The mobile operating system must support both software-based and hardware-based asymmetric key technology (e.g., CAC/PIV).


Overview

Finding ID: V-33150
Version: SRG-OS-000167-MOS-000088
Rule ID: SV-43548r1_rule
IA Controls:
Severity: Medium
Description
Software-based certificates are required to authenticate many web sites. Hardware-based tokens are embedded in the DoD Common Access Card (CAC). Without both software and hardware-based asymmetric key technology, there is the potential that critical authentication transactions cannot occur. This will either hinder performance of the mission or degrade the IA posture of one or more applications. If the operating system can support both software and hardware-based asymmetric key technology, this provides assurance that all required certificate-based transactions are supported.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41410r1_chk)
Review the mobile operating system configuration to verify both software-based and hardware-based asymmetric key technology is supported. If the system supports a hardware token method other than the DoD CAC, this is acceptable for the purposes of this control, but may result in non-compliance for other controls requiring DoD CAC. If the mobile operating system fails to support either software-based or hardware-based asymmetric key technology, this is a finding.
Fix Text (F-37050r1_fix)
Configure the mobile operating system (or selected third party application) to support both software-based and hardware-based asymmetric key technology.