Check: SRG-APP-000012-MAPP-00007
Mobile Application SRG:
SRG-APP-000012-MAPP-00007
(in version v1 r1)
Title
The mobile application must enable the user of the mobile device to assign a classification level to any data the user creates while using the mobile device, unless the application concept of operations requires that all data be handled at a single classification level. (Cat II impact)
Discussion
Data at rest or data in transit is at risk of exposure if it is improperly classified; when IA controls are not applied because data is mislabeled or unlabeled, sensitive data can be transmitted and stored insecurely. Data that has no classification level assigned to it can be misclassified or improperly handled when it is used or once it is forwarded. In some cases, users can reclassify data upward in order to ensure it is handled correctly. Implementing this control prevents inadvertent use or misclassification of data when the system is operating at one or more levels of classification.
Check Content
For applications that process, store, or transmit classified data, review the mobile application's CONOPS and assess whether the application's stored, processed, and transmitted data is to be uniformly treated as one, single security classification. If it is, the application is in compliance. If the CONOPS review reveals no requirement for handling data at a single classification level, perform a dynamic program analysis to assess whether the application allows a user to manually assign a classification to the data stored on the device. If the dynamic program analysis is inconclusive or cannot be performed, carry out a static program analysis on the application to assess whether code exists that allows all data to be held and attributed at one, single classification level. If the dynamic or static program analysis concludes that the user cannot manually assign a classification to the data stored on the device, this is a finding.
Fix Text
If the CONOPS does not require data to be classified uniformly at one level, modify the code to support manual classification of the data by the user.
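One way an application could implement this fix, shown here as an added illustration rather than code from the SRG: a small data-creation policy that either applies a single CONOPS-mandated level or refuses to persist a record until the user has assigned one, and that lets the user reclassify upward only. The `ClassificationPolicy`, `Record` and `Level` names are assumptions for this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Classification levels, ordered so '>' means 'more restrictive' (constructed set)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Record:
    owner: str
    body: str
    level: Level  # every record carries a label; there is no 'unlabeled' state


class ClassificationPolicy:
    """Hypothetical policy object the app routes all data creation through.

    single_level: the level the CONOPS mandates for all data, or None when
    the user must assign a level to each record they create.
    """

    def __init__(self, single_level: Optional[Level] = None):
        self.single_level = single_level

    def create(self, owner: str, body: str, user_level: Optional[Level] = None) -> Record:
        if self.single_level is not None:
            # Single-level CONOPS: data may not be labeled at any other level.
            if user_level is not None and user_level != self.single_level:
                raise ValueError("CONOPS fixes classification at %s" % self.single_level.name)
            return Record(owner, body, self.single_level)
        if user_level is None:
            # Refuse to persist unlabeled data rather than guessing a default.
            raise ValueError("user must assign a classification level")
        return Record(owner, body, user_level)

    def reclassify(self, record: Record, new_level: Level) -> Record:
        """Let the user raise a label; lowering is refused here and left to a separate review."""
        if self.single_level is not None:
            raise ValueError("reclassification not permitted under single-level CONOPS")
        if new_level < record.level:
            raise ValueError("downgrade from %s to %s refused" % (record.level.name, new_level.name))
        record.level = new_level
        return record
```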
Additional Identifiers
Rule ID: SV-46384r1_rule
Vulnerability ID: V-35097
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001427 | The information system allows authorized users to associate security attributes with information. |
Controls
Number | Title |
---|---|
(none) | No controls are assigned to this check |