Mobile device software updates must only originate from approved DoD sources.

From Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)

Part of CMD provisioning-02

Associated with IA controls: ECWN-1

SV-30701r4_rule Mobile device software updates must only originate from approved DoD sources.

Vulnerability discussion

Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the CMD and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the CMD management server, when this feature is available.

Check content

Detailed Policy Requirements: Software updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management. Check Procedures: Interview the ISSO and CMD management server system administrator. -Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements. -Determine what procedures are used at the site for installing software updates on site-managed CMDs. If the site does not have procedures in place, so users can down-load software updates from a DoD source or DoD-approved source, this is a finding.

Fix text

Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

Pro Tips

Powered by sagemincer