
The mobile operating system must enforce a maximum lifetime of 120 days for the device unlock password (password age).


Overview

Finding ID: V-33003
Version: SRG-OS-000076-MOS-000050
Rule ID: SV-43401r1_rule
IA Controls:
Severity: Low
Description
Changing passcodes regularly prevents an attacker who has compromised the password from re-using it to regain access. This is an unlikely scenario, but is addressed by setting a password expiration. The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device.
STIG: Mobile Operating System Security Requirements Guide
Date: 2012-10-01

Details

Check Text (C-41300r1_chk)
Review the mobile operating system configuration for a maximum password age setting of 120 days or less. If the mobile device does not contain or access sensitive or classified information, this requirement does not apply. If the mobile operating system does not enforce a maximum password age of 120 days or less, this is a finding.

NOTE: The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device.
Fix Text (F-36915r1_fix)
Configure the mobile operating system to have a maximum lifetime of 120 days for the device unlock password.