Free DISA STIG and SRG Library | Vaulted

V-14021

Only the BlackBerry Enterprise Server (BES) email solution must be used.

Finding ID
WIR1200-01
Rule ID
SV-14632r3_rule
Severity
Cat I
CCE
(None)
Group Title
BlackBerry BES email solution must be used
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.

Fix Text

Only the BlackBerry Enterprise Server (BES) email solution is used.

Check Content

Detailed Policy Requirements: Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use. Note: The purpose of this requirement is to ensure a STIG compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES. Required/approved versions of the BES are as follows: BES 5.0.4 (or later version). Note: An Authorizing Official (AO) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use IT Policy rule Allow Other Message Services, Service Exclusivity policy group to control connections to secondary email accounts. Check Procedures: Interview ISSO and BlackBerry system administrator. - Verify the BES is part of the site’s BlackBerry architecture and the site uses a BES to manage site BlackBerry devices. - Verify BES Express is not used. Interview BES admin. - Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the AO (or designee) has approved this service. Ask to see documentation of AO approval.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1