Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24964 | WIR-SPP-008-02 | SV-30701r5_rule | | Low |
Description |
---|
Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the mobile device and DoD network infrastructure. All software updates should be reviewed and/or tested by the mobile device system administrator and originate from a DoD source or DoD-approved source. Mobile device software updates should be pushed from the mobile device management (MDM) server, when this feature is available. |
STIG | Date |
---|---|
Mobile Device Policy Security Technical Implementation Guide (STIG) | 2019-05-21 |
Check Text (C-31127r10_chk) |
---|
Detailed Policy Requirements: Software updates must come from either DoD sources or DoD-approved sources. Mobile device system administrators should push OTA software updates from the MDM server, when this feature is available. Otherwise, the site administrator should verify the non-DoD source of the update has been approved by IT management. Check Procedures: Interview the ISSO and MDM server system administrator. - Verify the site mobile device handheld and MDM server administrators are aware of the requirements. - Determine what procedures are used at the site for installing software updates on site-managed mobile devices. If the site does not have procedures in place so users can download software updates from a DoD source or DoD-approved source, this is a finding. |
Fix Text (F-27598r5_fix) |
---|
Ensure mobile device software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources. |