The organization must establish standard operating procedures for provisioning mobile devices.

From Mobile Policy Security Requirements Guide

Part of SRG-MPOL-061

Associated with: CCI-000083

SV-47295r1_rule The organization must establish standard operating procedures for provisioning mobile devices.

Vulnerability discussion

A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air (OTA)). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.

Check content

Review the organization's policy and procedures for provisioning mobile operating systems and applications. Determine if there are requirements to ensure integrity mechanisms protecting the confidentiality of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS-validated cryptographic modules implementing algorithms that provide integrity services. If there are no requirements in the policies or procedural documentation for these mechanisms, this is a finding.

Fix text

Establish standard operating procedures for provisioning mobile devices to include integrity mechanisms protecting the confidentiality of OTA provisioning.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer