kriterion 0.0.1

data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json

@@ -0,0 +1,449 @@
+{
+  "name": "stig_good_mobility_suite_server_windows_phone_6.5",
+  "date": "2011-10-04",
+  "description": "This STIG provides technical security controls required for the use of the Good Mobility Suite with Windows Phone 6.5 devices in the DoD environment.\n\n",
+  "title": "Good Mobility Suite Server (Windows Phone 6.5) Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-24972",
+      "title": "The required smartphone management server or later version must be used.",
+      "description": "Earlier versions of the smartphone management server may have security vulnerabilities or have not implemented required security features. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24973",
+      "title": "The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). ",
+      "description": "Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24974",
+      "title": "The smartphone management server email system must be set up with the required system components in the required network architecture. ",
+      "description": "The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration or DoD data could be compromised if the smartphone management server is not installed as required.",
+      "severity": "high"
+    },
+    {
+      "id": "V-24975",
+      "title": "The smartphone management server host-based or appliance firewall must be installed and configured as required.",
+      "description": "A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.",
+      "severity": "high"
+    },
+    {
+      "id": "V-24978",
+      "title": "Smartphone user accounts must not be assigned to the default security/IT policy. ",
+      "description": "The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24987",
+      "title": "“Re-challenge for CAC PIN every” must be set.",
+      "description": "A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user’s digital certificates are required for an S/MIME operation. The cached memory is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use.  Otherwise, a hacker may be able to gain access to the device while the PIN is still cached in memory and access the Good application and gain access to sensitive DoD information.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24988",
+      "title": "Handheld password will be set as required.",
+      "description": "Long used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the iPhone/iPad and sensitive DoD data stored on the iPhone/iPad.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24989",
+      "title": "Previously used passwords must be disallowed for security/email client on smartphone.",
+      "description": "Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24990",
+      "title": "Password minimum length must be set as required for the smartphone security/email client.",
+      "description": "Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24991",
+      "title": "Repeated password characters must be disallowed for the Good app.",
+      "description": "Repeated password characters reduces the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24992",
+      "title": "Maximum invalid password attempts must be set as required for the smartphone security/email client.",
+      "description": "A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24993",
+      "title": "Data must be wiped after maximum password attempts reached for the smartphone security/email client.",
+      "description": "A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24994",
+      "title": "Inactivity lock must be set as required for the smartphone security/email client.",
+      "description": "Sensitive DoD data could be exposed to unauthorized viewing or use if lost or stolen smartphone screen was not locked.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24995",
+      "title": "\"Do not allow data to be copied from the Good application\" must be checked.",
+      "description": "Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24998",
+      "title": "The Over-The-Air (OTA) device provisioning PIN must have expiration set.",
+      "description": "The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to setup rogue devices on the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24999",
+      "title": "OTA Provisioning PIN reuse must not be allowed.",
+      "description": "The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25030",
+      "title": "If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited. ",
+      "description": "Sensitive contact information could be exposed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25032",
+      "title": "Password access to the Good app on the smartphone must be enabled. ",
+      "description": "A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25754",
+      "title": "The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. ",
+      "description": "When a self signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.",
+      "severity": "low"
+    },
+    {
+      "id": "V-26093",
+      "title": "The following Bluetooth configuration must be set as required: General Audio/Video Distribution Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26094",
+      "title": "The following Bluetooth configuration must be set as required: Personal Area Networking Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26095",
+      "title": "The following Bluetooth configuration must be set as required: Serial Port Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26096",
+      "title": "The following Bluetooth configuration must be set as required: Enable discovery.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26097",
+      "title": "The following Bluetooth configuration must be set as required: Generic Object (Exchange) Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26098",
+      "title": "The following Bluetooth configuration must be set as required: Common ISDN Access Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26099",
+      "title": "The following Bluetooth configuration must be set as required: Dial Up Network Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26100",
+      "title": "The following Bluetooth configuration must be set as required: Fax Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26101",
+      "title": "The following Bluetooth configuration must be set as required: LAN Access Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26102",
+      "title": "The following Bluetooth configuration must be set as required: Cordless Telephony Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26103",
+      "title": "The following Bluetooth configuration must be set as required: Intercom Profile. \t\n",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26104",
+      "title": "The following Bluetooth configuration must be set as required: Wireless Application Protocol Bearer.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26105",
+      "title": "The following Bluetooth configuration must be set as required: Active Sync. \t\n",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26106",
+      "title": "The following Bluetooth configuration must be set as required: Advanced Audio Distribution Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26107",
+      "title": "The following Bluetooth configuration must be set as required: Basic Imaging Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26108",
+      "title": "The following Bluetooth configuration must be set as required: Basic Printing. Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26109",
+      "title": "The following Bluetooth configuration must be set as required: OBEX File Transfer Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26110",
+      "title": "The following Bluetooth configuration must be set as required: Object Push Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26111",
+      "title": "The following Bluetooth configuration must be set as required: Synchronization Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26112",
+      "title": "The following Bluetooth configuration must be set as required: Phone Book Access Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26113",
+      "title": "The following Bluetooth configuration must be set as required: Video Distribution Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26114",
+      "title": "The following Bluetooth configuration must be set as required: Video Conferencing Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26115",
+      "title": "The following Bluetooth configuration must be set as required: Message Access Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26116",
+      "title": "The following Bluetooth configuration must be set as required: External Service Discovery Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26117",
+      "title": "The following Bluetooth configuration must be set as required: Device ID Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26118",
+      "title": "The following Bluetooth configuration must be set as required: Service Discovery Application Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26119",
+      "title": "The following Bluetooth configuration must be set as required: Unrestricted Digital Information.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26120",
+      "title": "The following Bluetooth configuration must be set as required: Audio / Video Remote Control Transport Protocol.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26121",
+      "title": "The following Bluetooth configuration must be set as required: HeadSet and Hands Free Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26122",
+      "title": "The following Bluetooth configuration must be set as required: Human Interface Device Profile (Service and Host).",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26123",
+      "title": "The following Bluetooth configuration must be set as required: Hard Copy Cable Replacement Profile.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26124",
+      "title": "The following Bluetooth configuration must be set as required: SIM Access.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26125",
+      "title": "The Infrared radio must be disabled.",
+      "description": "The Infrared radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26126",
+      "title": "The following Storage Card configuration must be set as required: Wipe storage card when wiping data.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26127",
+      "title": "The following Storage Card configuration must be set as required: Enable storage card encryption.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26128",
+      "title": "The following Storage Card configuration must be set as required: Allow encrypted storage cards to work only with handheld that originally encrypted them.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26129",
+      "title": "The following Data Encryption configuration must be set as required: My Music.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26130",
+      "title": "The following Data Encryption configuration must be set as required: My Pictures.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26131",
+      "title": "The following Data Encryption configuration must be set as required: Personal.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26132",
+      "title": "The following Data Encryption configuration must be set as required: My Music.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26133",
+      "title": "following Data Encryption configuration must be set as required: My Pictures.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26134",
+      "title": "The following Data Encryption configuration must be set as required: Personal.",
+      "description": "Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26135",
+      "title": "Password complexity must be set as required.",
+      "description": "Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26144",
+      "title": "A list of Windows Mobile Pocket PC blocked apps must be set up on the Good server.",
+      "description": "Malware could be installed on the smartphone if required controls are not followed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26145",
+      "title": "A list of Windows Mobile Smartphone blocked apps must be set up on the Good server.",
+      "description": "Malware could be installed on the smartphone if required controls are not followed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26146",
+      "title": "The following Good Mobile Access configuration must be set as required: Enable Good Mobile Access.",
+      "description": "The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26148",
+      "title": "The following Good Mobile Access configuration must be set as required: Require user to authenticate via NTLM.",
+      "description": "The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26149",
+      "title": "The following Good Mobile Access configuration must be set as required: Route both Intranet and Internet traffic through Good Mobile Access.",
+      "description": "The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26150",
+      "title": "The following Good Mobile Access configuration must be set as required: Allow internet access on handheld when Good Mobile Access is not running.",
+      "description": "The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26151",
+      "title": "The following Good Mobile Access configuration must be set as required: Route only Intranet traffic through Good Mobile Access.",
+      "description": "The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26152",
+      "title": "S/MIME must be enabled on the Good server. ",
+      "description": "Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26560",
+      "title": "Either CAC or password authentication must be enabled for user access to the Good app on the smartphone.",
+      "description": "Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information.  A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26561",
+      "title": "“Require CAC to be present” must be set.",
+      "description": "Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.  The Good applications stores sensitive DoD information.  A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26564",
+      "title": "Authentication on system administration accounts for wireless management servers must be configured.",
+      "description": "CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced.",
+      "severity": "high"
+    }
+  ]
+}

data/standards/stig_goodenterprise_8.x.json

@@ -0,0 +1,401 @@
+{
+  "name": "stig_goodenterprise_8.x",
+  "date": "2014-08-18",
+  "description": "Developed by Good Technology in coordination with DISA for the DoD.",
+  "title": "Good for Enterprise 8.x Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-53019",
+      "title": "The Good Mobility Suite must implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.",
+      "description": "Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system and the authority to delete any record of those changes.\nThis requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and a non-privileged account.\nIt is recommended that the following or similar roles be supported:  \n1) Good Mobility Suite administrative account administrator is responsible for server installation, initial configuration, and maintenance functions.\n2) Security configuration policy administrator (IA technical professional) is responsible for security configuration of the server and setting up and maintenance of mobile device security policies.\n3) Device management administrator (Technical operator) is responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.\n4) Auditor (internal auditor or reviewer) is responsible for reviewing and maintaining server and mobile device audit logs.",
+      "severity": "high"
+    },
+    {
+      "id": "V-53027",
+      "title": "The Good Mobility Suite server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.",
+      "description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner.  Alerting a Good Mobility Suite mitigates the potential for attacks triggering integrity failures to have further consequences to the enterprise.",
+      "severity": "high"
+    },
+    {
+      "id": "V-53029",
+      "title": "The Good Mobility Suite server must perform required actions when a security-related alert is received.",
+      "description": "Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network.  A large part of their functionality is accurate and timely notification of events.  Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event.  Types of actions the Good Mobility Suite must be able to perform after a security alert include:  log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the Good Mobility Suite, disable the security container, wipe the security container, and delete an unapproved application.  Security alerts include any alert from the MDIS or MAM component of the Good Mobility Suite.",
+      "severity": "high"
+    },
+    {
+      "id": "V-53031",
+      "title": "The Good Mobility Suite server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices.",
+      "description": "Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers).  To support this requirement, an automated process or mechanism is required.  This mechanism also ensures the network configuration is known for risk mitigation when known issues are found with certain versions of the operating system or applications.",
+      "severity": "high"
+    },
+    {
+      "id": "V-53033",
+      "title": "The Good Mobility Suite email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, the requirement stated that the email client must support retrieving certificates not stored in the local trust anchor store.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53035",
+      "title": "The Good Mobility Suite email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, the requirement states that the email client must validate certificates through a trusted OCSP, CRL, or SCVP.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53037",
+      "title": "The Good Mobility Suite email client must provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, the requirement states that the email client must be able to decrypt incoming email messages.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53039",
+      "title": "The Good Mobility Suite email client must provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, the requirement states that the email client must be able to sign and/or encrypt outgoing messages.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53041",
+      "title": "The Good Mobility Suite email client must set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, the requirement states that Smart Card/Certificate Store password caching must time out.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53043",
+      "title": "The Good Mobility Suite email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV.  CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, the CAC is the required mechanism for that protection.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53045",
+      "title": "The Good Mobility Suite email client must be capable of providing S/MIME v3 (or later version) encryption of email.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.  Strong encryption must be used to protect the integrity and confidentiality of the data.  In this case, S/MIME is the required mechanism for encryption of email.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53047",
+      "title": "The Good Mobility Suite email client must restrict contact list data elements transferred to the phone application.",
+      "description": "The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53049",
+      "title": "The Good Mobility Suite server must disable copying data from inside a security container to a non-secure data area on a mobile device via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.  If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53051",
+      "title": "The Good Mobility Suite server must specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.",
+      "description": "DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources.  Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source.  To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the Good Mobility Suite.  In these cases, the ability for users to remove the application is needed to ensure proper secure operations of the device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53053",
+      "title": "The Good Mobility Suite server must configure the mobile device agent to prohibit the download of software from a non-DoD approved source.",
+      "description": "DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources.  Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source.  To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53055",
+      "title": "The Good Mobility Suite server must prohibit the mobile device user from installing unapproved applications on the mobile device.",
+      "description": "The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.  The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system.  Preventing a user from installing unapproved applications mitigates this risk.  All OS core applications, third-party applications, and carrier-installed applications must be approved.  In this case, applications include any applets, browse channel apps, and icon apps.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53057",
+      "title": "The Good Mobility Suite server application white list for managed mobile devices must be set to Deny All by default when no applications are listed.",
+      "description": "The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system.  If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.",
+      "severity": "high"
+    },
+    {
+      "id": "V-53059",
+      "title": "The Good Mobility Suite server must configure the Good Mobility Suite agent to prohibit the download of applications on mobile operating system devices without system administrator control.",
+      "description": "The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system.  If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53061",
+      "title": "The Good Mobility Suite server must enable iOS Force encrypted backups via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53063",
+      "title": "The Good Mobility Suite server must disable iOS Allow diagnostic data to be sent to Apple via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53065",
+      "title": "The Good Mobility Suite server must disable iOS Auto-fill via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53067",
+      "title": "The Good Mobility Suite server must disable iOS Allow documents from unmanaged apps in managed apps via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53069",
+      "title": "The Good Mobility Suite server must disable iOS Allow documents from managed apps in unmanaged apps via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53071",
+      "title": "The Good Mobility Suite server must disable iOS Touch ID to unlock device via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53073",
+      "title": "The Good Mobility Suite server must disable the iOS Today View in lock screen via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53075",
+      "title": "The Good Mobility Suite server must disable iOS Airdrop via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53077",
+      "title": "The Good Mobility Suite server must disable the iOS notification center in lock screen via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53079",
+      "title": "The Good Mobility Suite server must disable iOS voice dialing via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53081",
+      "title": "The Good Mobility Suite server must disable iOS Siri while the device is locked via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53083",
+      "title": "The Good Mobility Suite server must enable iOS force limited ad tracking via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53085",
+      "title": "The Good Mobility Suite server must disable iOS iCloud documents and data via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53087",
+      "title": "The Good Mobility Suite server must disable iOS iCloud backup via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53089",
+      "title": "The Good Mobility Suite server must disable iOS iCloud keychain sync via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53091",
+      "title": "The Good Mobility Suite server must disable iOS photo streams via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53093",
+      "title": "The Good Mobility Suite server must disable iOS shared photo streams via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53095",
+      "title": "The Good Mobility Suite server must disable iOS screenshots via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53097",
+      "title": "The Good Mobility Suite email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.",
+      "description": "HTML code embedded in emails can contain links to malicious sites. Requiring that all emails are viewed in plain text helps remediate phishing attempts.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53099",
+      "title": "The Good Mobility Suite must transfer audit logs from managed mobile devices to the Good Mobility Suite.",
+      "description": "Good Mobility Suite auditing capability is critical for accurate forensic analysis.  The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents.",
+      "severity": "high"
+    },
+    {
+      "id": "V-53101",
+      "title": "The Good Mobility Suite email client must notify the user if it cannot verify the revocation status of the certificate.",
+      "description": "If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress.  Failure to notify the user of this occurrence makes it more likely that an adversary can use revoked certificates without detection.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53103",
+      "title": "The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificates revocation status.",
+      "description": "When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status.  Otherwise, there is the potential that it is accepting the credentials of an unauthorized system.  Allowing the operating system or user to deny certificates with unverified revocation status mitigates the risk associated with the acceptance of such certificates.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53105",
+      "title": "The Good Mobility Suite email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.",
+      "description": "If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress.  Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53107",
+      "title": "The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.",
+      "description": "When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity.  When additional assurance is required, the system must deny acceptance of a certificate if it was issued by an untrusted certificate authority.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53109",
+      "title": "The Good Mobility Suite email client must alert the user if it receives an invalid public-key certificate.",
+      "description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress.  Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53111",
+      "title": "The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.",
+      "description": "When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity.  When additional assurance is required, the system must deny acceptance of invalid certificates.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53113",
+      "title": "The Good Mobility Suite email client must not accept certificate revocation information without verifying its authenticity.",
+      "description": "If the operating system does not verify the authenticity of revocation information, there is the potential that an authorized system is providing false information.  Acceptance of the false information could result in the installation of unauthorized software or connection to rogue networks, depending on the use for which the certificate is intended.  Verifying the authenticity of revocation information mitigates this risk.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53115",
+      "title": "The Good Mobility Suite email client must verify all digital certificates in the certificate chain when performing PKI transactions.",
+      "description": "If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain.  This would enable the adversary to masquerade as other users or systems.  By providing the mobile user with such false assurance, the adversary may be able obtain DoD information, capture authentication credentials, and perform other unauthorized functions.  Verifying all digital certificates in the chain mitigates this risk.",
+      "severity": "low"
+    },
+    {
+      "id": "V-53117",
+      "title": "The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.",
+      "description": "When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity.  When additional assurance is required, the system must deny acceptance of invalid certificates.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53125",
+      "title": "The Good Mobility Suite email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.",
+      "description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress.  Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53127",
+      "title": "The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.",
+      "description": "When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity.  When additional assurance is required, the system must deny acceptance of invalid certificates.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53129",
+      "title": "The Good Mobility Suite email client must alert the user if it receives an unverified public-key certificate.",
+      "description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress.  Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53133",
+      "title": "The Good Mobility Suite must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device.",
+      "description": "Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53135",
+      "title": "The Good Mobility Suite must enforce the minimum password length for the device unlock password via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53137",
+      "title": "The Good Mobility Suite server must set the device inactivity timeout to 15 minutes via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53143",
+      "title": "The Good Mobility Suite server must set the device inactivity timeout grace period to be immediate via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53145",
+      "title": "The Good Mobility Suite server must disable the mobile device users access to an application store or repository via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53149",
+      "title": "The Good Mobility Suite server must block access to specific web sites via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53153",
+      "title": "The Good Mobility Suite server must force the display of a warning banner on the mobile device via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.  \nThe warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored:  \"I've read & consent to terms in IS user agreement.\"  (Wording must be exactly as specified.)",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53155",
+      "title": "The Good Mobility Suite server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53157",
+      "title": "The Good Mobility Suite server must enable a Good Mobility Suite agent password via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53161",
+      "title": "The Good Mobility Suite server must enable the Good Mobility Suite agent password length to be six or more characters.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53163",
+      "title": "The Good Mobility Suite must set the Good Mobility Suite agent inactivity timeout to 15 minutes via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53165",
+      "title": "The Good Mobility Suite server must disable the automatic removal of the iOS configuration profile via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53167",
+      "title": "The Good Mobility Suite server must disable the use of simple values within the iOS Good Mobility Server agent password via centrally managed policy.",
+      "description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls.  If these controls are not implemented, the system may be vulnerable to a variety of attacks.  The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages.  This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls.  It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53251",
+      "title": "The Good Mobility Suite email client must alert the user if the certificate uses an unverified CRL.",
+      "description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53253",
+      "title": "The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.",
+      "description": "If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.",
+      "severity": "medium"
+    }
+  ]
+}