
The mobile operating system must require a valid password be successfully entered before the mobile device data is unencrypted.


Overview

Finding ID: V-33239
Version: SRG-OS-000230-MOS-000119
Rule ID: SV-43657r1_rule
IA Controls:
Severity: Medium
Description
Encryption is only effective if the decryption procedure is protected. If an adversary can easily access the private key (either directly or through a software application), sensitive DoD data is likely to be disclosed. Password protection is one method to reduce the likelihood of such an occurrence.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41535r1_chk)
Verify the mobile operating system configuration is set to prompt for a password prior to unencrypting data on the mobile device. In many cases, the transaction may involve the entry of a CAC PIN, which still satisfies the requirement. If data is accessible without entering a password at any point when using the device, this is a finding.
Fix Text (F-37169r1_fix)
Configure the operating system to require a valid password be successfully entered before the mobile device data is unencrypted.