| V-91783 | High | Only authorized versions of the LG Android OS must be used. | The LG Android OS 6 is no longer supported by LG and therefore, may contain security vulnerabilities. The LG Android OS 6 is not authorized within the DoD. |
| V-66885 | High | LG Android 6.x must implement the management setting: Enable CC mode. | CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and... |
| V-66805 | High | LG Android 6.x must require a valid password be successfully entered before the mobile device data is unencrypted. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of... |
| V-66823 | High | LG Android 6.x must protect data at rest on built-in storage media. | The mobile operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable... |
| V-66825 | High | LG Android 6.x must protect data at rest on removable storage media. | The mobile operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
| V-66899 | Medium | LG Android 6.x must implement the management setting: list approved apps on the Whitelisted Android Apps (for Work Profile).
This requirement is only valid for activation type COPE#2. | This setting enables an application whitelist in the Work Profile. Failure to specify which applications are approved could allow unauthorized and malicious applications to be downloaded,... |
| V-66895 | Medium | LG Android 6.x must be configured to disable download mode. | Download mode allows the firmware of the device to be flashed (updated) by the user. All updates should be controlled by the system administrator to ensure configuration control of the security... |
| V-66897 | Medium | LG Android 6.x must implement the management setting: Disallow addition of Google Accounts (for Work Profile).
This requirement is only valid for activation type COPE#2. | A Google account may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and... |
| V-66891 | Medium | LG Android 6.x must not allow Google Auto sync. | Synchronization of data between devices associated with one user permits a user of a mobile operating system device to transition user activities from one device to another. This feature passes... |
| V-66893 | Medium | LG Android 6.x must be configured to implement the management settings: Disable Android Beam. | Android Beam provides the capability for Android devices to transfer data between them. Data transfer is not encrypted using FIPS-validated encryption mechanisms. Sensitive DoD information could... |
| V-66869 | Medium | LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable Smart Lock. | Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None... |
| V-66815 | Medium | LG Android 6.x must enforce an application installation policy by specifying one or more authorized application repositories by disabling Google Play. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
| V-66817 | Medium | LG Android 6.x must enforce an application installation policy by specifying an application whitelist. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
| V-66819 | Medium | LG Android 6.x must not display notifications when the device is locked. | Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there... |
| V-66843 | Medium | LG Android 6.x must be configured to implement the management setting: Disable Bluetooth Data Transfer. | Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.
SFR... |
| V-66873 | Medium | LG Android 6.x must implement the management setting: Disable USB host storage. | The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive... |
| V-66871 | Medium | LG Android 6.x must not allow protocols supporting wireless remote access connections: USB tethering. | Having wireless remote access connections enabled could allow establishment of unauthorized remote access connections, which may give an adversary unintended capabilities. These remote access... |
| V-66833 | Medium | LG Android 6.x must not allow backup to remote systems. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the mobile operating system. Where the remote... |
| V-66831 | Medium | LG Android 6.x must not allow backup to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally... |
| V-66837 | Medium | LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable fingerprint. | Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None... |
| V-66879 | Medium | LG Android 6.x must implement the management setting: Disable Nearby devices. | The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the DLNA technology. Even though the user must allow requests... |
| V-66889 | Medium | LG Android 6.x must be configured to implement the management setting: Disable LG browser and Chrome browser.
Note: This requirement is Not Applicable for the COPE#2 activation type. | The native browser includes encryption modules that are not FIPS 140-2 validated. DoD policy requires all encryption modules used in DoD IT systems be FIPS 140-2 validated.
SFR ID: FMT_SMF_EXT.1.1 #45 |
| V-66829 | Medium | LG Android 6.x must not allow a USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a... |
| V-66883 | Medium | LG Android 6.x must implement the management setting: Disable System Time Changes. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events.
Periodically synchronizing internal... |
| V-66881 | Medium | LG Android 6.x must implement the management setting: Disable Removal of device administrator rights. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
| V-66887 | Medium | LG Android 6.x must implement the management setting: Disable all non-approved preinstalled applications. | Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party... |
| V-66809 | Medium | LG Android 6.x must lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
| V-66865 | Medium | LG Android 6.x must enforce an application installation policy by specifying one or more authorized application repositories by disabling unknown sources. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
| V-66867 | Medium | LG Android 6.x must not allow protocols supporting wireless remote access connections: Bluetooth tethering. | Having wireless remote access connections enabled could allow establishment of unauthorized remote access connections, which may give an adversary unintended capabilities. These remote access... |
| V-66861 | Medium | LG Android 6.x must be configured to disable automatic updates of system software. | FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are... |
| V-66863 | Medium | LG Android 6.x must implement the management setting: Install CA certificate. | Without implementing the desired security configuration settings, the mobile operating system will have known weaknesses that adversaries could exploit to disrupt the confidentiality, integrity,... |
| V-66903 | Medium | LG Android 6.x must implement the management setting: Install CA certificate (for Work Profile).
This requirement is only valid for activation type COPE#2. | Unauthorized applications pose a variety of risks to DoD information and systems. Digital signature (or public key) technology enables strong assurance of application source and integrity.... |
| V-66821 | Medium | LG Android 6.x must not allow use of developer modes. | Developer modes expose features of the mobile operating system that are not available during standard operation. An adversary may leverage a vulnerability inherently in developer mode to... |
| V-66907 | Medium | LG Android 6.x must implement the management setting: Disable allow copy and paste between Work Profile and personal space.
This requirement is only valid for activation type COPE#2. | Allowing movement of data between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data... |
| V-66905 | Medium | LG Android 6.x must implement the management setting: Disable content sharing (for Work Profile).
This requirement is only valid for activation type COPE#2. | Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data... |
| V-66841 | Medium | LG Android 6.x whitelist must not include applications with the following characteristics:
-backup MD data to non-DoD cloud servers (including user and application access to cloud backup services);
-transmit MD diagnostic data to non-DoD servers;
-voice assistant application if available when MD is locked;
-voice dialing application if available when MD is locked;
-allows synchronization of data or applications between devices associated with user;
-payment processing; and
-allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
| V-66845 | Medium | LG Android 6.x must be configured to disable VPN split-tunneling. | Spilt-tunneling allows multiple simultaneous remote connections to the mobile device. Without VPN split-tunneling disabled, malicious applications can covertly off-load device data to a... |
| V-66875 | Low | LG Android 6.x must implement the management setting: Disable Voice Command. | On mobile operating system devices, users (may be able to) access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile... |
| V-66811 | Low | LG Android 6.x must not allow passwords that include more than two repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier... |
| V-66835 | Low | LG Android 6.x must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product... |
| V-66813 | Low | LG Android 6.x must not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of... |
| V-66827 | Low | LG Android 6.x must display the DoD advisory warning message at start-up or each time the user unlocks the device. | The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices... |
| V-66877 | Low | LG Android 6.x must implement the management setting: Disable NFC. | NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates... |
| V-66839 | Low | LG Android 6.x must enable VPN protection. | A key characteristic of a mobile device is that they typically will communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility.... |
| V-66807 | Low | LG Android 6.x must enforce a minimum password length of 6 characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
| V-66901 | Low | LG Android 6.x must implement the management setting: Set uninstall not allowed for mandatory Work Profile apps.
This requirement is only valid for activation type COPE#2. | This setting will block the removal of required applications. The Approving Authority may determine that a specific set of apps are required to meet mission needs. Key mission capabilities may be... |
