Security faults in software applications and operating systems are discovered daily, and vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
Rationale for non-applicability: This IA control conflicts with another IA requirement that users must accept software updates, thereby precluding full automation. In some instances, software updates must be downloaded directly from vendors without DoD evaluation. In this environment, fully automated updates pose an IA risk because the updates could contain malware that circumvents other IA controls. In the mobility context, the mechanism for enforcing currency of IA-related patches is to prohibit a mobile device from accessing DoD information resources if it does not have DoD-required security updates. This capability would typically be implemented using automated MDM features and enables DoD to decide which security updates are mandatory independently from the release schedule of patches from mobile OS vendors.