Rule ID
SV-258470r929226_rule
Version
V1R1
CCIs
CCI-000366
Note: For a VMI solution, both the client and server must be NIAP compliant. Nonapproved EMM systems may not include sufficient controls to protect work data, applications, and networks from malware or adversary attack. EMM: mobile device management (MDM), mobile application management (MAM), mobile content management (MCM), and virtual mobile infrastructure (VMI). Components must only approve devices listed on the NIAP product compliant list or products listed in evaluation at the following links respectfully: - https://www.niap-ccevs.org/Product/ - https://www.niap-ccevs.org/Product/PINE.cfm Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(2)). SFR ID: FMT_SMF_EXT.1.1 #47
Verify the EMM system supporting the Google Android 13 BYOAD is NIAP-validated (included on the NIAP list of compliant products or products in evaluation). If not, verify the DOD CIO has granted an Approved Exception to Policy (E2P). Note: For a VMI solution, both the client and server components must be NIAP compliant. If the EMM system supporting the Google Android 13 BYOAD is not NIAP-validated (included on the NIAP list of compliant products or products in evaluation) and the DOD CIO has not granted an Approved Exception to Policy (E2P), this is a finding.
Only use an EMM system supporting the Google Android 13 BYOAD that is NIAP validated (included on the NIAP list of compliant products or products in evaluation), unless the DOD CIO has granted an Approved Exception to Policy (E2P). Note: For a VMI solution, both the client and server components must be NIAP compliant.