STIGQter: STIG Summary: Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG) Version: 2 Release: 5 Benchmark Date: 28 Oct 2016

Mobile device software updates must only originate from approved DoD sources.

DISA Rule

SV-30701r4_rule

Vulnerability Number

V-24964

Group Title

CMD provisioning-02

Rule Version

WIR-SPP-008-02

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

Check Contents

Detailed Policy Requirements:
Software updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management.

Check Procedures:
Interview the ISSO and CMD management server system administrator.

- Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements.

- Determine what procedures are used at the site for installing software updates on site-managed CMDs.

If the site does not have procedures in place so that users can download software updates from a DoD source or DoD-approved source, this is a finding.

Documentable

False

Severity Override Guidance

Detailed Policy Requirements:
Software updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management.

Check Procedures:
Interview the ISSO and CMD management server system administrator.

- Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements.

- Determine what procedures are used at the site for installing software updates on site-managed CMDs.

If the site does not have procedures in place so that users can download software updates from a DoD source or DoD-approved source, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

1978
