Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
MDM Server Policy Security Technical Implementation Guide (STIG)
MDM Server Policy Security Technical Implementation Guide (STIG)
An XCCDF Benchmark
Details
Profiles
Items
Prose
6 rules organized in 6 groups
Publish data spill procedures for mobile devices
1 Rule
<GroupDescription></GroupDescription>
Publish data spill procedures for mobile devices
Medium Severity
<VulnDiscussion>When a data spill occurs on a mobile device, classified or sensitive data must be protected to prevent disclosure. After a data spill, the mobile device must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Other</Responsibility><IAControls></IAControls>
Site must follow required data spill procedures
1 Rule
<GroupDescription></GroupDescription>
If a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures.
High Severity
<VulnDiscussion>If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
Follow lost/stolen mobile device procedures
1 Rule
<GroupDescription></GroupDescription>
The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
Low Severity
<VulnDiscussion>Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based mobile device and the data could be compromised if required actions are not followed when a mobile device is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based mobile devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
Follow lost/stolen mobile device procedures
1 Rule
<GroupDescription></GroupDescription>
Required actions must be followed at the site when a mobile device has been lost or stolen.
Low Severity
<VulnDiscussion>If procedures for lost or stolen mobile devices are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
MDM server administrator training
1 Rule
<GroupDescription></GroupDescription>
The mobile device management (MDM) server administrator must receive required training.
Low Severity
<VulnDiscussion>The security posture of the MDM server could be compromised if the administrator is not trained to follow required procedures. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
MDM server administrator training renewed annually
1 Rule
<GroupDescription></GroupDescription>
MDM server administrator training must be renewed annually.
Low Severity
<VulnDiscussion>The MDM server administrator must renew required training annually.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>