Check: AVOS-02-015900
Apple visionOS 2 STIG: AVOS-02-015900 (in version v1 r1)
Title
Apple Vision Pro hardware must not be modified to use the Developer Strap unless use is approved on a case-by-case basis by the authorizing official (AO). (Cat III impact)
Discussion
The Apple Developer Strap provides a USB connector on the AVP and is used to download content to the AVP from a Mac. Using the Developer Strap without authorization is considered an unauthorized modification to the DOD-owned AVP. The Developer Strap is sold by Apple only to registered Apple developers but can also be bought online. Data cannot be downloaded from the AVP to a connected Mac, and the Developer Strap does not currently provide the connected Mac with access to an AVP enterprise network. Only unmanaged apps can be uploaded to an AVP via the Developer Strap. Unauthorized unmanaged apps can be downloaded to the AVP from the connected Mac.
SFR ID: FMT_MOF_EXT.1.2 #47
Check Content
Interview the site information system security officer (ISSO) and AVP users. Determine if the AVP Developer Strap is used at the site. If yes, verify the AO has approved its use by reviewing approval documentation. Verify AVP users are trained to not use the AVP Developer Strap without AO approval (AVOS-02-011900). If the AVP Developer Strap is used at the site without AO approval, this is a finding.
Fix Text
Train AVP users to not connect and use the Developer Strap unless the AO has approved its use for a specific use case (refer to AVOS-02-011900). AO use approval must be documented and must detail specific use cases for which its use is approved.
Additional Identifiers
Rule ID: SV-276416r1146744_rule
Vulnerability ID: V-276416
Group Title: PP-MDF-993300
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |