Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33057 | SRG-OS-000095-MOS-000061 | SV-43455r1_rule | | Medium |
Description |
---|
Organizationally required applications are present on the device because they support the organization's mission. Therefore, their absence degrades mission performance. Preventing the removal of such applications provides mission assurance. The primary focus of this control concerns IA applications that monitor the integrity of software on the mobile device and enforce configuration controls. Removal of these applications would significantly degrade the IA posture of the device. Therefore, not permitting a user to remove them is critical to IA. In cases in which such applications cannot be removed, an acceptable alternative to mitigate risk is to prevent access to DoD resources when the required applications are not present. |
STIG | Date |
---|---|
Mobile Operating System Security Requirements Guide | 2012-10-01 |
Check Text (C-41326r1_chk) |
---|
Review the mobile operating system configuration to determine if the operating system permits a user to remove organizationally required applications. Identify the list of organizationally required applications and attempt to delete a sample of them to determine if the control is being enforced. If it is possible to remove the application, check that the removal disables access to DoD information resources. If a required application can be removed by a user or if removal does not disable further access to DoD resources, this is a finding. |
Fix Text (F-36957r1_fix) |
---|
Configure the operating system to prevent users from removing organizationally required applications or configure the operating system to disable access to DoD information resources when such applications are removed. |