The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.)

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24987	WIR-GMMS-004	SV-30727r2_rule	ECSC-1	Low

Description
Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user’s digital certificate has to be accessed when a PKI encryption or authentication operation takes place. The PIN should only be cached for a limited time period; otherwise the user’s digital certificates could be exposed to unauthorized individuals if the mobile device is lost or stolen.

Description

Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user’s digital certificate has to be accessed when a PKI encryption or authentication operation takes place. The PIN should only be cached for a limited time period; otherwise the user’s digital certificates could be exposed to unauthorized individuals if the mobile device is lost or stolen.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2013-05-08

Details

Check Text ( C-31142r6_chk )
1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each policy set users are assigned to and, in turn, verify the required settings are in the policy set. Verify the CAC PIN cache is set to timeout at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.) -Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database. Mark as a finding if the inactivity timeout is not set as required. For the Good Technology MDM: - Verify “Re-challenge for CAC PIN every” is checked and set to 120 minutes or less if “Smartcard PIN (requires S/MIME)” has been selected. - Verify “Re-challenge for password every” is checked and set to 120 minutes or less if “Password- protected (with or without soft token or S/MIME)” has been selected.

Check Text ( C-31142r6_chk )

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.

2. Select each policy set users are assigned to and, in turn, verify the required settings are in the policy set. Verify the CAC PIN cache is set to timeout at 120 minutes or less.
(Note: 15 minutes or less is the recommended setting.)

-Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database.

Mark as a finding if the inactivity timeout is not set as required.

For the Good Technology MDM:
- Verify “Re-challenge for CAC PIN every” is checked and set to 120 minutes or less if “Smartcard PIN (requires S/MIME)” has been selected.
- Verify “Re-challenge for password every” is checked and set to 120 minutes or less if “Password- protected (with or without soft token or S/MIME)” has been selected.

Fix Text (F-27628r3_fix)
Enable the timeout for the PKI certificate PIN cache and set to 120 minutes or less.