
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000366

Definition

Implement the security configuration settings.

Parent Control

CM-6: Configuration Settings (Configuration Management)

Linked STIG Checks (200)

A10 Networks ADC ALG Security Technical Implementation Guide

  • V-237060 (CAT II): The A10 Networks ADC, when used for load balancing web servers, must deploy the WAF in active mode.
  • V-237061 (CAT II): If the Data Owner requires it, the A10 Networks ADC must be configured to perform CCN Mask, SSN Mask, and PCRE Mask Request checks.
  • V-237063 (CAT II): The A10 Networks ADC must protect against TCP SYN floods by using TCP SYN Cookies.
  • V-237064 (CAT I): The A10 Networks ADC must be a FIPS-compliant version.
  • V-264425 (CAT I): The A10 Networks ALG must be using a version supported by the vendor.

A10 Networks ADC NDM Security Technical Implementation Guide

  • V-255590 (CAT II): The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
  • V-255593 (CAT III): The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-255594 (CAT III): The A10 Networks ADC must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
  • V-255596 (CAT II): The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
  • V-255597 (CAT I): The A10 Networks ADC must not use the default admin account.
  • V-255601 (CAT II): The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
  • V-255602 (CAT I): The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.
  • V-255603 (CAT II): The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.
  • V-255604 (CAT II): The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
  • V-255605 (CAT II): The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are removed.
  • V-255607 (CAT II): The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
  • V-255608 (CAT II): The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
  • V-255610 (CAT III): The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
  • V-255611 (CAT III): The A10 Networks ADC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • V-255612 (CAT II): The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
  • V-255618 (CAT II): The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
  • V-255619 (CAT II): The A10 Networks ADC must employ centrally managed authentication server(s).
  • V-255620 (CAT II): The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  • V-255623 (CAT I): The A10 Networks ADC must not use the default enable password.
  • V-264426 (CAT I): The A10 Networks NDM must be using a version supported by the vendor.

AAA Services Security Requirements Guide

  • V-204697 (CAT III): AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
  • V-204698 (CAT II): AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
  • V-204699 (CAT II): AAA Services must not be configured with shared accounts.
  • V-204700 (CAT II): AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
  • V-204701 (CAT II): AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
  • V-204702 (CAT II): AAA Services must be configured to use IP segments separate from production VLAN IP segments.
  • V-204703 (CAT II): AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
  • V-204704 (CAT II): AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

Active Directory Domain Security Technical Implementation Guide

  • V-243466 (CAT I): Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
  • V-243467 (CAT I): Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
  • V-243468 (CAT II): Administrators must have separate accounts specifically for managing domain member servers.
  • V-243469 (CAT II): Administrators must have separate accounts specifically for managing domain workstations.
  • V-243470 (CAT I): Delegation of privileged accounts must be prohibited.
  • V-243472 (CAT II): Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
  • V-243473 (CAT II): Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
  • V-243475 (CAT II): Domain controllers must be blocked from Internet access.
  • V-243476 (CAT II): All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
  • V-243477 (CAT II): User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
  • V-243478 (CAT II): Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
  • V-243479 (CAT II): The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC) at least annually.
  • V-243480 (CAT II): The domain functional level must be at a Windows Server version still supported by Microsoft.
  • V-243481 (CAT II): Access to need-to-know information must be restricted to an authorized community of interest.
  • V-243482 (CAT I): Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
  • V-243483 (CAT I): A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
  • V-243487 (CAT II): Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
  • V-243488 (CAT III): User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
  • V-243489 (CAT II): Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
  • V-243490 (CAT II): Usage of administrative accounts must be monitored for suspicious and anomalous activity.
  • V-243491 (CAT II): Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
  • V-243492 (CAT II): Systems must be monitored for remote desktop logons.
  • V-243493 (CAT II): Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
  • V-243494 (CAT III): Each cross-directory authentication configuration must be documented.
  • V-243496 (CAT II): Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
  • V-243497 (CAT II): Inter-site replication must be enabled and configured to occur at least daily.
  • V-243499 (CAT III): Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.
  • V-243500 (CAT II): Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
  • V-243501 (CAT III): The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented.
  • V-269097 (CAT II): Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).

Active Directory Forest Security Technical Implementation Guide

  • V-243502 (CAT II): Membership to the Schema Admins group must be limited.
  • V-243503 (CAT II): Anonymous Access to AD forest data above the rootDSE level must be disabled.
  • V-243505 (CAT III): Changes to the AD schema must be subject to a documented configuration management process.
  • V-269098 (CAT I): Windows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.
  • V-269099 (CAT I): Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.

Adobe ColdFusion Security Technical Implementation Guide

  • V-279050 (CAT II): ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.
  • V-279060 (CAT II): ColdFusion must transmit only encrypted representations of passwords to the mail server.
  • V-279065 (CAT II): ColdFusion must have sandboxes enabled and defined.
  • V-279072 (CAT II): The ColdFusion error messages must be restricted to only authorized users.
  • V-279075 (CAT I): ColdFusion must control remote access to Exposed Services.
  • V-279089 (CAT II): ColdFusion must set an organization defined maximum number of cached templates.
  • V-279102 (CAT II): Installed versions of ColdFusion must be supported by the vendor.
  • V-279103 (CAT II): ColdFusion must execute as a nonprivileged user.
  • V-279104 (CAT II): The ColdFusion Root Administrator account must have a unique username.
  • V-279105 (CAT II): ColdFusion must protect newly created objects.
  • V-279106 (CAT II): ColdFusion must be configured to set the cookie settings.
  • V-279107 (CAT II): ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely.
  • V-279108 (CAT II): ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.
  • V-279109 (CAT II): ColdFusion must be configured to set the Secure attribute on session cookies to ensure that cookies are only transmitted over secure HTTPS connections.
  • V-279110 (CAT II): ColdFusion must have the Java Runtime Environment (JRE) updated to the latest version.
  • V-279111 (CAT II): ColdFusion must have CFIDE blocked in the uriworkermap.properties file.

Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide

  • V-76425 (CAT II): Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.

Akamai KSD Service Impact Level 2 NDM Security Technical Implementation Guide

  • V-76457 (CAT II): Upon successful login, the Akamai Luna Portal must notify the administrator of the date and time of the last login.
  • V-76459 (CAT II): The Akamai Luna Portal must notify the administrator of the number of successful login attempts.
  • V-76501 (CAT I): The Akamai Luna Portal must employ Security Assertion Markup Language (SAML) to automate central management of administrators.
  • V-76503 (CAT I): The Akamai Luna Portal must employ Single Sign On (SSO) with Security Assertion Markup Language (SAML) integration to verify authentication settings.

Amazon Linux 2023 Security Technical Implementation Guide

  • V-274016 (CAT II): Amazon Linux 2023 must require users to provide a password for privilege escalation.
  • V-274027 (CAT II): Amazon Linux 2023 must have the firewalld package installed.
  • V-274028 (CAT II): Amazon Linux 2023 must have the firewalld service active.
  • V-274048 (CAT II): Amazon Linux 2023 SSHD must not allow blank passwords.
  • V-274140 (CAT II): Amazon Linux 2023 must prevent the use of dictionary words for passwords.
  • V-274144 (CAT II): Amazon Linux 2023 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-274145 (CAT II): Amazon Linux 2023 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Anduril NixOS Security Technical Implementation Guide

  • V-268078 (CAT II): NixOS must enable the built-in firewall.
  • V-268155 (CAT II): NixOS must require users to reauthenticate for privilege escalation.
  • V-268156 (CAT II): NixOS must require users to reauthenticate when changing roles.
  • V-268169 (CAT II): NixOS must prevent the use of dictionary words for passwords.
  • V-268170 (CAT II): NixOS must enable the use of pwquality.
  • V-268171 (CAT II): NixOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-268172 (CAT I): NixOS must not allow an unattended or automatic logon to the system via the console.
  • V-268173 (CAT II): NixOS must be configured to use AppArmor.
  • V-268181 (CAT II): NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Apache Server 2.4 UNIX Server Security Technical Implementation Guide

  • V-214231 (CAT II): The Apache web server must have system logging enabled.
  • V-214271 (CAT I): The account used to run the Apache web server must not have a valid login shell and password defined.
  • V-214272 (CAT III): The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-214273 (CAT I): The Apache web server software must be a vendor-supported version.
  • V-214274 (CAT II): The Apache web server htpasswd files (if present) must reflect proper ownership and permissions.

Apache Server 2.4 UNIX Site Security Technical Implementation Guide

  • V-214304 (CAT III): The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

Apache Server 2.4 Windows Server Security Technical Implementation Guide

  • V-214309 (CAT II): System logging must be enabled.
  • V-214357 (CAT I): All accounts installed with the Apache web server software and tools must have passwords assigned and default passwords changed.
  • V-214359 (CAT I): The Apache web server software must be a vendor-supported version.
  • V-214360 (CAT II): The Apache web server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Apache Server 2.4 Windows Site Security Technical Implementation Guide

  • V-214390 (CAT II): The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.

Apache Tomcat Application Server 9 Security Technical Implementation Guide

  • V-223002 (CAT III): STRICT_SERVLET_COMPLIANCE must be set to true.
  • V-223003 (CAT III): RECYCLE_FACADES must be set to true.
  • V-223004 (CAT II): ALLOW_BACKSLASH must be set to false.
  • V-223005 (CAT II): ENFORCE_ENCODING_IN_GET_WRITER must be set to true.
  • V-223006 (CAT II): Tomcat users in a management role must be approved by the ISSO.
  • V-223007 (CAT III): Hosted applications must be documented in the system security plan.
  • V-223008 (CAT III): Connectors must be approved by the ISSO.
  • V-223009 (CAT III): Connector address attribute must be set.

Apple iOS-iPadOS 16 Security Technical Implementation Guide

  • V-254578 (CAT III): Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
  • V-254580 (CAT II): Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud document and data synchronization).
  • V-254581 (CAT II): Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Keychain).
  • V-254582 (CAT II): Apple iOS/iPadOS 16 must not allow backup to remote systems (My Photo Stream).
  • V-254583 (CAT II): Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).
  • V-254584 (CAT II): Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).
  • V-254585 (CAT II): Apple iOS/iPadOS 16 must not allow backup to remote systems (enterprise books).
  • V-254586 (CAT II): Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
  • V-254587 (CAT II): Apple iOS/iPadOS 16 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
  • V-254589 (CAT II): Apple iOS/iPadOS 16 must be configured to not allow passwords that include more than four repeating or sequential characters.
  • V-254593 (CAT II): Apple iOS/iPadOS 16 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
  • V-254594 (CAT II): Apple iOS/iPadOS 16 must not include applications with the following characteristics: access to Siri when the device is locked.
  • V-254595 (CAT II): Apple iOS/iPadOS 16 allow list must be configured to not include applications with the following characteristics: allow voice dialing when MD is locked.
  • V-254596 (CAT II): Apple iOS/iPadOS 16 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
  • V-254602 (CAT II): Apple iOS/iPadOS 16 must be configured to disable multiuser modes.
  • V-254603 (CAT II): Apple iOS/iPadOS 16 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
  • V-254604 (CAT II): Apple iOS/iPadOS 16 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
  • V-254607 (CAT III): Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.
  • V-254608 (CAT III): Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.
  • V-254609 (CAT II): Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
  • V-254610 (CAT III): Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.
  • V-254612 (CAT II): Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.
  • V-254614 (CAT I): iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
  • V-254616 (CAT II): Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.
  • V-254617 (CAT II): Apple iOS/iPadOS 16 must implement the management setting: Treat AirDrop as an unmanaged destination.
  • V-254618 (CAT III): Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.
  • V-254621 (CAT II): Apple iOS/iPadOS 16 users must complete required training.
  • V-254623 (CAT II): Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode.
  • V-254624 (CAT III): Apple iOS/iPadOS 16 must not allow managed apps to write contacts to unmanaged contacts accounts.
  • V-254625 (CAT III): Apple iOS/iPadOS 16 must not allow unmanaged apps to read contacts from managed contacts accounts.
  • V-254626 (CAT III): Apple iOS/iPadOS 16 must implement the management setting: Disable AirDrop.
  • V-254627 (CAT II): Apple iOS/iPadOS 16 must implement the management setting: Disable paired Apple Watch.
  • V-254628 (CAT II): Apple iOS/iPadOS 16 must disable Password AutoFill in browsers and applications.
  • V-254629 (CAT II): Apple iOS/iPadOS 16 must disable allow setting up new nearby devices.
  • V-254630 (CAT II): Apple iOS/iPadOS 16 must disable password proximity requests.
  • V-254631 (CAT II): Apple iOS/iPadOS 16 must disable password sharing.
  • V-254632 (CAT III): Apple iOS/iPadOS 16 must disable Find My Friends in the Find My app.
  • V-254633 (CAT II): The Apple iOS/iPadOS 16 must be supervised by the MDM.
  • V-254634 (CAT II): Apple iOS/iPadOS 16 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
  • V-254636 (CAT II): Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
  • V-254637 (CAT II): Apple iOS/iPadOS 16 must disable "Allow network drive access in Files access".
  • V-254638 (CAT II): Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of dictation.
  • V-254639 (CAT II): Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of translation.
  • V-254640 (CAT II): Apple iOS/iPadOS 16 must disable copy/paste of data from managed to unmanaged applications.
  • V-274441 (CAT I): All Apple iOS/iPadOS 16 installations must be removed.

Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD Security Technical Implementation Guide

  • V-257085 (CAT II): The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
  • V-257086 (CAT II): The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.
  • V-257087 (CAT II): The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD native security controls are disabled.
  • V-257088 (CAT II): The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).
  • V-257089 (CAT II): The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).
  • V-257090 (CAT II): The EMM detection/monitoring system must use continuous monitoring of enrolled iOS/iPadOS 16 BYOAD.
  • V-257091 (CAT II): The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.
  • V-257092 (CAT II): The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.
  • V-257093 (CAT II): The iOS/iPadOS 16 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.
  • V-257095 (CAT III): The iOS/iPadOS 16 BYOAD must be configured to protect users' privacy, personal information, and applications.
  • V-257096 (CAT III): The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.
  • V-257100 (CAT I): The EMM system supporting the iOS/iPadOS 16 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).
  • V-257101 (CAT III): The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.
  • V-257136 (CAT I): The mobile device used for BYOAD must be NIAP validated.
  • V-274443 (CAT I): All Apple iOS/iPadOS 16 BYOAD installations must be removed.

Apple iOS/iPadOS 15 Security Technical Implementation Guide

  • V-250919 (CAT III): Apple iOS/iPadOS 15 must provide the capability for the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
  • V-250927 (CAT II): Apple iOS/iPadOS 15 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
  • V-250928 (CAT II): Apple iOS/iPadOS 15 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
  • V-250930 (CAT II): Apple iOS/iPadOS 15 must be configured to not allow passwords that include more than two repeating or sequential characters.
  • V-250934 (CAT II): Apple iOS/iPadOS 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
  • V-250935 (CAT II): Apple iOS/iPadOS 15 must not include applications with the following characteristics: access to Siri when the device is locked.
  • V-250936 (CAT II): Apple iOS/iPadOS 15 allow list must be configured to not include applications with the following characteristics: voice dialing application if available when MD is locked.
  • V-250937 (CAT II): Apple iOS/iPadOS 15 allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup
services);- transmit MD diagnostic data to non-DoD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250943CAT IIApple iOS/iPadOS 15 must be configured to disable multiuser modes.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250944CAT IIApple iOS/iPadOS 15 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250945CAT IIApple iOS/iPadOS 15 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250947CAT IApple iOS/iPadOS 15 must require a valid password be successfully entered before the mobile device data is unencrypted.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250948CAT IIIApple iOS/iPadOS 15 must implement the management setting: limit Ad Tracking.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250949CAT IIIApple iOS/iPadOS 15 must implement the management setting: not allow automatic completion of Safari browser passcodes.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250950CAT IIApple iOS/iPadOS 15 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.Apple iOS/iPadOS 15 Security Technical Implementation GuideV-250951CAT IIIApple iOS/iPadOS 15 must implement the management setting: not allow use of Handoff.Apple iOS/iPadOS 15 Security Technical Implementation Guide
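Several of the iOS/iPadOS 15 checks above (V-250935, V-250936, V-250937, V-250948, V-250949, V-250950, V-250951) are enforced on the device through the Restrictions payload of an MDM configuration profile. As an added example, not code from STIGhub, DISA or Apple, the script below audits a constructed .mobileconfig profile against those checks. The `com.apple.applicationaccess` key names are Apple's restriction keys; pairing each key with a V-ID, and the constructed sample profile, are this example's own assumptions, not text from the STIG.

```python
import plistlib

# Map of STIG check IDs listed on this page to the Apple Restrictions payload
# (com.apple.applicationaccess) key and the value the check expects.
# The key names are Apple's; which key satisfies which V-ID is an assumption
# of this example, not wording from the STIG itself.
STIG_RESTRICTIONS = {
    "V-250935": ("allowAssistantWhileLocked", False),  # no Siri while locked
    "V-250936": ("allowVoiceDialing", False),          # no voice dialing while locked
    "V-250937": ("allowCloudBackup", False),           # no backup to non-DoD cloud
    "V-250948": ("forceLimitAdTracking", True),        # limit Ad Tracking
    "V-250949": ("allowPasswordAutoFill", False),      # no Safari password autofill
    "V-250950": ("forceEncryptedBackup", True),        # encrypt local backups
    "V-250951": ("allowActivityContinuation", False),  # no Handoff
}


def restriction_payloads(profile):
    """Yield every Restrictions payload inside a parsed configuration profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            yield payload


def audit_profile(profile_bytes, checks=STIG_RESTRICTIONS):
    """Return {V-ID: (status, detail)} for each check in `checks`.

    An unset key is reported as OPEN: Apple's allow* keys default to permitted
    and force* keys default to off, so silence never satisfies a requirement.
    """
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in restriction_payloads(profile):
        merged.update(payload)  # later payloads override earlier ones
    findings = {}
    for vid, (key, expected) in checks.items():
        actual = merged.get(key)
        if actual is None:
            findings[vid] = ("OPEN", f"{key} not set (device default applies)")
        elif actual != expected:
            findings[vid] = ("OPEN", f"{key}={actual!r}, expected {expected!r}")
        else:
            findings[vid] = ("NotAFinding", f"{key}={actual!r}")
    return findings


def open_findings(findings):
    """Sorted list of V-IDs whose status is OPEN."""
    return sorted(vid for vid, (status, _) in findings.items() if status == "OPEN")


# Constructed sample profile (not a real deployed profile): three restrictions
# set correctly, Handoff left enabled, three required keys omitted entirely.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.stig.ios15",          # assumed identifier
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "example.stig.ios15.restrictions",
        "PayloadVersion": 1,
        "allowAssistantWhileLocked": False,
        "allowVoiceDialing": False,
        "forceEncryptedBackup": True,
        "allowActivityContinuation": True,             # Handoff still on
    }],
})

if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for vid in sorted(results):
        status, detail = results[vid]
        print(f"{vid}: {status} ({detail})")
    print("open:", ", ".join(open_findings(results)))
```

Run it against a profile exported from the MDM (`plistlib.loads` accepts both XML and binary plists); a signed .mobileconfig must first be unwrapped from its CMS envelope, which this example does not do. Treating an absent key as OPEN is deliberate: the checks require the setting to be explicitly managed, and an unmanaged device falls back to Apple's permissive defaults.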