
Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.


Overview

Finding ID: SRG-APP-000516-MAPP-000039
Version: SRG-APP-000516-MAPP-000039
Rule ID: SRG-APP-000516-MAPP-000039_rule
IA Controls:
Severity: Medium
Description
Asymmetric cryptographic keys must be managed according to approved processes using approved technology, so that malicious intruders cannot take advantage of any network resource exposure that results from applying non-standard practices and tools. If non-standard practices are applied to the production, control, and distribution of asymmetric cryptographic keys, the DoD is potentially vulnerable to attack from adversaries who are able to exploit weak encryption keys that have been used by the app and system. By applying this control, the DoD gains a much higher degree of assurance that intruders will not gain access to the network through weaknesses that are mitigated or eradicated by best and approved practices and key management technologies.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text (C-SRG-APP-000516-MAPP-000039_chk)
For mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys, perform a documentation review to verify that NIST SP 800-57 approved technology and processes have been applied to the design of the app. The documentation review will also include assessing whether there is a JITC certification of the key management technology's presence in the app. If the documentation review is inconclusive, perform a static program analysis to assess whether the app includes functional code able to execute the routines and functions that enable the app to comply with the above requirements. If any of the above requirements cannot be executed by the code, this is a finding. If NSA recommendations for key management are not used or enforced, this is a finding.
Fix Text (F-SRG-APP-000516-MAPP-000039_fix)
Modify the mobile app code to use NIST approved or NSA approved asymmetric key management technology and processes.