STIGQter: STIG Summary: Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG) Version: 2 Release: 5 Benchmark Date: 28 Oct 2016:

A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.

DISA Rule

SV-43023r4_rule

Vulnerability Number

V-32677

Group Title

Mobile application security review

Rule Version

WIR-SPP-021

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Have AO or Command IT CCB use the required procedures to review mobile applications prior to approving them.

Check Contents

Detailed Requirements:
Core applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the AO or an AO-approved approval authority prior to a mobile OS application being approved for use.

- The application review and approval process must include an evaluation of what OS-level permissions are required by the application and how the application shares data and memory space with other applications.
- The review process must also ensure that approved applications do not contain malware and do not share data stored on the mobile OS device with non-DoD servers.

Check Procedures:

Ask the site for documentation showing what security risk analysis procedures are used by the AO prior to approving non-core applications for use.

Determine if the procedures include an evaluation of the following:
- What OS-level permissions are required by the application?
- The application does not contain malware.
- The application does not share data stored on the CMDs with non-DoD servers.
- If the application stores sensitive data, the application data storage container uses a FIPS 140-2 validated cryptographic module.

If a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

System Administrator

Target Key

1978

Comments