The organization must periodically conduct manual audits of CMDs to verify the CMD is not running unauthorized software or has otherwise not been modified in an unauthorized manner.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35963	SRG-MPOL-045	SV-47279r1_rule		Low

Description
The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.

Description

The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44200r1_chk )
Review the organization's access control and security policy and documentation for manual inspections of non-enterprise activated mobile devices. Organizational personnel responsible for reviewing/inspecting non-enterprise activated CMDs and organizational personnel using the CMDs, will be interviewed. Ensure the organization has established a requirement for CMDs to be manually reviewed/inspected to ensure compliance with the organization's access control policy regarding the use of mobile devices within its facilities, to include determination if unauthorized software is, or has been, running on the device or if the device OS has been modified (e.g., rooted or jailbroken). If a policy or procedure is not in place for manual reviews or inspections, this is a finding.

Check Text ( C-44200r1_chk )

Review the organization's access control and security policy and documentation for manual inspections of non-enterprise activated mobile devices. Organizational personnel responsible for reviewing/inspecting non-enterprise activated CMDs and organizational personnel using the CMDs, will be interviewed. Ensure the organization has established a requirement for CMDs to be manually reviewed/inspected to ensure compliance with the organization's access control policy regarding the use of mobile devices within its facilities, to include determination if unauthorized software is, or has been, running on the device or if the device OS has been modified (e.g., rooted or jailbroken).

If a policy or procedure is not in place for manual reviews or inspections, this is a finding.

Fix Text (F-40490r1_fix)
Manually audit non-enterprise activated CMDs, in person, to determine if unauthorized software is, or has been, running on the device, or if the device OS has been modified (e.g., rooted or jailbroken), when centralized over-the-air auditing is unavailable.