Title

Required procedures must be followed for the disposal of CMDs. (Cat III impact)

Discussion

If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.

Check Content

This requirement applies to mobile operating system (OS) CMDs. Prior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the mobile operating system STIG Supplemental document. Interview the ISSO. Verify proper procedures are being followed and the procedures are documented. Check to see how retired, discarded, or transitioned CMDs were disposed of during the previous 6 – 12 months and verify compliance with requirements. If procedures are not documented or if documented, they were not followed, this is a finding.

Fix Text

Follow required procedures prior to disposing of a CMD or transitioning it to another user.

Additional Identifiers

Rule ID: SV-30695r6_rule

Vulnerability ID: V-24958

Group Title: Follow procedures for disposal of CMDs

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.