Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32674 | WIR-SPP-020 | SV-43020r2_rule | ECWN-1 | Medium |
Description |
---|
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board is responsible for setting up procedures to review, test, and approve CMD applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs. |
STIG | Date |
---|---|
Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG) | 2013-01-17 |
Check Text ( C-41049r3_chk ) |
---|
Core applications are applications included in the CMD operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the CMD must be approved by the DAA or the Command IT Configuration Control Board. -Select 3-4 random devices managed by the site to review. -Make a list of non-core applications on each device. --Have the user log into the device. View all App icons on the home screen or in folders on the home screen. --If an App is not in the list of core Apps (see below), then note the name of the App. --Verify the site has written approval to use the App from the DAA or site IT CCB. -Mark as a finding if any App has not been approved. A list of standard core mobile OS applications can be found in the mobile device manual from the handset manual. |
Fix Text (F-36581r1_fix) |
---|
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices. |