UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.)


Overview

Finding ID Version Rule ID IA Controls Severity
V-24987 WIR-GMMS-004 SV-30727r2_rule ECSC-1 Low
Description
Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user’s digital certificate has to be accessed when a PKI encryption or authentication operation takes place. The PIN should only be cached for a limited time period; otherwise the user’s digital certificates could be exposed to unauthorized individuals if the mobile device is lost or stolen.
STIG Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG) 2013-05-08

Details

Check Text ( C-31142r6_chk )
1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.

2. Select each policy set users are assigned to and, in turn, verify the required settings are in the policy set. Verify the CAC PIN cache is set to timeout at 120 minutes or less.
(Note: 15 minutes or less is the recommended setting.)

-Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database.

Mark as a finding if the inactivity timeout is not set as required.

For the Good Technology MDM:
- Verify “Re-challenge for CAC PIN every” is checked and set to 120 minutes or less if “Smartcard PIN (requires S/MIME)” has been selected.
- Verify “Re-challenge for password every” is checked and set to 120 minutes or less if “Password- protected (with or without soft token or S/MIME)” has been selected.
Fix Text (F-27628r3_fix)
Enable the timeout for the PKI certificate PIN cache and set to 120 minutes or less.