This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that store classified data, perform a static program analysis of the application software to assess if the highest data classification attribute is automatically or manually created. If the supporting code is not present, this is a finding.
Modify code to enable the creation and storage of a highest data classification attribute.
For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that store classified data, perform a static program analysis of the application software to assess if the highest data classification attribute is automatically or manually created. If the supporting code is not present, this is a finding.
Modify code and functionality that prohibits an application from reclassifying the data downwardly.
For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that transmit classified data, perform a dynamic program analysis to assess if any data classification attributes are transmitted with the data. Check the received data and examine it for the inclusion of classification attributes. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if the code transmits any data classification attributes with the data. If the static or dynamic program analysis reveals no data classification attributes are transmitted with the data, this is a finding. This test may entail an end-to-end test that extends beyond the application itself, to ensure the data file construct meets the requirements of data classification attribute presence.
Modify code to include data classification attributes with transmitted data.
For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that store, process, or transmit classified data, carry out a dynamic program analysis to assess if the application assigns a classification attribute to any newly created data file or transmitted data stream. Examine each data file created and assess if an attribute is included. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if code is present that makes the application assign a classification attribute to any newly created data file and transmitted data stream. If the dynamic or static program analysis reveals no data classification attributes are assigned to any newly created data file or transmitted data stream, this is a finding.
Modify code to assign a classification attribute to any newly created data file or stream when the application stores, processes, or transmits classified data.
For applications that combine classified data from multiple data elements, perform a dynamic program analysis to assess if the application assigns the highest classification of the combination's elements to the classification attribute of the combination whole. Examine each data file created and assess if the appropriate attribute is included. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if code is present that forces the application to assign the highest classification of the combination's elements to the classification attribute of the combination whole. If the static or dynamic program analysis reveals the application does not assign the highest classification of the combination's elements to the classification attribute of the combination whole, this is a finding.
Modify code to ensure the application assigns the highest classification of the combination's elements to the classification attribute of the combination whole.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For applications that transmit classified data, perform a dynamic program analysis to assess if the application was able to maintain the binding of classification attributes to data throughout transmission. These attributes must be able to be properly processed by automated policy action on the receiving side, and thus the network to which the application transmits the data must be a part of the test. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if the application is able to maintain the binding of classification attributes to information when it is being transmitted. This test may entail an end-to-end test that extends beyond the application itself, to ensure the data file construct meets the requirements of data attribute presence and binding. If the dynamic or static program analysis reveals the application does not maintain the binding of classification attributes to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions, this is a finding.
Modify code to strongly bind classification attributes to information using asymmetric cryptography or an approved alternative technology that provides sufficient assurance that the information/attribute association can be used as the basis for automated policy actions.
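The attribute handling that the preceding checks call for (a classification attribute on every data element, the highest classification of the parts assigned to a combination, refusal to reclassify downward, and a cryptographic binding of attribute to data that a receiver can verify before acting on it), as an added example that is not code from the SRG or from any vendor. Go with the standard library only; the type and function names (Classification, Labeled, Combine, Reclassify, Bind, Verify) and the sample records are assumptions, and the binding is an ECDSA P-256 signature over label and data, one of the asymmetric options the fix text allows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Classification is an ordered label; a higher value dominates a lower one.
type Classification uint8

const (
	Unclassified Classification = iota
	Confidential
	Secret
	TopSecret
)

func (c Classification) String() string {
	return [...]string{"UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"}[c]
}

// Labeled is a data element that always carries its classification attribute.
type Labeled struct {
	Label Classification
	Data  []byte
}

// HighestOf returns the label a combination must carry: the maximum over its parts.
func HighestOf(parts ...Labeled) Classification {
	var top Classification
	for _, p := range parts {
		if p.Label > top {
			top = p.Label
		}
	}
	return top
}

// Combine joins elements into one record labeled with the highest classification among them.
func Combine(parts ...Labeled) Labeled {
	out := Labeled{Label: HighestOf(parts...)}
	for _, p := range parts {
		out.Data = append(out.Data, p.Data...)
	}
	return out
}

var ErrDowngrade = errors.New("reclassification below the current label is refused")

// Reclassify allows raising a label but never lowering it from application code.
func Reclassify(l Labeled, to Classification) (Labeled, error) {
	if to < l.Label {
		return l, ErrDowngrade
	}
	l.Label = to
	return l, nil
}

// digest covers the label, the data length and the data, so neither label nor
// data can be swapped independently of the other.
func digest(l Labeled) []byte {
	h := sha256.New()
	h.Write([]byte{byte(l.Label)})
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(l.Data)))
	h.Write(n[:])
	h.Write(l.Data)
	return h.Sum(nil)
}

// Bind signs the label/data pair with the sender's ECDSA P-256 key.
func Bind(priv *ecdsa.PrivateKey, l Labeled) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(l))
}

// Verify is true only if label and data are exactly what the sender signed;
// a receiver bases automated policy decisions on the label only after this passes.
func Verify(pub *ecdsa.PublicKey, l Labeled, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(l), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// constructed sample elements
	rec := Combine(Labeled{Label: Confidential, Data: []byte("name=...;")},
		Labeled{Label: Secret, Data: []byte("location=...")})
	sig, _ := Bind(priv, rec)
	fmt.Println(rec.Label, "binding valid:", Verify(&priv.PublicKey, rec, sig))
	rec.Label = Unclassified // a relabeled record no longer verifies
	fmt.Println(rec.Label, "binding valid:", Verify(&priv.PublicKey, rec, sig))
}
```

The receiver re-derives the digest from the label and data it actually received, so a label stripped or lowered in transit fails verification and the record is not eligible for any automated policy action.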
For applications that process, store, or transmit classified data, research the mobile application's CONOPS and assess if the application's stored, processed, and transmitted data is to be uniformly treated as one, single security classification. If so, the application is compliant. If the CONOPS review reveals that no requirement for handling data at a single classification level exists, then perform a dynamic program analysis to assess if the application allows a user to manually assign a classification to the data stored on the device. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis on the application to assess if code exists that allows all data to be held and attributed at one, single classification level. If the dynamic or static program analysis concludes that the user cannot manually assign a classification to the data stored on the device, this is a finding.
If the CONOPS does not require data to be classified uniformly at one level, modify code to support manual classification of the data by the user.
For applications that process, store, or transmit classified data, perform a dynamic program analysis to assure that the user is reliably informed in human readable form of the classification of any data that the user works with on the mobile device. If no function exists to display the classification of the data in human readable form whenever it displays any data to the user of the mobile device, this is a finding.
Modify code to create functionality that displays the classification of the data in human readable form whenever it displays any data to the user of the mobile device.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a static program analysis to determine if the application executes non DoD-approved external code at any time. Check whether calls to such code include a user acceptance or direction step. Perform a dynamic program analysis to verify the application does not execute non DoD-approved code without user direction. In this context, user direction refers to the user either accepting or requesting the service or capability that the code provides, each time code that has not previously been executed is run. A one-time acceptance of automatic execution is not acceptable. If the application ever executes non DoD-approved external code without such direction, this is a finding.
Modify code to prevent execution of non DoD-approved code without user direction.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a review of the application's documentation to understand the application's operational requirements or the functionality of the application to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the application should have assigned during and at the time of installation. Next, conduct a static program analysis to assess the application's ability to restrict user OS privileges except where explicitly required for the application to operate. If the static program analysis reveals that the application is granted, can modify, or can request OS access privileges beyond those requirements, this is a finding.
Modify the code to secure the boundaries within which the application may operate with respect to OS privileges.
Perform a review of the application's documentation to understand the application's operational requirements or the functionality of the application to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the application should have assigned for normal application operations during and at the time of installation. Next, conduct a static program analysis to assess the application's ability to restrict user OS privileges except where explicitly required for the application to operate. If the static program analysis reveals OS access privileges that are beyond requirements are granted to the application, this is a finding.
Modify the code to secure the boundaries within which the application may operate with respect to OS privileges.
Review the requirements for the application design, and assess which external resources it will require to address for normal operation. Perform a document review to evaluate the functional requirements to understand which APIs require addressing in order to meet these requirements. Next, perform a static program analysis and assess which APIs are addressed, i.e., camera, microphone, Bluetooth, address book, GPS, etc., and which applications, as well as other resources external to the application that are addressed. If the design/functional requirements documentation and static program analysis reveal that APIs and resources addressed or available are beyond those which the functional and operational requirements demand, this is a finding.
Modify code and architecture to create a sandbox environment for the application to prevent it from controlling APIs and accessing other resources that do not relate to the application's functional and operational requirements.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For mobile applications that support multiple personas, perform a dynamic program analysis to assess the application's ability:
- to identify the domains not authorized for using DoD data.
- to prevent inter-domain transfer of data on the device through any designed-in policy controls, if they are present.
If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess if code is present that will support the application's ability to identify the domains not authorized for accessing DoD data and the ability to prevent data transfer between these identified domains. If the dynamic program analysis and static program analysis conclude that domains cannot be identified and discerned between, this is a finding.
Implement non-discretionary access controls in the application or operating system to prohibit unauthorized transfers between domains.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For mobile applications that support multiple personas, perform one or more of the following. Conduct a dynamic program analysis to assess the application's ability to:
- identify data that is authorized for inter-domain transfer.
- grant the ability to transfer the above data.
- prevent inter-domain transfer of data if it is not authorized to do so.
If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess if code is present that will support the application's ability to identify data authorized for inter-domain transfer. The review must also identify code that will prevent the inter-domain transfer of data if it is not authorized for such transfer. The mobile application may also leverage available MOS or virtualization services that enforce persona separation to achieve compliance. If the dynamic program analysis and/or static program analysis conclude that data authorized for inter-domain transfer cannot be identified, this is a finding. If the dynamic program analysis and/or static program analysis conclude that data transfer between domains is always permitted, this is a finding. If the dynamic program analysis and/or static program analysis reveal there is no ability to discern authorized and non-authorized data for inter-domain transfer, this is a finding.
Modify code or operating system configuration to prohibit the transfer of identified unauthorized data between domains.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
If the application does not support multiple personas, this requirement is not applicable. For mobile applications that support multiple personas, conduct a dynamic program analysis to assess the application's ability to identify the source persona. This is primarily achieved by verifying the application enforces known restrictions on inter-persona transfers. If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess if code is present that will support the application's ability to identify the source persona in such scenarios. If the dynamic program analysis and/or static program analysis conclude that the application does not identify the source persona when transferring data from one persona to another, this is a finding.
Modify code to identify the source persona when data is transferred from one persona to another.
If the application does not support multiple personas, this requirement is not applicable. For mobile applications that support multiple personas, conduct a dynamic program analysis to assess the application's ability to authenticate the source persona. This is primarily achieved by verifying the application enforces known restrictions on inter-persona transfers. If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess if code is present that will support the application's ability to authenticate the source persona in such scenarios. If the dynamic program analysis and/or static program analysis conclude that the application does not authenticate the source persona when transferring data from one persona to another, this is a finding.
Modify code to authenticate the source persona when data is transferred from one persona to another.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
If the organization has no defined limitations on the embedding of data types within other data types, this requirement is NA. Perform a static program analysis to determine whether the mobile application contains code to limit the embedding of data types within other data types according to organization defined specifications. Alternatively, perform a dynamic program analysis to determine if the application enforces the restriction in operation. This will require embedding data in other data in a manner that violates the organization defined limitations, and then verifying the mobile application enforces the limitation. If the mobile application neither contains code to enforce the restriction nor can be demonstrated to enforce the organization defined restriction, this is a finding.
Modify the code to limit the ability to embed data types within other data types.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For mobile applications that support multiple personas, conduct a dynamic program analysis to assess the application's ability to detect and log all failed attempts to transfer data between security domains. Observe any on-screen messages and system logs that would reflect a failed attempt to transfer the data. If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess the application's ability to detect and log all failed attempts to transfer data between security domains. Search for code that supports the ability to force any on-screen messaging or create any log file that would reflect a failed attempt to transfer the data. If the dynamic or static program analysis concludes that no means are available to detect failed attempts of cross domain data transfer, this is a finding.
Modify code so the application records a log entry when there is a failed attempt to improperly transfer data from one domain to another.
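An added example, not code from the SRG or any vendor, of the inter-persona transfer controls the multiple-persona checks above describe: the source persona is authenticated before anything else, only data categories the policy lists may leave a persona for a listed destination, everything else is refused, and every refusal produces a log entry. Go with the standard library; the Persona, Policy, Transfer and Guard names, the HMAC-based persona token, and the sample policy and key are assumptions (a persona runtime or the MOS would normally issue such tokens).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Persona names a security domain on the device, e.g. "work" or "personal".
type Persona string

// Policy states, per source persona and data category, which destination
// personas an inter-domain transfer may target. Anything not listed is denied.
type Policy struct {
	Allowed map[Persona]map[string][]Persona
	Key     []byte // device-local secret used to mint persona tokens
}

// Transfer is one request to move data out of a persona.
type Transfer struct {
	Token    string  // HMAC token proving the caller really runs as Claimed
	Claimed  Persona // source persona the caller asserts
	Dest     Persona
	Category string // data category, e.g. "contact-card"
}

// Decision is the guard's verdict and the reason recorded for it.
type Decision struct {
	Allowed bool
	Reason  string
}

// MintToken binds a persona name to an HMAC-SHA256 under the policy key, so a
// caller cannot simply assert a persona it does not run as.
func MintToken(key []byte, p Persona) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(p))
	return hex.EncodeToString(m.Sum(nil))
}

// Guard evaluates transfers against Policy and keeps an audit log of refusals.
type Guard struct {
	Policy Policy
	Log    []string
}

// Evaluate authenticates the source persona, checks that the category is
// authorized to leave it for the requested destination, and logs every failure.
func (g *Guard) Evaluate(t Transfer) Decision {
	deny := func(reason string) Decision {
		g.Log = append(g.Log, fmt.Sprintf("DENIED src=%s dst=%s category=%s reason=%q",
			t.Claimed, t.Dest, t.Category, reason))
		return Decision{false, reason}
	}
	want := MintToken(g.Policy.Key, t.Claimed)
	if !hmac.Equal([]byte(t.Token), []byte(want)) {
		return deny("source persona not authenticated")
	}
	categories, known := g.Policy.Allowed[t.Claimed]
	if !known {
		return deny("no transfers defined for source persona")
	}
	for _, d := range categories[t.Category] {
		if d == t.Dest {
			return Decision{true, "authorized"}
		}
	}
	return deny("data category not authorized for this destination")
}

func main() {
	key := []byte("constructed-device-secret") // constructed sample key
	g := &Guard{Policy: Policy{Key: key, Allowed: map[Persona]map[string][]Persona{
		"work": {"contact-card": {"personal"}},
	}}}
	fmt.Println(g.Evaluate(Transfer{MintToken(key, "work"), "work", "personal", "contact-card"}))
	fmt.Println(g.Evaluate(Transfer{MintToken(key, "personal"), "work", "personal", "contact-card"}))
	fmt.Println(g.Evaluate(Transfer{MintToken(key, "work"), "work", "personal", "document"}))
	for _, l := range g.Log {
		fmt.Println(l)
	}
}
```

The log lines are what a dynamic analysis of the failed-transfer requirement would look for; a reviewer doing the static analysis would look for the deny path and confirm that no transfer can reach the authorized branch without passing the token check first.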
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a review of the application documentation to assess if the application design prevents the application from executing unsigned Category 1A mobile code. If the documentation review is inconclusive, conduct a dynamic program analysis of all major components of the application to assess if:
- mobile code is in use and the mobile application will prompt to download the code.
- at the download prompt, the application will indicate that code has been digitally signed.
If the code has not been signed or the application warns that code cannot be invoked due to security settings, this is a finding. If the code has not been signed with a DoD approved PKI certificate, this is a finding. Definitions for mobile code categories can be found at http://iase.disa.mil/mcp/index.html
Modify the code so that the application does not execute unsigned DoD Mobile Code Policy Category 1A or 2 mobile code.
Perform a review of the application documentation to assess if the application design validates the signature on Category 1A and 2 mobile code. If the documentation review is inconclusive, conduct a dynamic program analysis to assess if code is available that performs the necessary functions required to validate all digital signatures. If the dynamic program analysis reveals the code does not validate digital signatures through a DoD approved PKI certificate, this is a finding. Definitions for mobile code categories can be found in DoD Instruction 8552.01.
Modify code so the application will verify DoD Mobile Code Policy Category 1A and 2 mobile code before executing it.
If the application does not download or interpret mobile code, this requirement is not applicable. Perform a static analysis of the code to assess if code is present that causes the application to access system resources external to the application. If the code review reveals the application executes mobile code that attempts to access local operating system resources or establish network connections to servers other than the application server, this is a finding.
Modify code so that DoD Mobile Code Policy Category 2 mobile code is unable to access resources not dedicated to the mobile application.
If the application does not download or interpret mobile code, this requirement is not applicable. Review the documents at http://iase.disa.mil/mcp/index.html which detail all mobile code technologies, categorized per DoD policy. Definitions for mobile code categories can be found at this site. Conduct a review of the application documentation and assess which mobile code technologies are present. Compare the two documents to assess whether the application uses mobile code technologies, or contains interpreters for such technologies, that are not permitted by DoD policy. If the documentation review is inconclusive or cannot be carried out, perform a static code analysis and assess which mobile code technologies and/or interpreters are present in the application code. If the documentation and/or code review reveal that technologies and/or interpreters are present for code not permitted by DoD policy, this is a finding.
Remove uncategorized mobile code and interpreters for uncategorized mobile code.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Review the installation package and look for a digital signature. Assess if it identifies the developer. If no digital signature is available or if a signature is present but does not identify the developer, this is a finding.
Modify the application and the application's installation code to support identifying digital signatures.
For mobile applications that process digitally signed data or code, perform a dynamic program analysis that uses data or code with invalid signatures on it. The check should involve at least the following three invalid signature scenarios: expired certificate, revoked certificate, and certificate issued by cryptographically unrecognized certificate authority. If the dynamic program analysis reveals the code or data with invalid signatures is accepted and processed under any invalidity scenario, this is a finding.
Modify code to include digital signature validation.
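The three invalid-signature scenarios the check above requires (expired certificate, revoked certificate, certificate from an unrecognized CA) and the signature validation the earlier Category 1A/2 mobile code check describes, as an added example that is not code from the SRG or any vendor. Go with only the standard library: it mints a trusted root, a rogue root and four leaf signing certificates in memory, signs a constructed payload with each, and runs a verifier that must reject every invalid case plus a tampered payload. The Verifier and Scenarios names, the certificate names and the payload are assumptions; the in-memory Revoked set stands in for the CRL or OCSP lookup a real verifier would perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verifier holds the roots the application trusts and the serials it knows are
// revoked; a deployment would fill Revoked from a CRL or OCSP response.
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool // key "<issuer CN>:<serial>"
}

var ErrRevoked = errors.New("signing certificate is revoked")

// VerifySigner requires the signer's certificate to chain to a trusted root, be
// inside its validity period at now, carry the code-signing EKU, and not be revoked.
func (v Verifier) VerifySigner(cert *x509.Certificate, now time.Time) error {
	opts := x509.VerifyOptions{Roots: v.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return err // expired, not-yet-valid and unknown-CA cases all surface here
	}
	if v.Revoked[cert.Issuer.CommonName+":"+cert.SerialNumber.String()] {
		return ErrRevoked
	}
	return nil
}

// VerifySigned validates the certificate first, then the ECDSA/SHA-256 signature over payload.
func (v Verifier) VerifySigned(cert *x509.Certificate, payload, sig []byte, now time.Time) error {
	if err := v.VerifySigner(cert, now); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a P-256 certificate; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, from, to time.Time, ca bool, parent *signer) signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return signer{cert, key}
}

// Scenarios builds the invalid-signature cases the check text calls for, plus a
// valid signer and a tampered payload, with in-process CAs, and returns each verdict.
func Scenarios(now time.Time) map[string]error {
	const year = 365 * 24 * time.Hour
	root := issue("Trusted Root CA", 1, now.Add(-48*time.Hour), now.Add(10*year), true, nil)
	rogue := issue("Unrecognized CA", 1, now.Add(-48*time.Hour), now.Add(10*year), true, nil)
	cases := map[string]signer{
		"valid":           issue("app-signer", 10, now.Add(-time.Hour), now.Add(year), false, &root),
		"expired":         issue("app-signer-old", 11, now.Add(-2*year), now.Add(-year), false, &root),
		"revoked":         issue("app-signer-revoked", 12, now.Add(-time.Hour), now.Add(year), false, &root),
		"unrecognized-ca": issue("app-signer-rogue", 13, now.Add(-time.Hour), now.Add(year), false, &rogue),
	}
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	v := Verifier{Roots: pool, Revoked: map[string]bool{"Trusted Root CA:12": true}}
	payload := []byte("constructed sample payload: app-update.bin") // constructed
	digest := sha256.Sum256(payload)
	results := map[string]error{}
	for name, s := range cases {
		sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
		if err != nil {
			panic(err)
		}
		results[name] = v.VerifySigned(s.cert, payload, sig, now)
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, cases["valid"].key, digest[:])
	results["tampered-payload"] = v.VerifySigned(cases["valid"].cert, []byte("modified payload"), sig, now)
	return results
}

func main() {
	for name, err := range Scenarios(time.Now()) {
		fmt.Printf("%-17s accepted=%-5v %v\n", name, err == nil, err)
	}
}
```

Note the KeyUsages field: Go's x509 verifier defaults to server-authentication usage when it is left empty, so a code-signing check that omits it would reject legitimate signers or, if the leaf carries no EKU at all, accept certificates never meant for signing code.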
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a static program analysis to assess if the application hosts interpreters that process mobile code. If this is not feasible, conduct a dynamic program analysis in conjunction with a protocol analyzer to determine if the mobile application downloads and executes mobile code, thereby providing evidence of an embedded interpreter. Also, check what type of mobile code is being downloaded to determine whether it is prohibited. If the source code contains an embedded interpreter that executes prohibited mobile code, this is a finding.
Modify the application architecture so it does not require embedded interpreters.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
If both the mobile application and the MOS use the same time source (e.g., GPS), then it is not necessary for the mobile application to refer to the MOS system time, and this check is not applicable. Otherwise, perform a documentation review to assess if the mobile device's system time is used as the authoritative time source. If the documentation review is inconclusive, perform a static program analysis to assess if code exists that supports the application using the mobile device's internal clock as the source for all timing the application uses. If the application uses a timing source other than the device's system time, this is a finding.
Modify code to use the device's system time for its authoritative time source, removing any code that uses other sources.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a static program analysis to determine if the mobile application code attempts to change the file permissions of files external to the operation of the mobile application. If this is not feasible, perform a dynamic program analysis to determine if routine installation and operation of the mobile application changes the permissions of any files other than those dedicated to the application. In order to complete this analysis, the permissions after operation of the mobile application will have to be measured against a known baseline of all the file permissions in the file system. If static analysis is not feasible and the MOS does not permit visibility into file system permissions, then this should be marked "Not Reviewed". If data files not dedicated to the operation of the application can have their permission attributes modified by the application, this is a finding.
Modify the code so it does not change the file permission on any files not dedicated to the mobile application's operation.
If the MOS fulfills all of the mobile application's access control requirements, then this requirement is NA. Investigate the application's access control requirements. Identify requirements that are not addressed by the operating system. For each identified requirement, perform a dynamic program analysis to assess the ability of the application to automatically impose restrictions related to that requirement. Alternatively, perform a static analysis to verify appropriate automation exists for each of the identified requirements. Automated enforcement includes any mechanism not based on user enforcement. If a user must type a password or present a biometric, this is still considered automated because the inability to access information without presenting these credentials is automated. If restrictions to data were based on user trust and not a technical mechanism, this would not be automated. If either the dynamic or static program analysis reveals that one or more requirements are not addressed through automated enforcement, this is a finding.
Modify code to implement automated enforcement of access control not provided by the operating system.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a documentation review to assess if the application supports other applications or non-privileged processes in a way that gives them the ability to modify the application's software libraries. If the application functional requirements review cannot be carried out or is inconclusive, perform a static program analysis to assess if code exists that invokes other applications or other non-privileged processes and enables them to modify software libraries. If the application's functional requirements review and/or the static program analysis reveals the application can enable other applications, as well as permit privileged processes, the ability to modify software libraries, this is a finding.
Modify the code or installation configuration files to limit an application's access to its software libraries to the application only.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a static program analysis to search for code that is never executed. This analysis must also:
- assess if there are any variables that are assigned values but are never used.
- search for expressions that are hard coded as TRUE or FALSE.
If the code analysis reveals that there is unused code, variables that are assigned values but never used, or expressions that are hard coded as TRUE or FALSE, this is a finding.
Modify code to remove unused code, unused variables, and expressions whose logical state is hard coded.
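The three conditions in the check above (unreachable code, assigned-but-unused variables, hard-coded TRUE/FALSE conditions) can be located mechanically from a syntax tree. The following is an added example written for this page, not code from the MAPP SRG; it uses Python's standard `ast` module on a constructed sample function, and the `SAMPLE` source, its function names (`send`, `log`, `cleanup`) and the finding messages are all assumptions made for the demonstration.

```python
"""Minimal static check for dead code, unused assignments and constant conditions.

Added example (not part of the MAPP SRG). Walks the AST of the source under
review and reports, with line numbers:
  - local variables assigned but never read,
  - `if` conditions hard coded as True or False,
  - statements following an unconditional return/raise/break/continue.
"""
import ast
from typing import List, Tuple

# Constructed sample input: a function exhibiting all three defects.
SAMPLE = """def sync(records):
    total = 0
    retries = 3               # assigned but never read
    for r in records:
        total += send(r)
    if True:                  # condition hard coded as True
        log(total)
    return total
    cleanup()                 # unreachable after return
"""


class DeadCodeChecker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Tuple[int, str]] = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        assigned = {}   # name -> first line where it is stored
        used = set()
        for child in ast.walk(node):
            if isinstance(child, ast.Name):
                if isinstance(child.ctx, ast.Store):
                    assigned.setdefault(child.id, child.lineno)
                else:
                    used.add(child.id)
        for name, line in assigned.items():
            if name not in used:
                self.findings.append((line, f"variable '{name}' assigned but never used"))
        self._check_unreachable(node.body)
        self.generic_visit(node)

    def _check_unreachable(self, body: List[ast.stmt]) -> None:
        """Flag the first statement after a terminating statement in a block."""
        terminated = False
        for stmt in body:
            if terminated:
                self.findings.append((stmt.lineno, "unreachable statement"))
                break
            if isinstance(stmt, (ast.Return, ast.Raise, ast.Break, ast.Continue)):
                terminated = True
        # Recurse into nested blocks (loop bodies, if/else branches, try/finally).
        for stmt in body:
            for attr in ("body", "orelse", "finalbody"):
                sub = getattr(stmt, attr, None)
                if isinstance(sub, list) and sub and isinstance(sub[0], ast.stmt):
                    self._check_unreachable(sub)

    def visit_If(self, node: ast.If) -> None:
        test = node.test
        if isinstance(test, ast.Constant) and isinstance(test.value, bool):
            self.findings.append((node.lineno, f"condition hard coded as {test.value}"))
        self.generic_visit(node)


def analyze(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, message) findings for the given Python source."""
    checker = DeadCodeChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


if __name__ == "__main__":
    for line, msg in analyze(SAMPLE):
        print(f"line {line}: {msg}")
```

The checker deliberately stops at the first unreachable statement per block, since everything after it is dead as well; a production tool would also follow `while` conditions, nested functions and name shadowing, which this example leaves out.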
Perform a documentation review to assess all necessary ports, services, and protocols needed for the application's operation. Next, conduct a static analysis to assess which ports are open, services used, and protocols available during the operation of the application. If a static analysis is not feasible, conduct a dynamic program analysis in conjunction with port scanning or protocol analysis to determine how the application uses network ports. Next, review the documentation at the following URL: http://iase.disa.mil/ports/index.html. Compare the findings of the above two documents and the static analysis results to assess if the ports, protocols, and services are in compliance with the Ports, Protocols, and Services Management (PPSM) guidance available at the above URL. If the documentation review and/or the static program analysis reveal that the application is not in compliance with DoD Ports and Protocols guidance, this is a finding.
Modify code so that the mobile application uses ports, protocols, and services in accordance with the DoD PPSM.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For mobile applications that are transaction based, perform a review of the application's documentation to assess if the application uses an on-board database, such as SQLite, Oracle9i Lite, Jdatastore, etc. Review the documentation to assess if the on-board databases support journaling and rollback. If the application's database does not support journaling or rollback or the application is unable to provide the same, this is a finding.
Implement rollback and journaling features in the application or incorporate products with rollback and journaling features.
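As an added illustration of the rollback behaviour the check above asks for, the following example (written for this page, not taken from the MAPP SRG) uses Python's standard `sqlite3` module, since SQLite is one of the on-board databases named in the check. The `accounts` table, the balance constraint and the transfer routine are constructed for the demonstration; the point is that a failure part-way through a multi-statement transaction leaves the stored data exactly as it was.

```python
"""Journaling and rollback with an on-board SQLite database.

Added example (not part of the MAPP SRG). SQLite keeps a rollback journal
(or WAL) so that a transaction which fails part-way can be undone; the
application must actually use transactions for that protection to apply.
"""
import sqlite3
from typing import Dict


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open the store and seed it with constructed sample rows."""
    # isolation_level=None: we issue BEGIN/COMMIT/ROLLBACK explicitly.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        " id INTEGER PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 50)])
    return conn


def journal_mode(conn: sqlite3.Connection) -> str:
    """Report the journaling mode in use (delete/wal/memory/... ; 'off' means no rollback)."""
    return conn.execute("PRAGMA journal_mode").fetchone()[0]


def balances(conn: sqlite3.Connection) -> Dict[int, int]:
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id").fetchall())


def transfer(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Move amount from src to dst atomically.

    The credit is applied first so that an overdraft on the debit raises an
    IntegrityError after the database has already been modified; the ROLLBACK
    must then undo the credit as well. Returns True on commit, False on rollback.
    """
    conn.execute("BEGIN")
    try:
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
        return False


def demo() -> Dict[str, object]:
    conn = open_store()
    mode = journal_mode(conn)
    ok_first = transfer(conn, 1, 2, 30)     # 100/50 -> 70/80, commits
    ok_second = transfer(conn, 2, 1, 500)   # would overdraw account 2, rolls back
    return {"journal_mode": mode, "first": ok_first, "second": ok_second,
            "balances": balances(conn)}


if __name__ == "__main__":
    print(demo())
```

If `PRAGMA journal_mode` reports `off`, or the application runs each statement autocommitted instead of inside BEGIN/COMMIT, a mid-transaction failure leaves partial updates behind, which is the condition the check treats as a finding.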
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
Perform a static program analysis to assess the application's ability to lock or set file permissions that would prevent the OS and other approved applications from performing copy and backup functions. If the application has the ability to set and lock file permissions in this way, this is a finding.
Modify code so the MOS or approved backup application is not prevented from copying application files.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
For mobile applications that manage wireless network connections for other devices, perform a documentation review to assess if the application uses encryption when managing other wireless connections for other devices. If the documentation review is inconclusive, perform a dynamic program analysis to assess if the application offers the user set up options or readily indicates encryption is present when managing other wireless connections for other devices. If the above tests are inconclusive, perform a static program analysis and assess if code is available that supports providing the user options for encryption when managing other wireless connections for other devices. If the documentation review, dynamic program analysis, or static program analysis reveals the application does not authenticate devices using bidirectional cryptographic authentication, this is a finding.
Modify code to support the use of bidirectional cryptographic authentication.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.
This requirement is NA for the MAPP SRG.
The requirement is NA. No fix is required.