The mobile operating system must not permit a user to remove organizationally required applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33057	SRG-OS-000095-MOS-000061	SV-43455r1_rule		Medium

Description
Organizationally required applications are present on the device because they support the organization's mission. Therefore, their absence degrades mission performance. Preventing the removal of such applications provides mission assurance. The primary focus of this control concerns IA applications that monitor the integrity of software on the mobile device and enforce configuration controls. Removal of these applications would significantly degrade the IA posture of the device. Therefore, not permitting a user to remove them is critical to IA. In cases in which such applications cannot be removed, an acceptable alternative to mitigate risk is to prevent access to DoD resources when the required applications are not present.

Description

Organizationally required applications are present on the device because they support the organization's mission. Therefore, their absence degrades mission performance. Preventing the removal of such applications provides mission assurance. The primary focus of this control concerns IA applications that monitor the integrity of software on the mobile device and enforce configuration controls. Removal of these applications would significantly degrade the IA posture of the device. Therefore, not permitting a user to remove them is critical to IA. In cases in which such applications cannot be removed, an acceptable alternative to mitigate risk is to prevent access to DoD resources when the required applications are not present.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-07-03

Details

Check Text ( C-41326r1_chk )
Review the mobile operating system configuration to determine if the operating system permits a user to remove organizationally required applications. Identify the list of organizationally required applications and attempt to delete a sample of them to determine if the control is being enforced. If it is possible to remove the application, check that the removal disables access to DoD information resources. If a required application can be removed by a user or if removal does not disable further access to DoD resources, this is a finding.

Check Text ( C-41326r1_chk )

Review the mobile operating system configuration to determine if the operating system permits a user to remove organizationally required applications. Identify the list of organizationally required applications and attempt to delete a sample of them to determine if the control is being enforced. If it is possible to remove the application, check that the removal disables access to DoD information resources. If a required application can be removed by a user or if removal does not disable further access to DoD resources, this is a finding.

Fix Text (F-36957r1_fix)
Configure the operating system to prevent users from removing organizationally required applications or configure the operating system to disable access to DoD information resources when such applications are removed.