Rule ID
SV-282826r1197167_rule
Version
V1R1
CCIs
The Apple Developer Strap provides a USB connector on the AVP and is used to download content on the AVP from a Mac. The use of the Developer Strap without authorization is considered an unauthorized modification to the DOD-owned AVP. The Developer Strap is sold by Apple only to registered Apple developers but can also be bought online. Data cannot be downloaded from the AVP to a connected Mac and does not currently provide access to an AVP enterprise network to the connected Mac. Only unmanaged apps can be uploaded to an AVP via the Developer Strap. Unauthorized unmanaged apps can be downloaded to the AVP from the connected Mac. SFR ID: FMT_MOF_EXT.1.2 #47
Interview the site information system security officer and AVP users. 1. Determine if the AVP Developer Strap is used at the site. If it is, verify the AO has approved its use by reviewing approval documentation. 2. Verify AVP users are trained to not use the AVP developer Strap without AO approval (AVOS-26-011900). If the AVP Developer Strap is used at the site without AO approval, this is a finding.
Train AVP users to not connect and use the Developer Strap unless the AO has approved its use for a specific use case (refer to AVOS-26-011900). AO use approval must be documented and detail specific use cases for which use is approved.