Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15814 | WIR0850 | SV-16753r1_rule | IAIA-1 IAIA-2 | High |
Description |
---|
PDAs and Smartphones must be password protected to protect data on the device and connections to the network. |
STIG | Date |
---|---|
PDA Security Technical Implementation Guide (STIG) | 2013-03-14 |
Check Text (C-16104r1_chk) |
---|
Detailed Policy Requirements: PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required. When password authentication is used, the following requirements apply: - The device password is set to eight or more characters. - The password is changed at least every 90 days. - If the PDA can enforce a complete device wipe after a specified number of incorrect passwords are entered, the following requirements apply: The number of incorrect passwords entered before a device wipe occurs is set to 10 or less. - If the PDA is used to connect to a DoD network via a direct connection or VPN connection, the password policy will be controlled by a security policy management server. The “Wireless Remote Access Capability” asset posture in VMS must be assigned to the PDA. Note: This requirement does not apply to wireless email PDAs and smartphones (e.g., BlackBerry). See the appropriate Wireless STIG wireless email system checklist for requirements for those systems. Check Procedures: Interview the IAO and system administrator. - Verify that CAC authentication or password authentication is used on site-managed PDAs. - If password authentication is used, verify correct settings. - If any site PDAs are used to connect to a DoD network via a direct or VPN connection, verify the “Wireless Remote Access Capability” asset posture has been assigned in VMS to the PDA and appropriate checks have been completed. Mark as a finding if any of the requirements are not met. |
Fix Text (F-15767r1_fix) |
---|
Comply with policy. |