CCI-000048 in U Apple iOS-iPadOS 16 V2R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-323160
Group ID
V-254599
Rule Version
AIOS-16-008400
Rule Title
Apple iOS/iPadOS 16 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
Rule ID
SV-254599r958390_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Before granting access to the system, the mobile operating system is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.

System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

The approved DoD text must be used exactly as required in the Knowledge Service referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

For devices with severe character limitations, the banner text is:

I've read & consent to terms in IS user agreem't.

The administrator must configure the banner text exactly as written without any changes.

SFR ID: FMT_SMF_EXT.1.1 #36

Documentable
False
Check Content

The DoD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DoD warning banner text in the user agreement signed by each iPhone and iPad user (preferred method).

2. By creating a background picture with the relevant information and configuring that picture as the background for the lock screen via the Apple iOS/iPadOS management tool (only available for supervised devices).

Determine which method is used at the iOS device site and follow the appropriate validation procedure below.

Validation Procedure for Method #1:

Review the signed user agreements for several iOS device users and verify the agreement includes the required DoD warning banner text.

Validation Procedure for Method #2:

- In the Apple iOS/iPadOS management tool, verify a picture of the DoD warning banner text has been configured as the background for the lock screen.

- On the iOS device, verify a picture of the DoD warning banner text is shown as the background for the locked screen.

If, for Method #1, the required warning banner text is not on all signed user agreements reviewed, or for Method #2, the DoD warning banner text is not set as the locked screen background, this is a finding.

Check System
C-58210r862051_chk
Fix Reference
F-58156r862190_fix
Fix Text

Configure the DoD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DoD warning banner text in the user agreement signed by each iOS device user (preferred method).

2. By creating a background picture with the relevant information and configuring that picture as the background for the lock screen via the Apple iOS/iPadOS management tool.

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
Group Title
PP-MDF-990000
Group ID
V-254619
Rule Version
AIOS-16-011700
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Not share location data through iCloud.
Rule ID
SV-254619r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DoD user's location, movements, and patterns in those movements over time. An adversary could use this information to target the user or gather intelligence on the user's likely activities. Using commercial cloud services to store and handle location data could leave the data vulnerable to breach, particularly by sophisticated adversaries. Disabling the use of such services mitigates this risk.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Share My Location" is disabled. Note that this is a User-Based Enforcement (UBE) control, which cannot be managed by an MDM server.

This check procedure is performed on the iPhone and iPad only.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "Privacy & Security".

3. Tap "Location Services".

4. If the authorizing official (AO) has not approved use of personal iCloud accounts on the device, verify "Share My Location" is grayed out (cannot be selected).

5. If the AO has approved the use of personal iCloud accounts on the device, tap "Share My Location".

6. Verify "Share My Location" is off.

If "Share My Location" is not grayed out (cannot be selected) when the AO has not approved use of personal iCloud accounts on the device, this is a finding.

If "Share My Location" is toggled to the right and appears green on the iPhone and iPad when the AO has approved the use of personal iCloud accounts, this is a finding.

Check System
C-58230r862111_chk
Fix Reference
F-58176r862112_fix
Fix Text

The user must configure Apple iOS/iPadOS to disable location sharing through iCloud.

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
UNCLASSIFIED