AirWatch recently announced that its MDM Software 6.5 Security Technical Implementation Guide (STIG) Version 1 has been approved by the Defense Information Systems Agency’s (DISA) Field Service Operations division. The certification validates that AirWatch meets security requirements for installation on Department of Defense (DOD) networks. The requirements cover cybersecurity policy, technical standards and software architecture. AirWatch is one of only two MDM providers to meet these requirements with an approved STIG.
To view the AirWatch STIG, visit the DISA STIG page.
How was the AirWatch STIG created?
Williams: When the Defense Information Systems Agency (DISA) released its MDM Security Requirements Guide (SRG) last March, AirWatch’s government solutions team immediately began addressing the 294 requirements. The NIST SP 800-53 requirements, as listed in the DISA MDM Security Requirements Guide (SRG), require MDM providers to outline a technical guide on product configuration. The AirWatch Government Solutions team worked directly with DISA to outline product configuration for each of the 294 requirements.
After that was complete, the AirWatch Government Solutions team built a lab for validation testing of the product. DISA representatives came to the lab, which simulated a DOD on-premise network deployment configured the same way it would be for a STIG environment. We tested each of the 294 requirements one by one, over the course of a few days.
The lead author of the AirWatch STIG joined the AirWatch Government Solutions team after spending a number of years in the U.S. Air Force, where he was trained in military-grade information assurance at the highest level. He worked closely with a DISA representative to write the STIG.
Why is the STIG a significant achievement for AirWatch?
Williams: DISA released its Security Requirements Guide (SRG) for MDM right around the time government entities began to look at mobile device options outside of BlackBerry. The AirWatch STIG supports government bodies that want to move to multi-OS mobility strategies. Today, the process for finding an MDM to support other devices within a military unit looks a little like this: A commander will become interested in a particular product, and then both information assurance and a contracting team must validate the product. The first thing the information assurance manager does is look to see if the product has a STIG. AirWatch is one of only two MDM providers today that have a STIG.
What is an SRG? What is it for?
Williams: A Security Requirements Guide (SRG) is a type of document released by DISA to provide guidelines for vendors of IT products. There is a specific SRG for each type of product. DISA released its MDM Security Requirements Guide (SRG) in March 2013. The document outlines the security, technical and architectural requirements MDM software providers must meet. Before MDM software can be installed on a DOD network, the MDM provider must prove its product meets all requirements and undergo rigorous validation testing.
Who should follow the AirWatch STIG?
Williams: Any military unit installing AirWatch must follow the STIG. Additionally, organizations that provide solutions to the government that are transacting government data on mobile devices must use STIG-approved MDM solutions. It’s a good practice for any security-conscious organization, especially those in highly regulated industries, to use STIG-approved technologies. A STIG provides assurance that the highest levels of government-approved security are being maintained.
Which devices does the AirWatch STIG support?
Williams: The DOD only allows devices that include FIPS 140-2 validated cryptographic modules. Currently that includes iOS and Samsung KNOX devices. AirWatch enables the FIPS 140-2 cryptographic modules on these devices and tracks them for usage. So if a user disabled the encryption, the AirWatch compliance engine would catch it, notify the administrator and automatically trigger a response, which in most cases is an enterprise wipe. Additionally, the AirWatch Secure Content Locker is enabled with FIPS 140-2 encryption, so content can be protected on devices that do not have FIPS 140-2 validated cryptographic modules. In some instances, organizations need FIPS 140-2 validation to protect their content but do not store sensitive content anywhere else on the device.
What about encryption requirements for the servers where AirWatch is installed?
Williams: Servers are hardened in conjunction with their own STIGs. So if AirWatch were installed on a Microsoft server, that server would be hardened in conjunction with Microsoft Server’s STIG after AirWatch was installed.