Title

Mobile device software updates must only originate from approved DoD sources. (Cat III impact)

Discussion

Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the CMD and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the CMD management server, when this feature is available.

Check Content

Detailed Policy Requirements: Software updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management. Check Procedures: Interview the ISSO and CMD management server system administrator. -Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements. -Determine what procedures are used at the site for installing software updates on site-managed CMDs. If the site does not have procedures in place, so users can down-load software updates from a DoD source or DoD-approved source, this is a finding.

Fix Text

Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

Additional Identifiers

Rule ID: SV-30701r4_rule

Vulnerability ID: V-24964

Group Title: CMD provisioning-02

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.