End User Device Configurations

For Steps 1a- 1d, all TLS-Protected Servers shall be configured properly according to the requirements found in this CP.

17.4 E

U

D

C

This section contains a procedure to ensure that the configurations for all the EUDs in the MA solution follow the requirements given in this CP.

Requirements being tested: MA-EU-1 through MA-EU-50, MA-RD-1 through MA-RD-4, MA-DM-9 Procedure Description:

1) For the EUD, verify in the policy the following:

a) Ensure that, if the implementing organization’s policy allows local storage of user data of classified information on the EUD, the EUDwill be treated as classified if it does not have a NSA-approved DAR. (MA-EU-1)

b) Inspect the implementing organization’s policy that EUDs which implement an NSA-approved DAR solution comply with handling requirements specified for the DAR solution. (MA-EU-2) c) Verify through policy that for EUDs which do not allow for local user storage that the EUD is

treated as unclassified when powered down. (MA-EU-3) d) Verify the EUD does not allow split tunneling. (MA-EU-7)

e) Ensure that the implementing organization’s policy states that all Remote Access users must sign an organization-defined user agreement prior to using an EUD. (MA-EU-15)

f) Verify that the implementing organization has a training program in place for Remote Access users operating an EUD. (MA-EU-16)

g) Verify that the implementing organization has a user agreement for EUD users and also policies for each element within their user agreement document. (MA-EU-17)

h) Ensure that the implementing organization’s policy states that the EUD is dedicated for use within the MA Solution. (MA-EU-18)

i) Ensure that the implementing organization’s policy states that the EUD is to be remotely administered. (MA-EU-19)

j) Ensure that the implementing organization’s policy states that the EUDs will have their certificates revoked and resident image removed prior to disposal. (MA-EU-24)

Mobile Access Capability Package

105 INFORMATION ASSURANCE DIRECTORATE 06/11/2015

k) Verify that the Security Administrator has an organizational security policy for the EUDs. (MA-DM-9)

2) For the EUD, perform the following:

a) Inspect the EUD configuration setting to verify that Firmware-Over-the-Air updates are disabled from the cellular carrier. (MA-EU-21)

b) Inspect the EUD configuration setting has incoming cellular services are disabled. (MA-EU-23) c) Inspect the EUD configuration setting to verify that the wireless interfaces not passing through

the VPN Client are disabled. (MA-EU-22)

d) Verify that Red network services do not transmit any classified data to the EUD until user authentication succeeds. (MA-EU-12, MA-EU-13)

e) Inspect the EUD’s configuration to ensure that Global Positioning System and location services are disabled except for those authorized by the AO. (MA-EU-20)

3) For each EUD that directly connects to a Black network, perform the following:

a) Inspect the Outer VPN Client and Inner Encryption Clients on the EUD and verify that separate private key stores are used. (MA-EU-4)

b) Verify that the Inner and Outer VPN Clients on the EUD are implemented on separate IP stacks, and that the two IP stacks are not the IPv4 and IPv6 implementations on the same operating system. (MA-EU-5)

4) If the EUD is not remotely administrated, verify that the procedure given in MA-EU-6 is followed and/or is currently in place.

5) Verify that the procedures given in 8, 9, 10, 11, 27, MA-EU-29, MA-EU-31 and MA-EU-32 are followed and/or currently in place.

6) Verify that the password length for Mobile Platform complies with MA-EU-25.

7) For Solutions that are using a Retransmission Device, perform the following:

a) Attempt to connect an unauthorized RD to the EUD to verify that the EUD will not connect to the RD. (MA-RD-1).

b) Ensure that the only connection between the EUD and the Mobile Access Solution is only via Wi-Fi or Ethernet. (MA-RD-2)

Mobile Access Capability Package

106 INFORMATION ASSURANCE DIRECTORATE 06/11/2015

c) If the RD is using Wi-Fi, verify through configuration file that the Wi-Fi network is using WPA2 PSK or certificate-based authentication. (MA-RD-3)

d) Verify that the placement of the RD between the Outer VPN Gateway and the Inner Encryption Component. (MA-RD-4)

8) Verify the EUDs use a unique X.509 v3 device certificate, signed by the Outer CA for mutual authentication with Outer VPN Gateways. (MA-EU-33)

9) Verify TLS EUDs use a unique X.509 v3 device certificate, signed by either the Inner CA, or a unique X.509 v3 user certificate signed by an authorized enterprises service CA for mutual authentication with TLS-Protected Servers. (MA-EU-34)

10) Verify VPN EUDs use a unique X.509 v3 device certificate, signed by the Inner CA for mutual authentication with Inner VPN Gateways. (MA-EU-35)

11) Verify that, during provisioning:

a) All unnecessary keys are destroyed from the EUD secure key storage. (MA-EU-44) b) All unnecessary X.509 certificates are removed from the EUD Trust Anchor Database.

(MA-EU-45) 12) If applicable,

a) Confirm use of Domestic Cellular Service as a Black Transport Network.

b) Ensure the EUDs use an Access Point Name (APN) provided by a domestic cellular carrier private network. (MA-EU-36)

13) Verify the EUDs are configured for all IP traffic, with the exception of IKE, network address configuration, time synchronization, and name resolution traffic required to establish the IPsec tunnel, to flow through the IPsec VPN client. (MA-EU-37)

14) If applicable, verify the EUDs are configured for all IP traffic, with the exception of IKE, to flow through the IPsec VPN Client.

15) Verify the EUDs are configured as follows:

a) Maximum password life time shall be less than 181 days. (MA-EU-39) b) Screen shall lock after three minutes of inactivity. (MA-EU-40)

c) Shall perform a wipe of all protected data after no more than 10 authentication failures. (MA-EU-41)

Mobile Access Capability Package

107 INFORMATION ASSURANCE DIRECTORATE 06/11/2015

d) If feasible, display notifications shall be disabled while in a locked state. (MA-EU-46) e) If feasible, USB mass storage shall be disabled. (MA-EU-47)

f) USB data transfer shall be disabled, if feasible. (MA-EU-48) 16) Ensure VPN protection is enabled across the EUD. (MA-EU-42).

17) Ensure a security policy is in place on EUDs specific to each RD and/or Government Private Wireless network to which the EUD is to be connected. (MA-EU-43)

18) Where feasible, ensure the EUDs use an Access Point Name (APN) provided by a domestic Cellular carrier Private Network when using Domestic Cellular Service as the Black Transport Network.

(MA-EU-36)

19) Ensure the system software digital signatures are verified prior to the Application Processor system software is updated. (MA-EU-49)

20) Ensure application digital signatures are verified prior to installing new applications. (MA-EU-50).

Expected Result:

For steps 1-3, all EUDs shall be configured properly. For steps 4, a remotely administrated EUD shall only be rekeyed over the MA solution network prior to the expiration of keys. If this cannot be accomplished, the EUD must be re-provisioned. For Step 5, the implementing organization should have policies in place in order to address the requirements identified. For Step 6, Mobile Platform passwords shall be verified.

For Step 7, an organization using a RD will ensure that the RD is configured in accordance with this CP.

For steps 8-10, unique X.509 v3 certificates are used for each layer. For step 11, only keys and

certificates required for operation are on the EUD. Step 12, all traffic flows through the IPsec VPN client, unless it is required to establish the IPsec tunnel. Step 13 - 20, the EUDs are configured in accordance with this CP.