
The MDM server must prevent modification of key material except during secure, non-operable system states.


Overview

Finding ID: V-36238
Version: SRG-APP-037-MDM-220-SRV
Rule ID: SV-47642r1_rule
IA Controls: none listed
Severity: High
Description
Secure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). If an adversary is able to modify key material, then the adversary may be able to compromise sensitive DoD information. The adversary may also be able to bypass authentication controls on downloaded applications, websites, and network access points depending on the keys modified. This attack could enable the adversary to install unauthorized applications and stage subsequent attacks on other systems. Preventing modification of key material mitigates the risk of this attack. Key material generally refers to cryptographic keys and algorithms. There are operations where key material must be modified for proper operation of the cryptographic system.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44478r1_chk)
Review product configuration to determine whether there are appropriate controls to protect key material. If available, use scanning tools to determine whether keys can be modified by non-privileged users and processes. If such key material can be modified, this is a finding.
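One way to run the permission scan the check text describes on a POSIX host, as an added example that is not part of the SRG or of any MDM product. The key-store layout, the `trusted_uids` parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_key_material(key_dir, trusted_uids=(0,)):
    """Return sorted (relative_path, reason) pairs for entries an untrusted
    account could modify. trusted_uids is an assumption: the accounts allowed
    to own key material (root by default)."""
    findings = []
    entries = [key_dir]
    for root, dirs, files in os.walk(key_dir):
        entries += [os.path.join(root, name) for name in dirs + files]
    for path in entries:
        st = os.lstat(path)  # lstat: judge the link itself, not its target
        rel = os.path.relpath(path, key_dir)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink: target is outside this audit"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((rel, f"owned by untrusted uid {st.st_uid}"))
        # On a directory, write permission lets a user delete or replace the
        # key files inside it even when the files themselves are read-only.
        if st.st_mode & stat.S_IWGRP:
            findings.append((rel, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample key store: one tight key, one loose key, one loose dir."""
    base = tempfile.mkdtemp(prefix="keystore-")
    os.chmod(base, 0o700)
    for name, mode in (("signing.key", 0o600), ("tls.key", 0o666)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not real key material\n")
        os.chmod(path, mode)
    loose = os.path.join(base, "trust-anchors")
    os.mkdir(loose)
    os.chmod(loose, 0o775)
    return base

if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, reason in audit_key_material(tree, trusted_uids=(os.getuid(),)):
        print(f"FINDING {rel}: {reason}")
```

Any entry returned is a candidate finding under this check; an empty list covers only file-system permissions, not key material held in a database or hardware module.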
Fix Text (F-40768r1_fix)
Configure the MDM server to prevent modification of key material except during secure, non-operable system states.