UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The organization must establish standard operating procedures for provisioning mobile devices.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-MPOL-048 SRG-MPOL-048 SRG-MPOL-048_rule Medium
Description
A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.
STIG Date
Mobile Policy Security Requirements Guide 2012-10-10

Details

Check Text ( C-SRG-MPOL-048_chk )
Review the organization's policy and procedures for provisioning mobile operating systems and applications. Determine if there are requirements to ensure integrity mechanisms protecting the confidentiality of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS-validated cryptographic modules implementing algorithms that provide integrity services. If there are no requirements in the policies or procedural documentation for these mechanisms, this is a finding.
Fix Text (F-SRG-MPOL-048_fix)
Ensure inclusion of a trusted loading process in the organization's mobile provisioning process.