The operating system must verify the correct operation of security functions in accordance with organization defined conditions and in accordance with organization defined frequency (if periodic verification).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33191	SRG-OS-000199-NA	SV-43589r1_rule		Medium

Description
Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as, for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property for example, successful login triggers an audit entry. Rationale for non-applicability: Resource constraints on mobile devices preclude implementation of this specific IA function. The applicability of this control may be reconsidered at a future date if subsequent generations of mobile devices are better able to support this control. Additionally, the IA control corresponding to CCI-1297 requires that the integrity of the security enforcement mechanisms be validated at startup and every six hours thereafter. This provides reasonable assurance that security functions are performing properly even the functions themselves are not tested at these times.

Description

Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as, for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property for example, successful login triggers an audit entry. Rationale for non-applicability: Resource constraints on mobile devices preclude implementation of this specific IA function. The applicability of this control may be reconsidered at a future date if subsequent generations of mobile devices are better able to support this control. Additionally, the IA control corresponding to CCI-1297 requires that the integrity of the security enforcement mechanisms be validated at startup and every six hours thereafter. This provides reasonable assurance that security functions are performing properly even the functions themselves are not tested at these times.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-07-03

Details

Check Text ( C-41452r1_chk )
This requirement is NA for the Mobile OS SRG.

Fix Text (F-37092r1_fix)
The requirement is NA. No fix is required.