Check: AIOS-06-080003
Apple iOS 8 ISCG:
AIOS-06-080003
(in version v1 r1)
Title
The Apple iOS app used to support the DoD notice and consent banner must either prevent access to a frequently used service or notify another device that acceptance of the user agreement has occurred. (Cat III impact)
Discussion
If a user is able to deny either that he or she has used the app or that he or she provided the requisite consent within the app, then the app will not properly support the investigative and prosecutorial purposes of notice and consent. Without notice and consent, a user may be able to thwart otherwise authorized searches and seizures of the device. If the app is tied to a frequently used service, then use of that service indicates that the consent message has been accepted. If the app is not tied to a frequently used service, then it must notify an external device of consent transactions to enable DoD to determine which users have not periodically accepted the consent statement. Additional information is found in DoD Instruction 8500.01. SFR ID: FMT_SMF.1.1 #42
Check Content
This check procedure is performed on the iOS device only. On the iOS device: 1. Ask the MDM administrator to identify the app used to fulfill the requirement. 2. Launch the app. 3. Determine whether the app is a frequently used app, such as an email client, that a user would be expected to use on a daily or nearly daily basis. If the app is a frequently used app, this is acceptable evidence that the user is acknowledging acceptance of the user agreement on a regular basis. 4. If the app is not a frequently used app, determine whether the app provides notification to an external device when the user acknowledges the notice and consent banner. In this case, the reviewer will need to work with the MDM administrator to determine how the app functions and to where it sends records of acceptance transactions. If the MDM administrator is unable to identify an app to fulfill the requirement, if there is no banner, or if the app does not generate evidence that the user is acknowledging acceptance of the user agreement, this is a finding.
Fix Text
Install an app that provides assurance that the user cannot deny having accepted the notice and consent banner.
Additional Identifiers
Rule ID:
Vulnerability ID: V-54301
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000050 |
The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. |
CCI-000366 |
The organization implements the security configuration settings. |