Applications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization-defined basis.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35704	SRG-APP-000270-MAPP-NA	SV-46991r1_rule		Medium

Description
Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This role is usually assigned to patch management software that is deployed in order to track the number of systems installed in the network, as well as, the types of software installed on these systems, the corresponding versions, and the related flaws that require patching. Rationale for non-applicability: The MDM determines the state of information system components with respect to flaw remediation. This is outside the scope of this SRG. Moreover, typically mobile applications are not "patched" but are replaced with an updated version.

Description

Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This role is usually assigned to patch management software that is deployed in order to track the number of systems installed in the network, as well as, the types of software installed on these systems, the corresponding versions, and the related flaws that require patching. Rationale for non-applicability: The MDM determines the state of information system components with respect to flaw remediation. This is outside the scope of this SRG. Moreover, typically mobile applications are not "patched" but are replaced with an updated version.

STIG	Date
Mobile Application Security Requirements Guide	2013-01-04

Details

Check Text ( C-44047r1_chk )
This requirement is NA for the MAPP SRG.

Fix Text (F-40247r1_fix)
The requirement is NA. No fix is required.