The IAO has not ensured PDAs and Smartphones are protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15814	WIR0850	SV-16753r1_rule	IAIA-1 IAIA-2	High

Description
PDAs and Smartphones must be password protected to protect data on the device and connections to the network.

STIG	Date
PDA Security Technical Implementation Guide (STIG)	2013-03-14

Details

Check Text ( C-16104r1_chk )
Detailed Policy Requirements: PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required. When password authentication is used, the following requirements apply: - The device password is set to eight or more characters. - The password is changed at least every 90 days. - If the PDA can enforce a complete device wipe after a specified number of incorrect passwords are entered, the following requirements apply: The number of incorrect passwords entered before a device wipe occurs is set to 10 or less. -If the PDA is used to connect to a DoD network via a direct connection or VPN connection, the password policy will be controlled by a security policy management server. The “Wireless Remote Access Capability” asset posture in VMS must be assigned to the PDA. Note: This requirement does not apply to wireless email PDAs and Smartphones (e.g., Blackberry). See the appropriate Wireless STIG wireless email system checklist for requirements for those systems. Check Procedures: Interview the IAO and system administrator. - Verify that CAC authentication or password authentication is used on site managed PDAs. - If password authentication is used, verify correct settings. - If any site PDAs are used to connect to a DoD network via a direct or VPN connection, verify the “Wireless Remote Access Capability” asset posture has been assigned in VMS to the PDA and appropriate checks have been completed. Mark as a finding if any of the requirements are not met.

Check Text ( C-16104r1_chk )

Detailed Policy Requirements:

PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required. When password authentication is used, the following requirements apply:

- The device password is set to eight or more characters.
- The password is changed at least every 90 days.
- If the PDA can enforce a complete device wipe after a specified number of incorrect passwords are entered, the following requirements apply: The number of incorrect passwords entered before a device wipe occurs is set to 10 or less.
-If the PDA is used to connect to a DoD network via a direct connection or VPN connection, the password policy will be controlled by a security policy management server. The “Wireless Remote Access Capability” asset posture in VMS must be assigned to the PDA.

Note: This requirement does not apply to wireless email PDAs and Smartphones (e.g., Blackberry). See the appropriate Wireless STIG wireless email system checklist for requirements for those systems.

Check Procedures:

Interview the IAO and system administrator.
- Verify that CAC authentication or password authentication is used on site managed PDAs.
- If password authentication is used, verify correct settings.
- If any site PDAs are used to connect to a DoD network via a direct or VPN connection, verify the “Wireless Remote Access Capability” asset posture has been assigned in VMS to the PDA and appropriate checks have been completed.
Mark as a finding if any of the requirements are not met.

Fix Text (F-15767r1_fix)
Comply with policy.