The organization must establish standard operating procedures for provisioning mobile devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35979	SRG-MPOL-061	SV-47295r1_rule		Medium

Description
A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air (OTA)). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.

Description

A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air (OTA)). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44216r1_chk )
Review the organization's policy and procedures for provisioning mobile operating systems and applications. Determine if there are requirements to ensure integrity mechanisms protecting the confidentiality of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS-validated cryptographic modules implementing algorithms that provide integrity services. If there are no requirements in the policies or procedural documentation for these mechanisms, this is a finding.

Check Text ( C-44216r1_chk )

Review the organization's policy and procedures for provisioning mobile operating systems and applications. Determine if there are requirements to ensure integrity mechanisms protecting the confidentiality of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS-validated cryptographic modules implementing algorithms that provide integrity services. If there are no requirements in the policies or procedural documentation for these mechanisms, this is a finding.

Fix Text (F-40506r1_fix)
Establish standard operating procedures for provisioning mobile devices to include integrity mechanisms protecting the confidentiality of OTA provisioning.