Password or CAC authentication to the security container on the mobile device must be enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25032	WIR-GMMS-001	SV-30832r2_rule	ECWN-1 IAIA-1	Medium

Description
A hacker could gain access to sensitive data in the security container on the mobile device and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled. A security container is required on any device that uses a mobile OS that with an encryption module that is not FIPS 140-2 validated.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2012-07-20

Details

Check Text ( C-31255r6_chk )
If the MDM agent provides the mobile device security container, use the following procedure for verifying requirement is met: 1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: -Have the SA identify STIG compliant and non compliant policies on the server. --Log into the MDM server console. --Click on the Policies tab. --View all iOS security policies on the server. -Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted. 2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. -Note: If there is a finding, note the name of the non STIG-compliant policy in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the MDM console and click on the Policies tab. -Select an iOS security policy to review. -Verify the security container password is enabled. CAC authentication is also an acceptable option. The exact procedure used to verify the setting will vary depending on the MDM product used. For the Good Technology MDM server: -Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked. Mark as a finding if the MDM agent password (or CAC authentication) is not enabled.

Check Text ( C-31255r6_chk )

If the MDM agent provides the mobile device security container, use the following procedure for verifying requirement is met:

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure:
-Have the SA identify STIG compliant and non compliant policies on the server.
--Log into the MDM server console.
--Click on the Policies tab.
--View all iOS security policies on the server.
-Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted.

2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy.
-Note: If there is a finding, note the name of the non STIG-compliant policy in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the MDM console and click on the Policies tab.
-Select an iOS security policy to review.

-Verify the security container password is enabled. CAC authentication is also an acceptable option. The exact procedure used to verify the setting will vary depending on the MDM product used.

For the Good Technology MDM server:
-Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked.

Mark as a finding if the MDM agent password (or CAC authentication) is not enabled.

Fix Text (F-27719r2_fix)
Enable password or CAC access to the security container app on the mobile device.