Check: AIOS-06-080001
Apple iOS 8 ISCG: AIOS-06-080001 (in version v1 r1)
Title
The Apple iOS app used to support the DoD notice and consent banner must display the DoD notice and consent banner exactly as specified at start-up device unlock. (Cat III impact)
Discussion
To ensure notice of and consent to the terms of the DoD standard user agreement, the iOS device must contain an app that displays the DoD notice and consent banner. To best ensure the investigative and prosecutorial purposes of notice and consent are met, the wording of the banner must be exactly as specified. Deviations from the wording have the potential to hinder DoD's ability to monitor or search the device. Additional information is found in DoD Instruction 8500.01.

SFR ID: FMT_SMF.1.1 #42
Check Content
To ensure notice of and consent to the terms of the DoD standard user agreement, the iOS device must contain an app that displays the DoD notice and consent banner, or a hand receipt of consent has been authorized. To best ensure the investigative and prosecutorial purposes of notice and consent are met, the wording of the banner must be exactly as specified. Deviations from the wording have the potential to hinder DoD's ability to monitor or search the device. Additional information is found in DoD Instruction 8500.01.

This check procedure is performed on the iOS device only.

On the iOS device:
1. Ask the MDM administrator to identify the iOS app used to fulfill the requirement.
2. Launch the app.
3. Verify the app displays the notice and consent banner text exactly as designated below:

[Use this banner for apps accommodating banners of 1300 characters.]

"DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) information system (IS) that is provided for USG-authorized use only. By using this IS, you consent to the following conditions:
-The USG routinely monitors communications occurring on this IS, and any device attached to this IS, for purposes including, but not limited to, penetration testing, COMSEC monitoring, network defense, quality control, and employee misconduct, law enforcement, and counterintelligence investigations.
-At any time, the USG may inspect and/or seize data stored on this IS and any device attached to this IS.
-Communications occurring on or data stored on this IS, or any device attached to this IS, are not private. They are subject to routine monitoring and search.
-Any communications occurring on or data stored on this IS, or any device attached to this IS, may be disclosed or used for any USG-authorized purpose.
-Security protections may be utilized on this IS to protect certain interests that are important to the USG. For example, passwords, access cards, encryption or biometric access controls provide security for the benefit of the USG. These protections are not provided for your benefit or privacy and may be modified or eliminated at the USG's discretion."

[For apps with severe character limitations.]

"I've read & consent to terms in IS user agreem't."

If the MDM administrator is unable to identify an app fulfilling this requirement, or there is not a hand receipt of consent authorized, or there is no banner, or the banner's wording does not match the approved wording, this is a finding.
Fix Text
Enforce the DoD notice and consent banner exactly as specified either via an app or obtaining authorization to consent via a hand receipt.
Additional Identifiers
Rule ID:
Vulnerability ID: V-54297
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000048 | The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
CCI-000366 | The organization implements the security configuration settings. |