CCI-000097 in U Apple iOS-iPadOS 16 V2R1


UNCLASSIFIED
Group Title
PP-MDF-321290
Group ID
V-254580
Rule Version
AIOS-16-003200
Rule Title
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud document and data synchronization).
Rule ID
SV-254580r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable
False
Check Content

Note: This requirement is not applicable if the authorizing official (AO) has approved users' full access to the Apple App Store for downloading unmanaged (personal) apps and syncing personal data on the device with personal cloud data storage accounts. The site must have an AO-signed document showing the AO has assumed the risk for users' full access to the Apple App Store.

Review configuration settings to confirm "Allow iCloud documents & data" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow iCloud documents & data" is unchecked.

Alternatively, verify the text "<key>allowCloudDocumentSync</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the policy.

5. Tap "Restrictions".

6. Verify "Documents in the Cloud not allowed".

Note: This also verifies that iCloud Drive and iCloud Photo Library are disabled.

If "Allow iCloud documents & data" is checked in the Apple iOS/iPadOS management tool, "<key>allowCloudDocumentSync</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Documents in the Cloud not allowed", this is a finding.

Check System
C-58191r861994_chk
Fix Reference
F-58137r861995_fix
Fix Text

Install a configuration profile to disable iCloud documents and data.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-321290
Group ID
V-254581
Rule Version
AIOS-16-003300
Rule Title
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Keychain).
Rule ID
SV-254581r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable
False
Check Content

Note: This requirement is not applicable if the authorizing official (AO) has approved users' full access to the Apple App Store for downloading unmanaged (personal) apps and syncing personal data on the device with personal cloud data storage accounts. The site must have an AO-signed document showing the AO has assumed the risk for users' full access to the Apple App Store.

Review configuration settings to confirm iCloud keychain is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow iCloud keychain" is unchecked.

Alternatively, verify the text "<key>allowCloudKeychainSync</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Verify "iCloud Keychain not allowed" is listed.

If "Allow iCloud keychain" is checked in the Apple iOS/iPadOS management tool, "<key>allowCloudKeychainSync</key><true/>" appears in the configuration profile, or "iCloud Keychain not allowed" is not listed on the iPhone and iPad, this is a finding.

Check System
C-58192r861997_chk
Fix Reference
F-58138r861998_fix
Fix Text

Install a configuration profile to disable iCloud keychain.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-321290
Group ID
V-254582
Rule Version
AIOS-16-003400
Rule Title
Apple iOS/iPadOS 16 must not allow backup to remote systems (My Photo Stream).
Rule ID
SV-254582r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable
False
Check Content

Note: This requirement is not applicable if the authorizing official (AO) has approved users' full access to the Apple App Store for downloading unmanaged (personal) apps and syncing personal data on the device with personal cloud data storage accounts. The site must have an AO-signed document showing the AO has assumed the risk for users' full access to the Apple App Store.

Review configuration settings to confirm "Allow My Photo Stream" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow My Photo Stream" is unchecked.

Alternatively, verify the text "<key>allowPhotoStream</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Photo Stream not allowed" is listed.

If "Allow My Photo Stream" is checked in the Apple iOS/iPadOS management tool, "<key>allowPhotoStream</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Photo Stream not allowed", this is a finding.

Check System
C-58193r862000_chk
Fix Reference
F-58139r862001_fix
Fix Text

Install a configuration profile to disable My Photo Stream.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-321290
Group ID
V-254583
Rule Version
AIOS-16-003500
Rule Title
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).
Rule ID
SV-254583r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable
False
Check Content

Note: This requirement is not applicable if the authorizing official (AO) has approved users' full access to the Apple App Store for downloading unmanaged (personal) apps and syncing personal data on the device with personal cloud data storage accounts. The site must have an AO-signed document showing the AO has assumed the risk for users' full access to the Apple App Store.

Review configuration settings to confirm "Allow iCloud Photos" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow iCloud Photos" is unchecked.

Alternatively, verify the text "<key>allowSharedStream</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Shared streams not allowed" is listed.

If "Allow iCloud Photos" is checked in the Apple iOS/iPadOS management tool, "<key>allowSharedStream</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Shared streams not allowed", this is a finding.

Check System
C-58194r862003_chk
Fix Reference
F-58140r862004_fix
Fix Text

Install a configuration profile to disable "Allow iCloud Photos".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-321290
Group ID
V-254584
Rule Version
AIOS-16-003600
Rule Title
Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).
Rule ID
SV-254584r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable
False
Check Content

Review configuration settings to confirm "Allow managed apps to store data in iCloud" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow managed apps to store data in iCloud" is unchecked.

Alternatively, verify the text "<key>allowManagedAppsCloudSync</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Managed apps cloud sync not allowed" is listed.

If "Allow managed apps to store data in iCloud" is checked in the Apple iOS/iPadOS management tool, "<key>allowManagedAppsCloudSync</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Managed apps cloud sync not allowed", this is a finding.

Check System
C-58195r862006_chk
Fix Reference
F-58141r862007_fix
Fix Text

Install a configuration profile to prevent DoD applications from storing data in iCloud.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254622
Rule Version
AIOS-16-012000
Rule Title
A managed photo app must be used to take and store work-related photos.
Rule ID
SV-254622r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The iOS Photos app is unmanaged and may sync photos with a device user's personal iCloud account. Therefore, work-related photos must not be taken via the iOS camera app or stored in the Photos app. A managed photo app must be used to take and manage work-related photos.

SFR ID: NA

Documentable
False
Check Content

Review configuration settings to confirm a managed photos app is installed on the iOS device.

This check procedure is performed on the iPhone and iPad.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the DoD Configuration Profile from the Apple iOS/iPadOS management tool.

5. Tap "Apps".

6. Verify a photo capture and management app is listed.

If a managed photo capture and management app is not installed on the iPhone and iPad, this is a finding.

Check System
C-58233r862120_chk
Fix Reference
F-58179r862121_fix
Fix Text

Install a managed photos app to take and manage work-related photos.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
Group Title
PP-MDF-990000
Group ID
V-254623
Rule Version
AIOS-16-012200
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode.
Rule ID
SV-254623r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The Lightning (USB) port on an iOS device can be used to access data on the device. The required setting ensures the device passcode is entered before a previously trusted USB accessory can connect to the locked device.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow USB Restricted Mode" is enabled.

This check procedure is performed on both the device management tool and the iPhone and iPad device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow USB Restricted Mode" is checked (set to "True").

On the iPhone/iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify there is no listing for "USB Accessories while locked allowed".

If "Allow USB Restricted Mode" is not enabled in the management tool, or "USB Accessories while locked allowed" is listed in the restrictions profile on the Apple device, this is a finding.

Note: The default configuration setting for "allow USB Restricted Mode" is "True" in most MDM products. This is the required setting. When set correctly, nothing will be listed in the Restrictions profile, and the user will be able to toggle USB accessories on/off.

Note: "Allow USB Restricted Mode" may be called "Allow USB accessories while device is locked" in some MDM consoles. The required logic is to disable USB accessory connections when the device is locked.

Check System
C-58234r865839_chk
Fix Reference
F-58180r865863_fix
Fix Text

Install a configuration profile that sets "Allow USB Restricted Mode" to "True" in the management tool. This is a supervised-only control.

Note: The default configuration setting for "allow USB Restricted Mode" is "True" in most MDM products. This is the required setting. When set correctly, nothing will be listed in the Restrictions profile, and the user will be able to toggle USB accessories on/off.

Note: This control is called "Allow USB accessories while device is locked" in Apple Configurator, and the control logic is opposite to what is listed here. Ensure the MDM policy rule is set correctly (to disable USB accessory connections when the device is locked).

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254626
Rule Version
AIOS-16-012500
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Disable AirDrop.
Rule ID
SV-254626r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained access to the information broadcast by this feature, the attacker may distribute this sensitive information very quickly and without DoD's control or awareness. By disabling this feature, the risk of mass data exfiltration will be mitigated.

Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Determine if the site authorizing official (AO) has approved the use of AirDrop for unmanaged data transfer. Look for a document showing approval. If AirDrop is not approved, review configuration settings to confirm it is disabled. If approved, this requirement is not applicable.

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the AO has not approved the use of AirDrop for unmanaged data transfer).

If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures:

This check procedure is performed on both the device management tool and the iPhone and iPad device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow AirDrop" is unchecked.

On the iPhone/iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirDrop not allowed" is listed.

If the AO has not approved AirDrop, and either "Allow AirDrop" is checked in the management tool or "AirDrop not allowed" is not listed on the Apple device, this is a finding.

Check System
C-58237r862132_chk
Fix Reference
F-58183r862133_fix
Fix Text

If the AO has not approved the use of AirDrop for unmanaged data transfer, install a configuration profile that disables the AllowAirDrop control in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254627
Rule Version
AIOS-16-012600
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Disable paired Apple Watch.
Rule ID
SV-254627r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Authorizing official (AO) approval is required before an Apple Watch (DoD-owned or personally owned) can be paired with a DoD-owned iPhone to ensure the AO has evaluated the risk in having sensitive DoD data transferred to and stored on an Apple Watch in their operational environment.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Determine if the site AO has approved the use of Apple Watch with DoD-owned iPhones. Look for a document showing approval. If not approved, review configuration settings to confirm "Allow Paired Watch" is disabled. If approved, this requirement is not applicable.

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the AO has not approved the use of Apple Watch with DoD-owned iPhones).

If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures:

This check procedure is performed on both the device management tool and the iPhone.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow Paired Watch" is unchecked.

On the iPhone:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Paired Apple Watch not allowed" is listed.

If the AO has not approved pairing an Apple Watch with a DoD-owned iPhone, and either "Allow Paired Watch" is checked in the management tool or "Paired Apple Watch not allowed" is not listed on the iPhone, this is a finding.

Check System
C-58238r862135_chk
Fix Reference
F-58184r862136_fix
Fix Text

If the AO has not approved the use of Apple Watch with DoD-owned iPhones, install a configuration profile that disables "Allow Paired Watch" in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254628
Rule Version
AIOS-16-012700
Rule Title
Apple iOS/iPadOS 16 must disable Password AutoFill in browsers and applications.
Rule ID
SV-254628r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm Password AutoFill is disabled (the device lists the restriction as "Password AutoFill is not allowed").

This check procedure is performed on both the iOS/iPadOS device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow Password AutoFill" is unchecked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Password AutoFill is not allowed" is listed.

If "Allow Password AutoFill" is checked in the iOS/iPadOS management tool, or "Password AutoFill is not allowed" is not listed on the Apple device, this is a finding.

Check System
C-58239r862138_chk
Fix Reference
F-58185r862139_fix
Fix Text

Install a configuration profile that disables "Allow Password AutoFill" in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254629
Rule Version
AIOS-16-012800
Rule Title
Apple iOS/iPadOS 16 must disable allow setting up new nearby devices.
Rule ID
SV-254629r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

This control allows Apple device users to request passwords from nearby devices. This could lead to a compromise of the device password with an unauthorized person or device. DoD Apple device passwords must not be shared.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow setting up new nearby devices" is disabled.

This check procedure is performed on both the iOS/iPadOS device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow setting up new nearby devices" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Proximity setup to a new device is not allowed" is listed.

If "Allow setting up new nearby devices" is checked in the iOS/iPadOS management tool, or "Proximity setup to a new device is not allowed" is not listed on the Apple device, this is a finding.

Check System
C-58240r862141_chk
Fix Reference
F-58186r862142_fix
Fix Text

Install a configuration profile that disables "Allow setting up new nearby devices" in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254630
Rule Version
AIOS-16-012900
Rule Title
Apple iOS/iPadOS 16 must disable password proximity requests.
Rule ID
SV-254630r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

This control allows one Apple device to be notified to share its password with a nearby device. This could lead to a compromise of the device password with an unauthorized person or device. DoD Apple device passwords must not be shared.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow Password Proximity Requests" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow Password Proximity Requests" is unchecked.

On the iPhone and iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Proximity password requests not allowed" is listed.

If "Proximity password requests not allowed" is not listed in the management tool and on the Apple device, this is a finding.

Check System
C-58241r939247_chk
Fix Reference
F-58187r862145_fix
Fix Text

Install a configuration profile to disable "Allow Password Proximity Requests" in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254631
Rule Version
AIOS-16-013000
Rule Title
Apple iOS/iPadOS 16 must disable password sharing.
Rule ID
SV-254631r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

This control allows sharing passwords between Apple devices using AirDrop. This could lead to a compromise of the device password with an unauthorized person or device. DoD Apple device passwords must not be shared.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Password Sharing is not allowed" is enabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Password Sharing is not allowed" is checked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Password Sharing is not allowed" is listed.

If "Password Sharing is not allowed" is not enabled in the management tool and on the Apple device, this is a finding.

Check System
C-58242r862147_chk
Fix Reference
F-58188r862148_fix
Fix Text

Install a configuration profile that disables password sharing (enable "Password Sharing is not allowed") in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254632
Rule Version
AIOS-16-013100
Rule Title
Apple iOS/iPadOS 16 must disable Find My Friends in the Find My app.
Rule ID
SV-254632r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

This control does not share a DoD user's location but encourages location sharing between DoD mobile device users, which can lead to operational security (OPSEC) risks. Sharing the location of a DoD mobile device is a violation of AIOS-16-011700.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Find My Friends" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Find My Friends" and "Allow modifying Find My Friends" are unchecked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Find My Friends" is not listed.

If "Find My Friends" and "Allow modifying Find My Friends" are not disabled in the management tool and on the Apple device, this is a finding.

Check System
C-58243r862150_chk
Fix Reference
F-58189r862151_fix
Fix Text

Install a configuration profile to disable "Find My Friends" in the Find My app and "Allow modifying Find My Friends" in the management tool. This is a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254633
Rule Version
AIOS-16-013200
Rule Title
The Apple iOS/iPadOS 16 must be supervised by the MDM.
Rule ID
SV-254633r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

When an iOS/iPadOS device is not supervised, the DoD mobile service provider cannot control when new iOS/iPadOS updates are installed on site-managed devices. Most updates should be installed immediately to mitigate new security vulnerabilities, while some sites need to test each update prior to installation to ensure critical missions are not adversely impacted by the update.

Several password and data protection controls can be implemented only when an Apple device is supervised.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm site-managed iOS/iPadOS devices are supervised.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify all managed Apple devices are supervised (verification procedure will vary by MDM product).

Note: If the Apple device is not managed by an MDM and supervision is set up via Apple Configurator, this procedure is not applicable.

On the iPhone and iPad:

1. Open the Settings app.

2. Verify a message similar to the following appears on the screen: "This iPad is supervised by (name of site DoD mobile service provider)."

If site-managed iOS/iPadOS devices are not supervised, this is a finding.

Check System
C-58244r862153_chk
Fix Reference
F-58190r862221_fix
Fix Text

Use one of the following methods to supervise iOS and iPadOS devices managed by the DoD mobile service provider.

Method 1:

- Register all current and new iOS and iPadOS devices in the DoD mobile service provider's Automated Device Management/Apple Business Manager (ABM) account.

- Enable supervision of managed iOS/iPadOS devices in the MDM.

Method 2:

- Configure each iOS/iPadOS device using the Apple Configurator tool for Supervision.

- This method is usually appropriate only when MDM management of the DoD Apple device is not appropriate or an older device cannot be registered in ABM.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254634
Rule Version
AIOS-16-013300
Rule Title
Apple iOS/iPadOS 16 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
Rule ID
SV-254634r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Unauthorized use of USB storage drives could lead to the introduction of malware or unauthorized software into the DoD IT infrastructure and compromise of sensitive DoD information and systems.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This requirement is not applicable if the AO has approved the use of USB drives to load files to Apple devices. The approval must be in writing and include which USB storage devices are approved for use.

If the AO has not approved the use of USB drives to load files to Apple devices, use the following procedures to verify compliance.

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow USB drive access in Files app" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow USB drive access in Files app" is unchecked.

On the iPhone and iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "USB drives not accessible in Files app" is listed.

If "Allow USB drive access in Files app" is not disabled in the management tool and "USB drives not accessible in Files app" is not listed in the Restrictions profile on the Apple device, this is a finding.

Check System
C-58245r862156_chk
Fix Reference
F-58191r862157_fix
Fix Text

If the AO has not approved the use of USB drives to load files to Apple devices, install a configuration profile to disable "Allow USB drive access in Files app".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254637
Rule Version
AIOS-16-014300
Rule Title
Apple iOS/iPadOS 16 must disable "Allow network drive access in Files access".
Rule ID
SV-254637r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Allowing network drive access by the Files app could lead to the introduction of malware or unauthorized software into the DoD IT infrastructure and compromise of sensitive DoD information and systems.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow network drive access in Files access" is unchecked.

On the iPhone and iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Network drives not accessible in Files app" is listed.

If "Allow network drive access in Files access" is not disabled in the management tool and "Network drives not accessible in Files app" is not listed in Profile Restrictions on the Apple device, this is a finding.

Check System
C-58248r862165_chk
Fix Reference
F-58194r862166_fix
Fix Text

Install a configuration profile to disable "Allow network drive access in Files access".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254638
Rule Version
AIOS-16-014400
Rule Title
Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of dictation.
Rule ID
SV-254638r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. Dictation information could contain sensitive DoD information and therefore should not leave the DoD control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Disable connections to Siri servers for the purpose of dictation" is disabled.

This check procedure is performed on the device management tool.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Disable connections to Siri servers for the purpose of dictation" is checked.

If connections to Siri servers are not disabled for dictation, this is a finding.

Check System
C-58249r862168_chk
Fix Reference
F-58195r862229_fix
Fix Text

Configure the Apple iOS configuration profile to disable connections to Siri servers for the purpose of dictation. This is a supervised-only control.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, select "disable connections to Siri servers for the purpose of dictation".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254639
Rule Version
AIOS-16-014500
Rule Title
Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of translation.
Rule ID
SV-254639r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. Translation information could contain sensitive DoD information and therefore should not leave the DoD control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This check procedure is performed on the device management tool.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Disable connections to Siri servers for the purpose of translation" is checked.

If connections to Siri servers are not disabled for translation, this is a finding.

Check System
C-58250r862171_chk
Fix Reference
F-58196r862231_fix
Fix Text

Configure the Apple iOS configuration profile to disable connections to Siri servers for the purpose of translation.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, select "disable connections to Siri servers for the purpose of translation".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254640
Rule Version
AIOS-16-014600
Rule Title
Apple iOS/iPadOS 16 must disable copy/paste of data from managed to unmanaged applications.
Rule ID
SV-254640r959010_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Require managed pasteboard" is set to "True".

If "Require managed pasteboard" is not set to "True", this is a finding.

Check System
C-58251r862174_chk
Fix Reference
F-58197r862233_fix
Fix Text

Configure the Apple iOS configuration profile to disable copy/paste of data from managed to unmanaged applications.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, set "Require managed pasteboard" to "True".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1