Title

Only the BlackBerry Enterprise Server (BES) email solution must be used. (Cat I impact)

Discussion

If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.

Check Content

Detailed Policy Requirements: Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use. Note: The purpose of this requirement is to ensure a STIG compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES. Required/approved versions of the BES are as follows: BES 5.0.4 (or later version). Note: An Authorizing Official (AO) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use IT Policy rule Allow Other Message Services, Service Exclusivity policy group to control connections to secondary email accounts. Check Procedures: Interview ISSO and BlackBerry system administrator. - Verify the BES is part of the site’s BlackBerry architecture and the site uses a BES to manage site BlackBerry devices. - Verify BES Express is not used. Interview BES admin. - Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the AO (or designee) has approved this service. Ask to see documentation of AO approval.

Fix Text

Only the BlackBerry Enterprise Server (BES) email solution is used.

Additional Identifiers

Rule ID: SV-14632r3_rule

Vulnerability ID: V-14021

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.