
Smartphone software updates will only originate from DoD sources.


Overview

Finding ID: V-24964
Version: WIR-SPP-008-02
Rule ID: SV-30701r2_rule
IA Controls: ECWN-1
Severity: Low
Description
Users must not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the smartphone and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the smartphone management server, when this feature is available.
STIG Date
Smartphone Policy Security Technical Implementation Guide 2011-04-08

Details

Check Text (C-31127r2_chk)
Detailed Policy Requirements:
Smartphone users must be trained to not install OTA software updates that come from non-DoD sources.

Smartphone system administrators should push OTA software updates from the smartphone management server, when this feature is available.

Check Procedures:
Interview the IAO and smartphone management server system administrator.

- Verify users have been trained on this requirement (review site user smartphone training documentation or the site User Agreement).

- Verify that the site smartphone handheld administrator and the smartphone management server administrator are aware of the requirement.

- Determine what procedures are used at the site for installing software updates on site-managed smartphones.

Fix Text (F-27598r2_fix)
Ensure smartphone software updates originate from DoD sources or approved non-DoD sources only. Ensure users do not accept over-the-air (OTA) wireless software updates from non-approved sources.