Check: SRG-APP-000007-MAPP-00002
Mobile Application SRG:
SRG-APP-000007-MAPP-00002
(in version v1 r1)
Title
The mobile application must not permit any classification attribute to be modified to a lower level of classification if it processes classified data. (Cat I impact)
Discussion
A classification attribute ensures the data is correctly handled and processed according to its sensitivity. If the classification attribute can be modified, there is a risk of misclassification of the data, resulting in a data spill. This control greatly reduces the risk of unauthorized downward classification of sensitive data that could result in the data being inadvertently combined with non-sensitive data, creating a data spill.
Check Content
For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that store classified data, perform a static program analysis of the application software to assess if the highest data classification attribute is automatically or manually created. If the supporting code is not present, this is a finding.
Fix Text
Modify the application's code and functionality so that the application is prohibited from reclassifying data downward.
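One way the supporting code could look, as an added example that is not part of the SRG: a labeled record whose classification attribute can be raised but never lowered, and a merge that carries the highest label forward. The level names, their ordering, and the names `LabeledRecord`, `reclassify` and `combine` are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Illustrative ordering (assumption): a higher value is more sensitive.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class DowngradeError(Exception):
    """Raised when a caller tries to lower a classification attribute."""


@dataclass
class LabeledRecord:
    payload: bytes
    _level: Level  # bound to the payload; changed only through reclassify()

    @property
    def level(self) -> Level:
        # Read-only view: there is no setter, so `record.level = x` fails.
        return self._level

    def reclassify(self, new_level: Level) -> None:
        # Same-level and upward changes are accepted; any downward change
        # is refused and the existing label is left untouched.
        if new_level < self._level:
            raise DowngradeError(
                f"refused: {self._level.name} -> {new_level.name}"
            )
        self._level = new_level


def combine(a: LabeledRecord, b: LabeledRecord) -> LabeledRecord:
    # High-water mark: merged data inherits the highest label of its inputs,
    # so mixing sensitive and non-sensitive data never yields a lower label.
    return LabeledRecord(a.payload + b.payload, max(a.level, b.level))


if __name__ == "__main__":
    # Constructed sample data.
    rec = LabeledRecord(b"report", Level.SECRET)
    try:
        rec.reclassify(Level.UNCLASSIFIED)
    except DowngradeError as exc:
        print(exc)
```

Python does not enforce private fields, so a reviewer performing the static analysis would also look for direct writes to `_level` that bypass `reclassify()`.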
Additional Identifiers
Rule ID: SV-46371r1_rule
Vulnerability ID: V-35084
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001400 | The information system supports and maintains the binding of organization-defined security attributes to information in process. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |