Check: SRG-MPOL-046
Mobile Policy SRG: SRG-MPOL-046 (in version v1 r2)
Title
The organization, at the mobile device management (MDM) server site, must verify that local sites, where CMDs are provisioned, issued, and managed, are conducting annual self assessments. (Cat III impact)
Discussion
The security integrity of the CMD system depends on whether local sites, where CMDs are provisioned and issued, are complying with IA requirements. Both the risk of malware being introduced on a handheld device and the risk of avenues of attack into the enclave being introduced via a CMD are heightened if IA control procedures are not followed.
Check Content
Verify that the security personnel at the site where the MDM server is located are tracking whether local/remote sites (where CMDs are provisioned, issued, and managed) are conducting annual self assessments. Command-level action should be considered for local sites not complying with security requirements for the provisioning, issuance, and management of CMDs. If required annual self assessments have not been completed by the site, this is a finding.
Fix Text
Conduct annual self assessments where CMDs are provisioned, issued, and managed.
Additional Identifiers
Rule ID:
Vulnerability ID: V-35964
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001334 | The organization requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials. |
Controls
Number | Title |
---|---|
AC-19 (4) | Restrictions For Classified Information |