Check: SRG-MPOL-066
Mobile Policy SRG, version v1 r2
Title
The organization must obtain approval from the DAA or Command IT Configuration Control Board prior to installing a software application on a mobile device. (Cat II impact)
Discussion
Core applications are the applications included in the commercial mobile device (CMD) operating system; applications added by the wireless carrier are not considered core applications. Before any non-core mobile OS application is used, the Designated Approving Authority (DAA) must either perform a security risk analysis or grant approval. Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware or spyware and do not have unexpected features (e.g., sending private information to a web site, tracking user actions, or connecting to a non-DoD management server).

The DAA, a DAA-designated Application Configuration Control Board, or another DAA-designated process is responsible for approving all third-party applications installed on mobile devices under the purview of the DAA. The review and approval process must evaluate which OS-level permissions the application requires and how the application shares data and memory space with other applications. It must also ensure that approved applications do not contain malware and do not share data stored on the mobile OS device with non-DoD servers.
Check Content
Review the policy to determine whether all non-core mobile OS applications are required to have DAA or Command IT Configuration Control Board (CCB) approval prior to installation. If DAA or Command IT CCB approval is not required, or is required but was not obtained prior to installation on a CMD, this is a finding.
Fix Text
Obtain DAA or Command IT CCB approval prior to installing non-core applications on CMDs.
Additional Identifiers
Vulnerability ID: V-35984
CCIs
Number | Definition
---|---
CCI-000083 | The organization establishes implementation guidance for organization-controlled mobile devices.
Controls
Number | Title
---|---
AC-19 | Access Control For Mobile Devices