
Mobile apps involved in the production, control, and distribution of symmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.


Overview

Finding ID: SRG-APP-000516-MAPP-000038
Version: SRG-APP-000516-MAPP-000038
Rule ID: SRG-APP-000516-MAPP-000038_rule
IA Controls:
Severity: Medium
Description
Symmetric cryptographic keys must be generated, controlled, and distributed using approved processes and approved technology, so that adversaries cannot take advantage of any exposure of network resources caused by non-standard key management practices and tools. If non-standard practices are applied to the production, control, or distribution of symmetric cryptographic keys, the DoD is potentially vulnerable to adversaries able to exploit weak or poorly protected keys used by the app and its supporting systems. Applying approved practices and key management technologies gives the DoD a much higher degree of assurance that intruders will not gain access to the network through weaknesses those practices mitigate or eliminate.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000516-MAPP-000038_chk )
If the mobile app is not involved in the production, control, and distribution of symmetric cryptographic keys, this control is not applicable. For mobile apps involved in the production, control, and distribution of symmetric cryptographic keys, perform a documentation review to verify that NIST SP 800-57 (Recommendation for Key Management) approved technology and processes have been applied to the design of the app. The documentation review also includes assessing whether the key management technology present in the app carries a JITC certification. If the documentation review is inconclusive, perform a static program analysis to confirm that the app contains functional code able to execute the routines and functions needed to comply with the above requirements. If the code cannot satisfy any of the above requirements, this is a finding. If NIST SP 800-57 Recommendation for Key Management is not used or enforced, this is a finding.
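The static program analysis step above is not described further in the SRG. The following is an added example, not part of the STIG or of any DISA tool, of the kind of source-level check a reviewer might run while assessing whether an app's symmetric key handling is compatible with SP 800-57 practices. It assumes an Android app written in Java/Kotlin using the JCA (javax.crypto) API; the rule names, regular expressions, and the two sample snippets (`BAD_SNIPPET`, `GOOD_SNIPPET`) are constructed for this example. It flags key material embedded in source (a key that was never produced by an approved generator and cannot be controlled), a non-approved random number source used for key generation, and non-approved symmetric algorithms, and it records whether approved key generation and a hardware-backed keystore are present at all.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    text: str


# Assumption: Android/JCA source. Rule names and patterns are this example's own
# heuristics; they are a triage aid, not a substitute for the documentation review.
NON_APPROVED = [
    # Key material embedded in source: neither generated by an approved RBG nor
    # under the control of a key management system (SP 800-57 production/control).
    ("hardcoded-key", re.compile(r'(?i)(key|secret)\w*\s*=\s*"[^"]{8,}"')),
    # java.util.Random is not an approved random bit generator for key material.
    ("non-approved-rng", re.compile(r"\bnew\s+(java\.util\.)?Random\s*\(")),
    # Symmetric algorithms that are not FIPS-approved for generating new keys.
    ("non-approved-algorithm",
     re.compile(r'(?i)(Cipher|KeyGenerator|SecretKeySpec)[\w.]*\(\s*"(DES|DESede|RC4|RC2|Blowfish)')),
]

# Positive indicators that approved key production and control code is present.
APPROVED = [
    # AES key generated by the JCA provider rather than by app code.
    ("approved-keygen", re.compile(r'KeyGenerator\.getInstance\(\s*"AES"')),
    # Hardware-backed keystore keeps the key non-exportable after generation.
    ("hardware-keystore", re.compile(r'"AndroidKeyStore"')),
]


def scan(source: str):
    """Return (findings, approved_indicators) for one source file."""
    findings = []
    present = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in NON_APPROVED:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
        for rule, pattern in APPROVED:
            if pattern.search(line):
                present.add(rule)
    return findings, present


def assess(source: str):
    """Map scan results onto the SRG's pass/fail outcome.

    Any non-approved practice is a finding; so is the absence of any approved
    key-generation code, since the app then cannot execute the required routines.
    """
    findings, present = scan(source)
    status = "finding" if findings or "approved-keygen" not in present else "not a finding"
    return status, findings, present


# Constructed sample: a hardcoded key, a DES cipher, and java.util.Random.
BAD_SNIPPET = """\
static final String AES_KEY = "0123456789abcdef";
SecretKeySpec ks = new SecretKeySpec(AES_KEY.getBytes(), "AES");
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
Random r = new Random();
"""

# Constructed sample: AES-256 key generated inside the Android hardware-backed keystore.
GOOD_SNIPPET = """\
KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");
kg.init(new KeyGenParameterSpec.Builder("db-key", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        .setKeySize(256)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .build());
SecretKey k = kg.generateKey();
"""


def report(label: str, source: str) -> str:
    status, findings, present = assess(source)
    lines = [f"{label}: {status}"]
    for f in findings:
        lines.append(f"  line {f.line} [{f.rule}] {f.text}")
    if present:
        lines.append("  approved indicators: " + ", ".join(sorted(present)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("bad", BAD_SNIPPET))
    print(report("good", GOOD_SNIPPET))
```

A clean result from this scan only shows that no obvious non-approved practice is visible in source; it says nothing about the key's cryptoperiod, distribution, or destruction, which must still be established from the design documentation as the check text requires.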
Fix Text (F-SRG-APP-000516-MAPP-000038_fix)
Modify the mobile app code to use NIST approved or NSA approved symmetric key management technology and processes.