Encryption is only effective if the decryption procedure is protected. If an adversary can easily access the private key (either directly or through a software application), then sensitive DoD data is likely to be disclosed. Password protection is one method to reduce the likelihood of such an occurrence.
On a sample of devices known to encrypt information resident on the devices, attempt to access an encrypted file and verify the operating system prompts for a password. In many cases, the transaction may involve the entry of a CAC PIN, which still satisfies the requirement. If data is accessible without entering a password at some point when using the device, this is a finding.
Fix Text (F-36609r1_fix)
Configure the operating system to require a valid password be successfully entered before the mobile device data is unencrypted.