Check: LGA6-20-100101
LG Android 6-x STIG:
LGA6-20-100101
(in versions v1 r2 through v1 r1)
Title
LG Android 6.x must require a valid password be successfully entered before the mobile device data is unencrypted. (Cat I impact)
Discussion
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.
Note: MDF PP v.2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This STIGID addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.
SFR ID: FIA_UAU_EXT.1.1
Check Content
This validation procedure is performed on both the MDM Administration Console and the LG Android device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Password" setting in the MDM console.
2. Verify a password policy has been configured.
3. Verify a password policy has been assigned to all groups.
On the LG Android device:
1. Unlock the device.
2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock.
3. Verify password is enabled and cannot be disabled (grayed out).
If on the MDM console a password policy is not configured or on the LG Android device the password is not enabled or can be disabled, this is a finding.
Fix Text
Configure the mobile operating system to force successful entry of a password before data resident on the device is decrypted. On the MDM Administration Console, configure a "Password" policy and assign it to all groups.
Additional Identifiers
Rule ID: SV-81295r2_rule
Vulnerability ID: V-66805
Group Title:
CCIs
Number | Definition |
---|---|
CCI-002476 | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. |
Controls
Number | Title |
---|---|
SC-28 (1) | Cryptographic Protection |