Title

The mobile application must assign the classification corresponding to the highest classification of its elements whenever it combines data elements classified at multiple levels. (Cat I impact)

Discussion

A classification attribute assures the data is correctly handled and processed according to its sensitivity. Data of mixed classification is vulnerable to accidental exposure if it is combined with several other data elements and not properly reclassified. This control greatly reduces the risk of misclassification when data of multiple classifications are combined.

Check Content

For applications that combine classified data from multiple data elements, perform a dynamic program analysis to assess if the application assigns the highest classification of the combination's elements to the classification attribute of the combination whole. Examine each data file created and assess if the appropriate attribute is included. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if code is present that forces the application to assign the highest classification of the combination's elements to the classification attribute of the combination whole. If the static or dynamic program analysis reveals the application does not assign the highest classification of the combination's elements to the classification attribute of the combination whole, this is a finding.

Fix Text

Modify code to ensure the application assigns the highest classification of the combination's elements to the classification attribute of the combination whole.

Additional Identifiers

Rule ID: SV-46374r1_rule

Vulnerability ID: V-35087

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.