
The organization must develop policy that ensures CMDs' software updates originate from only approved DoD sources.


Overview

Finding ID: SRG-MPOL-050
Version: SRG-MPOL-050
Rule ID: SRG-MPOL-050_rule
IA Controls: (none listed)
Severity: Medium
Description
Users must not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and DoD approved. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the smartphone and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from an approved DoD source. Wireless software updates should be pushed from the smartphone management server, when this feature is available. Otherwise, the site administrator should verify the non-DoD source of the update has been approved by IT management.
STIG Date
Mobile Policy Security Requirements Guide 2012-10-10

Details

Check Text (C-SRG-MPOL-050_chk)
Review the site's procedure/policy on software updates for smartphones and ensure it includes a requirement for updates to be obtained from an approved DoD source. Verify the site smartphone handheld administrator and the smartphone management server administrator are aware of the requirement.

Determine what procedures are used at the site for installing software updates on site-managed smartphones.

If the site does not have procedures in place for users to download software updates from only a DoD-approved source, this is a finding.
Fix Text (F-SRG-MPOL-050_fix)
Ensure smartphone software updates originate from approved DoD sources.