Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33003 | SRG-OS-000076-MOS-000050 | SV-43401r1_rule | Low |
Description |
---|
Changing passcodes regularly prevents an attacker who has compromised the password from re-using it to regain access. This is an unlikely scenario, but is addressed by setting a password expiration. The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device. |
STIG | Date |
---|---|
Mobile Operating System Security Requirements Guide | 2012-10-01 |
Check Text ( C-41300r1_chk ) |
---|
Review the mobile operating system configuration for a maximum password age setting of 120 days or less. If the mobile device does not contain or access sensitive or classified information, this requirement does not apply. If the mobile operating system does not enforce a maximum password age of 120 days or less, this is a finding. NOTE: The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device. |
Fix Text (F-36915r1_fix) |
---|
Configure the mobile operating system to have a maximum lifetime of 120 days for the device unlock password. |