
The organization must make a risk-based determination, prior to installation of applications on non-enterprise activated CMDs.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35986 | SRG-MPOL-068 | SV-47302r1_rule | | Medium |
Description
CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or additional risk to DoD information and networks. Installation of an application should only happen after a risk-based determination by the DAA has been made.
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2013-01-24 |

Details

Check Text (C-44223r1_chk)
Review documentation (policy, procedure, etc.) showing a security risk analysis was performed by the DAA prior to approving applications for use on non-enterprise activated CMDs.

If CMD applications that have not been approved by the DAA are installed on non-enterprise activated CMDs, this is a finding.
Fix Text (F-40513r1_fix)
Develop and publish policies or procedures requiring that only applications approved by the DAA, after a risk-based determination, be installed on non-enterprise activated CMDs.