Check: SRG-APP-000200-MAPP-00044
Mobile Application SRG: SRG-APP-000200-MAPP-00044 (in version v1 r1)
Title
The mobile application must shut down or take an alternative organization defined action when it determines that one of its required security functions is unavailable. (Cat II impact)
Discussion
While mobile applications primarily rely on MOS security controls, a mobile application may contain security functions of its own that enable the device and user to operate in a secure manner. For example, the mobile application may operate its own cryptographic modules for data at rest and data in transit. If a security function that would normally encrypt data at rest or data in motion, or perform some other security measure, is not present, then all data, the device and the network are at risk of exposure and intrusion by a malicious, unauthorized user. This measure mitigates the DoD's risk of compromise when the security posture of the device is weakened by failed or disabled security modules. When the application shuts down it must cease running, not merely deny services to a user. Other organization-defined response actions might include writing an entry to the audit log, notifying the user, or limiting access to particular application features, such as the ability to export data.
Check Content
If the application does not contain security functions beyond those provided by the MOS, this requirement is not applicable. Perform a static analysis and determine whether code is present that checks for the presence and availability of the required security functions and shuts the application down when one is unavailable. If the static analysis reveals no such code, this is a finding.
Fix Text
Modify the code to ensure the application shuts down or performs an organization-defined response action when one of its required security features is not available.
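The startup gate described in the Discussion and Fix Text, as an added illustration that is not part of the SRG: each required security function has a probe and an organization-defined response (the POLICY mapping, the probe names and the "export_data" feature are constructed assumptions). A probe that fails, raises or is missing is treated as "unavailable"; a "shutdown" rule exits the process, while a "restrict" rule only disables the dependent feature, and every failure is written to the log as the audit entry.

```python
import hashlib
import logging
import ssl
import sys

# Constructed policy: "shutdown" ends the process; "restrict" only disables features.
POLICY = {
    "sha256_integrity": {"response": "shutdown"},
    "tls_transport": {"response": "shutdown"},
    "at_rest_encryption": {"response": "restrict", "disables": ["export_data"]},
}

def probe_sha256():  # exercise the digest, not just the registered name
    return len(hashlib.sha256(b"probe").digest()) == 32

def probe_tls():  # raises if the TLS stack is unusable
    return ssl.create_default_context().verify_mode == ssl.CERT_REQUIRED

def probe_at_rest():  # AES-GCM from the third-party 'cryptography' package
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return False
    return AESGCM(AESGCM.generate_key(bit_length=256)) is not None

PROBES = {"sha256_integrity": probe_sha256, "tls_transport": probe_tls,
          "at_rest_encryption": probe_at_rest}

def evaluate(probes, policy=POLICY):
    # Returns (must_shut_down, disabled_features, failed_functions).
    failed, disabled = [], set()
    for name, rule in policy.items():
        try:
            ok = bool(probes[name]())
        except Exception as exc:  # missing or crashing probe counts as unavailable
            ok = False
            logging.error("probe for %s raised %r", name, exc)
        if not ok:
            failed.append(name)
            logging.error("required security function unavailable: %s", name)
            disabled.update(rule.get("disables", []))
    shut_down = any(policy[n]["response"] == "shutdown" for n in failed)
    return shut_down, disabled, failed

def startup_gate(probes=PROBES):
    shut_down, disabled, failed = evaluate(probes)
    if shut_down:
        logging.critical("shutting down, unavailable functions: %s", failed)
        sys.exit(1)  # cease running rather than keep serving with crypto missing
    return disabled
```

Call startup_gate() before any feature is exposed and hide every feature it returns; this is the code a static analysis under the Check Content would look for.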
Additional Identifiers
Rule ID: SV-46813r1_rule
Vulnerability ID: V-35526
CCIs
Number | Definition |
---|---|
CCI-001674 | The information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s). |
Controls
Number | Title |
---|---|
No controls are assigned to this check | |