UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The organization must make a risk-based determination for applications before they are accredited by the DAA prior to distribution or installation on a CMD.


Overview

Finding ID Version Rule ID IA Controls Severity
V-35912 SRG-MPOL-003 SV-47228r1_rule Medium
Description
CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or other risks to DoD information and networks. If an application is utilized that has not been approved for use, and a risk based determination has not been made by the appropriate approving authority, DoD has no way of knowing what type of risk the application may pose to DoD information systems or data.
STIG Date
Mobile Policy Security Requirements Guide 2013-07-03

Details

Check Text ( C-44156r1_chk )
Review the organization's CMD policy to determine if it states that a risk-based determination for applications is performed before they are accredited by the DAA prior to distribution or installation on a CMD. If the organization's CMD policy does not provide for a risk-based determination and approval, prior to installation on a CMD, this is a finding.
Fix Text (F-40443r1_fix)
Include a risk-based determination and DAA accreditation for applications prior to installation on a CMD in the CMD policy.