Check: SRG-APP-000221-MAPP-NA
Mobile Application SRG:
SRG-APP-000221-MAPP-NA
(in version v1 r1)
Title
Applications providing a login capability must also provide a logout functionality to allow the user to manually terminate the session. (Cat II impact)
Discussion
An application that does not allow the user to log out leaves the application and all stored data vulnerable to unauthorized access if an adversary is able to unlock the device and re-launch the application or continue the prior session. If a user cannot log out of a mobile application, an adversary could continue to use the previous user's session, access the stored data with malicious intent, and compromise the integrity and confidentiality of the data. This control provides the DoD greater assurance that the device and all stored data are less vulnerable to malicious action in the event a device is stolen or found.

Rationale for non-applicability: The MAPP SRG does not require user authentication. Since there is no requirement for a login capability, there similarly is no requirement to provide a logout capability.
Check Content
This requirement is NA for the MAPP SRG.
Fix Text
The requirement is NA. No fix is required.
Additional Identifiers
Rule ID: SV-46850r1_rule
Vulnerability ID: V-35563
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001186 | The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |