The organization must make a risk-based determination for applications before they are accredited by the DAA prior to distribution or installation on a CMD.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35912 | SRG-MPOL-003 | SV-47228r1_rule | Medium |
| Description |
|---|
| CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or other risks to DoD information and networks. If an application is utilized that has not been approved for use, and a risk based determination has not been made by the appropriate approving authority, DoD has no way of knowing what type of risk the application may pose to DoD information systems or data. |
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-44156r1_chk ) |
|---|
| Review the organization's CMD policy to determine if it states that a risk-based determination for applications is performed before they are accredited by the DAA prior to distribution or installation on a CMD. If the organization's CMD policy does not provide for a risk-based determination and approval, prior to installation on a CMD, this is a finding. |
| Fix Text (F-40443r1_fix) |
|---|
| Include a risk-based determination and DAA accreditation for applications prior to installation on a CMD in the CMD policy. |