
FINAL PROJECT 1

Final Project

Emmylou Bice

CSOL 530 Cyber Security Risk Management

University of San Diego



Final Project

Introduction

Company XYZ is a defense contractor with locations all over the world that provides engineering solutions for the government in an effort to strengthen and protect national security. Being located across various sites, the company is procuring enterprise cell phones to disseminate to employees as one of the key assets for remote employees. As a defense contractor, Company XYZ stores, processes, and transmits sensitive information pertaining to both national security and the company. Defense contractors are targeted by many different threat actors, including cyber terrorists, insiders, and government-sponsored actors. If the company provides these cell phones to employees, the company must ensure the system is secured at an acceptable risk level to limit the probability of compromise. This paper discusses the process for assessing and monitoring the cyber security risk of Company XYZ’s cell phone system throughout the system lifecycle.

Risk Management Framework

To manage the cyber security risk of systems, including cell phone systems, Company XYZ uses the Risk Management Framework (RMF). RMF is a set of criteria for organizations to follow to architect, secure, and monitor government-related information systems (Petters, 2021). With the RMF process, organizations build their systems thoroughly based on mission or business need and risk tolerance to effectively apply secure implementations of controls and obtain an authorization to operate (ATO). This framework consists of six main cyclical steps: categorize, select, implement, assess, authorize, and monitor. Preceding all of these steps is the preparation step. Figure 1 depicts the RMF process or cycle.

Figure 1: Risk Management Framework (Joint Task Force, 2018)

The following sections describe the six main steps in detail, as well as their applicability to the Company XYZ cell phone system.

System Preparation

The preparation step comes before the main RMF steps. This step is meant to prepare essential activities of the organization at all three levels of the organization-wide risk management approach (organization, mission/business process, and information system) to manage the organization’s security and privacy risks (Joint Task Force, 2018). In this step, the organization identifies its business need for the information system, the authorization boundary that limits the scope of the effort, and the information system types. Lastly, the organization registers the system in an RMF workflow tool such as XACTA 360 or, for government-related information systems, Enterprise Mission Assurance Support Service (eMASS).

Company XYZ identifies the cell phone system as a business need to support remote employees at various sites. These employees support multiple defense acquisition programs and store, process, and transmit company and program related information. The authorization boundary includes two different cell phone information system types, an Android (Samsung) and an iPhone. The company will register this system in XACTA to begin the next step in the process, system categorization.

System Categorization

The first step of the RMF process is system categorization. System categorization is the process of identifying the adverse impact to an organization’s operations, assets, individuals, related organizations, and the nation with respect to the compromise of the confidentiality, integrity, and availability of the organization’s systems and data (Joint Task Force, 2018). This step is key to determining the right impact level of the system undergoing the risk management framework. In this step, the organization identifies the data types of the information system and determines their impact values to arrive at the overall security categorization of the system.

RMF focuses on three main concepts for categorizing systems: confidentiality, integrity, and availability. Confidentiality refers to protecting information or data from being viewed by unauthorized individuals. Integrity refers to protecting information or data from modification by unauthorized individuals. Availability refers to guaranteeing that information or data is accessible to authorized individuals at all times. The impact values are the degree of damage to be expected if confidentiality, integrity, or availability is compromised (JTFTI, 2012).

Analyzing Company XYZ’s cell phone, the three main data types stored, processed, and transmitted are intellectual property protected information, research and development information, and employee training and employment information (Bice, 2021). Table 1 identifies the information types and the impact values for confidentiality, integrity, and availability for Company XYZ’s cell phone system.

Data Type: Intellectual Property Protected Information
Confidentiality: High – The impact of compromised IP with respect to confidentiality would result in limited adverse effects on agency operations, assets, or individuals (Barker, et al., 2008). The impact rating is high due to the information being sensitive in nature, which could cause severe or catastrophic adverse effects on the company and nation.
Integrity: Moderate – The impact of compromised IP with respect to integrity is determined based on the criticality of the specific program or mission being affected (Barker, et al., 2008). This information is typically limited when looking at mission capabilities, but may result in serious adverse effects on the company or nation.
Availability: Low – The impact of compromised IP information with respect to availability would result in an insignificant delay. This is the equivalent of limited adverse effects. The user could switch to other options to view the data.

Data Type: Research and Development Information
Confidentiality: High – The impact of compromised R&D info with respect to confidentiality would result in unauthorized individuals obtaining company knowledge to do harm to the interests of the government of the United States (Barker, et al., 2008). The DoD may lose an advantage over adversarial nations since they may derive insights on countermeasures development, which could result in severe or catastrophic adverse effects on the company and nation (Barker, et al., 2008).
Integrity: Moderate – The impact of compromised R&D with respect to integrity would be “disruptive to the progress of research activities” (Barker, et al., 2008). An individual that accidentally miscalculates or makes a typo in research documentation can create delays in the development of new technologies. There are serious effects on the company because more time is needed to fix the error before the research is complete. There may be a delay in project development.
Availability: Low – The impact of compromised R&D information with respect to availability would result in an insignificant delay. This is the equivalent of limited adverse effects. The user could switch to other options to view the data.

Data Type: Training and Employment Information
Confidentiality: Moderate – If the confidentiality of R&D info were compromised, there would be a serious adverse effect on operations or individuals. Information may contain PII of an individual, which is considered sensitive information and which, if compromised, could put individuals and the company reputation in danger.
Integrity: Moderate – The impact of unauthorized modification of training or employment information would have serious adverse effects on the organization’s operations or individuals. An example includes modifying the employment start date at a company, which could delay onboarding of new employees, which could be critical in staffing a program for deployment.
Availability: Low – The impact of compromised training and employment information with respect to availability would result in an insignificant delay. This is the equivalent of limited adverse effects. The user could switch to other options to view the data.

Table 1: Company XYZ Cell Phone Impact Levels (Bice, 2021)

Overall, the categorization of Company XYZ’s cell phone is high, moderate, low for confidentiality, integrity, and availability, with the overall impact value as high (Bice, 2021). Following this determination, Company XYZ proceeds to the next step in the RMF process.

Control Selection

The second step of the RMF process is control selection. Once the organization determines the security categorization and corresponding impact level, baseline controls are selected, tailored, and documented appropriately for the system, commensurate with the organizational risk (Joint Task Force, 2018). Using NIST SP 800-53 R5 and CNSSI 1253 in combination with the security categorization and impact level, organizations determine the baseline security controls and then tailor them to their information system.

With respect to Company XYZ’s cell phone, Table 2 identifies the NIST 800-53 R5 controls applicable to the HML categorization, or high impact level, in accordance with CNSSI 1253. For the purposes of this paper, only a subset of the applicable controls for the cell phone is listed.

Control | Short Control Description – See NIST 800-53 r5 for detailed descriptions

AC-7 (2) Unsuccessful Login Attempts | Purge/Wipe Mobile Device: The information system purges/wipes information after an organization-defined number of consecutive, unsuccessful device logon attempts.
AC-11 Session Lock: The information system initiates a session lock after an organization-defined time period of inactivity.
AC-18 Wireless Access: The organization establishes and authorizes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access.
AC-19 Access Control for Mobile Devices: The organization establishes and authorizes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices.
CM-3 Configuration Change Control: The organization determines, reviews, documents, implements, retains, and audits the types of changes to the information system that are configuration-controlled.
CM-11 User-Installed Software: The organization establishes, enforces, and monitors an organization-defined policy governing the installation of software by users.
RA-5 Vulnerability Scanning: The organization scans for vulnerabilities in the information system and hosted applications at an organization-defined frequency and remediates legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk.
SC-8 Transmission Confidentiality and Integrity: The information system protects the confidentiality and integrity of transmitted information.
SC-28 Protection of Information at Rest: The information system protects the confidentiality and integrity of information at rest.
SI-2 Flaw Remediation: The organization identifies, reports, and corrects information system flaws and tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.
SI-4 Information System Monitoring: The organization deploys monitoring devices and monitors the information system to detect attacks and unauthorized access.
SI-7 Software, Firmware, and Information Integrity: The organization employs integrity verification tools to detect unauthorized changes to software, firmware, and information of the system.

Table 2: Company XYZ Cell Phone Control Selection (Bice, 2021; Joint Task Force, 2020; Plunkett, 2014)

These controls are appropriate and important for the security of a mobile system because, when implemented appropriately, only authorized individuals would be able to access the device. Company XYZ would be able to effectively manage and control the security configuration of the device to limit the probability of device compromise. After the controls are selected, the next step is to implement the controls in the overall system design.

Security Control Implementation

The third step of the RMF process is security control implementation. Once the organization identifies the total controls applicable to the system, the organization implements the controls and documents the baseline configuration (Joint Task Force, 2018). Activities in this step include engineering specific implementation methods for the applicable controls and documenting the implementations. Table 3 identifies the control implementations for Company XYZ’s cell phone system.

Control | Control Implementation

AC-7 (2) Unsuccessful Login Attempts | Purge/Wipe Mobile Device: IT must enable remote wipe or factory reset of the mobile device after failed login attempts. This will reduce the possibility of disclosing information to unauthorized individuals. For iOS devices, the number of attempts before the wipe is a fixed value of ten failed attempts (Klein, 2016). For Android mobile devices, an application such as Locker must be installed. IT can then set the value to 10 attempts (Rosenblatt, 2016).
AC-11 Session Lock: IT should configure the devices to lock after 15 min of inactivity for both iPhones and Androids (STIG Viewer, 2018, 2020).
AC-18 Wireless Access: IT should configure the device to connect to the Enterprise network automatically using Wi-Fi Protected Access 3 (WPA3). To ensure only authorized users are on the network, IT should configure the devices to use Active Directory (CISA, 2019).
AC-19 Access Control for Mobile Devices: Company XYZ should develop an Acceptable Use Policy that users sign to acknowledge cell phone usage restrictions and connection requirements.
CM-3 Configuration Change Control: IT should develop an Enterprise configuration baseline for the cell phone prior to disseminating the phones. IT should restrict users from downloading new applications and establish a service desk with a configuration change control policy that users can use to request any additional applications or modifications.
CM-11 User-Installed Software: Same as CM-3.
RA-5 Vulnerability Scanning: IT should conduct vulnerability scanning every 30 days using vulnerability scanning software like Tenable’s Nessus to detect vulnerabilities. Nessus’s “Mobile” tab can be used to enter credentials for Apple and Microsoft authentication applications to deep scan the device and gather information (Asadoorian, 2012).
SC-8 Transmission Confidentiality and Integrity: IT should configure the firewall to prevent other devices on the network from finding other devices and filter both inbound and outbound traffic to only authorized traffic using authorized ports, protocols, and services (STIG Viewer, 2013).
SC-28 Protection of Information at Rest: IT should configure encryption of data on the mobile devices, including data-at-rest encryption, which is configurable for both iOS and Android.
SI-2 Flaw Remediation: IT should install a Mobile Device Management (MDM) solution, which would allow IT to monitor, manage, and secure mobile devices (Manage Engine, n.d.). IT admins would be able to add and remove applications, configure the devices, and monitor the devices on the server from a remote location (Manage Engine, n.d.).
SI-4 Information System Monitoring: Same as SI-2.
SI-7 Software, Firmware, and Information Integrity: Same as SI-2.

Table 3: Company XYZ Cell Phone Control Implementation (Bice, 2021)
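Three of the implementations in Table 3 (AC-7 (2), AC-11, and SC-28) are organization-defined values that an MDM pushes to the phone as a policy, and the same values have to be expressed differently on each platform. The example below is added here and is not code from the paper or from any MDM product: it takes the Table 3 values (wipe after 10 failed attempts, lock after 15 minutes, data-at-rest encryption required) and renders them as an Apple Passcode configuration-profile payload and as an Android Management API password policy, which is an MDM-delivered alternative to the Locker application the paper mentions for Android. The payload key names (com.apple.mobiledevice.passwordpolicy, maxFailedAttempts, maxInactivity, passwordPolicies, maximumFailedPasswordsForWipe, maximumTimeToLock, encryptionPolicy) are taken from the vendors' public documentation as I know it and should be verified against the current documentation; the PayloadIdentifier/PayloadUUID strings, the com.example.companyxyz names and the six-digit minimum passcode length are placeholders and assumptions, not values from the paper.

```python
"""Render MDM policy payloads from the Table 3 control baseline.

Added example, not part of the paper or any MDM product. Vendor key names
are assumptions drawn from public documentation; identifiers are placeholders.
"""
import json
import plistlib
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class MobileBaseline:
    """Organization-defined values for the Table 3 controls."""
    wipe_after_failed_attempts: int = 10   # AC-7 (2)
    lock_after_minutes: int = 15           # AC-11 (STIG Viewer, 2018, 2020)
    require_encryption: bool = True        # SC-28
    min_passcode_length: int = 6           # assumption: not stated in the paper

    def validate(self) -> None:
        """Reject values that would not meet the thresholds cited in Table 3."""
        if not 1 <= self.wipe_after_failed_attempts <= 10:
            raise ValueError("AC-7 (2): wipe threshold must be between 1 and 10 attempts")
        if not 1 <= self.lock_after_minutes <= 15:
            raise ValueError("AC-11: screen lock must occur within 15 minutes")
        if not self.require_encryption:
            raise ValueError("SC-28: data-at-rest encryption is mandatory")


def ios_passcode_payload(b: MobileBaseline) -> dict:
    """Apple Passcode payload (assumed PayloadType com.apple.mobiledevice.passwordpolicy).

    iOS Data Protection encrypts data at rest whenever a passcode is set, so
    SC-28 is met by forcing a passcode (forcePIN); there is no separate switch.
    """
    b.validate()
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.companyxyz.passcode",   # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",    # placeholder
        "PayloadDisplayName": "Company XYZ passcode policy",
        "forcePIN": True,
        "allowSimple": False,
        "minLength": b.min_passcode_length,
        "maxFailedAttempts": b.wipe_after_failed_attempts,
        "maxInactivity": b.lock_after_minutes,   # minutes
        "maxGracePeriod": 0,                     # passcode required immediately
    }


def android_policy(b: MobileBaseline) -> dict:
    """Android Management API Policy fragment (assumed field names).

    maximumTimeToLock is milliseconds serialized as an int64 string, unlike
    the iOS value, which is minutes; mixing the two units is an easy mistake.
    """
    b.validate()
    return {
        "passwordPolicies": [{
            "passwordScope": "SCOPE_DEVICE",
            "passwordQuality": "NUMERIC_COMPLEX",
            "passwordMinimumLength": b.min_passcode_length,
            "maximumFailedPasswordsForWipe": b.wipe_after_failed_attempts,
            "maximumTimeToLock": str(b.lock_after_minutes * 60 * 1000),
        }],
        "encryptionPolicy": "ENABLED_WITH_PASSWORD",
    }


def render(b: MobileBaseline) -> Tuple[bytes, str]:
    """Return (.mobileconfig plist bytes, Android policy JSON) for upload to an MDM."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.companyxyz.profile",    # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",    # placeholder
        "PayloadDisplayName": "Company XYZ mobile baseline",
        "PayloadContent": [ios_passcode_payload(b)],
    }
    return plistlib.dumps(profile), json.dumps(android_policy(b), indent=2)


if __name__ == "__main__":
    plist_bytes, android_json = render(MobileBaseline())
    print(plist_bytes.decode())
    print(android_json)
```

The validate() step is deliberate: it turns the STIG thresholds into a gate so that a later change to the baseline (for example, a request to lengthen the lock timeout) fails before a weaker policy is ever generated, which is the kind of configuration-change control CM-3 in Table 3 calls for.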

After the organization applies all the applicable control implementations to the system as best as possible, the next RMF step can commence.

Security Control Assessment

The fourth step of the RMF process is security control assessment. Once the controls have been implemented, a security control assessor (SCA) assesses the controls to determine if they are “implemented correctly, operating as intended, and producing the desired outcome” to meet the required level indicated by the organization and system (Joint Task Force, 2018). The outcomes of this step include the security assessment report (SAR), documentation of findings in the Plan of Actions and Milestones (POA&M), and the development of remediation actions. The POA&M captures and tracks the remediation status of all non-compliant controls identified during the security assessment (Bice, 2021). For Company XYZ’s cell phone system, Table 4 identifies these non-compliant controls.

POA&M ID | Weakness Description | Resources Required | Scheduled Completion Date | Planned Milestones | Risk Rating

V-1 | AC-7 (2)
Weakness Description: Unsuccessful Login Attempts | Purge/Wipe Mobile Device. Cell phones are not configured to factory reset after an organization required number of login attempts.
Resources Required: Sys Admins
Scheduled Completion Date: 3/16/2021
Planned Milestones: (1) 2021-02-24: Install a mobile management application on the cell phones. The enterprise solution for DoD systems is the DISA-Managed DoD Mobility Unclassified Capability (DISA, 2018). (2) 2021-03-16: Deploy a policy onto the devices to manage the number of login attempts and set the number of attempts in accordance with organization guidelines and the applicable STIGs. (3) 2021-03-17: Re-assess control.
Risk Rating: High

V-2 | AC-11
Weakness Description: Session Lock. The cell phone does not lock the screen after 15 minutes or less. The cell phone is currently configured to lock after an hour, which gives adversaries lots of time if the phone is left alone.
Resources Required: Sys Admins
Scheduled Completion Date: 3/16/2021
Planned Milestones: (1) 2021-02-24: Install a mobile management application on the cell phones. The enterprise solution for DoD systems is the DISA-Managed DoD Mobility Unclassified Capability (DISA, 2018). (2) 2021-03-16: Deploy a policy onto the devices to manage cell phone screen timeout settings. Set the screen timeout settings to 15 min or less per the Security Technical Implementation Guides (STIGs) (STIG Viewer, 2018, 2020). Refer to the Apple iOS and Android STIGs for additional information. (3) 2021-03-17: Re-assess control.
Risk Rating: High

V-3 | CM-3
Weakness Description: Configuration Change Control. The organization does not manage the configuration of the cell phones or track changes.
Resources Required: Sys Admins
Scheduled Completion Date: 3/16/2021
Planned Milestones: (1) 2021-02-24: Install a mobile management application on the cell phones. The enterprise solution for DoD systems is the DISA-Managed DoD Mobility Unclassified Capability (DISA, 2018). (2) 2021-03-16: Deploy a policy onto the devices to manage cell phone screen timeout settings. Set the screen timeout settings to 15 min or less per the Security Technical Implementation Guides (STIGs). (3) 2021-03-17: Re-assess control.
Risk Rating: High

V-4 | SI-4
Weakness Description: Information System Monitoring. The organization does not monitor or manage the usage of the cell phone.
Resources Required: Sys Admins
Scheduled Completion Date: 3/16/2021
Planned Milestones: (1) 2021-02-24: Install a mobile management application on the cell phones. The standard for DoD systems is the DISA-Managed DoD Mobility Unclassified Capability. (2) 2021-03-16: Establish a monitoring policy and procedure to identify unauthorized software installations and data transmissions. (3) 2021-03-17: Re-assess control.
Risk Rating: High

Table 4: POA&M – Company XYZ Cell Phone System (Bice, 2021)

To remediate almost all POA&M findings, Company XYZ should deploy an appropriate MDM solution as originally identified in the control implementations. The MDM would allow IT admins to monitor and manage the security configurations on mobile devices, including monitoring for non-compliant devices and configuring remote wipe (Mixon, 2020). For Department of Defense systems, the DISA-Managed DOD Mobility Unclassified Capability (DMUC) is the enterprise MDM solution, which provides an application store, Public-Key Infrastructure (PKI) authentication capabilities, IT help desk support, endpoint protection, content management, and app vetting services (DISA, 2018, n.d.). After the assessment and findings are documented in both the SAR and POA&M, the system goes to the next step in the RMF process.

System Authorization

The fifth step of the RMF process is system authorization. After the SCA conducts an assessment, the results are passed on to the authorizing official (AO). The AO reviews the assessment results and overall authorization package to determine if the security risk to the organization’s operations, individuals, assets, other organizations, or the nation is acceptable (Tipton, 2019). A system with acceptable risk is granted an Authorization to Operate (ATO), allowing it to be deployed in the field. A system with unacceptable risk can be granted either a Denial ATO (DATO), a conditional ATO, or an Interim Approval to Test (IATT). With a DATO, the system is not allowed to deploy. With a conditional ATO, the system can be deployed for a fixed amount of time, typically six months to a year, while the organization fixes POA&M items. With an IATT, the organization has temporary authorization to test within a specific time period (NIST, n.d.). In all three cases, the organization must fix or mitigate POA&M findings prior to obtaining a full ATO.

For Company XYZ, the AO originally granted the cell phone system a DATO due to the lack of an MDM solution, which caused the overall risk to be high. After remediating these critical POA&M items, the AO would grant an ATO. Once granted an ATO, the system moves into the final step in the RMF process.

Continuous Monitoring

The last step of the RMF process is continuous monitoring. Once a system obtains an ATO, it undergoes continuous monitoring. Continuous monitoring is the step that maintains awareness of the security posture of the system and organization in support of risk management decisions (Joint Task Force, 2018). Organizations conduct a system impact analysis (SIA) for ongoing changes in the environment, perform ongoing assessments to verify control implementations, update the authorization package, and develop a system disposal strategy to plan for future system decommissioning. This paper focuses on the continuous monitoring process for controls and ongoing changes in the system.

For Company XYZ’s cell phone system, IT admins had to upgrade the Operating System (OS) due to security vulnerabilities in an old version. The process to address this situation includes conducting an SIA, testing within a test environment, and then deploying to the field. Table 5 details the SIA for this OS change.

Initiative / Release Name:
Project Type: Maintenance: Upgrade OS for both Android and iOS to the latest Commercial off the Shelf (COTS) available product.
System Changes: Operating System Update
Security Risks: Security configuration settings might be reset to default. Additional security vulnerabilities included with the OS capabilities. Would require additional research to verify feature updates.
Planned Deployment Initiation Date: 3/1/2021
Planned Deployment Completion Date: 3/15/2021
Systems Impacted by Change: Cell Phone
Current Security Categorization of Impacted System: H-M-L / High Impact

Table 5: SIA – Company XYZ Cell Phone System (Bice, 2021)

Once the SIA is conducted, Company XYZ identifies and follows a security checklist, otherwise known as a hardening checklist, to ensure the OS change does not affect the overall security posture of the system (NIST, 2011). This checklist is detailed in Table 6.

Step – Description | Completion Date (to be recorded at execution)

1. Download the OS upgrade package to a non-cell-phone system from a legitimate source.
2. Verify the integrity of the file via a checksum analysis to determine if the package is corrupted.
3. Install the OS on a test cell phone system.
4. Download the latest STIG and SCAP benchmarks from https://public.cyber.mil that are applicable to the new OS.
5. Run a SCAP scan and vulnerability (IAVM) scan on the new OS.
6. Conduct a manual STIG assessment for the remaining STIGs.
   - Verify screen lock is configured.
   - Verify remote wipe is configured after 10 attempts.
   - Verify data-at-rest encryption is configured.
7. Remediate any non-compliant STIGs and any IAVM findings.
8. Document instructions for remediating the STIGs and IAVMs in the POA&M.
9. Conduct final security scans.
10. Conduct regression testing to verify critical functionality still remains.
11. If applicable, save the hardened OS off as the new baseline.
12. Deploy the OS in a phased approach to reduce impact to operations.

Table 6: Security Verification Checklist for Cell Phone OS Upgrade
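Two steps of the Table 6 checklist are mechanical enough to script so that each OS upgrade cycle produces the same evidence: the checksum verification of the downloaded package, and the manual STIG verification of screen lock, remote wipe, and data-at-rest encryption on the test phone. The example below is added here and is not the paper's own procedure or any MDM product's export; it hashes the package in chunks, compares against the vendor-published digest in constant time, and then turns each device's configuration report into POA&M-style findings keyed by control ID. The package bytes, the device reports and the report field names (device_id, screen_lock_minutes, wipe_after_failed_attempts, data_at_rest_encrypted) are constructed assumptions for the example; in practice the published digest is copied from the vendor's download page and the reports come from the MDM.

```python
"""Automate the package-integrity and STIG-verification steps of Table 6.

Added example, not from the paper. Device report fields and the sample
package are constructed; thresholds come from Table 3 / Table 6.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple

MAX_LOCK_MINUTES = 15   # AC-11 (STIG Viewer, 2018, 2020)
WIPE_ATTEMPTS = 10      # AC-7 (2)


def sha256_of_file(path: str) -> str:
    """Hash the package in 1 MiB chunks so large OS images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def package_is_intact(path: str, published_sha256: str) -> bool:
    """Checklist step 2: compare against the vendor-published digest."""
    return hmac.compare_digest(sha256_of_file(path).lower(),
                               published_sha256.strip().lower())


def stig_findings(device: dict) -> List[Dict[str, str]]:
    """Checklist step 6: return POA&M-style findings for one device report.

    Assumed report keys: device_id, screen_lock_minutes (None = disabled),
    wipe_after_failed_attempts (None = disabled), data_at_rest_encrypted.
    """
    findings: List[Dict[str, str]] = []
    lock = device.get("screen_lock_minutes")
    if lock is None or lock > MAX_LOCK_MINUTES:
        state = "disabled" if lock is None else f"set to {lock} min"
        findings.append({"control": "AC-11", "risk": "High",
                         "weakness": f"screen lock {state}; must be {MAX_LOCK_MINUTES} min or less"})
    wipe = device.get("wipe_after_failed_attempts")
    if wipe is None or wipe > WIPE_ATTEMPTS:
        state = "disabled" if wipe is None else f"set to {wipe} attempts"
        findings.append({"control": "AC-7 (2)", "risk": "High",
                         "weakness": f"remote wipe {state}; must trigger at {WIPE_ATTEMPTS} attempts"})
    if not device.get("data_at_rest_encrypted", False):
        findings.append({"control": "SC-28", "risk": "High",
                         "weakness": "data-at-rest encryption is not enabled"})
    return findings


# Constructed device configuration reports (not real devices).
SAMPLE_DEVICES = [
    {"device_id": "xyz-ios-0001", "screen_lock_minutes": 15,
     "wipe_after_failed_attempts": 10, "data_at_rest_encrypted": True},
    {"device_id": "xyz-android-0002", "screen_lock_minutes": 60,   # the V-2 weakness
     "wipe_after_failed_attempts": None, "data_at_rest_encrypted": True},
]


def make_sample_package() -> Tuple[str, str]:
    """Write a constructed stand-in for the OS package; return (path, sha256).

    The digest stands in for the one the vendor publishes beside the download.
    """
    directory = tempfile.mkdtemp(prefix="xyz-os-upgrade-")
    path = os.path.join(directory, "os-upgrade-sample.bin")
    payload = b"CONSTRUCTED SAMPLE OS PACKAGE\n" * 4096
    with open(path, "wb") as fh:
        fh.write(payload)
    return path, hashlib.sha256(payload).hexdigest()


def run_checklist(package_path: str, published_sha256: str, devices: list) -> dict:
    """Run steps 2 and 6; a corrupted package stops the run before step 3."""
    ok = package_is_intact(package_path, published_sha256)
    per_device = {d["device_id"]: stig_findings(d) for d in devices} if ok else {}
    return {"package_ok": ok,
            "devices_with_findings": [dev for dev, f in per_device.items() if f],
            "findings": per_device}


if __name__ == "__main__":
    pkg, digest = make_sample_package()
    print(run_checklist(pkg, digest, SAMPLE_DEVICES))
```

On the constructed reports the iOS device passes and the Android device yields AC-11 and AC-7 (2) findings, the same pair that Table 4 tracks as V-2 and V-1; writing each finding with its control ID makes the output drop straight into the POA&M in checklist step 8.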

Additionally, with these changes, Company XYZ should verify the security status of previously implemented controls on a periodic basis, if applicable. These controls and their continuous monitoring frequencies are identified in Table 7.

Control | Continuous Monitoring Frequency

RA-5 Vulnerability Scanning | Monthly / Annually (FedRAMP, 2018)
SI-2 Flaw Remediation | Monthly (FedRAMP, 2018)
SI-4 Information System Monitoring | Continuous and ongoing (FedRAMP, 2018)
SI-7 Software, Firmware, and Information Integrity | Monthly (FedRAMP, 2018)

Table 7: Continuous Monitoring Control Frequencies

Company XYZ will continue to monitor the security posture of the cell phone system throughout the system lifecycle. After three years, however, the system will be required to undergo a full RMF reassessment, where the AO will determine if Company XYZ is maintaining a tolerable risk level.

Conclusion

As Company XYZ develops information systems to support business and mission needs, security should be a top priority, especially with many threat actors targeting defense contractors. Company XYZ is developing a cell phone system for dissemination to employees. To ensure these systems are secure and reduce the risk as much as possible, Company XYZ should follow the risk management framework. RMF will allow the company to accurately, thoroughly, and effectively implement secure solutions for many security controls. This paper discusses the full RMF cycle with respect to the Company XYZ cell phone system.

References

Asadoorian, P. (2012, July 19). Detecting Mobile Device Vulnerabilities Using Nessus. From https://www.tenable.com/blog/detecting-mobile-device-vulnerabilities-using-nessus#:~:text=The%20new%20%22Mobile%22%20tab%20in,it%2C%20and%20mobile%20device%20vulnerabilities.

Barker, W., Fahlsing, J., Kissel, R., Lee, A., Stine, K. (2008, August). NIST SP 800-60 Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. From https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf

Bice, E. (2021, January 24). Security Categorization White Paper.

Bice, E. (2021, January 31). Security Controls White Paper.

Bice, E. (2021, February 6). Implementation White Paper.

Bice, E. (2021, February 14). Security Assessment White Paper.

Bice, E. (2021, February 21). Security Authorization.

CISA (2019, November 20). Security Tip (ST18-003): Securing Enterprise Wireless Networks. From https://us-cert.cisa.gov/ncas/tips/ST18-247

DISA (2018, August 1). DISA expands mobility offering to organizations not using DOD Enterprise Email. From https://www.disa.mil/NewsandEvents/2018/DISA-expands-mobility-Enterprise-Email

DISA (n.d.). DoD Mobility Unclassified Capability (DMUC). From https://disa.mil/-/media/Files/DISA/Fact-Sheets/180918-Fact_Sheet-DMUC.ashx

FedRAMP (2018, April 4). FedRAMP Continuous Monitoring Strategy Guide. From https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf

Joint Task Force. (2018, December). NIST SP 800-37 R2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. From https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Joint Task Force. (2020, September). NIST SP 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations. From https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

Joint Task Force Transformation Initiative (JTFTI). (2012, September). NIST SP 800-30r1: Information Security. From https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Klein, M. (2016, July 28). How to Erase Your iOS Device After Too Many Failed Passcode Attempts. From https://www.howtogeek.com/264369/how-to-erase-your-ios-device-after-too-many-failed-passcode-attempts/

Manage Engine. (n.d.). What is Mobile Device Management (MDM)? From https://www.manageengine.com/mobile-device-management/what-is-mdm.html

Mixon, E. (2020, April). mobile device management (MDM). From https://searchmobilecomputing.techtarget.com/definition/mobile-device-management

NIST. (2011, September). NIST Special Publication 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. From https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

NIST. (n.d.). interim authorization to test (IATT). From https://csrc.nist.gov/glossary/term/interim_authorization_to_test

Petters, J. (2021, January 29). Risk Management Framework (RMF): An Overview. From https://www.varonis.com/blog/risk-management-framework/

Plunkett, D. (2014, March 27). CNSSI No. 1253: Security Categorization and Control Selection for National Security Systems. From https://www.dcsa.mil/portals/91/documents/ctp/nao/CNSSI_No1253.pdf

Rosenblatt, S. (2016, March 11). How to FBI-proof your Android. From https://the-parallax.com/2016/03/11/how-to-fbi-proof-your-android/

STIG Viewer. (2013, January 24). Mobile Device Manager Security Requirements Guide. From https://www.stigviewer.com/stig/mobile_device_manager_security_requirements_guide/2013-01-24/

STIG Viewer. (2018, November 28). Apple iOS must be configured to lock the display after 15 minutes (or less) of inactivity. From https://www.stigviewer.com/stig/apple_ios_12/2018-11-28/finding/V-81759

STIG Viewer. (2020, February 24). Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity. From https://www.stigviewer.com/stig/samsung_os_9_with_knox_3.x_cobo_use_case_kpeae_deployment/2020-02-24/finding/V-92879

Tipton, S. (2019, December 10). How to Apply the Risk Management Framework (RMF). From https://www.tripwire.com/state-of-security/featured/applying-risk-management-framework/