The mobile operating system must lock the device following a minimum, organizationally-defined period of inactivity.


Overview

Finding ID: V-32944
Version: SRG-OS-000029-MOS-000009
Rule ID: SV-43342r2_rule
IA Controls:
Severity: Medium

Description
The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user reestablishes access using established identification and authentication procedures. A device lock is a temporary action taken when a user stops work but does not want to shut down because of the temporary nature of the hiatus. During the device lock a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system. The operating system must lock the device after the organizationally-defined time period. This prevents others from gaining access to the device when not in the user's possession and accessing sensitive DoD information. A device lock mitigates the risk that an adversary can access data on an unattended mobile device but only after the minimum, organizationally-defined period of inactivity.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text (C-41246r3_chk)
Inspect the mobile operating system for a feature that locks the device after an organizationally-defined period of inactivity. If the mobile operating system cannot be configured to lock the device after a specific time period or does not perform this function, this is a finding.
Fix Text (F-36859r2_fix)
Configure the mobile operating system to lock the device after a minimum, organizationally-defined period of inactivity.