Title

The organization must make a risk-based determination for applications before they are accredited by the DAA prior to distribution or installation on a CMD. (Cat II impact)

Discussion

CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or other risks to DoD information and networks. If an application is utilized that has not been approved for use, and a risk based determination has not been made by the appropriate approving authority, DoD has no way of knowing what type of risk the application may pose to DoD information systems or data.

Check Content

Review the organization's CMD policy to determine if it states that a risk-based determination for applications is performed before they are accredited by the DAA prior to distribution or installation on a CMD. If the organization's CMD policy does not provide for a risk-based determination and approval, prior to installation on a CMD, this is a finding.

Fix Text

Include a risk-based determination and DAA accreditation for applications prior to installation on a CMD in the CMD policy.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35912

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.