOS 18 must be configured to enforce a passcode reuse prohibition of at least two generations. | iOS/iPadOS 17 and later versions include a feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the previous... |
| V-268024 | | Apple iOS/iPadOS 18 must require a valid password be successfully entered before the mobile device data is unencrypted. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may... |
| V-268034 | | iPhone and iPad must have the latest available iOS/iPadOS operating system installed. | Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF.1.1... |
| V-272169 | | Apple iOS/iPadOS 18 must disable the ability to hide apps. | Hidden apps cannot be seen by enterprise management applications (e.g., MDM server), and therefore, unauthorized apps or apps with embedded malware co... |
| V-267958 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267959 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud document and data synchronization). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267960 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud Keychain). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267961 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (Cloud Photo Library). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267962 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267963 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (managed applications data stored in iCloud). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267964 | | Apple iOS/iPadOS 18 must not allow backup to remote systems (enterprise books). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267987 | | Apple iOS/iPadOS 18 must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a ... |
| V-267988 | | Apple iOS/iPadOS 18 must be configured to not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or s... |
| V-267990 | | Apple iOS/iPadOS 18 must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-267991 | | Apple iOS/iPadOS 18 must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on ... |
| V-267993 | | Apple iOS/iPadOS 18 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store]. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-267995 | | Apple iOS/iPadOS 18 must not include applications with the following characteristics: access to Siri when the device is locked. | Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) th... |
| V-267997 | | The Apple iOS/iPadOS 18 allow list must be configured to not include applications with the following characteristics: backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); transmits MD diagnostic data to non-DOD servers; allows synchronization of data or applications between devices associated with user; allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; backs up its own data to a remote system; and uses artificial intelligence (AI), which processes data in the cloud (off device). Exception: Apple Intelligence Private Cloud Compute (PCC). | Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) th... |
| V-267998 | | Apple iOS/iPadOS 18 must be configured to not display notifications when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently ... |
| V-267999 | | Apple iOS/iPadOS 18 must not display notifications (calendar information) when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently ... |
| V-268013 | | Apple iOS/iPadOS 18 must be configured to not allow backup of [all applications, configuration data] to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed u... |
| V-268017 | | Apple iOS/iPadOS 18 must not allow non-DOD applications to access DOD data. | App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant ri... |
| V-268018 | | Apple iPadOS 18 must be configured to disable multiuser modes. | Multiuser mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with mu... |
| V-268019 | | Apple iOS/iPadOS 18 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM. | When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be... |
| V-268020 | | Apple iOS/iPadOS 18 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM. | When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be... |
| V-268022 | | Apple iOS/iPadOS 18 must be configured to disable ad hoc wireless client-to-client connection capability. | Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and... |
| V-268028 | | Apple iOS/iPadOS 18 must implement the management setting: encrypt backups/Encrypt local backup. | If iCloud backups are not encrypted, this could lead to the unauthorized disclosure of DOD sensitive information if non-DOD personnel are able to acce... |
| V-268033 | | Apple iOS/iPadOS 18 must implement the management setting: disable Allow MailDrop. | MailDrop allows users to send large attachments (up to 5 GB) via iCloud. Storing data with a non-DOD cloud provider may leave the data vulnerable to b... |
| V-268035 | | Apple iOS/iPadOS 18 must implement the management setting: use SSL for Exchange ActiveSync. | Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SS... |
| V-268036 | | Apple iOS/iPadOS 18 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 18 Mail app. | The Apple iOS/iPadOS Mail app can be configured to support multiple email accounts concurrently. These email accounts are likely to involve content of... |
| V-268037 | | Apple iOS/iPadOS 18 must implement the management setting: treat AirDrop as an unmanaged destination. | AirDrop is a way to send contact information or photos to other users with AirDrop enabled. This feature enables a possible attack vector for adversar... |
| V-268039 | | Apple iOS/iPadOS 18 must implement the management setting: not share location data through iCloud. | Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DOD user's location, moveme... |
| V-268041 | | Apple iOS/iPadOS 18 users must complete required training. | The security posture on iOS devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) ... |
| V-268042 | | A managed photo app must be used to take and store work-related photos. | The iOS Photos app is unmanaged and may sync photos with a device or user's personal iCloud account. Therefore, work-related photos must not be taken ... |
| V-268044 | | Apple iOS/iPadOS 18 must implement the management setting: enable USB Restricted Mode. | The USB port on an iOS device can be used to access data on the device. The required settings ensure the Apple device password is entered before a pre... |
| V-268047 | | Apple iOS/iPadOS 18 must implement the management setting: disable AirDrop. | AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector fo... |
| V-268048 | | Apple iOS/iPadOS 18 must implement the management setting: disable paired Apple Watch. | Sensitive DOD information could be exposed if an unauthorized Apple Watch is paired to a DOD iPhone. SFR ID: FMT_SMF.1.1 #47... |
| V-268049 | | Apple iOS/iPadOS 18 must implement the management setting: approved Apple Watches must be managed by an MDM. | Authorizing official (AO) approval is required before an Apple Watch (DOD-owned or personally owned) can be paired with a DOD-owned iPhone to ensure t... |
| V-268050 | | Apple iOS/iPadOS 18 must disable "Password AutoFill" in browsers and applications. | The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without p... |
| V-268051 | | Apple iOS/iPadOS 18 must disable "Allow setting up new nearby devices". | This control allows Apple device users to request passwords from nearby devices. This could lead to a compromise of the device password with an unauth... |
| V-268052 | | Apple iOS/iPadOS 18 must disable password proximity requests. | This control allows one Apple device to be notified to share its password with a nearby device. This could lead to a compromise of the device password... |
| V-268053 | | Apple iOS/iPadOS 18 must disable password sharing. | This control allows sharing passwords between Apple devices using AirDrop. This could lead to a compromise of the device password with an unauthorized... |
| V-268055 | | The Apple iOS/iPadOS 18 must be supervised by the MDM. | When an iOS/iPadOS is not supervised, the DOD mobile service provider cannot control when new iOS/iPadOS updates are installed on site-managed devices... |
| V-268056 | | Apple iOS/iPadOS 18 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices. | Unauthorized use of USB storage drives could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and compromis... |
| V-268058 | | Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DOD security requirements. | Configuration profiles define security policies on Apple iOS devices. If a user is able to remove a configuration profile, the user can then change th... |
| V-268059 | | Apple iOS/iPadOS 18 must disable "Allow network drive access in Files app". | Allowing network drive access by the Files app could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and c... |
| V-268060 | | Apple iOS/iPadOS 18 must disable connections to Siri servers for the purpose of dictation. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-268061 | | Apple iOS/iPadOS 18 must disable connections to Siri servers for the purpose of translation. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-268062 | | Apple iOS/iPadOS 18 must disable copy/paste of data from managed to unmanaged applications. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-268063 | | Apple iOS/iPadOS 18 must have DOD root and intermediate PKI certificates installed. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |
| V-268064 | | Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. | Auto Unlock allows an Apple Watch to automatically unlock an iPhone or Mac when in close proximity (not available for iPad). This feature allows the i... |
| V-268065 | | Apple iOS/iPadOS 18 must disable the installation of alternative marketplace apps. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-268066 | | Apple iOS/iPadOS 18 must disable app installation from a website. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-268067 | | Apple iOS/iPadOS 18 must delete eSIM content when the device is erased. | An eSIM may contain sensitive DOD data and must be wiped of data when the mobile device is wiped to protect sensitive data from exposure. SFR ID: FMT_... |
| V-268068 | | Apple iOS/iPadOS 18 must disable ChatGPT and other external AI app connections in Apple Intelligence. | The ChatGPT feature of Apple Intelligence allows DOD information to be downloaded from the DOD iPhone/iPad and processed by the ChatGPT application in... |
| V-269568 | | Apple iOS/iPadOS 18 must disable the download of iOS/iPadOS beta updates. | Beta operating system updates may contain features that could lead to the compromise of sensitive DOD information or provide a vector for the attack o... |
| V-272170 | | Apple iOS/iPadOS 18 must disable recording cell phone calls on the iPhone. | Cell phone recordings are saved as unmanaged recordings in the Notes app, which may be accessible to unmanaged apps. There is a risk that sensitive DO... |
| V-272171 | | Apple iOS/iPadOS 18 must disable iPhone Mirroring on Mac. | iPhone Mirroring allows managed data on a DOD iPhone to be manipulated by an unmanaged Mac. In certain situations, this may lead to the exposure of s... |
| V-276196 | | DOD Apple iOS/iPadOS 18 devices must disable FaceTime. | FaceTime is considered a personal use feature.... |
| V-276197 | | DOD Apple iOS/iPadOS 18 devices must disable eSIM transfers. | eSIM transfers could lead to the unauthorized use of DOD paid cellular service.... |
| V-276198 | | DOD Apple iOS/iPadOS 18 devices must disable screenshots and screen recordings. | A screenshot or screen recording of sensitive DOD information could lead to the inadvertent exposure of that information.... |
| V-276199 | | Apple iOS/iPadOS 18 must disable the ability of the user to wipe the device. | This feature must be disabled to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users could wi... |
| V-276203 | | Apple iOS/iPadOS 18 must disable automatic downloads of apps purchased on other Apple devices. | The automatic download of apps to a DOD mobile device could cause the exposure of sensitive DOD information when an unauthorized app is installed. SF... |
| V-276204 | | Apple iOS/iPadOS 18 must disable pairing with a host Mac or PC. | The connection of a DOD iPhone to a Mac or PC could cause the exposure of sensitive DOD information. SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-276214 | | DOD Apple iOS/iPadOS 18 devices must have a Mobile Threat Detection (MTD) app installed. | DOD mobile devices are at constant risk of cyber threats. MTD apps mitigate these risks by providing real-time threat detection, malware prevention, a... |
| V-276224 | | Apple iOS/iPadOS 18 must implement the management setting: disable Camera. | Authorizing Official (AO) approval is required before the Apple device camera can be enabled for a specific user or group of users, based on a risk as... |
| V-267937 | | Apple iOS/iPadOS 18 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis]. | The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a ... |
| V-268007 | | Apple iOS/iPadOS 18 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-268026 | | Apple iOS/iPadOS 18 must implement the management setting: limit Ad Tracking. | Ad Tracking refers to the advertisers' ability to categorize the device and spam the user with ads that are most relevant to the user's preferences. B... |
| V-268027 | | Apple iOS/iPadOS 18 must implement the management setting: not allow automatic completion of Safari browser passcodes. | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without prev... |
| V-268029 | | Apple iOS/iPadOS 18 must implement the management setting: not allow use of Handoff. | Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between t... |
| V-268030 | | Apple iOS/iPadOS 18 must implement the management setting: not allow use of iPhone widgets on Mac. | iPhone widgets on Mac use Handoff. Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff pass... |
| V-268031 | | Apple iOS/iPadOS 18 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device. | When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than th... |
| V-268032 | | Apple iOS/iPadOS 18 must implement the management setting: require passcode for incoming AirPlay connection requests. | When an incoming AirPlay request is allowed without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other t... |
| V-268038 | | Apple iOS/iPadOS 18 must implement the management setting: not have any Family Members in Family Sharing. | Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ab... |
| V-268040 | | Apple iOS/iPadOS 18 must implement the management setting: force Apple Watch wrist detection. | Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in... |
| V-268045 | | Apple iOS/iPadOS 18 must not allow managed apps to write contacts to unmanaged contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-268046 | | Apple iOS/iPadOS 18 must not allow unmanaged apps to read contacts from managed contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-268054 | | Apple iOS/iPadOS 18 must disable "Find My Friends" in the "Find My" app. | This control does not share a DOD user's location but encourages location sharing between DOD mobile device users, which can lead to operational secur... |
| V-268057 | | The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third-party. This data enables the developers to understand real-wor... |
| V-276200 | | Apple iOS/iPadOS 18 must disable the use of voice assistant (Siri) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests. SFR ID: FMT_MOF_EXT.1... |
| V-276201 | | Apple iOS/iPadOS 18 must disable the use of voice assistant (Show user-generated content in Siri) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests. SFR ID: FMT_MOF_EXT.1... |
| V-276202 | | Apple iOS/iPadOS 18 must disable the use of voice assistant (Siri suggestions) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests. SFR ID: FMT_MOF_EXT.1... |
| V-276205 | | Apple iOS/iPadOS 18 must disable AirPrint. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information. ... |
| V-276206 | | Apple iOS/iPadOS 18 must disable AirPrint: Allow discovery of AirPrint printers using iBeacons. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information. ... |
| V-276207 | | Apple iOS/iPadOS 18 must disable AirPrint: Allow storage of AirPrint credentials in Keychain. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information. ... |
| V-276208 | | Apple iOS/iPadOS 18 must enable AirPrint feature: Disallow AirPrint to destinations with untrusted certificates. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information. ... |
| V-276209 | | Apple iOS/iPadOS 18 must disable Allowed Content Ratings (Movies). | There is no known mission need for this personal use feature. SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-276210 | | Apple iOS/iPadOS 18 must disable Allowed Content Ratings (TV Shows). | There is no known mission need for this personal use feature. SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-276211 | | Apple iOS/iPadOS 18 must disable the Apple Intelligence feature: Image Wand. | The security of the Apple Intelligence system has not been vetted by the DOD, and the risk to DOD sensitive information is not known at this time. The... |
| V-276212 | | Apple iOS/iPadOS 18 must disable the Apple Intelligence feature: Image Generation. | The security of the Apple Intelligence system has not been vetted by the DOD, and the risk to DOD sensitive information is not known at this time. The... |
| V-276213 | | Apple iOS/iPadOS 18 must disable the Apple Intelligence feature: generate new Genmoji. | The security of the Apple Intelligence system has not been vetted by the DOD, and the risk to DOD sensitive information is not known at this time. The... |
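Most of the rules above are enforced by pushing a configuration profile from the MDM, so the fastest way to catch drift before a device is checked is to audit the exported profile itself. The script below is an added example, not DISA or Apple code and not part of this STIG. It assumes the profile is an unsigned XML plist, that the settings correspond to Apple's Restrictions (`com.apple.applicationaccess`) and Passcode (`com.apple.mobiledevice.passwordpolicy`) payload keys, and that the mapping from each Vuln ID to a payload key is correct; the STIG names settings by their MDM console labels, so that mapping is this example's assumption, as is the choice of the passcode thresholds (six characters, 10 attempts, 15 minutes, two generations) taken from the rule titles. Both sample profiles are constructed inline, not exported from a real device.

```python
"""Audit an exported configuration profile (.mobileconfig, an XML plist) against a
subset of the iOS/iPadOS 18 STIG rules above. Added example, not DISA or Apple code.
Assumption: keys are Apple's Restrictions (com.apple.applicationaccess) and Passcode
(com.apple.mobiledevice.passwordpolicy) payload keys, and the STIG-ID-to-key mapping
is this example's, since the STIG names settings by their MDM console labels."""
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Passcode rules: (STIG ID, key, predicate on the configured value, requirement as stated).
# A missing key arrives as None and fails, because the device then falls back to its default.
PASSCODE_RULES = [
    ("V-267987", "minLength", lambda v: v is not None and v >= 6, "minimum length 6"),
    ("V-267988", "allowSimple", lambda v: v is False, "no repeating/sequential characters"),
    ("V-267990", "maxInactivity", lambda v: v is not None and 1 <= v <= 15, "auto-lock within 15 min"),
    ("V-267991", "maxFailedAttempts", lambda v: v is not None and 1 <= v <= 10, "at most 10 failed attempts"),
    ("V-267992", "pinHistory", lambda v: v is not None and v >= 2, "at least 2 generations"),
]

# Restriction rules: STIG ID -> (key, required value). An absent key leaves the feature
# at its default and user-configurable, which is itself a finding under these rules.
RESTRICTION_RULES = {
    "V-267958": ("allowCloudBackup", False),
    "V-267960": ("allowCloudKeychainSync", False),
    "V-268028": ("forceEncryptedBackup", True),
    "V-268040": ("forceWatchWristDetection", True),
    "V-268044": ("allowUSBRestrictedMode", True),
    "V-268047": ("allowAirDrop", False),
    "V-268048": ("allowPairedWatch", False),
    "V-268057": ("allowDiagnosticSubmission", False),
    "V-268062": ("allowOpenFromManagedToUnmanaged", False),
    "V-268064": ("allowAutoUnlock", False),
    "V-268065": ("allowMarketplaceAppInstallation", False),
    "V-268066": ("allowWebDistributionAppInstallation", False),
    "V-268068": ("allowExternalIntelligenceIntegrations", False),
    "V-272169": ("allowAppsToBeHidden", False),
    "V-276198": ("allowScreenShot", False),
    "V-276199": ("allowEraseContentAndSettings", False),
    "V-276204": ("allowHostPairing", False),
    "V-276224": ("allowCamera", False),
}


def _values(profile, payload_type, key):
    """Value of `key` in every payload of `payload_type` (a profile may carry several)."""
    return [p.get(key) for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def audit_profile(mobileconfig: bytes):
    """Return [(stig_id, key, observed_values, requirement)] for each rule not enforced.
    Overlapping payloads of one type are merged by the device to the most restrictive
    value, so a rule passes if any payload satisfies it. An empty list means compliant."""
    profile = plistlib.loads(mobileconfig)
    findings = []
    for stig_id, key, ok, requirement in PASSCODE_RULES:
        values = _values(profile, PASSCODE_PAYLOAD, key)
        if not any(ok(v) for v in values):
            findings.append((stig_id, key, values, requirement))
    for stig_id, (key, required) in RESTRICTION_RULES.items():
        values = _values(profile, RESTRICTIONS_PAYLOAD, key)
        if required not in values:
            findings.append((stig_id, key, values, f"{key} = {required}"))
    return findings


def build_profile(passcode: dict, restrictions: dict) -> bytes:
    """Serialize a minimal .mobileconfig; used only to construct the samples below."""
    def payload(ptype, ident, body):
        return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadUUID": ident,
                "PayloadVersion": 1, **body}
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadIdentifier": "example.stig.audit",
        "PayloadUUID": "example.stig.audit", "PayloadVersion": 1,
        "PayloadContent": [payload(PASSCODE_PAYLOAD, "example.passcode", passcode),
                           payload(RESTRICTIONS_PAYLOAD, "example.restrictions", restrictions)],
    })


# Constructed sample: a typical default template (4-digit simple PIN, cloud features left on).
WEAK_MOBILECONFIG = build_profile(
    {"forcePIN": True, "minLength": 4, "allowSimple": True, "maxInactivity": 15, "maxFailedAttempts": 10},
    {"allowCloudBackup": True, "allowAirDrop": True},
)

# Constructed sample: every checked rule enforced.
HARDENED_MOBILECONFIG = build_profile(
    {"forcePIN": True, "minLength": 6, "allowSimple": False, "maxInactivity": 15,
     "maxFailedAttempts": 10, "pinHistory": 2},
    {key: required for key, required in RESTRICTION_RULES.values()},
)

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_MOBILECONFIG), ("hardened", HARDENED_MOBILECONFIG)):
        findings = audit_profile(blob)
        print(f"{name}: {len(findings)} finding(s)")
        for stig_id, key, observed, requirement in findings:
            print(f"  {stig_id} {key}: observed {observed}, need {requirement}")
```

Two caveats when pointing this at a real export. Profiles downloaded from an MDM are often CMS-signed DER rather than bare XML, so unwrap them first (for example `openssl smime -verify -noverify -inform DER -in signed.mobileconfig -out plain.mobileconfig`) or `plistlib.loads` will reject them. And the script checks intended configuration, not device state: a profile that is correct but never installed, or installed on an unsupervised device where supervised-only keys such as `allowEraseContentAndSettings` are ignored, still fails V-268055 and the rules that depend on it, so the on-device checks in the STIG remain the authoritative test.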