UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must install software updates automatically.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33181 SRG-OS-000190-NA SV-43579r1_rule Medium
Description
Security faults with software applications and operating systems are discovered daily and vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed expeditiously. Rationale for non-applicability: This IA control conflicts with another IA requirement that users must accept software updates, thereby precluding full automation. In some instances, software updates must be downloaded directly from vendors without DoD evaluation. In this environment, fully automated updates pose an IA risk because the updates could contain malware that circumvents other IA controls. In the mobility context, the mechanism for enforcing currency of IA-related patches is to prohibit a mobile device from accessing DoD information resources if it does not have DoD-required security updates. This capability would typically be implemented using automated MDM features and enables DoD to decide which security updates are mandatory independently from the release schedule of patches from mobile OS vendors.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text ( C-41442r1_chk )
This requirement is NA for the Mobile OS SRG.
Fix Text (F-37082r1_fix)
The requirement is NA. No fix is required.