V-35262 | High | The mobile application must not execute unsigned DoD Mobile Code Policy Category 1A or 2 mobile code. | Use of un-trusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system. Unsigned code is potentially dangerous to use since there... |
V-35524 | High | The mobile application must employ NSA-approved cryptography to protect classified information. | Unclassified information is also at risk to exposure if no encryption is used, or if a non-NSA validated cryptography module is not used. NSA-compliant cryptography must be applied; unapproved... |
V-35531 | High | The mobile application must provide integrity protection for the classification attributes bound to the transmitted data if it transmits classified data. | Data classification attributes include the level of classification (e.g., Secret, Top Secret) and additional handling or program parameters if they exist. Data classification attributes are used... |
V-35084 | High | The mobile application must not permit any classification attribute to be modified to a lower level of classification if it processes classified data. | A classification attribute assures the data is correctly handled and processed according to its sensitivity. If the classification attribute can be modified, then there is a risk to... |
V-35164 | High | The mobile application must not modify, request, or assign values for operating system parameters unless necessary to perform application functions. | An application that operates with the privileges of its host OS is vulnerable to integrity issues and escalated privileges that would affect the entire platform and device. If the application is... |
V-35166 | High | The mobile application must not execute as a privileged operating system process unless necessary to perform any application functions. | An application that operates with the privileges of its host OS will make the OS, device, and other applications vulnerable to such issues as escalated privileges that would affect the entire... |
V-35083 | High | The mobile application must store an associated data attribute corresponding to the highest classification of data in the file it stores classified data. | A classification attribute assures the data is correctly handled and processed according to its sensitivity. If the classification attribute is missing, then there is risk to data... |
V-35087 | High | The mobile application must assign the classification corresponding to the highest classification of its elements whenever it combines data elements classified at multiple levels. | A classification attribute assures the data is correctly handled and processed according to its sensitivity. Data of mixed classification is vulnerable to accidental exposure if it is combined... |
V-35085 | High | The mobile application must include classification attributes with transmitted data if it transmits classified data. | A classification attribute assures the data is correctly handled and processed according to its sensitivity when it is transmitted. Transmitted data is vulnerable to exposure through incorrect... |
V-35264 | High | The mobile application must not permit DoD Mobile Code Policy Category 2 mobile code to access any resource not dedicated to the mobile application. | Mobile code cannot conform to traditional installation and configuration safeguards. The use of local operating system resources and spawning of network connections introduce harmful and uncertain... |
V-35265 | High | The mobile application must not use mobile code technology that is not yet categorized in accordance with the DoD Mobile Code Policy. | Mobile code does not require any traditional software acceptance testing or security validation. Mobile code needs to follow sound policy to maintain a reasonable level of trust. Mobile code that... |
V-35263 | High | The mobile application must validate the signature on DoD Mobile Code Policy Category 1A and 2 mobile code before executing such code. | Untrusted mobile code may contain malware or malicious code and digital signatures provide a source of the content which is crucial to authentication and trust of the data. Category 2 mobile code... |
V-35801 | High | The mobile application source code must not contain known malware. | Malware will compromise the application data, device, and system to every possible compromising scenario. Under no circumstances will any code that is known to contain malware be used. The... |
V-35755 | High | The mobile application must not record or forward sensor data unless explicitly authorized to do so. | Sensors include the GPS, gyroscope, accelerometer, camera, and microphone. When sensor data is either recorded locally or sent to a remote server, the potential exists for an adversary to obtain... |
V-35348 | High | The mobile application code must not include embedded interpreters for prohibited mobile code. | Embedding interpreters for prohibited code will expose the device and stored data to all forms of malicious attacks. Prohibited code is intentionally not used in order to maintain the security and... |
V-35756 | Medium | The mobile application installation package must be digitally signed in accordance with FIPS 186-3. | One of the biggest risks on a mobile device is that it will execute malware that will compromise sensitive data on the device or enable subsequent attacks on other DoD information systems. One... |
V-35124 | Medium | The application must monitor for unauthorized connections of mobile devices to organizational information systems. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
V-35754 | Medium | The mobile application must initialize all parameter values on start up. | An application could be compromised, providing an attack vector to it if the application initialization process is not designed to keep the application in both a secure and functional state. Any... |
V-35126 | Medium | The mobile application must not permit execution of code without user direction unless the code is sourced from an organization-defined list of approved network resources. | Unapproved and thus untrusted code presents a very high risk for malicious action by network and device intruders. Some mobile applications enable adware and other real time execution of code. If... |
V-35459 | Medium | The application must support organizational requirements to enforce minimum password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
V-35458 | Medium | Applications must support organizational requirements to disable user accounts after an organization-defined time period of inactivity. | Users are often the first line of defense within an application. Active users take notice of system and data conditions and are usually the first to notify systems administrators when they notice... |
V-35750 | Medium | The mobile application must not be vulnerable to integer arithmetic vulnerabilities. | Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible... |
V-35122 | Medium | Applications must support the capability to disable network protocols deemed by the organization to be nonsecure except for explicitly identified components in support of specific operational requirements. | This control is related to remote access but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system by a... |
V-35455 | Medium | Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based. | Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by... |
V-35457 | Medium | Web services applications establishing identities at run-time for previously unknown entities must dynamically manage identifiers, attributes, and associated access authorizations. | Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. The... |
V-35290 | Medium | The application must produce audit records that contain sufficient information to establish the outcome (success or failure) of the events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes but is not... |
V-35288 | Medium | The application must produce audit records containing sufficient information to establish where the events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35289 | Medium | The application must produce audit records containing sufficient information to establish the sources of the events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes but is not... |
V-35553 | Medium | The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. Authoritative DNS servers are... |
V-35518 | Medium | Mobile applications involved in the production, control, and distribution of symmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes. | Symmetric cryptographic keys must be managed according to approved processes using approved technology, to ensure malicious intruders do not take advantage of any network resource exposure that... |
V-35519 | Medium | Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes. | Asymmetric cryptographic keys must be managed according to approved processes using approved technology, to ensure malicious intruders do not take advantage of any network resource exposure that... |
V-35638 | Medium | Applications must, for organization-defined information system components, load and execute the operating environment from hardware-enforced, read-only media. | Organizations may require the information system to load the operating environment from hardware enforced read-only media. The term operating environment is defined as the code upon which... |
V-35280 | Medium | The application must provide audit record generation capability for defined auditable events within defined application components. | Audit records can be generated from various components within the information system. (e.g. network interface, hard disk, modem etc.). From an application perspective, certain specific application... |
V-35281 | Medium | The application must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system. | Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific... |
V-35282 | Medium | Applications must generate audit records for the DoD selected list of auditable events. | Audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is... |
V-35283 | Medium | The application must initiate session auditing upon start up. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or... |
V-35284 | Medium | The application must provide the capability to capture, record, and log all content related to a user session. | While a great deal of effort is made to secure applications so as to prevent unauthorized access, in certain instances there can be valid requirements to capture, record and log all content... |
V-35285 | Medium | The application must provide the capability to remotely view/hear all content related to an established user session in real time. | While a great deal of effort is made to secure applications so as to prevent unauthorized access, in certain instances there can be valid requirements to listen/hear or view all content related to... |
V-35286 | Medium | The application must produce audit records containing sufficient information to establish what type of events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35287 | Medium | The application must produce audit records containing sufficient information to establish when (date and time) the events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35594 | Medium | Applications must meet organizational requirements to implement an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions. | The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
V-35291 | Medium | The application must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35597 | Medium | The application must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications. | Applications will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within the application. This information can then be used for diagnostic purposes,... |
V-35414 | Medium | The application must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
V-35591 | Medium | The application must automatically terminate emergency accounts after an organization defined time period for each type of account. | Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative... |
V-35592 | Medium | Applications must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions. | Application functionality is typically broken down into modules that perform various tasks or roles. Examples of non-privileged application functionality include, but are not limited to,... |
V-35466 | Medium | The application must support organizational requirements to enforce password complexity by the number of numeric characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
V-35751 | Medium | The mobile application must not call functions vulnerable to buffer overflows. | Buffer overflow attacks occur when improperly validated input is passed to an application overwriting of memory. Buffer overflow errors stop execution of the application causing a minimum of... |
V-35712 | Medium | Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy. | Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused... |
V-35211 | Medium | Applications must provide the ability to enforce security policies regarding information on interconnected systems. | The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow... |
V-35210 | Medium | Applications must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy. | The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow... |
V-35245 | Medium | Applications must enforce information flow control on metadata. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35352 | Medium | Applications must use internal system clocks to generate time stamps for audit records. | Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Time stamps generated by the information system... |
V-35350 | Medium | Applications must provide a report generation capability for audit reduction data. | In support of Audit Review, Analysis, and Reporting requirements, audit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. Before a... |
V-35171 | Medium | When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the mobile application must enforce a non-discretionary access control policy that prohibits a user from accessing DoD data when operating in a persona not authorized for access to data categorized at that level. | If a device supports multiple persona, the potential exists for data to migrate from one domain to another in an unauthorized or inadvertent manner. In the case of a dual persona device that... |
V-35356 | Medium | The application must protect audit information from unauthorized modification. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity... |
V-35357 | Medium | The application must protect audit information from unauthorized deletion. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity... |
V-35354 | Medium | The application must protect audit information from any type of unauthorized access. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In... |
V-35722 | Medium | Applications providing notifications regarding suspicious events must include the capability to notify an organization-defined list of response personnel who are identified by name and/or by role. | Incident response applications are by their nature designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is... |
V-35130 | Medium | Applications must provide automated mechanisms for supporting user account management. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management. | A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. Examples... |
V-35247 | Medium | Applications providing information flow control must uniquely authenticate destination domains when transferring information. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35339 | Medium | The application must alert designated organizational officials in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include; software/hardware errors, failures... |
V-35725 | Medium | The application must enforce organizational requirements to protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion. | Intrusion monitoring applications are by their nature designed to monitor and record network and system traffic and activity. They can accumulate a significant amount of sensitive data, examples... |
V-35411 | Medium | Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,... |
V-35729 | Medium | The application must notify appropriate individuals when accounts are created. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create... |
V-35728 | Medium | The application must use cryptographic mechanisms to protect the integrity of audit tools | Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all information (e.g., audit records, audit... |
V-35110 | Medium | Applications providing remote access connectivity must use cryptography to protect the integrity of the remote access session. | Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the... |
V-35631 | Medium | The application must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative... |
V-35528 | Medium | Software and/or firmware used for collaborative computing devices must prohibit remote activation excluding the organization-defined exceptions where remote activation is to be allowed. | Collaborative computing devices include, networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients. Rationale for... |
V-35469 | Medium | The application must support organizational requirements to enforce password encryption for storage. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. Rationale for non-applicability: The MAPP SRG does not require... |
V-35635 | Medium | Applications required to be non-modifiable must support organizational requirements to provide components that contain no writeable storage capability. These components must be persistent across restart and/or power on/off. | Organizations may require applications or application components to be non-modifiable or to be stored and executed on non-writeable storage. Use of non-modifiable storage ensures the integrity of... |
V-35242 | Medium | Applications must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35521 | Medium | Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or Class 4 certificates and hardware tokens that protect the user's private key. | Class 3 and 4 certificates are issued by individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). A hardware token offers an additional layer of... |
V-35520 | Medium | Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material. | Class 3 certificates are issued to individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). Class 3 certificates undergo independent verification and... |
V-35523 | Medium | Applications must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-35522 | Medium | The mobile application must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | Cryptographic protection assures all data at rest and in transit is protected from malicious intruders. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to... |
V-35525 | Medium | Applications must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
V-35527 | Medium | The application must protect the integrity and availability of publicly available information and applications. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of... |
V-35526 | Medium | The mobile application must shut down or take an alternative organization defined action when it determines that one of its required security functions is unavailable. | While mobile applications primarily rely on MOS security controls, a mobile application may contain security functions that enable the device and user to operate in a secure manner. For example,... |
V-35249 | Medium | Applications must support organizational requirements to implement separation of duties through assigned information access authorizations. | Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system including the operating system and in applications. It serves... |
V-35160 | Medium | The application must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. | User based collaboration and information sharing applications present challenges regarding classification and dissemination of information generated and shared among the application users. These... |
V-35407 | Medium | The application must use multifactor authentication for local access to privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,... |
V-35206 | Medium | Applications providing flow control must identify data type, specification and usage when transferring information between different security domains so that policy restrictions may be applied. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35207 | Medium | Applications, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35208 | Medium | When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the mobile application must implement or incorporate policy filters that constrain data objects and structure attributes according to organizational security policy statements. | Transferring data between various personas, such as DoD, non-DoD, personal or public etc., subjects the data to both accidental exposure and malicious intruders able to gain access to the device... |
V-35209 | Medium | Applications designed to control information flow must provide the ability to detect unsanctioned information being transmitted across security domains. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35536 | Medium | Applications must support organizational requirements to issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
V-35731 | Medium | The application must notify appropriate individuals when account disabling actions are taken. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves.... |
V-35732 | Medium | The application must notify appropriate individuals when accounts are terminated. | When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes... |
V-35530 | Medium | The mobile application must associate security attributes with information exchanged between information systems. | When data is exchanged between information systems, security attributes must be associated with this data. Security attributes are an abstraction representing the basic properties or... |
V-35268 | Medium | In order to inform the user of the number of successful login attempts made with the user's account, the application must notify the user of the number of successful logins/accesses occurring during an organization-defined time period. | Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of successful attempts made to login to their account... |
V-35471 | Medium | Applications must enforce password minimum lifetime restrictions. | Password minimum lifetime is defined as: the minimum period of time, (typically in days) a user's password must be in effect before the user can change it. Restricting this setting limits the... |
V-35538 | Medium | Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must implement detection and inspection mechanisms to identify unauthorized mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-35147 | Medium | Applications must support the requirement to automatically audit account creation. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply... |
V-35146 | Medium | The application must be capable of automatically disabling accounts after a 35 day period of account inactivity. | Users are often the first line of defense within an application. Active users take notice of system and data conditions and are usually the first to notify systems administrators when they notice... |
V-35145 | Medium | The application must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period. | Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic... |
V-35382 | Medium | Configuration management applications must employ automated mechanisms to centrally apply configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-35385 | Medium | Configuration management applications must employ automated mechanisms to centrally respond to unauthorized changes to configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-35386 | Medium | Configuration management solutions must track unauthorized, security-relevant configuration changes. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-35388 | Medium | The application must enforce requirements for remote connections to the information system. | Applications that provide remote access to information systems must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy... |
V-35149 | Medium | Applications must support the requirement to automatically audit account modification. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify... |
V-35517 | Medium | The application must establish a trusted communications path between the user and organization-defined security functions within the information system. | The application user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf. A trusted path... |
V-35259 | Medium | Applications must configure their auditing to reduce the likelihood of storage capacity being exceeded. | Applications need to be cognizant of potential audit log storage capacity issues. During the installation and/or configuration process, applications should detect and determine if adequate storage... |
V-35510 | Medium | The application must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-35467 | Medium | The application must support organizational requirements to enforce password complexity by the number of special characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how... |
V-35511 | Medium | The application must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-35468 | Medium | The application must support organizational requirements to enforce the number of characters that get changed when passwords are changed. | Passwords need to be changed at specific policy based intervals. If the information system or application allows the user to consecutively reuse extensive portions of their password when they... |
V-35239 | Medium | Applications providing information flow control must track problems associated with the binding of security attributes to data. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35512 | Medium | The application must terminate all sessions and network connections when non-local maintenance is completed. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-35256 | Medium | Applications must display an approved system use notification message or banner before granting access to the system. | Applications are required to display an approved system use notification message or banner before granting access to the system providing privacy and security notices consistent with applicable... |
V-35513 | Medium | Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media such as thumb drives, floppy diskettes, compact disks, magnetic tape etc, there is risk of data loss. An organizational assessment of risk guides the... |
V-35231 | Medium | The application must bind security attributes to information to facilitate information flow policy enforcement. | The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow... |
V-35230 | Medium | Applications must uniquely identify destination domains for information transfer. | The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow... |
V-35543 | Medium | Applications utilizing mobile code must meet policy requirements regarding the acquisition, development, and/or use of mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-35541 | Medium | Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-35548 | Medium | The application must separate user functionality (including user interface services) from information system management functionality. | Information system management functionality includes, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The... |
V-35547 | Medium | Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization-defined software applications and require organization-defined actions prior to executing the code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-35708 | Medium | Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user. | Malicious code protection software must be protected to prevent a non-privileged user or malicious piece of software from manipulating the protection update mechanism. Malicious code includes,... |
V-35545 | Medium | Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-35258 | Medium | Applications must display an approved system use notification message or banner before granting access to the system. | Applications must display an approved system use notification message or banner before granting access to the system. The banner shall be formatted in accordance with the DoD policy "Use of DoD... |
V-35705 | Medium | The application must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization-defined information system components. Patch management tools must be automated. | The organization (including any contractor to the organization) shall promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during... |
V-35704 | Medium | Applications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization-defined basis. | Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report... |
V-35255 | Medium | Applications, when the maximum number of unsuccessful attempts are exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator IAW organizational policy. | Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these... |
V-35706 | Medium | The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing. | Anti-virus and malicious software detection applications utilize signature definitions in order to identify viruses and other malicious software. These signature definitions need to be constantly... |
V-35253 | Medium | The application must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. | Anytime an authentication method is exposed, so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To aid in defeating... |
V-35252 | Medium | Applications must have the capability to limit the number of failed login attempts based upon an organization defined number of consecutive invalid attempts occurring within an organization defined time period. | Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these... |
V-35251 | Medium | Applications must be able to function within separate processing domains (virtualized systems), when specified, so as to enable finer-grained allocation of user privileges. | Applications must employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in... |
V-35154 | Medium | The application must automatically audit account termination and notify appropriate individuals. | When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes... |
V-35155 | Medium | Applications must support the organizational requirement to automatically monitor on atypical usage of accounts. | Atypical account usage is behavior that is not part of normal usage cycles. For example, user account activity occurring after hours or on weekends. A comprehensive account management process will... |
V-35111 | Medium | The application must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any... |
V-35658 | Medium | The mobile application must validate the correctness of data inputs. | Inputs may come from users or other processes. Absence of input validation opens an application to improper application functioning, the risk of manipulation of data by an adversary and the... |
V-35703 | Medium | Applications providing patch management capabilities must support the organizational requirements to install software updates automatically. | Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security... |
V-35152 | Medium | The application must automatically audit account disabling actions and notify appropriate individuals. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves.... |
V-35399 | Medium | The application must support and must not impede organizational requirements to conduct backups of information system documentation including security-related documentation per organization-defined frequency. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system... |
V-35396 | Medium | The mobile application must implement transaction recovery if it is transaction based. | Transaction based systems must have transaction rollback and transaction journaling, or technical equivalents implemented to ensure the system can recover from an attack or faulty transaction... |
V-35397 | Medium | Backup / Disaster Recovery oriented applications must be capable of backing up user-level information per a defined frequency. | Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to... |
V-35651 | Medium | Applications must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority. | Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components... |
V-35250 | Medium | Application users must utilize a separate, distinct administrative account when accessing application security functions or security-relevant information. Non-privileged accounts must be utilized when accessing non-administrative application functions. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control... |
V-35158 | Medium | Service Oriented Architecture (SOA) based applications must dynamically manage user privileges and associated access authorizations. | Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. The... |
V-35656 | Medium | The mobile application must prevent XML injection. | XML injection may result in an immediate loss of integrity of the data. Any vulnerability associated with a DoD Information system, the exploitation of which, by a risk factor, will directly and... |
V-35655 | Medium | The application must be capable of implementing host-based boundary protection mechanisms for servers, workstations, and mobile devices. | A host-based boundary protection mechanism is a host-based firewall. Host-based boundary protection mechanisms are employed on mobile devices, such as notebook/laptop computers, and other types of... |
V-35391 | Medium | The mobile application must not include source code never invoked during operation, except for software components and libraries from approved third-party products. | Unused software and libraries increase a program size without any benefits and furthermore, may contain malicious code that would be later executed, and compromise the application and all stored... |
V-35515 | Medium | Application software used to detect the presence of unauthorized software must employ automated detection mechanisms and notify designated organizational officials in accordance with the organization-defined frequency. | Scanning software is purpose built to check for vulnerabilities in the information system and hosted applications and is also used to enumerate platforms, software flaws, and improper... |
V-35119 | Medium | The application must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. | Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the... |
V-35228 | Medium | The mobile application must identify the persona from which data is coming before permitting transfer to or from a DoD persona when the mobile application supports multiple personas. | Transfer of data from one persona to another on a device that supports multiple personas poses two significant risks. First, malware present in one persona could migrate to another persona. In... |
V-35229 | Medium | A mobile application must authenticate the persona from which data is coming before permitting transfer to or from a DoD persona when the mobile application supports multiple personas. | Transfer of data from one persona to another on a device that supports multiple personas poses two significant risks. First, malware present in one persona could migrate to another persona. In... |
V-35246 | Medium | Applications must use security policy filters as a basis for making information flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35462 | Medium | The application must support organizational requirements to enforce password complexity by the number of upper case characters used. | Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
V-35550 | Medium | The application must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users. | Information system management functionality includes, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The... |
V-35730 | Medium | The application must notify appropriate individuals when accounts are modified. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify... |
V-35718 | Medium | Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions. | Unusual/unauthorized activities or conditions include internal traffic indicating the presence of malicious code within an information system or propagating among system components, the... |
V-35719 | Medium | Applications that detect and alarm on security events such as Intrusion Detection, Firewalls, Anti-Virus, or Malware must provide near real-time alert notification. | When an intrusion detection security event occurs it is imperative the application that has detected the event immediately notify the appropriate support personnel so they can respond accordingly.... |
V-35555 | Medium | The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. Authoritative DNS servers are... |
V-35364 | Medium | The application must have the capability to produce audit records on hardware-enforced, write-once media. | Applications are typically designed to incorporate their audit logs into the auditing sub-system hosted by the operating system. However, in some instances application developers may decide to... |
V-35557 | Medium | The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. | A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. Authoritative DNS servers are... |
V-35558 | Medium | Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation. | A Domain Name System (DNS) server is an example of an information system providing name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
V-35713 | Medium | Applications providing malicious code protection must support organizational requirements to be configured to perform organization-defined action(s) in response to malicious code detection. | Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused... |
V-35710 | Medium | Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration | Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization caused by... |
V-35711 | Medium | Applications scanning for malicious code must support organizational requirements to configure malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. | Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused... |
V-35717 | Medium | For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring. | There is a recognized need to balance encrypting traffic versus the need to have insight into the traffic from a monitoring perspective. For some organizations, the need to ensure the... |
V-35714 | Medium | Applications providing malicious code protection must support organizational requirements to address the receipt of false positives during malicious code detection, eradication efforts, and the resulting potential impact on the availability of the information system. | In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes,... |
V-35243 | Medium | Applications must prevent encrypted data from bypassing content-checking mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35648 | Medium | Applications must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | When it comes to DoS attacks most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to... |
V-35418 | Medium | The mobile application must authenticate devices using bidirectional cryptographic authentication if it manages wireless network connections for other devices. | If a wireless device authenticates on a network without using encryption to protect the authentication data, then the device is vulnerable to intruders who will perform either replay or... |
V-35470 | Medium | The application must support organizational requirements to enforce password encryption for transmission. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. Rationale for non-applicability: The MAPP SRG does not have a... |
V-35169 | Medium | The application must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands. | Dual authorization requires 2 distinct approving authorities to approve the use of an application command prior to it being invoked. This capability is typically reserved for specific application... |
V-35168 | Medium | A mobile application must not call APIs or otherwise invoke resources external to the mobile application unless such activity serves the documented purposes of the mobile application. | An application that does not operate within what should be an appropriate sandbox will expose the device and all stored data inadvertently to non-secure domains, as well as, provide a path for a... |
V-35413 | Medium | The application must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
V-35412 | Medium | Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,... |
V-35644 | Medium | Applications must not share resources used to interface with systems operating at different security levels. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
V-35394 | Medium | To support the requirements and principles of least functionality, the application must support organizational requirements regarding the use of automated mechanisms preventing program execution on the information system in accordance with the organization defined specifications. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-35646 | Medium | Applications must protect against or limit the effects of the organization-defined or referenced types of Denial of Service (DoS) attacks. | A variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on... |
V-35416 | Medium | Applications required to identify devices must uniquely identify and authenticate an organization-defined list of specific and/or types of devices before establishing a connection. | Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by... |
V-35650 | Medium | Applications must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. | In the case of application DoS attacks, care must be taken when designing the application so as to ensure that the application makes the best use of system resources. SQL queries have the... |
V-35392 | Medium | The mobile application must not utilize ports or protocols in a manner inconsistent with DoD Ports and Protocols guidance. | Failure to comply with DoD Ports, Protocols Services Management (PPSM) Category Assurance List (CAL) and associated vulnerability assessments may result in compromise of mobile protections or... |
V-35474 | Medium | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and... |
V-35115 | Medium | The application must monitor for unauthorized remote connections to the information system on an organization-defined frequency. | Organizations need to monitor for unauthorized remote access connections to information systems in order to determine if break-in attempts or other unauthorized activity is occurring. There are... |
V-35359 | Medium | The application must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-35507 | Medium | Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected. | When responding to a security incident a capability must exist allowing authorized personnel to disable a particular system if the system exhibits a security violation and the organization... |
V-35295 | Medium | The application must provide a real-time alert when organization-defined audit failure events occur. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures... |
V-35095 | Medium | The mobile application must maintain the binding of classification attributes to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions if it transmits classified data. | Losing a data classification attribute bind or using a weak bind offers a very high potential for this data to be misclassified once it has been received and further distributed as a result of its... |
V-35097 | Medium | The mobile application must enable the user of the mobile device to assign a classification level to any data the user creates while using the mobile device, unless the application concept of operations requires that all data be handled at a single classification level. | Data at rest or data in transit is at risk to exposure if improperly classified; IA controls not in place as a result of incorrect or non-labeling can result in non-secure transmission and storage... |
V-35294 | Medium | Applications themselves, or the logging mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures... |
V-35297 | Medium | The application must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds. | It is critical when a system is at risk of failing to process audit logs as required; actions are automatically taken to mitigate the failure or risk of failure. One method used to thwart the... |
V-35570 | Medium | The mobile application must fail to an initial state when the application unexpectedly terminates, unless it maintains a secure state at all times. | An application maintains a secure state when there is strong assurance that each of its state transitions is consistent with the application's security policy. For many mobile applications, the... |
V-35093 | Medium | The application must provide the capability to specify administrative users and grant them the right to change application security attributes pertaining to application data. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. Security attributes... |
V-35675 | Medium | Boundary protection applications must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces. | Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. Applications monitoring and/or controlling communications at the external... |
V-35278 | Medium | Applications that utilize Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user. | DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write).... |
V-35677 | Medium | Any software application designed to function as a firewall must be capable of employing a default deny all configuration. | A firewall default deny is a firewall configuration setting that will force the administrator to explicitly allow network or application traffic rather than allowing all traffic by default. The... |
V-35405 | Medium | The application must use multifactor authentication for network access to non-privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,... |
V-35402 | Medium | The application must use multifactor authentication for network access to privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,... |
V-35568 | Medium | Applications must generate unique session identifiers with organization defined randomness requirements. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a... |
V-35673 | Medium | Boundary protection applications must fail securely in the event of an operational failure. | Fail secure is a condition achieved by the application of a set of information system mechanisms to ensure that in the event of an operational failure of a boundary protection device at a managed... |
V-35401 | Medium | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated. Organizational users include organizational employees or individuals the... |
V-35271 | Medium | The application must protect against an individual falsely denying having performed a particular action. | Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message,... |
V-35270 | Medium | Applications must notify users of organization-defined security-related changes to the user's account occurring during the organization-defined time period. | Some organizations may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of... |
V-35273 | Medium | If the mobile application processes digitally signed data or code, then it must validate the digital signature. | Mobile code and data files created by an untrusted source may contain malware or malicious code as a result of the source's nature. Though digital signatures provide a level of authenticity which... |
V-35561 | Medium | Applications must terminate user sessions upon user logout or any other organization or policy defined session termination events, such as idle time limit exceeded. | This requirement focuses on communications protection at the application session, versus network packet level. Session IDs are tokens generated by web applications to uniquely identify an... |
V-35274 | Medium | Applications must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. | Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received... |
V-35563 | Medium | Applications providing a login capability must also provide a logout functionality to allow the user to manually terminate the session. | An application that will not allow the user the ability to log out will leave the application and all stored data vulnerable to unauthorized access in the event an adversary is able to unlock the... |
V-35276 | Medium | Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
V-35077 | Medium | Applications must ensure that users can directly initiate session lock mechanisms which prevent further access to the system. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the... |
V-35076 | Medium | The application must support the requirement to initiate a session lock after an organization defined time period of system or application inactivity has transpired. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the... |
V-35506 | Medium | The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status... |
V-35072 | Medium | The application must be able to define the maximum number of concurrent sessions for an application account globally, by account type, by account, or a combination thereof. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the... |
V-35560 | Medium | Application must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication. | This control focuses on communications protection at the session, versus packet, level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an... |
V-35179 | Medium | Applications providing information flow control must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35177 | Medium | Applications providing information flow control must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35174 | Medium | Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system, and between information systems (as opposed to who is allowed to access the information),... |
V-35172 | Medium | The application must enforce a Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
V-35173 | Medium | The application must prevent access to organization-defined security-relevant information except during secure, non-operable system states. | Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce... |
V-35078 | Medium | The application must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the... |
V-35800 | Medium | Applications must enforce information flow using dynamic control based on policy that allows or disallows information flow based on changing conditions or operational considerations. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35351 | Medium | Applications must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
V-35707 | Medium | The application must prevent non-privileged users from circumventing malicious code protection capabilities. | Malicious code protection software must be protected so as to prevent a non-privileged user or malicious piece of software from disabling the protection mechanism. A common tactic of malware is to... |
V-35753 | Medium | The mobile application must not be vulnerable to race conditions. | A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different... |
V-35383 | Medium | Configuration management applications must employ automated mechanisms to centrally verify configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-35688 | Medium | Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks. | This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a... |
V-35363 | Medium | The application must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-35360 | Medium | The application must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-35367 | Medium | The application must protect the audit records generated as a result of remote accesses to privileged accounts and the execution of privileged functions. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable... |
V-35365 | Medium | The application must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization-defined frequency. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an... |
V-35275 | Medium | The application must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain. | This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when transfer is occurring between... |
V-35369 | Medium | The mobile application must not change the file permissions of any files other than those dedicated to its own operation. | A file's access level is pivotal to a mobile application and its data's security. The modification of a file's permission must be strictly controlled in an effort to maintain the integrity and... |
V-35086 | Medium | The mobile application must assign a classification attribute to any newly created data file or stream if it stores, processes, or transmits classified data. | A classification attribute assures the data is correctly stored, transmitted, handled, and processed according to its sensitivity. Stored, processed, or transmitted data is vulnerable to exposure... |
V-35640 | Medium | Applications must support organizationally-defined requirements to load and execute from hardware-enforced, read-only media. | Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified... |
V-35473 | Medium | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When... |
V-35279 | Medium | The application must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. | Audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is... |
V-35579 | Medium | The application must disable network access by unauthorized components/devices or notify designated organizational officials. | Maintaining system and network integrity requires all systems on the network are identified and accounted for. Without an accurate accounting of systems utilizing the network, the opportunity... |
V-35666 | Medium | The mobile application must not be vulnerable to command injection. | Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print style family of C/C++ functions. If an... |
V-35475 | Medium | Applications must ensure that PKI-based authentication maps the authenticated identity to the user account. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Rationale... |
V-35665 | Medium | The mobile application must not contain format string vulnerabilities. | Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print style family of C/C++ functions. If an... |
V-35668 | Medium | The mobile application must prevent SQL injection. | Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print style family of C/C++ functions. If an... |
V-35629 | Medium | Applications must meet organizational requirements to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers | The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
V-35574 | Medium | Applications must enforce requirements regarding the connection of mobile devices to organizational information systems. | Applications designed to manage the connection of mobile devices to information systems must be able to enforce organizational connectivity requirements or work in conjunction with enterprise... |
V-35551 | Medium | The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries. | This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the... |
V-35715 | Medium | Intrusion detection software must be able to interconnect using standard protocols to create a system wide intrusion detection system. | When utilizing intrusion detection software, monitoring components are usually dispersed throughout the network, such as, when utilizing HIDS and multiple NIDS sensors. In order to leverage the... |
V-35720 | Medium | Applications providing IDS and prevention capabilities must prevent non-privileged users from circumventing intrusion detection and prevention capabilities. | Any application providing intrusion detection and prevention capabilities must be architected and implemented so as to prevent non-privileged users from circumventing such protections. This can be... |
V-35587 | Medium | Applications handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information that is at rest unless otherwise protected by alternative physical measures. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
V-35100 | Medium | The mobile application must display the classification of the data in human readable form whenever it displays any data to the user of the mobile device if it processes, stores, or transmits classified data. | Unlabeled, sensitive data could easily be mixed with unclassified data and misclassified data could be transmitted on a non-secure network. Unless the application informs the user of the... |
V-35106 | Medium | Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions. | Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the... |
V-35726 | Medium | The application must either implement compensating security controls or the organization explicitly accepts the risk of not performing the verification as required. | Application security functional testing involves testing the application for conformance to the application's security function specifications, as well as for the underlying security model. The... |
V-35417 | Medium | Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that are cryptographically based. | Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
V-35113 | Medium | Applications providing remote access must have capabilities that allow all remote access to be routed through managed access control points. | This requirement relates to the use of applications providing remote access services. Remote access is any access to an organizational information system by a user (or an information system)... |
V-35670 | Medium | Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface. | Firewall control requirement for isolating and preventing the discovery of management interfaces. This control enhancement is intended to protect the network addresses of information system... |
V-35672 | Medium | Applications designed to enforce protocol formats must employ automated mechanisms to enforce strict adherence to protocol format. | Automated mechanisms used to enforce protocol formats include, deep packet inspection firewalls and XML gateways. These devices verify adherence to the protocol specification (e.g., IEEE) at the... |
V-35410 | Medium | Applications authenticating users must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A group... |
V-35514 | Medium | Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage. | When data is written to digital media such as, hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and... |
V-35370 | Medium | The mobile application must implement automated mechanisms to enforce access control restrictions which are not provided by the operating system | Applications often have additional access control requirements beyond those provided by the operating system. For example, a contact or key database may contain particular sensitive records that... |
V-35565 | Medium | Applications must generate a unique session identifier for each session. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a... |
V-35372 | Medium | The application must support the employment of automated mechanisms supporting the auditing of enforcement actions. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
V-35374 | Medium | Applications must prevent the installation of organization-defined critical software programs not signed with a certificate that has been recognized and approved by the organization. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
V-35375 | Medium | The application must support the enforcement of a two-person rule for changes to organization-defined application components and system-level information. | Regarding access restrictions for changes made to organization defined information system components and system level information. Any changes to the hardware, software, and/or firmware components... |
V-35377 | Medium | The mobile application must not enable other applications or non-privileged processes to modify software libraries. | Many applications often leverage software libraries to perform application functions. If the application makes these library files world writeable or otherwise allows unauthorized changes, then... |
V-35378 | Medium | Applications must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately. | Any changes to the application components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized... |
V-35379 | Medium | Configuration management applications must employ automated mechanisms to centrally manage configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-35642 | Medium | The mobile application must not write data to persistent memory accessible to other applications. | Persistent memory is memory that retains data even when the device is no longer powered on. It is often referred to as non-volatile memory and is typically used for file storage. If the... |
V-35460 | Medium | The application must support organizational requirements to prohibit password reuse for the organization-defined number of generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to... |
V-35700 | Medium | The mobile application must not include sensitive information in system logs not necessary for IA functions. | The application must only generate messages that provide information necessary for corrective actions and without revealing organization defined sensitive or potentially harmful information. Any... |
V-35566 | Medium | Applications must recognize only system-generated session identifiers. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a... |
V-35465 | Medium | The application must support organizational requirements to enforce password complexity by the number of lower case characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
V-35699 | Medium | The mobile application must identify potentially security-relevant error conditions. | The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application is able to identify and handle error... |
V-35698 | Medium | The mobile application must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission. | Unencrypted sensitive application data could be intercepted in transit. Encryption of data in transit will protect the data from being extricated, modified or being used for malicious purposes.... |
V-35697 | Medium | Applications must provide automated support for the management of distributed security testing. | The need to verify security functionality applies to all security functions. For those security functions that are not able to execute automated self-tests the organization either implements... |
V-35696 | Medium | Applications utilized for integrity verification must detect unauthorized changes to software and information. | Organizations are required to employ integrity verification applications on information systems to look for evidence of information tampering, errors, and omissions. The organization is also... |
V-35694 | Medium | Applications that are utilized to address the issue of spam and provide protection from spam must automatically update any and all spam protection measures including signature definitions. | Originators of spam emails are constantly changing their source email addresses in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing... |
V-35693 | Medium | Applications that serve to protect organizations and individuals from spam messages must incorporate update mechanisms updating protection mechanisms and signature updates when new application releases are available in accordance with organizational configuration management policies and procedures. | Senders of spam messages are continually modifying their tactics and source email addresses in order to elude protection mechanisms. To stay up-to-date with the changing threat and to identify... |
V-35692 | Medium | Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems. | Detecting internal actions that may pose a security threat to external information systems is sometimes termed extrusion detection. Extrusion detection at the information system boundary includes... |
V-35690 | Medium | Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy applications must also be configurable with o | External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource... |
V-35748 | Medium | The mobile application must clear or overwrite memory blocks used to process sensitive data. | Sensitive data in memory should be cleared or overwritten to protect data that may be available to an attacker seeking ways to gain access to data that otherwise appears erased. Unless an... |
V-35709 | Medium | The mobile application must provide notification of failed automated security tests. | Automated security tests may include checking the cryptographic hash of key application files, and verifying the presence of critical MOS services, the presence of a VPN connection, correct file... |
V-35298 | Medium | The application must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists. | It is critical that when a system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the system were to continue processing without auditing enabled,... |
V-35277 | Medium | The application must provide the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. | Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated.... |
V-35509 | Medium | Applications used for non-local maintenance sessions must protect those sessions through the use of a strong authenticator tightly bound to the user. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-35508 | Medium | Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents. | Incident tracking is a method of monitoring networks and systems for activity indicative of viral infection or system attack. Monitoring for this type of activity provides the organization with... |
V-35293 | Medium | To support DoD requirements to centrally manage the content of audit records, applications must provide the ability to write specified audit record content to a centralized audit log repository. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes but is not... |
V-35292 | Medium | Applications must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35505 | Medium | The application must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and... |
V-35504 | Medium | The application must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system shall not provide any information that would... |
V-35296 | Medium | The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic. | It is critical that when a system is at risk of failing to process audit logs as required, actions are automatically taken to mitigate the failure. Audit processing failures include: software/hardware... |
V-35746 | Medium | The mobile application code must not contain hardcoded references to resources external to the application. | Hardcoded resources include URLs and path references to files outside of the application environment. If an adversary is aware of such references, they can attack the application by breaching the... |
V-35585 | Medium | Applications must take needed steps to protect data at rest and ensure confidentiality and integrity of application data. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
V-35261 | Medium | Applications scanning for malicious code must scan all media used for system maintenance prior to use. | There are security-related issues arising from software brought into the information system specifically for diagnostic and repair actions. (e.g., a software packet sniffer installed on a system... |
V-35583 | Medium | Applications must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, applications need to leverage transmission protection mechanisms such as TLS, SSL VPN, or IPSEC tunnel. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-35581 | Medium | Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must not be shared or used for any other purpose other than described. | A Honey Pot is an organization designated information system and/or application that includes components specifically designed to be the target of malicious attacks for the purpose of detecting,... |
V-35408 | Medium | The application must use multifactor authentication for local access to non-privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,... |
V-35653 | Medium | Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination. | In regards to boundary controls such as routers and firewalls, examples of restricting and prohibiting communications are: restricting external web traffic only to organizational web servers... |
V-35075 | Medium | The application must ensure that the screen display is obfuscated when an application session lock event occurs. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the... |
V-35589 | Medium | Applications must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the integrity of, the hardware, software, and firmware that perform those security functions. | Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and... |
V-35266 | Medium | Applications upon successful logon, must display to the user the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the date and time of their last successful login allows the user to... |
V-35267 | Medium | In order to inform the user of failed login attempts made with the user's account, the application upon successful logon/access must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. | Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to login to their account... |
V-35181 | Medium | Applications providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35180 | Medium | Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35349 | Medium | The application must provide an audit reduction capability. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
V-35260 | Medium | Applications must allocate audit record storage capacity. | In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating... |
V-35472 | Medium | Applications must enforce password maximum lifetime restrictions. | Password maximum lifetime is defined as: the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at... |
V-35345 | Medium | To support audit review, analysis and reporting the application must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
V-35346 | Medium | Applications must provide the capability to centralize the review and analysis of audit records from multiple components within the system. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
V-35340 | Medium | The application must be capable of taking organization-defined actions upon audit failure (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure). | It is critical that when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Audit processing failures include: software/hardware... |
V-35752 | Medium | The mobile application must not have canonical representation vulnerabilities. | Canonical representation issues arise when the name of a resource is used to control resource access. There are multiple methods of representing resource names on a computer system. An... |
V-35269 | Medium | The application must notify the user of the number of unsuccessful login/access attempts occurring during an organization-defined time period. | Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to login to their account... |
V-35353 | Low | The mobile application must use the mobile device's system time for its authoritative time source. | Synchronizing with authorized timing sources enables an application to perform a number of important, back-office functions that require synchronization between the application, the device,... |
V-35723 | Low | The mobile application must notify the user or MDM, or shut down if it fails an automated security test. | System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This... |
V-35516 | Low | The mobile application must close opened network ports at the end of the application session or after an organization defined time period of inactivity. | Ports that are not closed upon termination of an application or following a pre-defined period of inactivity leave the device vulnerable to exposure from attacks that exploit ports that remain... |
V-35244 | Low | The mobile application must enforce organization defined limitations on the embedding of data types within other data types. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35702 | Low | The mobile application must alert the MOS or MDM upon each instance of an application component failure. | An application that suffers a component failure is vulnerable to exposure that leaves the application, device, and stored data exposed to potential malicious activity. One component that may fail,... |
V-35398 | Low | The mobile application must not lock or set permissions on application files in a manner such that the operating system or an approved backup application cannot copy the files. | If the application is able to lock files or modify file permissions in a manner that prevents higher-level system operations, such as backup and copying to take place, then the potential exists... |
V-35248 | Low | When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the application must record a log entry when there is a failed attempt to improperly transfer data from one domain to another. | Transferring data between various domains exposes the data to both accidental and malicious intruders able to perform physical attacks. This form of attack will allow an unauthorized user to gain... |
V-35701 | Low | The mobile application must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display. | Error messages that are transmitted outside of the application environment reveal weaknesses in the application that will offer the potential for exposure to malicious users. By default many error... |
V-35272 | Low | The digital signature on the mobile application installation code must identify the entity responsible for the application. | Any code that a mobile application uses must contain a signature to authenticate the actual publisher in order to prove the source code is not only legitimate, but has also been created by a... |
V-35660 | Low | The mobile application must define a character set for data inputs. | Characters entered in an application's input fields that are undefined can lead to unpredictable results and leave the application's stored data vulnerable. By setting the character set for the... |
V-35573 | Low | The mobile application must preserve organization-defined system state information in the event of an application failure. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
V-35749 | Low | The mobile application must remove cookies or information used to track a user's identity when it terminates. | If the application does not remove temporary data, such as authentication data, temporary files containing sensitive data, and cookies, the data can be used again if the device is lost or stolen. ... |
V-35747 | Low | The mobile application must remove temporary files when it terminates. | Temporary files left on the system after an application has terminated may contain sensitive information. Such sensitive information includes authentication credentials or session identifiers... |