LG Android 6.x must require a valid password be successfully entered before the mobile device data is unencrypted.


Overview

Finding ID: V-66805
Version: LGA6-20-100101
Rule ID: SV-81295r2_rule
IA Controls:
Severity: High
Description
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.

Note: MDF PP v.2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This STIGID addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.

SFR ID: FIA_UAU_EXT.1.1
STIG: LG Android 6.x Security Technical Implementation Guide
Date: 2019-02-21

Details

Check Text (C-67455r2_chk)
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:

1. Ask the MDM administrator to display the "Password" setting in the MDM console.
2. Verify a password policy has been configured.
3. Verify a password policy has been assigned to all groups.

On the LG Android device:

1. Unlock the device.
2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock.
3. Verify password is enabled and cannot be disabled (grayed out).

If on the MDM console a password policy is not configured or on the LG Android device the password is not enabled or can be disabled, this is a finding.
Fix Text (F-72905r2_fix)
Configure the mobile operating system to force successful entry of a password before data resident on the device is decrypted.

On the MDM Administration Console, configure a "Password" policy and assign it to all groups.