The mobile operating system device lock, when activated on a device, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.


Overview

Finding ID: V-32946
Version: SRG-OS-000031-MOS-000011
Rule ID: SV-43344r1_rule
IA Controls:
Severity: Medium

Description
The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user reestablishes access using established identification and authentication procedures. A device lock is a temporary action taken when a user stops work but does not want to log out because of the temporary nature of the hiatus.

During the device lock, a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system.

The operating system must lock the device with a publicly viewable pattern visible on the associated display, hiding what was previously visible on the screen. This prevents others from gaining access to the device when it is not in the user's possession and from accessing sensitive DoD information.

Publicly viewable patterns can include screen saver patterns, photographic images, solid colors, or a blank screen, so long as none of those patterns convey sensitive information. Non-sensitive device information, such as battery life, signal strength, and time/date, may be viewable as part of a publicly viewable pattern. However, system notifications and user or contact information must not be viewable because they may reveal owner or organizational information.

STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41248r1_chk)
Review the mobile operating system for the device lock function to place a publicly viewable pattern on the associated display, hiding what was previously visible on the screen. If the mobile operating system cannot display a publicly viewable pattern on device lock, this is a finding. If the publicly viewable pattern does not hide the entire screen, this is a finding.

NOTE:
Allowable features as part of the publicly viewable patterns, so long as none of those patterns convey sensitive information, include:
- screen saver patterns
- photographic images
- solid colors (including a blank screen)
- battery life
- signal strength
- time/date
- phone number to call if found

Disallowed features as part of the publicly viewable patterns include:
- system notifications
- user or owner information (PII)
- contact list information

Fix Text (F-36862r1_fix)
Modify the configuration of the mobile operating system to place a publicly viewable pattern on the associated display, hiding what was previously visible on the screen when the device lock function is engaged.