
The mobile operating system must not permit a user to disable the password-protected lock feature on the device.


Overview

Finding ID: V-33291
Version: SRG-OS-999999-MOS-000134
Rule ID: SV-43710r1_rule
IA Controls:
Severity: Medium
Description
If the user is able to disable the password-protected lock feature, the user can change the configuration of the device to allow access without a password. The modified configuration would enable an adversary with access to the device to obtain DoD information and possibly other information resources on other systems. An operating system that does not allow a user to disable this feature mitigates the risk of this attack. In cases in which the mobile operating system relies on another application for protected data storage (e.g., if FIPS 140-2 validated encryption for unclassified use is not native to the device), then this requirement applies to both the device lock password and the password to the data storage application.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41588r1_chk)
Review the mobile operating system configuration to determine whether it prohibits a user from disabling the password-protected lock feature on the device. If the mobile operating system allows the user to disable the password-protected lock feature, this is a finding.
Fix Text (F-37221r1_fix)
Configure the operating system to prohibit a user from disabling the password-protected lock feature.