CCI-000048 in U Apple iOS-iPadOS 18 V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-333160
Group ID
V-268007
Rule Version
AIOS-18-008400
Rule Title
Apple iOS/iPadOS 18 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
Rule ID
SV-268007r1031187_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction.

System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

For devices with severe character limitations, the banner text is:

I've read & consent to terms in IS user agreem't.

The administrator must configure the banner text exactly as written without any changes.

SFRID: FMT_SMF.1.1 #36

Documentable
False
Check Content

The DOD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DOD warning banner text in the user agreement signed by each iPhone and iPad user.

2. By installing a Lock Screen Message payload with the required text (preferred method).

Determine which method is used at the iOS device site and follow the appropriate validation procedure below.

Validation Procedure for Method #1:

Review the signed user agreements for several iOS device users and verify the agreement includes the required DOD warning banner text.

Validation Procedure for Method #2:

In the Apple iOS/iPadOS management tool, verify a Lock Screen Message payload has been installed on each managed device. The LockScreenFootnote string should include required text.

If, for Method #1, the required warning banner text is not on all signed user agreements reviewed, or for Method #2, the DOD warning banner text is not set as the lock screen footnote, this is a finding.

Check System
C-71931r1030772_chk
Fix Reference
F-71834r1030773_fix
Fix Text

Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DOD warning banner text in the user agreement signed by each iOS device user.

2. By installing a Lock Screen Message payload with the required text (preferred method).

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-268039
Rule Version
AIOS-18-011700
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: not share location data through iCloud.
Rule ID
SV-268039r1031219_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DOD user's location, movements, and patterns in those movements over time. An adversary could use this information to target the user or gather intelligence on the user's likely activities. Using commercial cloud services to store and handle location data could leave the data vulnerable to breach, particularly by sophisticated adversaries. Disabling the use of such services mitigates this risk.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Share My Location" is disabled. Note that this is a User-Based Enforcement (UBE) control, which cannot be managed by an MDM server.

This check procedure is performed on the iPhone and iPad only.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "Privacy & Security".

3. Tap "Location Services".

4. If the authorizing official (AO) has not approved use of personal iCloud accounts on the device, verify "Share My Location" is grayed out (cannot be selected).

5. If the AO has approved the use of personal iCloud accounts on the device, tap "Share My Location".

6. Verify "Share My Location" is off.

If "Share My Location" is not grayed out (cannot be selected) when the AO has not approved use of personal iCloud accounts on the device, this is a finding.

If "Share My Location" is toggled to the right and appears green on the iPhone and iPad when the AO has approved the use of personal iCloud accounts, this is a finding.

Check System
C-71963r1030868_chk
Fix Reference
F-71866r1030869_fix
Fix Text

The user must configure Apple iOS/iPadOS to disable location sharing through iCloud.

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
UNCLASSIFIED