
The SA must change the iOS device profile passwords every 365 days or sooner.


Overview

Finding ID: V-25757
Version: WIR-MOS-iOS-G-025
Rule ID: SV-32025r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Low
Description
Sensitive DoD data could be compromised if a security profile is not installed on DoD iOS devices. The profile should only be removed by the SA. When a new profile is pushed to an iOS device, the old one remains on the device, unless the new one is an update of the old one. When two profiles are on a device, the device follows the most secure setting found in either the new or old profile, which may lead to unexpected behavior. The only way to disable a profile is to remove it, either by wiping the device or by using the profile password. The DoD will use the profile password so that an SA can remove old profiles. The profile password must be changed periodically to ensure it is not compromised.
STIG: Apple iOS 4 (Good Mobility Suite) Interim Security Configuration Guide (ISCG)
Date: 2011-11-07

Details

Check Text (C-32251r1_chk)
Interview the IAO and SA and review site smartphone security policies. Verify the SA changes the profile password in each iOS policy set up on the Good server at least every 365 days or sooner.

Mark as a finding if the site cannot provide documentation showing the profile password is changed every 365 days or sooner.
Fix Text (F-28617r1_fix)
The SA changes the iOS device profile passwords every 365 days or sooner.