The mobile operating system must retain the device lock until the user reestablishes access using established identification and authentication procedures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32943	SRG-OS-000028-MOS-000008	SV-43341r1_rule		Medium

Description
The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user reestablishes access using established identification and authentication procedures. A device lock is a temporary action taken when a user stops work but does not want to log out because of the temporary nature of the hiatus. During the device lock a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system. The operating system must enforce a device lock function. This prevents others from gaining access to the device when not in the user's possession and accessing sensitive DoD information. The identification and authentication procedure configuration must be set by a Mobile Device Management (MDM) service and be sufficiently complex to protect sensitive data.

Description

The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user reestablishes access using established identification and authentication procedures. A device lock is a temporary action taken when a user stops work but does not want to log out because of the temporary nature of the hiatus. During the device lock a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system. The operating system must enforce a device lock function. This prevents others from gaining access to the device when not in the user's possession and accessing sensitive DoD information. The identification and authentication procedure configuration must be set by a Mobile Device Management (MDM) service and be sufficiently complex to protect sensitive data.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-07-03

Details

Check Text ( C-41245r1_chk )
Examine the mobile operating system to determine if it retains the device lock until the user reestablishes access using established identification and authentication procedures. If the device cannot be locked, this is a finding. If the device lock is not retained until the user reestablishes access using established identification and authentication procedures, this is a finding.

Fix Text (F-36858r1_fix)
Configure the mobile operating system to implement the device lock function and to retain the device lock until the user reestablishes access using established identification and authentication procedures.