DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release 1. 14 February 2014



Similar documents
DoD ANNEX TO THE COLLABORATIVE PROTECTION PROFILE (cpp) FOR STATEFUL TRAFFIC FILTER FIREWALLS V1.0. Version 1, Release 2.

Protection Profile for Mobile Device Management

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release July 2015

Extended Package for Mobile Device Management Agents

OFFICIAL SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT

Estate Agents Authority

UNCLASSIFIED. Trademark Information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Addressing NIST and DOD Requirements for Mobile Device Management

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

SUSE Linux Enterprise 12 Security Certifications

Mobile First Government

SonicWALL PCI 1.1 Implementation Guide

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

BlackBerry 10.3 Work and Personal Corporate

e-governance Password Management Guidelines Draft 0.1

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Samsung SDS Co., LTD Samsung SDS CellWe EMM (MDMPP11) Security Target

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

SUSE Linux Enterprise 12 Security Certifications Common Criteria, EAL, FIPS, PCI DSS,... What's All This About?

USMC DoDAAD Management. Tom Russell, Wellington Federal Jonathan Miller, One Network

Recommended Wireless Local Area Network Architecture

Seamless and Secure Access (SSA) Manual Configuration Guide for Windows 7

Building Robust Security Solutions Using Layering And Independence

March

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

How To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Installation Guides - Information required for connection to the Goldfields Institute s (GIT) Wireless Network

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

AT&T Global Network Client Client Features Guide. Version 9.6

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Remote Access Platform. Architecture and Security Overview

Addressing NIST and DOD Requirements for Mobile Device Management (MDM) Essential Capabilities for Secure Mobility.

Phone: Fax: Box: 230

Information Blue Valley Schools FEBRUARY 2015

Mobile Security. Policies, Standards, Frameworks, Guidelines

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Boundary Encryption.cloud Deployment Process Overview

BYOD Guidance: BlackBerry Secure Work Space

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

ProtectDrive. User Manual Revision: B00

Security Control Standards Catalog

Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations

Welcome to Highlands State Bank Internet Banking Center. Important Information for New Users. System Security and Browser Information

Entrust Certificate Services for Adobe CDS

ONE Mail Direct for Mobile Devices

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

Network and Security Controls

GE Measurement & Control. Cyber Security for NEI 08-09

Critical Controls for Cyber Security.

ANZ TRANSACTIVE GETTING STARTED GUIDE AUSTRALIA & NEW ZEALAND

How To Secure An Rsa Authentication Agent

COLORADO DEPARTMENT OF LABOR AND EMPLOYMENT STANDARD POLICY AND PROCEDURE. Remote Access and Security I. PURPOSE.2 II. BACKGROUND.

USM IT Security Council Guide for Security Event Logging. Version 1.1

Contents Notice to Users

DoDI IA Control Checklist - MAC 2-Sensitive. Version 1, Release March 2008

FISMA / NIST REVISION 3 COMPLIANCE

Tivoli Endpoint Manager for Configuration Management. User s Guide

LAB FORWARD. WITH PROService RMS TECHNOLOGY, ARCHITECTURE AND SECURITY INFORMATION FOR IT PROFESSIONALS

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

How To Set Up Hopkins Wireless On Windows 7 On A Pc Or Mac Or Ipad (For A Laptop) On A Network Card (For Windows 7) On Your Computer Or Ipa (For Mac Or Mac) On An Ipa Or

RSA SecurID Software Token Security Best Practices Guide

Mapping Between Collaborative Protection Profile for Network Devices, Version 1.0, 27-Feb-2015 and NIST SP Revision 4

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

New Security Features

Outlook Express. Make Changes in Red: Open up Outlook Express. From the Menu Bar. Tools to Accounts - Click on Mail Tab.

Edith Cowan University Information Technology Services Centre

How Private Industry Protects Our Country's Secrets. James Kirk

VNC User Guide. Version 5.0. June 2012

Information Technology Branch Access Control Technical Standard

Marimba Client and Server Management from BMC Software Release 6.0.3

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

BlackBerry Web Desktop Manager. Version: 5.0 Service Pack: 4. User Guide

Wave IP 4.5. Wave Spectralink Phone Configuration Guide

How to configure Mac OS X Server

Polycom HDX Systems Deployment Guide for Maximum Security Environments

SysAid MDM User Guide for Android

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Transcription:

DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release 1 14 February 2014

Trademark Information Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our users, and do not constitute or imply endorsement by DISA FSO of any non-federal entity, event, product, service, or enterprise. ii

TABLE OF CONTENTS Page 1. INTRODUCTION...1 1.1 Background...1 1.2 Scope...1 1.3 Relationship to STIGs...1 1.4 Document Revisions...2 2. DOD-MANDATED INFORMATION...3 2.1 DoD Assignments and Selections...3 2.2 Objective/Optional Functions Mandated for DoD...4 2.3 DoD-Mandated Specific Values...4 iii

This page is intentionally left blank. iv

1. INTRODUCTION 1.1 Background A National Information Assurance Program (NIAP) approved Protection Profile (PP) includes requirements to ensure particular functionality is present and can be tested in a commercial product. It is possible there will be cases in which selections meet PP requirements but do not meet DoD-mandated specific values. In accordance with the NIAP Protection Profile for Mobile Device Managements (version 1.0, dated 21 October 2013), selections, assignments, and objective requirements may be included in the NIAP Common Criteria Security Target (ST) such that the product still conforms to the Protection Profile. This document addresses the DoD specificity needed for mobile device management servers to be used within the DoD. As such, any vendor that wishes to be certified for DoD use, must indicate that they are claiming compliance with both the PP and the DoD Annex, and include the specified selections, assignments, and requirements in the ST upon initiation of a NIAP evaluation. While a NIAP certificate can be awarded as long as the product meets all requirements in the PP, for use in the DoD it is also mandated that the product address all requirements listed in this DoD Annex. 1.2 Scope The additional information in this document is applicable to all DoD-administered systems and all systems connected to DoD networks. 1.3 Relationship to STIGs This Annex for Mobile Device Management Protection Profile (MDMPP) addresses the DoD specificity to the NIST SP 800-53 controls identified in the MDMPP. As a result, the Annex, in conjunction with the PP, serves as a single specification, within the DoD, for security of mobile device management servers and supersedes the current DISA MDM SRG Version 1, Release 1. The publication of the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available. The product may then be used within the DoD. STIGs will continue to be published in XCCDF format along with automation where applicable for assessment, as well as baseline configuration guidance for DoD. 1

1.4 Document Revisions Comments or proposed revisions to this document should be sent via email to: disa.letterkenny.fso.mbx.stig-customer-support-mailbox@mail.mil. 2

2. DOD-MANDATED INFORMATION Convention: Underlined text indicates additional text not included in the MDM Protection Profile or selections or assignments that are applicable in the DoD environment. 2.1 DoD Assignments and Selections FAU_ALT_EXT.1.1 FAU_SEL.1.1(1) FAU_SEL.1.1(2) FAU_STG_EXT.1.1 FIA_ENG_EXT.1.2 FMT_SMF.1.1(1) FMT_SMF.1.1(3) [selection: change in enrollment state, any event logged by the mobile device as specified in the MDF PP and DoD Annex] [assignment: all FAU_ALT_EXT.1.1 and FAU_ALT_EXT.2.1 alerts] [assignment: all FAU_ALT_EXT.1.1 alerts] [selection: SNMPv3] [selection: specific devices] enable/disable policy for [assignment: wireless remote access connections to the mobile device, including personal Hotspot service] (30) [assignment: enable/disable Location services, enable/disable [assignment: USB port, USB mass storage mode, USB tethering] ] (48) Note: Personal Hotspot service is defined as the mobile device serving as a Wi-Fi access point providing mobile broadband wireless Internet access to a wirelessly connected device. [assignment: enforces organization-defined limits for consecutive invalid access attempts by an administrator during an organization-defined time period] [assignment: enforces organization-defined time period during which the limit of consecutive invalid access attempts by an administrator is counted] [assignment: automatically locks accounts for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy when the maximum number of unsuccessful attempts is exceeded] [assignment: designated alerts to another enterprise network management application using an IPSec, TLS, or SSL encrypted secure connection] [assignment: supports administrator authentication to the server via the Enterprise Authentication Mechanisms authentication] [assignment: terminates administrator sessions upon administrator logout or any other organization- or policy- 3

FMT_SMR.1.2 defined session termination events such as idle time limit exceeded] [assignment: logout functionality to allow the user to manually terminate the session] [assignment: enable/disable mobile device connections to back-office servers and network shares via the trusted channel between the MDM server and MDM agent] [assignment: MDM Account Administrator [selection: account group name(s)], Security Configuration Policy Administrator [selection: configuration policy name(s)], Device Management Administrator [selection: device identifier(s)], Auditor, additional authorized identified roles] 2.2 Objective/Optional Functions Mandated for DoD The following Optional and/or Objective Security Functional Requirements are mandated for the DoD: FAU_SAR.1.1 FAU_SEL.1.1(1) FAU_STG_EXT.2.1 FTA_TAB.1.1 2.3 DoD-Mandated Specific Values The following value assignments are mandated for the DoD: SFR ID FTA_TAB.1.1 DoD Selections and Values Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs into the General Purpose OS or Network Device prior to accessing the MDM server or MDM Server platform. The non-bracketed text below must be used without any changes as the warning banner. [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating OK. ] 4

FCS FMT_SMF.1.1(3) You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. The TOE must be FIPS 140-2 validated. For function: mobile device connections to back-office servers and network shares via the trusted channel between the MDM server and MDM agent o Disable unless the MDM server can support PKI-based mutual authentication between the network server and the mobile device user For function: MD user's ability to switch devices o Disable For function: enforces organization-defined limits for consecutive invalid access attempts by an administrator during an organizationdefined time period o 3 attempts in 15 minutes For function: automatically locks accounts for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy when the maximum number of unsuccessful attempts is exceeded 5

o Time period defined by local policy 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information