UCF STIG Viewer Logo

Google Android 12 COPE Security Technical Implementation Guide


Overview

Date Finding Count (35)
2021-09-17 CAT I (High): 1 CAT II (Med): 30 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-250448 High Android 12 devices must have the latest available Google Android 12 operating system installed.
V-250453 Medium Google Android 12 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
V-250419 Medium Google Android 12 must be configured to enforce a minimum password length of six characters.
V-250418 Medium Google Android 12 must be configured to enable audit logging.
V-250428 Medium Google Android 12 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
V-250429 Medium Google Android 12 must be configured to disable developer modes.
V-250422 Medium Google Android 12 must be configured to lock the display after 15 minutes (or less) of inactivity.
V-250423 Medium Google Android 12 must be configured to not allow more than 10 consecutive failed authentication attempts.
V-250420 Medium Google Android 12 must be configured to not allow passwords that include more than two repeating or sequential characters.
V-250421 Medium Google Android 12 must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.
V-250426 Medium Google Android 12 allowlist must be configured to not include applications with the following characteristics: 1. Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services);2. Transmit MD diagnostic data to non-DoD servers;3. Voice assistant application if available when MD is locked;4. Voice dialing application if available when MD is locked;5. Allows synchronization of data or applications between devices associated with user; and6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
V-250427 Medium Google Android 12 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].
V-250424 Medium Google Android 12 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
V-250425 Medium Google Android 12 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
V-250440 Medium Google Android 12 must be configured to enforce that Wi-Fi Sharing is disabled.
V-250441 Medium Google Android 12 must have the DoD root and intermediate PKI certificates installed.
V-250442 Medium The Google Android 12 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.
V-250443 Medium Google Android 12 work profile must be configured to enforce the system application disable list.
V-250444 Medium Google Android 12 must be provisioned as a fully managed device and configured to create a work profile.
V-250445 Medium Google Android 12 work profile must be configured to disable automatic completion of work space Internet browser text input.
V-250446 Medium Google Android 12 Work Profile must be configured to disable the autofill services.
V-250447 Medium Google Android 12 must be configured to disallow configuration of date and time.
V-250454 Medium Google Android 12 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
V-250439 Medium Google Android 12 users must complete required training.
V-250438 Medium Google Android 12 must be configured to disable ad hoc wireless client-to-client connection capability.
V-250435 Medium Google Android 12 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].
V-250434 Medium Google Android 12 must be configured to not allow backup of [all applications, configuration data] to remote systems.
V-250436 Medium Google Android 12 must be configured to disable multiuser modes.
V-250431 Medium Google Android 12 must be configured to generate audit records for the following auditable events: detected integrity violations.
V-250433 Medium Google Android 12 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
V-250432 Medium Google Android 12 must be configured to disable USB mass storage mode.
V-250450 Low Android 12 devices must be configured to enable Common Criteria Mode (CC Mode).
V-250449 Low Android 12 devices must be configured to disable the use of third-party keyboards.
V-250437 Low Google Android 12 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).
V-250430 Low Google Android 12 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.