UCF STIG Viewer Logo

All non-core applications on mobile devices must be approved by the DAA or Command IT Configuration Control Board.


Finding ID Version Rule ID IA Controls Severity
V-24986 WIR-MOS-NS-006-01 SV-40110r2_rule DCCB-1 ECWN-1 Low
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board (CCB) is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.
General Mobile Device (Technical) (Non-Enterprise Activated) Security Technical Implementation Guide 2013-03-19


Check Text ( C-39058r1_chk )
Detailed Requirements:
Core applications are applications included in the mobile operating system by the operating system vendor. A list of core applications is usually in the STIG overview document or the STIG Configuration Tables document. All non-core applications on the mobile device must be approved by the DAA or the Command IT CCB. Approval must be documented in some type of approval (memo, letter, etc.). Non-core applications include applications added to the device by the carrier (AT&T or Verizon Wireless map application).

Check Procedures:

First, review the procedures the site or command uses to review and approve third-party applications used on site managed mobile devices. Have the IAO or DAA representative provide a copy of the application review.

Second, select 2-3 random devices managed by the site to review.

-Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card.

--Have the user log into the device and show the list of applications installed on the device and the media card (procedure will vary, depending on mobile OS).

--Verify the site has written approval to use the app from the DAA or Command IT CCB.

-Mark as a finding if any app has not been approved.
Fix Text (F-27627r1_fix)
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.