Apple iOS must require a valid password be successfully entered before the mobile device data is unencrypted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-61893 | AIOS-01-080006 | SV-76383r1_rule | High |
| Description |
|---|
| Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. Note: MDF PP v.2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This STIGID addresses the configuration to require a password, which is critical to the cybersecurity posture of the device. SFR ID: FIA_UAU_EXT.1.1 |
| STIG | Date |
|---|---|
| Apple iOS 9 Interim Security Configuration Guide | 2015-12-07 |
Details
| Check Text ( C-62775r1_chk ) |
|---|
| Review configuration settings to confirm the device is set to require a passcode before use. This procedure is performed on the iOS device. On the Apple iOS device: 1. Lock the device. 2. Wait the duration of the “Grace Lock” period. 3. Attempt to unlock the device. 4. Verify the unlock screen cannot be bypassed without entering a passcode. If the unlock screen can be bypassed without entering a passcode, this is a finding. |
| Fix Text (F-67811r1_fix) |
|---|
| Install a Configuration Profile to require a password to unlock the device. |