Title

The organization must establish standard operating procedures for provisioning mobile devices. (Cat II impact)

Discussion

A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air (OTA)). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.

Check Content

Review the organization's policy and procedures for provisioning mobile operating systems and applications. Determine if there are requirements to ensure integrity mechanisms protecting the confidentiality of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS-validated cryptographic modules implementing algorithms that provide integrity services. If there are no requirements in the policies or procedural documentation for these mechanisms, this is a finding.

Fix Text

Establish standard operating procedures for provisioning mobile devices to include integrity mechanisms protecting the confidentiality of OTA provisioning.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35979

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.