
The organization must make a risk-based determination, prior to installation of CMD applications on non-enterprise activated CMDs.


Overview

Finding ID: SRG-MPOL-055
Version: SRG-MPOL-055
Rule ID: SRG-MPOL-055_rule
IA Controls:
Severity: Medium
Description
CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or additional risk to DoD information and networks. Installation of an application should only happen after a risk-based determination by the CIO has been made.
STIG: Mobile Policy Security Requirements Guide
Date: 2012-10-10

Details

Check Text (C-SRG-MPOL-055_chk)
Review documentation showing a security risk analysis was performed by the CIO prior to approving applications for use on non-enterprise activated CMDs.

If CMD applications that have not been approved by the CIO are installed on non-enterprise activated CMDs, this is a finding.
Fix Text (F-SRG-MPOL-055_fix)
Ensure only CMD applications approved by the CIO, after a risk-based determination, are installed on non-enterprise activated CMDs.