- Group Title
- PP-MDF-993300
- Group ID
- V-257120
- Rule Version
- AIOS-16-710400
- Rule Title
- Apple iOS/iPadOS 16 must require a valid password be successfully entered before the mobile device data is unencrypted.
- Rule ID
- SV-257120r904260_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.
Note: MDF PP v2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.
SFR ID: FIA_UAU_EXT.1.1
- Documentable
- False
- Check Content
-
Review configuration settings to confirm the device is set to require a passcode before use.
This procedure is performed on the iOS and iPadOS device.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the password policy.
5. Tap "Restrictions".
6. Tap "Passcode".
7. Verify "Passcode required" is set to "Yes".
If "Passcode required" is not set to "Yes", this is a finding.
- Check System
- C-60805r904258_chk
- Fix Reference
- F-60746r904259_fix
- Fix Text
-
Install a configuration profile to require a password to unlock the device.
- Identities
-
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1
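For V-257120 (AIOS-16-710400), the on-device check is manual. As an added example (not part of the STIG or of any DISA or Apple tooling), the same condition can be tested against an exported, unsigned `.mobileconfig` before it is installed. The payload type `com.apple.mobiledevice.passwordpolicy` and the `forcePIN` key come from Apple's configuration profile format rather than from this page, and the sample profiles are constructed.

```python
import plistlib

# Apple's Passcode payload type (assumption: not named on the STIG page).
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def _profile(payloads):
    """Build a constructed, unsigned configuration profile for the demo."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": payloads,
    })


# Constructed sample inputs.
COMPLIANT = _profile([{"PayloadType": PASSCODE_PAYLOAD, "forcePIN": True, "minLength": 6}])
PASSCODE_OPTIONAL = _profile([{"PayloadType": PASSCODE_PAYLOAD, "forcePIN": False}])
NO_PASSCODE_PAYLOAD = _profile([{"PayloadType": "com.apple.applicationaccess"}])


def check_passcode_required(profile_bytes):
    """Return (is_finding, reason) for one unsigned profile.

    Fails closed: anything that cannot be shown to force a passcode is a finding.
    """
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:
        # Signed profiles are CMS-wrapped and must be unwrapped before parsing.
        return True, "not a parsable plist"
    if not isinstance(profile, dict):
        return True, "top-level object is not a dictionary"
    payloads = profile.get("PayloadContent")
    if not isinstance(payloads, list):
        return True, "PayloadContent missing or not a list"
    passcode = [p for p in payloads
                if isinstance(p, dict) and p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not passcode:
        return True, "no passcode payload in profile"
    # Require the boolean True, not a truthy string such as "Yes".
    if any(p.get("forcePIN") is True for p in passcode):
        return False, "forcePIN is true"
    return True, "passcode payload present but forcePIN is not true"


if __name__ == "__main__":
    for name in ("COMPLIANT", "PASSCODE_OPTIONAL", "NO_PASSCODE_PAYLOAD"):
        print(name, check_passcode_required(globals()[name]))
```

A pass here only shows what the profile requests; the on-device check that "Passcode required" reads "Yes" is still what the rule asks for.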
- Group Title
- PP-MDF-993300
- Group ID
- V-257123
- Rule Version
- AIOS-16-711200
- Rule Title
- iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
- Rule ID
- SV-257123r904269_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm the most recently released version of iOS is installed.
This validation procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad. Go to https://www.apple.com and determine the most current version of iOS released by Apple.
In the MDM management console, review the version of iOS installed on a sample of managed devices. This procedure will vary depending on the MDM product.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "About" and view the installed version of iOS.
4. Go back to the "General" screen. Tap "Software Update" and verify the following message is shown on the screen: "Your software is up to date."
If the installed version of iOS on any reviewed iOS/iPadOS devices is not the latest released by Apple, this is a finding.
- Check System
- C-60808r904267_chk
- Fix Reference
- F-60749r904268_fix
- Fix Text
-
Install the latest release version of Apple iOS/iPadOS on all managed iOS devices.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000370
Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.
- 800-53 :: CM-6 (1)
- 800-53 Rev. 4 :: CM-6 (1)
- 800-53 Rev. 5 :: CM-6 (1)
- 800-53A :: CM-6 (1).1
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)