The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs.

From Mobile Policy Security Requirements Guide

Part of SRG-MPOL-058

Associated with: CCI-000082

SV-47292r1_rule The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs.

Vulnerability discussion

If DoD issued certificates are utilized, the device may be able to connect to sites/systems that are otherwise prohibited without the certificate. Non-enterprise activated CMDs are not authorized to access DoD information. In addition, the certificate store will not be protected with AES encryption or be FIPS validated. DoD PKI certificates would be at risk of being compromised.

Check content

Review the organization's published implementation guidance on the use of non-enterprise activated CMDs to determine if DoD software certificates are prohibited from being utilized on the devices. If DoD software certificates are not prohibited, this is a finding.

Fix text

Publish the organization’s implementation guidance prohibiting the use of DoD-issued software certificates on non-enterprise activated CMDs.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer