The mobile operating system must enforce an organizationally-defined maximum lifetime for the device unlock password (password age).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33003 | SRG-OS-000076-MOS-000050 | SV-43401r2_rule | Low |
| Description |
|---|
| Changing passcodes regularly prevents an attacker who has compromised the password from re-using it to regain access. This is an unlikely scenario, but is addressed by setting a password expiration. The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-04-12 |
Details
| Check Text ( C-41300r2_chk ) |
|---|
| Review the mobile operating system configuration for an organizationally-defined maximum password age setting. If the mobile device does not contain or access sensitive or classified information, this requirement does not apply. If the mobile operating system does not enforce an organizationally-defined maximum password age, this is a finding. NOTE: The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device. |
| Fix Text (F-36915r2_fix) |
|---|
| Configure the mobile operating system to have an organizationally-defined maximum lifetime for the device unlock password. |