DoD data and the DoD network could be compromised if transmitted data is not secured with a compliant VPN. A VPN provides an open connection to the DoD network. If the VPN client does not time out after the required period of inactivity, and an attacker is able to bypass the device password controls, they would have access to the DoD network.
This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client is configured to time out an inactive session after a set period of inactivity. The check procedure will vary depending on the VPN client used.
Mark as a finding if the VPN client is not configured to time out after 4 hours of inactivity.
Fix Text (F-36594r3_fix)
Configure the VPN client to time out a session after 4 hours of inactivity.