Check: AIOS-11-010800
Apple iOS 11 STIG:
AIOS-11-010800
(in versions v1 r4 through v1 r1)
Title
Apple iOS must require a valid password be successfully entered before the mobile device data is unencrypted. (Cat I impact)
Discussion
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. Note: MDF PP v2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This STIGID addresses the configuration to require a password, which is critical to the cybersecurity posture of the device. SFR ID: FIA_UAU_EXT.1.1
Check Content
Review configuration settings to confirm the device is set to require a passcode before use. This procedure is performed on the iOS device. On the Apple iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles & Device Management". 4. Tap the Configuration Profile from the iOS management tool containing the password policy. 5. Tap "Restrictions". 6. Verify "Passcode" is listed. If "Passcode" is not listed, this is a finding.
Fix Text
Install a configuration profile to require a password to unlock the device.
Additional Identifiers
Rule ID: SV-93109r1_rule
Vulnerability ID: V-78403
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002476 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. |
Controls
Number | Title |
---|---|
SC-28 (1) |
Cryptographic Protection |