UCF STIG Viewer Logo

Mobile Application Security Requirements Guide


Overview

Date Finding Count (314)
2013-01-04 CAT I (High): 15 CAT II (Med): 286 CAT III (Low): 13
STIG Description
The Mobile Application Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-35262 High The mobile application must not execute unsigned DoD Mobile Code Policy Category 1A or 2 mobile code.
V-35524 High The mobile application must employ NSA-approved cryptography to protect classified information.
V-35531 High The mobile application must provide integrity protection for the classification attributes bound to the transmitted data if it transmits classified data.
V-35084 High The mobile application must not permit any classification attribute to be modified to a lower level of classification if it processes classified data.
V-35164 High The mobile application must not modify, request, or assign values for operating system parameters unless necessary to perform application functions.
V-35166 High The mobile application must not execute as a privileged operating system process unless necessary to perform any application functions.
V-35083 High The mobile application must store an associated data attribute corresponding to the highest classification of data in the file it stores classified data.
V-35087 High The mobile application must assign the classification corresponding to the highest classification of its elements whenever it combines data elements classified at multiple levels.
V-35085 High The mobile application must include classification attributes with transmitted data if it transmits classified data.
V-35264 High The mobile application must not permit DoD Mobile Code Policy Category 2 mobile code to access any resource not dedicated to the mobile application.
V-35265 High The mobile application must not use mobile code technology that is not yet categorized in accordance with the DoD Mobile Code Policy.
V-35263 High The mobile application must validate the signature on DoD Mobile Code Policy Category 1A and 2 mobile code before executing such code.
V-35801 High The mobile application source code must not contain known malware.
V-35755 High The mobile application must not record or forward sensor data unless explicitly authorized to do so.
V-35348 High The mobile application code must not include embedded interpreters for prohibited mobile code.
V-35756 Medium The mobile application installation package must be digitally signed in accordance with FIPS 186-3.
V-35124 Medium The application must monitor for unauthorized connections of mobile devices to organizational information systems.
V-35754 Medium The mobile application must initialize all parameter values on start up.
V-35126 Medium The mobile application must not permit execution of code without user direction unless the code is sourced from an organization-defined list of approved network resources.
V-35459 Medium The application must support organizational requirements to enforce minimum password length.
V-35458 Medium Applications must support organizational requirements to disable user accounts after an organization-defined time period of inactivity.
V-35750 Medium The mobile application must not be vulnerable to integer arithmetic vulnerabilities.
V-35122 Medium Applications must support the capability to disable network protocols deemed by the organization to be nonsecure except for explicitly identified components in support of specific operational requirements.
V-35455 Medium Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based.
V-35457 Medium Web services applications establishing identities at run-time for previously unknown entities must dynamically manage identifiers, attributes, and associated access authorizations.
V-35290 Medium The application must produce audit records that contain sufficient information to establish the outcome (success or failure) of the events.
V-35288 Medium The application must produce audit records containing sufficient information to establish where the events occurred.
V-35289 Medium The application must produce audit records containing sufficient information to establish the sources of the events.
V-35553 Medium The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-35518 Medium Mobile applications involved in the production, control, and distribution of symmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.
V-35519 Medium Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.
V-35638 Medium Applications must, for organization-defined information system components, load and execute the operating environment from hardware-enforced, read-only media.
V-35280 Medium The application must provide audit record generation capability for defined auditable events within defined application components.
V-35281 Medium The application must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
V-35282 Medium Applications must generate audit records for the DoD selected list of auditable events.
V-35283 Medium The application must initiate session auditing upon start up.
V-35284 Medium The application must provide the capability to capture, record, and log all content related to a user session.
V-35285 Medium The application must provide the capability to remotely view/hear all content related to an established user session in real time.
V-35286 Medium The application must produce audit records containing sufficient information to establish what type of events occurred.
V-35287 Medium The application must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-35594 Medium Applications must meet organizational requirements to implement an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions.
V-35291 Medium The application must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-35597 Medium The application must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.
V-35414 Medium The application must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-35591 Medium The application must automatically terminate emergency accounts after an organization defined time period for each type of account.
V-35592 Medium Applications must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-35466 Medium The application must support organizational requirements to enforce password complexity by the number of numeric characters used.
V-35751 Medium The mobile application must not call functions vulnerable to buffer overflows.
V-35712 Medium Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.
V-35211 Medium Applications must provide the ability to enforce security policies regarding information on interconnected systems.
V-35210 Medium Applications must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy.
V-35245 Medium Applications must enforce information flow control on metadata.
V-35352 Medium Applications must use internal system clocks to generate time stamps for audit records.
V-35350 Medium Applications must provide a report generation capability for audit reduction data.
V-35171 Medium When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the mobile application must enforce a non-discretionary access control policy that prohibits a user from accessing DoD data when operating in a persona not authorized for access to data categorized at that level.
V-35356 Medium The application must protect audit information from unauthorized modification.
V-35357 Medium The application must protect audit information from unauthorized deletion.
V-35354 Medium The application must protect audit information from any type of unauthorized access.
V-35722 Medium Applications providing notifications regarding suspicious events must include the capability to notify an organization-defined list of response personnel who are identified by name and/or by role.
V-35130 Medium Applications must provide automated mechanisms for supporting user account management. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management.
V-35247 Medium Applications providing information flow control must uniquely authenticate destination domains when transferring information.
V-35339 Medium The application must alert designated organizational officials in the event of an audit processing failure.
V-35725 Medium The application must enforce organizational requirements to protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
V-35411 Medium Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access.
V-35729 Medium The application must notify appropriate individuals when accounts are created.
V-35728 Medium The application must use cryptographic mechanisms to protect the integrity of audit tools
V-35110 Medium Applications providing remote access connectivity must use cryptography to protect the integrity of the remote access session.
V-35631 Medium The application must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-35528 Medium Software and/or firmware used for collaborative computing devices must prohibit remote activation excluding the organization-defined exceptions where remote activation is to be allowed.
V-35469 Medium The application must support organizational requirements to enforce password encryption for storage.
V-35635 Medium Applications required to be non-modifiable must support organizational requirements to provide components that contain no writeable storage capability. These components must be persistent across restart and/or power on/off.
V-35242 Medium Applications must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
V-35521 Medium Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or class 4 certificates and hardware tokens that protect the users private key.
V-35520 Medium Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.
V-35523 Medium Applications must employ FIPS-validated cryptography to protect unclassified information.
V-35522 Medium The mobile application must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-35525 Medium Applications must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
V-35527 Medium The application must protect the integrity and availability of publicly available information and applications.
V-35526 Medium The mobile application must shut down or take an alternative organization defined action when it determines that one of its required security functions is unavailable.
V-35249 Medium Applications must support organizational requirements to implement separation of duties through assigned information access authorizations.
V-35160 Medium The application must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-35407 Medium The application must use multifactor authentication for local access to privileged accounts.
V-35206 Medium Applications providing flow control must identify data type, specification and usage when transferring information between different security domains so that policy restrictions may be applied.
V-35207 Medium Applications, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
V-35208 Medium When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the mobile application must implement or incorporate policy filters that constrain data objects and structure attributes according to organizational security policy statements.
V-35209 Medium Applications designed to control information flow must provide the ability to detect unsanctioned information being transmitted across security domains.
V-35536 Medium Applications must support organizational requirements to issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-35731 Medium The application must notify appropriate individuals when account disabling actions are taken.
V-35732 Medium The application must notify appropriate individuals when accounts are terminated.
V-35530 Medium The mobile application must associate security attributes with information exchanged between information systems.
V-35268 Medium In order to inform the user of the number of successful login attempts made with the users account, the application must notify the user of the number of successful logins/accesses occurring during an organization-defined time period.
V-35471 Medium Applications must enforce password minimum lifetime restrictions.
V-35538 Medium Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must implement detection and inspection mechanisms to identify unauthorized mobile code
V-35147 Medium Applications must support the requirement to automatically audit account creation.
V-35146 Medium The application must be capable of automatically disabling accounts after a 35 day period of account inactivity.
V-35145 Medium The application must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
V-35382 Medium Configuration management applications must employ automated mechanisms to centrally apply configuration settings.
V-35385 Medium Configuration management applications must employ automated mechanisms to centrally respond to unauthorized changes to configuration settings.
V-35386 Medium Configuration management solutions must track unauthorized, security-relevant configuration changes.
V-35388 Medium The application must enforce requirements for remote connections to the information system.
V-35149 Medium Applications must support the requirement to automatically audit account modification.
V-35517 Medium The application must establish a trusted communications path between the user and organization-defined security functions within the information system.
V-35259 Medium Applications must configure their auditing to reduce the likelihood of storage capacity being exceeded.
V-35510 Medium The application must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-35467 Medium The application must support organizational requirements to enforce password complexity by the number of special characters used.
V-35511 Medium The application must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions
V-35468 Medium The application must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
V-35239 Medium Applications providing information flow control must track problems associated with the binding of security attributes to data.
V-35512 Medium The application must terminate all sessions and network connections when non-local maintenance is completed.
V-35256 Medium Applications must display an approved system use notification message or banner before granting access to the system.
V-35513 Medium Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-35231 Medium The application must bind security attributes to information to facilitate information flow policy enforcement.
V-35230 Medium Applications must uniquely identify destination domains for information transfer.
V-35543 Medium Applications utilizing mobile code must meet policy requirements regarding the acquisition, development, and/or use of mobile code.
V-35541 Medium Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified.
V-35548 Medium The application must separate user functionality (including user interface services) from information system management functionality.
V-35547 Medium Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization-defined software applications and require organization-defined actions prior to executing the code.
V-35708 Medium Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user.
V-35545 Medium Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code.
V-35258 Medium Applications must display an approved system use notification message or banner before granting access to the system.
V-35705 Medium The application must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization-defined information system components. Patch management tools must be automated.
V-35704 Medium Applications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization-defined basis.
V-35255 Medium Applications, when the maximum number of unsuccessful attempts are exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator IAW organizational policy.
V-35706 Medium The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing.
V-35253 Medium The application must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-35252 Medium Applications must have the capability to limit the number of failed login attempts based upon an organization defined number of consecutive invalid attempts occurring within an organization defined time period.
V-35251 Medium Applications must be able to function within separate processing domains (virtualized systems), when specified, so as to enable finer-grained allocation of user privileges.
V-35154 Medium The application must automatically audit account termination and notify appropriate individuals.
V-35155 Medium Applications must support the organizational requirement to automatically monitor on atypical usage of accounts.
V-35111 Medium The application must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-35658 Medium The mobile application must validate the correctness of data inputs.
V-35703 Medium Applications providing patch management capabilities must support the organizational requirements to install software updates automatically.
V-35152 Medium The application must automatically audit account disabling actions and notify appropriate individuals
V-35399 Medium The application must support and must not impede organizational requirements to conduct backups of information system documentation including security-related documentation per organization-defined frequency.
V-35396 Medium The mobile application must implement transaction recovery if it is transaction based.
V-35397 Medium Backup / Disaster Recovery oriented applications must be capable of backing up user-level information per a defined frequency.
V-35651 Medium Applications must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-35250 Medium Application users must utilize a separate, distinct administrative account when accessing application security functions or security-relevant information. Non-privileged accounts must be utilized when accessing non-administrative application functions.
V-35158 Medium Service Oriented Architecture (SOA) based applications must dynamically manage user privileges and associated access authorizations.
V-35656 Medium The mobile application must prevent XML injection.
V-35655 Medium The application must be capable of implementing host-based boundary protection mechanisms for servers, workstations, and mobile devices.
V-35391 Medium The mobile application must not include source code never invoked during operation, except for software components and libraries from approved third-party products.
V-35515 Medium Application software used to detect the presence of unauthorized software must employ automated detection mechanisms and notify designated organizational officials in accordance with the organization-defined frequency.
V-35119 Medium The application must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
V-35228 Medium The mobile application must identify the persona from which data is coming before permitting transfer to or from a DoD persona when the mobile application supports multiple personas.
V-35229 Medium A mobile application must authenticate the persona from which data is coming before permitting transfer to or from a DoD persona when the mobile application supports multiple personas.
V-35246 Medium Applications must use security policy filters as a basis for making information flow control decisions.
V-35462 Medium The application must support organizational requirements to enforce password complexity by the number of upper case characters used.
V-35550 Medium The application must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
V-35730 Medium The application must notify appropriate individuals when accounts are modified.
V-35718 Medium Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions.
V-35719 Medium Applications that detect and alarm on security events such as Intrusion Detection, Firewalls, Anti-Virus, or Malware must provide near real-time alert notification.
V-35555 Medium The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-35364 Medium The application must have the capability to produce audit records on hardware-enforced, write-once media.
V-35557 Medium The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-35558 Medium Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation.
V-35713 Medium Applications providing malicious code protection must support organizational requirements to be configured to perform organization-defined action(s) in response to malicious code detection.
V-35710 Medium Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration
V-35711 Medium Applications scanning for malicious code must support organizational requirements to configure malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.
V-35717 Medium For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring.
V-35714 Medium Applications providing malicious code protection must support organizational requirements to address the receipt of false positives during malicious code detection, eradication efforts, and the resulting potential impact on the availability of the information system.
V-35243 Medium Applications must prevent encrypted data from bypassing content-checking mechanisms.
V-35648 Medium Applications must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-35418 Medium The mobile application must authenticate devices using bidirectional cryptographic authentication if it manages wireless network connections for other devices.
V-35470 Medium The application must support organizational requirements to enforce password encryption for transmission.
V-35169 Medium The application must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands.
V-35168 Medium A mobile application must not call APIs or otherwise invoke resources external to the mobile application unless such activity serves the documented purposes of the mobile application.
V-35413 Medium The application must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-35412 Medium Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access.
V-35644 Medium Applications must not share resources used to interface with systems operating at different security levels.
V-35394 Medium To support the requirements and principles of least functionality, the application must support organizational requirements regarding the use of automated mechanisms preventing program execution on the information system in accordance with the organization defined specifications.
V-35646 Medium Applications must protect against or limit the effects of the organization-defined or referenced types of Denial of Service (DoS) attacks.
V-35416 Medium Applications required to identify devices must uniquely identify and authenticate an organization-defined list of specific and/or types of devices before establishing a connection.
V-35650 Medium Applications must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-35392 Medium The mobile application must not utilize ports or protocols in a manner inconsistent with DoD Ports and Protocols guidance.
V-35474 Medium The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-35115 Medium The application must monitor for unauthorized remote connections to the information system on an organization-defined frequency.
V-35359 Medium The application must protect audit tools from unauthorized access.
V-35507 Medium Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected.
V-35295 Medium The application must provide a real-time alert when organization-defined audit failure events occur.
V-35095 Medium The mobile application must maintain the binding of classification attributes to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions if it transmits classified data.
V-35097 Medium The mobile application must enable the user of the mobile device to assign a classification level to any data the user creates while using the mobile device, unless the application concept of operations requires that all data be handled at a single classification level.
V-35294 Medium Applications themselves, or the logging mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
V-35297 Medium The application must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
V-35570 Medium The mobile application must fail to an initial state when the application unexpectedly terminates, unless it maintains a secure state at all times.
V-35093 Medium The application must provide the capability to specify administrative users and grant them the right to change application security attributes pertaining to application data.
V-35675 Medium Boundary protection applications must be capable of preventing public access into the organizations internal networks except as appropriately mediated by managed interfaces.
V-35278 Medium Applications that utilize Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-35677 Medium Any software application designed to function as a firewall must be capable employing a default deny all configuration.
V-35405 Medium The application must use multifactor authentication for network access to non-privileged accounts.
V-35402 Medium The application must use multifactor authentication for network access to privileged accounts.
V-35568 Medium Applications must generate unique session identifiers with organization defined randomness requirements.
V-35673 Medium Boundary protection applications must fail securely in the event of an operational failure.
V-35401 Medium The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-35271 Medium The application must protect against an individual falsely denying having performed a particular action.
V-35270 Medium Applications must notify users of organization-defined security-related changes to the users account occurring during the organization-defined time period.
V-35273 Medium If the mobile application processes digitally signed data or code, then it must validate the digital signature.
V-35561 Medium Applications must terminate user sessions upon user logout or any other organization or policy defined session termination events, such as idle time limit exceeded.
V-35274 Medium Applications must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-35563 Medium Applications providing a login capability must also provide a logout functionality to allow the user to manually terminate the session.
V-35276 Medium Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-35077 Medium Applications must ensure that users can directly initiate session lock mechanisms which prevent further access to the system.
V-35076 Medium The application must support the requirement to initiate a session lock after an organization defined time period of system or application inactivity has transpired.
V-35506 Medium The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-35072 Medium The application must be able to define the maximum number of concurrent sessions for an application account globally, by account type, by account, or a combination thereof.
V-35560 Medium Application must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication.
V-35179 Medium Applications providing information flow control must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-35177 Medium Applications providing information flow control must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-35174 Medium Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
V-35172 Medium The application must enforce a Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both.
V-35173 Medium The application must prevent access to organization-defined security-relevant information except during secure, non-operable system states.
V-35078 Medium The application must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.
V-35800 Medium Applications must enforce information flow using dynamic control based on policy that allows or disallows information flow based on changing conditions or operational considerations.
V-35351 Medium Applications must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
V-35707 Medium The application must prevent non-privileged users from circumventing malicious code protection capabilities.
V-35753 Medium The mobile application must not be vulnerable to race conditions.
V-35383 Medium Configuration management applications must employ automated mechanisms to centrally verify configuration settings.
V-35688 Medium Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.
V-35363 Medium The application must protect audit tools from unauthorized deletion.
V-35360 Medium The application must protect audit tools from unauthorized modification.
V-35367 Medium The application must protect the audit records generated as a result of remote accesses to privileged accounts and the execution of privileged functions.
V-35365 Medium The application must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization-defined frequency.
V-35275 Medium The application must validate the binding of the reviewers identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
V-35369 Medium The mobile application must not change the file permissions of any files other than those dedicated to its own operation.
V-35086 Medium The mobile application must assign a classification attribute to any newly created data file or stream if it stores, processes, or transmits classified data.
V-35640 Medium Applications must support organizationally-defined requirements to load and execute from hardware-enforced, read-only media.
V-35473 Medium The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-35279 Medium The application must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
V-35579 Medium The application must disable network access by unauthorized components/devices or notify designated organizational officials.
V-35666 Medium The mobile application must not be vulnerable to command injection.
V-35475 Medium Applications must ensure that PKI-based authentication maps the authenticated identity to the user account.
V-35665 Medium The mobile application must not contain format string vulnerabilities.
V-35668 Medium The mobile application must prevent SQL injection.
V-35629 Medium Applications must meet organizational requirements to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers
V-35574 Medium Applications must enforce requirements regarding the connection of mobile devices to organizational information systems.
V-35551 Medium The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-35715 Medium Intrusion detection software must be able to interconnect using standard protocols to create a system wide intrusion detection system.
V-35720 Medium Applications providing IDS and prevention capabilities must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-35587 Medium Applications handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information that is at rest unless otherwise protected by alternative physical measures.
V-35100 Medium The mobile application must display the classification of the data in human readable form whenever it displays any data to the user of the mobile device if it processes, stores, or transmits classified data.
V-35106 Medium Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.
V-35726 Medium The application must either implement compensating security controls or the organization explicitly accepts the risk of not performing the verification as required.
V-35417 Medium Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that are cryptographically based.
V-35113 Medium Applications providing remote access must have capabilities that allow all remote access to be routed through managed access control points.
V-35670 Medium Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface.
V-35672 Medium Applications designed to enforce protocol formats must employ automated mechanisms to enforce strict adherence to protocol format.
V-35410 Medium Applications authenticating users must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-35514 Medium Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.
V-35370 Medium The mobile application must implement automated mechanisms to enforce access control restrictions which are not provided by the operating system
V-35565 Medium Applications must generate a unique session identifier for each session.
V-35372 Medium The application must support the employment of automated mechanisms supporting the auditing of enforcement actions.
V-35374 Medium Applications must prevent the installation of organization-defined critical software programs not signed with a certificate that has been recognized and approved by the organization.
V-35375 Medium The application must support the enforcement of a two-person rule for changes to organization-defined application components and system-level information.
V-35377 Medium The mobile application must not enable other applications or non-privileged processes to modify software libraries.
V-35378 Medium Applications must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
V-35379 Medium Configuration management applications must employ automated mechanisms to centrally manage configuration settings.
V-35642 Medium The mobile application must not write data to persistent memory accessible to other applications.
V-35460 Medium The application must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
V-35700 Medium The mobile application must not include sensitive information in system logs not necessary for IA functions.
V-35566 Medium Applications must recognize only system-generated session identifiers.
V-35465 Medium The application must support organizational requirements to enforce password complexity by the number of lower case characters used.
V-35699 Medium The mobile application must identify potentially security-relevant error conditions.
V-35698 Medium The mobile application must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission.
V-35697 Medium Applications must provide automated support for the management of distributed security testing.
V-35696 Medium Applications utilized for integrity verification must detect unauthorized changes to software and information.
V-35694 Medium Applications that are utilized to address the issue of spam and provide protection from spam must automatically update any and all spam protection measures including signature definitions.
V-35693 Medium Applications that serve to protect organizations and individuals from spam messages must incorporate update mechanisms updating protection mechanisms and signature updates when new application releases are available in accordance with organizational configuration management policies and procedures.
V-35692 Medium Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems.
V-35690 Medium Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy applications must also be configurable with o
V-35748 Medium The mobile application must clear or overwrite memory blocks used to process sensitive data.
V-35709 Medium The mobile application must provide notification of failed automated security tests.
V-35298 Medium The application must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
V-35277 Medium The application must provide the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
V-35509 Medium Applications used for non-local maintenance sessions must protect those sessions through the use of a strong authenticator tightly bound to the user.
V-35508 Medium Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents.
V-35293 Medium To support DoD requirements to centrally manage the content of audit records, applications must provide the ability to write specified audit record content to a centralized audit log repository.
V-35292 Medium Applications must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-35505 Medium The application must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-35504 Medium The application must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-35296 Medium The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.
V-35746 Medium The mobile application code must not contain hardcoded references to resources external to the application.
V-35585 Medium Applications must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
V-35261 Medium Applications scanning for malicious code must scan all media used for system maintenance prior to use.
V-35583 Medium Applications must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, applications need to leverage transmission protection mechanisms such as TLS, SSL VPN, or IPSEC tunnel.
V-35581 Medium Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must be not be shared or used for any other purpose other than described.
V-35408 Medium The application must use multifactor authentication for local access to non-privileged accounts.
V-35653 Medium Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
V-35075 Medium The application must ensure that the screen display is obfuscated when an application session lock event occurs.
V-35589 Medium Applications must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the integrity of, the hardware, software, and firmware that perform those security functions.
V-35266 Medium Applications upon successful logon, must display to the user the date and time of the last logon (access).
V-35267 Medium In order to inform the user of failed login attempts made with the users account, the application upon successful logon/access must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-35181 Medium Applications providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies.
V-35180 Medium Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters.
V-35349 Medium The application must provide an audit reduction capability.
V-35260 Medium Applications must allocate audit record storage capacity.
V-35472 Medium Applications must enforce password maximum lifetime restrictions.
V-35345 Medium To support audit review, analysis and reporting the application must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-35346 Medium Applications must provide the capability to centralize the review and analysis of audit records from multiple components within the system.
V-35340 Medium The application must be capable of taking organization-defined actions upon audit failure (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure).
V-35752 Medium The mobile application must not have canonical representation vulnerabilities.
V-35269 Medium The application must notify the user of the number of unsuccessful login/access attempts occurring during an organization-defined time period.
V-35353 Low The mobile application must use the mobile devices system time for its authoritative time source.
V-35723 Low The mobile application must notify the user or MDM, or shut down if it fails an automated security test.
V-35516 Low The mobile application must close opened network ports at the end of the application session or after an organization defined time period of inactivity.
V-35244 Low The mobile application must enforce organization defined limitations on the embedding of data types within other data types.
V-35702 Low The mobile application must alert the MOS or MDM upon each instance of an application component failure
V-35398 Low The mobile application must not lock or set permissions on application files in a manner such that the operating system or an approved backup application cannot copy the files.
V-35248 Low When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the application must record a log entry when there is a failed attempt to improperly transfer data from one domain to another.
V-35701 Low The mobile application must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display.
V-35272 Low The digital signature on the mobile application installation code must identify the entity responsible for the application.
V-35660 Low The mobile application must define a character set for data inputs.
V-35573 Low The mobile application must preserve organization-defined system state information in the event of an application failure.
V-35749 Low The mobile application must remove cookies or information used to track a users identity when it terminates.
V-35747 Low The mobile application must remove temporary files when it terminates.