Check: SRG-MPOL-048
Mobile Policy SRG: SRG-MPOL-048 (in version v1 r2)
Title
The organization must maintain results and mitigation actions, from CMD integrity validation tool scans on site managed mobile devices, for 6 months (one year recommended). (Cat III impact)
Discussion
Scan results must be maintained so that auditors can verify that mitigation actions have been completed, so that a scan can be compared to a previous scan, and so that any security vulnerability trends can be identified.
Check Content
Verify the security personnel or system administrator is saving records of scan results and mitigation actions for the length of time designated by the site security manager (which must be a minimum of 6 months, one year recommended). If results of scans are not maintained by the site for 6 months, this is a finding.
Fix Text
Maintain the results and mitigation actions from integrity validation tool scans on CMDs for at least 6 months.
Additional Identifiers
Rule ID:
Vulnerability ID: V-35966
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001334 | The organization requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials. |
Controls
Number | Title |
---|---|
AC-19 (4) | Restrictions For Classified Information |