The organization must make a risk-based determination on the impacts of a mobile application prior to its distribution and installation.


Overview

Finding ID: SRG-MPOL-003
Version: SRG-MPOL-003
Rule ID: SRG-MPOL-003_rule
IA Controls: (none listed)
Severity: Medium
Description
CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or other risks to DoD information and networks. If an application is used that has not been approved, and a risk-based determination has not been made by the appropriate approving authority, DoD has no way of knowing what type of risk the application may pose to DoD information systems or data.
STIG: Mobile Policy Security Requirements Guide
Date: 2012-10-10

Details

Check Text (C-SRG-MPOL-003_chk)
Review the organization's CMD policy to determine whether it states that all applications are reviewed and a risk-based determination is made prior to approval. If the organization's CMD policy does not provide for a risk-based determination and approval prior to installation on a CMD, this is a finding.
Fix Text (F-SRG-MPOL-003_fix)
Ensure the organization's CMD policy includes a risk-based determination for applications prior to installation on a CMD.