Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24964 | WIR-SPP-008-02 | SV-30701r2_rule | ECWN-1 | Low |
Description |
---|
Users must not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the smartphone and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the smartphone management server, when this feature is available. |
STIG | Date |
---|---|
Smartphone Policy Security Technical Implementation Guide | 2011-04-08 |
Check Text (C-31127r2_chk) |
---|
Detailed Policy Requirements: Smartphone users must be trained to not install OTA software updates that come from non-DoD sources. Smartphone system administrators should push OTA software updates from the smartphone management server, when this feature is available. Check Procedures: Interview the IAO and smartphone management server system administrator. - Verify users have been trained on this requirement (review site user smartphone training documentation or the site User Agreement). - Verify that the site smartphone handheld administrator and the smartphone management server administrator are aware of the requirement. - Determine what procedures are used at the site for installing software updates on site-managed smartphones. |
Fix Text (F-27598r2_fix) |
---|
Ensure smartphone software updates originate from DoD sources or approved non-DoD sources only. Users do not accept over-the-air (OTA) wireless software updates from non-approved sources. |