kriterion 0.0.1

data/standards/stig_blackberry_enterprise_mobility_server_2.x.json

@@ -0,0 +1,149 @@
+{
+  "name": "stig_blackberry_enterprise_mobility_server_2.x",
+  "date": "2017-12-11",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-79003",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from any type of unauthorized read access.",
+      "description": "If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79005",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification.",
+      "description": "If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records.  Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79007",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized deletion.",
+      "description": "If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. \n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79009",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DoD-approved firewall.",
+      "description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. BEMS is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where BEMS runs on a standalone platform. Network firewalls or other architectures may be preferred where BEMS runs in a cloud or virtualized solution.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79011",
+      "title": "The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.",
+      "description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since BEMS is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on BEMS provides a protection mechanism to ensure unwanted service requests do not reach BEMS and outbound traffic is limited to only BEMS functionality.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79013",
+      "title": "The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DoD-approved ports, protocols, and services.",
+      "description": "All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79015",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.",
+      "description": "Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).\n\nTransmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster.\n\nIf data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\nTLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79017",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information.",
+      "description": "During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the application server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79019",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.",
+      "description": "Having several administrative roles for the BEMS supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.\n\n- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. \n- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79021",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection.",
+      "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79023",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS.",
+      "description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission to web applications. This is usually achieved through the use of HTTPS.",
+      "severity": "high"
+    },
+    {
+      "id": "V-79025",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DoD certificates for SSL.",
+      "description": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79027",
+      "title": "The BlackBerry Enterprise Mobility Server (BEMS) must be configured with an inactivity timeout of 15 minutes or less.",
+      "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79029",
+      "title": "If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.",
+      "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79031",
+      "title": "If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection.",
+      "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79033",
+      "title": "If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.",
+      "description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79035",
+      "title": "If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.",
+      "description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79037",
+      "title": "If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.",
+      "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79039",
+      "title": "If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DoD approved certificates.",
+      "description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79041",
+      "title": "If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.",
+      "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79043",
+      "title": "If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication.",
+      "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79045",
+      "title": "If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint).",
+      "description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.",
+      "severity": "high"
+    },
+    {
+      "id": "V-79047",
+      "title": "If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable audit logs.",
+      "description": "Logging must be used in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_blackberry_enterprise_server,_part_1.json

@@ -0,0 +1,35 @@
+{
+  "name": "stig_blackberry_enterprise_server,_part_1",
+  "date": "2012-09-21",
+  "description": "BlackBerry Enterprise Server STIG, Part 1 in XCCDF format.\nPart 1:  BES architecture and training requirements.\nPart 2:  BES configuration requirements.\nPart 3:  BES IT Policy configuration requirements.\n",
+  "title": "BlackBerry Enterprise Server, Part 1 Security Technical Implementation Guide",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-11870",
+      "title": "Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.\n",
+      "description": "Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system.  This software is not approved for use on DoD systems.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14021",
+      "title": "Only the BlackBerry Enterprise Server (BES) email solution is used.  ",
+      "description": " If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14199",
+      "title": "The host server where the BlackBerry Enterprise Server (BES) is installed must be hardened in accordance with the appropriate SQL, Apache Web Server, and IIS STIGs when required. ",
+      "description": "Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG, SQL STIG, Apache Web Server STIG, and IIS STIG to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19191",
+      "title": "Required version of the BlackBerry Enterprise Server (BES) must be installed.",
+      "description": "Earlier versions of the BES have security vulnerabilities. CYBERCOM IAVA directs all DoD installations upgrade to required version due to RIM ending support for version 4.1.6 and 4.1.7 as of 2 July 2011.",
+      "severity": "high"
+    }
+  ]
+}

data/standards/stig_blackberry_enterprise_server,_part_2.json

@@ -0,0 +1,155 @@
+{
+  "name": "stig_blackberry_enterprise_server,_part_2",
+  "date": "2012-10-01",
+  "description": "BlackBerry Enterprise Server STIG, Part 2 in XCCDF format.\nPart 1:  BES architecture and training requirements.\nPart 2:  BES configuration requirements.\nPart 3:  BES IT Policy configuration requirements.\n",
+  "title": "BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-11877",
+      "title": "The Device Transport Key must be configured on the BES for AES encryption. ",
+      "description": "AES encryption provides a higher level of security for BlackBerry data.",
+      "severity": "low"
+    },
+    {
+      "id": "V-14022",
+      "title": "The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device. ",
+      "description": "The wireless email server architecture must comply with the DoD environment because approval of the BES is contingent on installation with the correct settings.  DoD enclaves could be at risk of penetration or DoD data could be compromised if BES is not installed as required.",
+      "severity": "high"
+    },
+    {
+      "id": "V-16341",
+      "title": "An Application White List software configuration must be assigned to all BES user accounts.",
+      "description": "The primary BlackBerry malware control is to set up one or more Application White List software configurations on the BES.  Every user and group account must be assigned at least one Application White List software configuration.  In an Application White List, the use of all non-core applications is denied unless an application is expressly allowed.",
+      "severity": "high"
+    },
+    {
+      "id": "V-16343",
+      "title": "The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.\n",
+      "description": "User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18394",
+      "title": "The BES must be configured to convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone and prevent the BES from sending email messages with inline images to BlackBerry smartphones. ",
+      "description": "HTML email and inline images in email can contain malware or links to web sites with malware.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19192",
+      "title": "The BES host-based or appliance firewall must be configured as required.",
+      "description": "BlackBerry user could get access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required.",
+      "severity": "high"
+    },
+    {
+      "id": "V-19201",
+      "title": "The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system).\t\n",
+      "description": "Only authorized servers should be able to push content to BlackBerry devices.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19202",
+      "title": "Non-core applications used on the BlackBerry must be approved.",
+      "description": "Unapproved applications could include malware or introduce other vulnerabilities to the BlackBerry system and enclave.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19203",
+      "title": "An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES.\n\nNote:  This check applies to BES 4.1.x only.  On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration. ",
+      "description": "Applications must only have access to BlackBerry resources (e.g., microphone, address book, browser, email messages, etc.) they need for their function; otherwise, sensitive data could be exposed to unauthorized users or the BlackBerry system could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19206",
+      "title": "Security controls must be set up on the BES for connections to “back-office” servers.",
+      "description": "Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system that are not authorized to access the server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19215",
+      "title": "The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements.\n",
+      "description": "Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19224",
+      "title": "Required security controls must be used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network. Required security controls are in Table 2, BlackBerry STIG Configuration Tables. ",
+      "description": "If BlackBerry Wi-Fi controls are not implemented, DoD data can be compromised.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19226",
+      "title": "BlackBerry accounts must not be assigned to the default IT policy on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.",
+      "description": "The BlackBerry default policy on the BES does not include many DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) IT policy.",
+      "severity": "high"
+    },
+    {
+      "id": "V-22042",
+      "title": "Each Application White List software configuration assigned to each user account must be configured with top-level default “disallow” for all applications.  Applications must be specifically allowed at a lower level.",
+      "description": "The primary BlackBerry malware control is to set up an Application White List where the use of all applications is denied unless an application is expressly allowed. Otherwise, malware could be installed on the BlackBerry.",
+      "severity": "high"
+    },
+    {
+      "id": "V-22055",
+      "title": "Application repositories must be located on a DoD-controlled server within a DoD enclave. If not set up, this check is Not Applicable.",
+      "description": "A DoD application repository must contain only authorized applications and only approved and unaltered versions of those applications.  If DoD application repositories are not on DoD controlled servers inside DoD enclaves, the integrity of those applications could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22056",
+      "title": "All user and or group accounts must have an Access Control Rule assigned to the account. \n\t\n",
+      "description": "The BES MDS Connection Service  allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave.  Access control requirements of the network can be bypassed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22102",
+      "title": "The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication with a CTO 07-15Rev1 compliant administrator password. ",
+      "description": "The BAS provides the administrator interface for the BES. CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure storing access control is enforced.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22164",
+      "title": "The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default. ",
+      "description": "The key store password protects the server digital authentication certificates from unauthorized use.  ",
+      "severity": "low"
+    },
+    {
+      "id": "V-22165",
+      "title": "The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM. ",
+      "description": "The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. Users must be prohibited from performing the following administrative tasks using the BlackBerry Web Desktop Manager: \n-Specify an enterprise activation password for a BlackBerry device.\n-Specify a new device password and lock a device.\n-Delete all device data and deactivate a device.\n-Assign a new device to a user account.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-22703",
+      "title": "All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.  ",
+      "description": "The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25430",
+      "title": "BlackBerry Web Desktop Manager must be configured to disable a user’s capability to perform self-service tasks.",
+      "description": "The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When this configuration is not set as required, users may have the capability to activate unauthorized BlackBerry devices.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25431",
+      "title": "BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only. ",
+      "description": "The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When this configuration is not set as required, users may have the capability to activate unauthorized BlackBerry devices.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25548",
+      "title": "The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI issued certificate. A self signed certificate will not be used.",
+      "description": "When a self signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS.  In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.",
+      "severity": "low"
+    },
+    {
+      "id": "V-7078",
+      "title": "The BlackBerry MDS Integration Service must not be installed on a production BES.",
+      "description": "The BlackBerry Enterprise Service MDS Integration Service is a software development platform and should not be installed on a production BES. The service, if not properly configured, can allow unsecured connections between the BlackBerry and BES and between the BES and back-office run-time application servers.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_blackberry_enterprise_server,_part_3.json

@@ -0,0 +1,647 @@
+{
+  "name": "stig_blackberry_enterprise_server,_part_3",
+  "date": "2012-10-01",
+  "description": "BlackBerry Enterprise Server STIG, Part 3 in XCCDF format.\nPart 1:  BES architecture and training requirements.\nPart 2:  BES configuration requirements.\nPart 3:  BES IT Policy configuration requirements.\n",
+  "title": "BlackBerry Enterprise Server, Part 3 Security Technical Implementation Guide",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-11876",
+      "title": "IT Policy rule “Maximum Security Timeout” (Device-Only policy group) must be set as required.",
+      "description": "Handheld may not lock after the specified period of inactivity and DoD data could be exposed.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-12164",
+      "title": "Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. IT Policy rule “Content Protection Strength” (Security policy group) must be set as required.\n",
+      "description": "DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen.  This protection normally involves password or pin protected access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14198",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Bluetooth” (Bluetooth policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user.  DoD data would then be vulnerable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14478",
+      "title": "Wireless email device users must not install or remove applications and/or software on their handheld device unless under the direction and supervision of an authorized system administrator.  IT Policy rule “Show Application Loader” (Desktop-Only policy group) must be is set as required. ",
+      "description": "The wireless email server can be configured to prevent users from installing or removing applications.  These configuration settings must be set at the enterprise level to prevent users from downloading, using desktop software, unauthorized software, or harmful code.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-16058",
+      "title": "IT Policy rule Disable Wi-Fi must be set as required. ",
+      "description": "Improperly configured WLAN systems can expose the BlackBerry device and DoD network to attack.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19234",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Minimum Password Length” (Device Only policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-19235",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “User Can Disable Passwords” (Device Only policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-19236",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Maximum Password Age” (Device Only policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19238",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Password Timeout” (Password policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19239",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Maximum Password Attempts” (Password policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-19240",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Suppress Password Echo” (Password policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19241",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Maximum Password History” (Password policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19242",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Forbidden Passwords” (Password policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19243",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule Reset to Factory Defaults on Wipe (Security policy group) must be set as required. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to\nDoD data by unauthorized individuals.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-19244",
+      "title": "All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Lock Owner Info” must be set as required.",
+      "description": "DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner\ndisplayed during logon/device unlock to ensure user understands their responsibilities to safeguard DoD data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19245",
+      "title": "All PDAs and smartphones must display the required banner during device unlock/ logon. The IT Policy rule “Set Owner Info” must be set as required.",
+      "description": "DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner\ndisplayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19257",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Pairing” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19258",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Headset Profile” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19259",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Handsfree Profile” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19260",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Serial Port Profile” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19261",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Discoverable Mode” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19263",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Address Book Transfer” (Bluetooth Only policy group) will be set as required. \n",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user.  DoD data would then be vulnerable.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19264",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Desktop Connectivity” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19265",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Wireless Bypass” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user.  DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19266",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Enabling Bluetooth Support” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user.  DoD data would then be vulnerable.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19267",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Discoverable Mode” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19268",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Encryption” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19269",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable File Transfer” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19270",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require LED Connection Indicator” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19271",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Dial-Up Networking” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19272",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Force CHAP Authentication Bluetooth Link” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19273",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Advanced Audio Distribution Profile” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19274",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Audio/Video Remote Control Profile” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19276",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Limit Discoverable Time” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19278",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable SIM Access Profile” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19282",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other message required by DoD policy. IT Policy rule “Disable Revoked Certificate Use” (Security policy group) must be set as required. \n\n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19283",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Key Store Low Security” (Security policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19284",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Certificate Status Cache Timeout” (Security policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19285",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Invalid Certificate Use” (Security policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19286",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Weak Certificate Use” (Security policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19287",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Certificate Status Maximum Expiry Time” (Security policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19288",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Unverified CRLs” (Security policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19289",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong RSA Key Length” (S/MIME Application policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19290",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong DH Key Length” (S/MIME Application policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19291",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong ECC Key Length” (S/MIME Application policy group) must be to “163”.",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19292",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Content Ciphers” (S/MIME Application policy group) must be set as required.",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19293",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong DSA Key Length” (S/MIME Application policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19294",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Entrust Messaging Server (EMS) Email Address” (S/MIME Application policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19295",
+      "title": "Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Encryption Types” (S/MIME Application policy group) must be set as required. \n",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19304",
+      "title": "Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public Yahoo! Messenger Services” (Service Exclusivity policy group) must be set as required. ",
+      "description": "Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-19305",
+      "title": "Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public AIM Services” (Service Exclusivity policy group) must be set as required. ",
+      "description": "Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-19306",
+      "title": "Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public ICQ Services” (Service Exclusivity policy group) must be set as required. ",
+      "description": "Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19307",
+      "title": "Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public IM Services” (Service Exclusivity policy group) must be set as required. ",
+      "description": "Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19308",
+      "title": "Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public Google Talk Services” (Service Exclusivity policy group) must be set as required. ",
+      "description": "Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-19309",
+      "title": "Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public WLM Services” (Service Exclusivity policy group) must be set as required. \n",
+      "description": "Non-DoD instant messaging servers can be located anywhere in the world and can expose the DoD BlackBerry system and enclave to malware and attack. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-19315",
+      "title": "IT Policy rule “Maximum Bluetooth Range (BlackBerry Smart Card Reader policy group) must be set as required.",
+      "description": "Insecure Bluetooth SCR could make the BlackBerry vulnerable to compromise via a Bluetooth attack.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19317",
+      "title": "IT Policy rule “Maximum PC Disconnect Timeout (BlackBerry Smart Card Reader policy group) must be set as required.",
+      "description": "Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19318",
+      "title": "IT Policy rule “Maximum Number of PC Pairings (BlackBerry Smart Card Reader policy group) must be set as required.",
+      "description": "Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19337",
+      "title": "All Internet browsers must be disabled and removed from the BlackBerry\ndevice except for the BlackBerry internet browser.   IT Policy rule “Allow IBS Browser” (Browser policy group) is set as required.\n",
+      "description": "The BlackBerry Browser forces all Internet browsing to go through the site Internet gateway, which provides additional security over the carrier's browser.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19339",
+      "title": "All Internet browsers must be disabled and removed from the BlackBerry\ndevice except for the BlackBerry internet browser.  IT Policy rule “Allow Hotspot Browser” (Browser policy group) is set as required.\n",
+      "description": "The BlackBerry Browser forces all Internet browsing to go through the site Internet gateway, which provides additional security over the carrier's browser.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19343",
+      "title": "All Internet browsers must be disabled from the BlackBerry device except for the BlackBerry Internet browser.   IT Policy rule “Allow Other Browser Services” (Services Exclusivity policy group) is set as required.\n\n",
+      "description": "Requiring the use of the BlackBerry browser forces all Internet browsing to go through the enclave web proxy.  Therefore, all Internet use will be filtered and protected by enclave malware protection services.  Otherwise, BlackBerry Internet browsing would make the BlackBerry handheld and the enclave more vulnerable to malware that could be downloaded from the Internet.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19718",
+      "title": "IT Policy rule “Force Load Count” (Desktop-Only policy group) must be set as required. \n",
+      "description": "Required software update may not be installed, resulting in un-patched system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19719",
+      "title": "IT Policy rule “Force Load Message” (Desktop-Only policy group) must be set as required.",
+      "description": "Required software update may not be installed, resulting in un-patched system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19721",
+      "title": "IT Policy rule “Set Owner Name” (Common policy group) must be set as required.",
+      "description": "If not set correctly, BlackBerry may be identified as a DoD BlackBerry when found after being lost or stolen.  This is an operational security issue.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19723",
+      "title": "IT Policy rule “Keystore Password Maximum Timeout” (Security policy group) must be set as required.",
+      "description": "Encryption keys and certificates stored in the keystore may be exposed to compromise if the keystore is not locked after a set period of inactivity.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19724",
+      "title": "IT Policy rule “Allow Split-Pipe connections” (Security policy group) must be set as required. \t\n",
+      "description": "BlackBerry  could be at risk if an application is able to open an internal and external connection on the BlackBerry at the same time.  The BlackBerry could be exposed to Malware.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19726",
+      "title": "IT Policy rule “Minimal Signing Key Store Security Level” (Security policy group) must be set as required. \t\n",
+      "description": "If not set correctly, the keystore, when encryption keys and digital certificates are stored, may not be encrypted with a strong encryption key.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19727",
+      "title": "IT Policy rule “Minimal Encryption Key Store Security Level” (Security policy group) must be set as required. \n",
+      "description": "If not set correctly, the keystore, when encryption keys and digital certificates are stored, may not be encrypted with a strong encryption key.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19728",
+      "title": "IT Policy rule “Force Content Protection of Master Keys” (Security policy group) must be set as required. \n",
+      "description": "Master keys (used for data encryption) will be stored on the BlackBerry in un-encrypted form and could be compromised. \n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19729",
+      "title": "IT Policy rule “Force LED Blinking When Microphone Is On” (Security policy group) must be set as required. \n",
+      "description": "User not aware that sensitive conversations are being recorded and/or transmitted.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19731",
+      "title": "IT Policy rule “Password Required for Application Download” (Security policy group) must be set as required. \n",
+      "description": "Malware or unauthorized applications could be downloaded inadvertently by user if control not set.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19733",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable Public Photo Sharing Applications” (Security group policy) must be set as required.",
+      "description": "Public photo sharing web sites are known to be malware infested.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19734",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Security Transcoder Cod File Hashes” (Security policy group) must be set as required. \n",
+      "description": "Third party applications can act as transcoders and use the transcoder API and can impact the security posture of the BlackBerry.  A transcoder is used to translate specific types of content into a format for transmission to a BlackBerry and can cause changes to normally secure connections between the BlackBerry and web sites.  See http://blog.masabi.com/2009/01/how-do-transcoders-affect-https.html for more details.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19735",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable Public Social Networking Applications” (Security policy group) must be set as required. \n",
+      "description": "Public Social Networking Applications and sites are known to be infested with malware.",
+      "severity": "low"
+    },
+    {
+      "id": "V-19736",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “TLS Restrict FIPS Ciphers” (TLS policy group) must be set as required. \n",
+      "description": "Only DoD FIPS encryption ciphers (e.g., AES) are authorized.  Otherwise, the encrypted data in web connections may be susceptible to being analyzed by a hacker. \n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19737",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “WTLS Restrict FIPS Ciphers” (WTLS policy group) must be set as required. \n",
+      "description": "Only DoD FIPS encryption ciphers (e.g., AES) are authorized.  Otherwise the encrypted data in web connections may be susceptible being analyzed by a hacker. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-19738",
+      "title": "BES IT Policy rule must be configured as required. IT Policy rule “Allow Application Download Services” (Browser policy group) must be set as required. ",
+      "description": "Disables and removes icons placed on the BlackBerry by carriers (e.g., Verizon Wireless, AT&T, etc.) that are used to connect to carriers’ web sites where applications are sold.  Unapproved applications can cause security issues to the DoD BlackBerry system.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19739",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Verify BlackBerry MDS Integration Service Certificate” (BlackBerry MDS Integration Service policy group) must be set as required.",
+      "description": "Un-authenticated connection will be made between the BlackBerry and the BES MDS Integration Service, which could degrade security in the enclave.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19740",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required. \n",
+      "description": "User can connect to public BlackBerry MDS Integration Services to access public content, web, and application servers.  These servers are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19745",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable Application Center” (Application Center policy group) must be set as required. \n",
+      "description": "Application Center is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry.  Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19746",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable Carrier Directory” (Application Center policy group) must be set as required. ",
+      "description": "Disables the carrier’s application center directory on a BlackBerry device.  Application Center is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry.  Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19747",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Desktop Allow Device Switch” (Desktop policy group) must be set as required.",
+      "description": "Stops a user from changing BlackBerry devices without the approval of the BlackBerry Administrator.  BlackBerry security software (S/MIME, etc.)  may not be installed correctly and other required provisioning steps may not be completed.  BlackBerry device and system could be vulnerable to attack by hackers or malware.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19753",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disallow File Transfer Types” (Instant Messaging policy group) must be set as required. \n",
+      "description": "Insecure file types are transferred to BlackBerry via IM, increasing the risk of malware being downloaded on the BlackBerry and being transferred to the DoD enclave.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19754",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable BlackBerry Unite! Applications” (BlackBerry Unite! policy group) must be set as required. \n",
+      "description": "BlackBerry Unite! is a public data sharing service where groups of BlackBerry users can share photos, calendar information, and other data.  This service allows other users to see sensitive DoD data stored on a DoD BlackBerry.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19755",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable Download Manager” (BlackBerry Unite! policy group) must be set as required. \n",
+      "description": "BlackBerry Unite! is a public data sharing service where groups of BlackBerry users can share photos, calendar information, and other data.  This service allows other users to see sensitive DoD data stored on a DoD BlackBerry.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-19767",
+      "title": "BlackBerrys with removable memory cards (e.g., MicroSD) must be compliant with requirements. IT Policy rule \"External File System Encryption Level\" (Security policy group) must be set as required. ",
+      "description": "Malware could be downloaded from the memory card to the PC if not compliant. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19775",
+      "title": "BES IT Policy rule must be configured as required.  IT Policy rule “Disable User Initiated Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required.",
+      "description": "Users can connect to public BlackBerry MDS Integration Services to access public content, web,\nand application servers. These servers are not DoD approved and may contain malware that\ncould be downloaded on a BlackBerry and transferred to the DoD enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22047",
+      "title": "IT Policy rule “Allow BlackBerry Desktop Software Statistics” (Desktop policy group) must be set as required.",
+      "description": "This rule could allow software statistics on DoD BlackBerry devices to be automatically sent to the BlackBerry vendor, Research In Motion, which may expose OPSEC information.",
+      "severity": "low"
+    },
+    {
+      "id": "V-22048",
+      "title": "IT Policy rule “Allow Discovery by User” (MDS Integration Service policy group) must be set as required.",
+      "description": "This rule allows a user to search for and install BlackBerry MDS Runtime Applications on a BlackBerry device.  This could lead to the installation of unapproved applications and possible malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22049",
+      "title": "IT Policy rule “Disable BlackBerry App World” (Security policy group) must be set as required.",
+      "description": "This rule allows the user to download unapproved applications from the BlackBerry application store.  Some of these applications may have the capability to expose DoD sensitive information to unauthorized people or expose the BlackBerry to other attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22050",
+      "title": "IT Policy rule “Encryption on On-Board Device Memory Media Files” (Security policy group) must be set as required.\n\n",
+      "description": "If a media card is inserted in the BlackBerry® device, this rule specifies whether the media files that are located in the media card are encrypted to the user password and the device-generated key.  If data is not encrypted, sensitive DoD data could be exposed to unauthorized people.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-22051",
+      "title": "IT Policy rule “Allow T-Mobile Mobile Backup Contact Sync” (Service Exclusivity policy group) must be set as required.",
+      "description": "This rule specifies whether T-Mobile® Mobile Backup can run on a BlackBerry® device, which permits a BlackBerry device user to synchronize only the contacts that are included in the user's MyFaves plan with the T-Mobile Mobile Backup.  Use of this service may allow the storage of DoD sensitive data on a T-Mobile server and expose the data to non-DoD personnel. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-22052",
+      "title": "IT Policy rule “Allow User Feedback” (User Feedback policy group) must be set as required.",
+      "description": "This rule specifies whether a user can provide feedback to Research In Motion via a system message.  This capability may provide RIM OPSEC information about a DoD BlackBerry system or device.",
+      "severity": "low"
+    },
+    {
+      "id": "V-22053",
+      "title": "IT Policy rule “Disable organizer data access for social networking applications” (RIM Value-Added Applications policy group) must be set as required.",
+      "description": "This rule specifies whether a BlackBerry® device must prevent social networking applications from accessing organizer data.  BlackBerry organizer  (calendar, notes, and contacts) may contain sensitive DoD information that could be exposed to the public if social networking applications had access to it.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25873",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Message Access Profile” (Bluetooth policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25874",
+      "title": "BES IT Policy rule must be configured as required. IT Policy rule “Disable App World” (BlackBerry App World policy group) must be set as required. ",
+      "description": "BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25875",
+      "title": "BES IT Policy rule is configured as required. IT Policy rule “Application Restriction Rule” (BlackBerry App World policy group) will be set as required. ",
+      "description": "BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25876",
+      "title": "BES IT Policy rule must be configured as required. IT Policy rule “Category Restriction Rule” (BlackBerry App World policy group) must be set as required. ",
+      "description": "BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.\n\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-25877",
+      "title": "BES IT Policy rule must be configured as required. IT Policy rule “Disable Application Purchasing” (BlackBerry App World policy group) must be set as required. ",
+      "description": "BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25878",
+      "title": "BES IT Policy rule must be configured as required. IT Policy rule “Content Protection Usage” (Security policy group) must be set as required.",
+      "description": "DoD 8500 policy requires data-at-rest protection be enabled on all IT devices containing sensitive data in case the device is lost or stolen. This protection normally involves password or pin protected access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25879",
+      "title": "BES IT Policy rule is configured as required. IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) must be set as required.",
+      "description": "When not configured properly, users can access data on the DoD network in shared folders without required CAC authentication to the network.  ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25880",
+      "title": "BES IT Policy rule is configured as required. IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) must be  set as required.",
+      "description": "If not configured as specified, a user could download a non-DoD approved software update or application, which could adversely impact the security baseline of the BlackBerry system. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-26507",
+      "title": "BES Bluetooth controls must be compliant with requirements. IT Policy rule “Minimum Encryption Key Length” (Bluetooth Only policy group) must be set as required.",
+      "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30295",
+      "title": "BES IT Policy rule is configured as required. IT Policy rule “Application Restriction List” (BlackBerry App World policy group) must be set as required. ",
+      "description": "BlackBerry App World is the public BlackBerry application store where BlackBerry applications can be purchased and then downloaded on the BlackBerry. Most applications are not DoD approved and may contain malware that could be downloaded on a BlackBerry and transferred to the DoD enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30767",
+      "title": "BES IT Policy rule is configured as required. IT Policy rule “BlackBerry Playbook Log Submission” (Companion Devices policy group) must be set as required. ",
+      "description": "Sensitive DoD information could be exposed if Playbook log information was sent to RIM.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3545",
+      "title": "BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Password Required” (Device Only policy group) must be set to “Yes” or “True”. ",
+      "description": "Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.",
+      "severity": "high"
+    }
+  ]
+}