From Mobile Policy Security Requirements Guide
Part of SRG-MPOL-061
Associated with: CCI-000083
A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air (OTA)). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks.
Review the organization's policy and procedures for provisioning mobile operating systems and applications. Determine if there are requirements to ensure integrity mechanisms protecting the confidentiality of OTA provisioning. Appropriate integrity mechanisms generally involve the use of FIPS-validated cryptographic modules implementing algorithms that provide integrity services. If there are no requirements in the policies or procedural documentation for these mechanisms, this is a finding.
Establish standard operating procedures for provisioning mobile devices to include integrity mechanisms protecting the confidentiality of OTA provisioning.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer