The mobile operating system must require a valid password be successfully entered before the mobile device data is unencrypted.


Overview

Finding ID: V-32713
Version: WIR-MOS-iOS-65-13
Rule ID: SV-43059r1_rule
IA Controls: IAIA-1
Severity: Medium
Description
Encryption is only effective if the decryption procedure is protected. If an adversary can easily access the private key (either directly or through a software application), then sensitive DoD data is likely to be disclosed. Password protection is one method to reduce the likelihood of such an occurrence.
STIG: Apple iOS 5 Security Technical Implementation Guide (STIG)
Date: 2012-07-20

Details

Check Text (C-41074r1_chk)
On a sample of devices known to encrypt information resident on the devices, attempt to access an encrypted file and verify the operating system prompts for a password. In many cases, the transaction may involve the entry of a CAC PIN, which still satisfies the requirement. If data is accessible without entering a password at some point when using the device, this is a finding.
Fix Text (F-36609r1_fix)
Configure the operating system to require a valid password be successfully entered before the mobile device data is unencrypted.