Mobile device software updates must only originate from approved DoD sources.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24964	WIR-SPP-008-02	SV-30701r2_rule	ECWN-1	Low

Description
Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the smartphone and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the smartphone management server, when this feature is available.

Description

Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the smartphone and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the smartphone management server, when this feature is available.

STIG	Date
Smartphone Policy Security Technical Implementation Guide	2012-10-09

Details

Check Text ( C-31127r3_chk )
Detailed Policy Requirements: Software updates must come from either DoD sources or DoD approved sources. Smartphone system administrators should push OTA software updates from the smartphone management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management. Check Procedures: Interview the IAO and smartphone management server system administrator. -Verify the site mobile device handheld administrator and the mobile device management server administrator are aware of the requirements. -Determine what procedures are used at the site for installing software updates on site-managed smartphones. Mark as a finding if the site does not have procedures in place, so users can down-load software updates from a DoD source or DoD approved source.

Check Text ( C-31127r3_chk )

Detailed Policy Requirements:
Software updates must come from either DoD sources or DoD approved sources. Smartphone system administrators should push OTA software updates from the smartphone management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management.

Check Procedures:
Interview the IAO and smartphone management server system administrator.

-Verify the site mobile device handheld administrator and the mobile device management server administrator are aware of the requirements.

-Determine what procedures are used at the site for installing software updates on site-managed smartphones.

Mark as a finding if the site does not have procedures in place, so users can down-load software updates from a DoD source or DoD approved source.

Fix Text (F-27598r2_fix)
Ensure smartphone software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.