The mobile operating system must prevent DoD applications from accessing non-DoD data when the device supports multiple user environments (e.g., work and personal) if such access has not been approved.


Overview

Finding ID: V-33118
Version: SRG-OS-000138-MOS-000076
Rule ID: SV-43516r2_rule
IA Controls:
Severity: Low
Description
When a device is used for more than one purpose (e.g., work and personal), there is the potential for information from one environment to migrate inappropriately into another environment. Therefore, it is critical that DoD applications and information be restricted from non-DoD applications and information. In many cases, the presence of non-DoD data on DoD information systems violates either local or department guidelines. In the context of this IA control, a DoD application is an application that processes DoD data. The characteristics of being distributed through a DoD application store, or digitally signed or repackaged by a DoD entity, do not by themselves make the application a DoD application. For example, a weather or map application signed and distributed from a DoD application store would not be a DoD application unless the weather, map, or other data was considered DoD data. The mobile operating system must prevent this occurrence using appropriate technical controls to mitigate the risk of compromise of sensitive data. The objective is to provide appropriate separation between each environment on the device.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41377r2_chk)
Review the mobile operating system configuration to determine if the device supports multiple user environments. If it does, verify the operating system has controls preventing DoD applications from accessing non-DoD data. If non-DoD data can be accessed from a DoD application and there is no approval for such access, this is a finding.
Fix Text (F-37018r1_fix)
Configure the operating system and applications to prevent DoD applications from inappropriately accessing non-DoD data.