Title

The site must set up local operating procedures for initial provisioning and subsequent software and application updates using the procedures published in the STIG Overview document. (Cat II impact)

Discussion

Strong configuration management of applications on a smartphone is a key malware control. Most smartphones must have individual commercial web portal (e.g., iTunes, Android Market, etc.) accounts and be connected to the commercial App Store to provision the smartphone. A DoD user can jailbreak a smartphone and bypass smartphone application and malware controls. To ensure strong configuration management of the security baseline of the smartphone, all software loading should be done by the SA.

Check Content

All smartphone provisioning and updates are under the control of the site Android device System Administrator (SA). Interview the site IAO and Android device SA. Verify the site has a procedure for initial provisioning and subsequent updates of site managed Android devices. Review the site procedure and verify they follow the procedures found in the STIG Overview document. Mark as a finding if these procedures are not followed.

Fix Text

Set up local operating procedures for initial provisioning and subsequent software and application updates according to procedures published in the STIG/ISCG Overview document.

Additional Identifiers

Rule ID: SV-35001r1_rule

Vulnerability ID: V-25842

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.