{
"stig": {
"date": "2022-06-07",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-252406": {
"checkid": "C-55862r815429_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are enrolled in a DoD-approved use case.\n\nThis validation procedure is performed on both the management tool Administration Console and the Samsung Android device. \n\nOn the management tool, verify that the default enrollment is set to \"Work profile for company-owned devices\".\n\nOn the Samsung Android device: \n1. Open Settings >> Work profile >> Other security settings >> Device admin apps.\n2. Verify that the management tool Agent is listed.\n3. Go to the app drawer.\n4. Verify that a \"Personal\" and \"Work\" tab are present.\n\nIf on the management tool the default enrollment is not set as \"Work profile for company-owned devices\", or on the Samsung Android device the \"Personal\" and \"Work\" tabs are not present or the management tool Agent is not listed, this is a finding.",
"description": "The Work profile is the designated application group for the COPE use case.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55812r815430_fix",
"fixtext": "Enroll the Samsung Android devices in a DoD-approved use case.\n\nOn the management tool, configure the default enrollment as \"Work profile for company-owned devices\".\n\nRefer to the management tool documentation to determine how to configure the device enrollment.",
"iacontrols": null,
"id": "V-252406",
"ruleID": "SV-252406r815431_rule",
"severity": "medium",
"title": "Samsung Android must be enrolled as a COPE device.",
"version": "KNOX-12-210010"
},
"V-252407": {
"checkid": "C-55863r815432_chk",
"checktext": "Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nValidation Procedure for Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).\n\nReview the signed user agreements for several Samsung Android device users and verify that the agreement includes the required DoD warning banner text.\n\nValidation Procedure for Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device.\n\nOn the management tool, in the device restrictions section, verify that \"Lock Screen Message\" is set to the DoD-mandated warning banner text.\n\nOn the Samsung Android device, verify that the required DoD warning banner text is displayed on the Lock screen.\n\nIf the warning text has not been placed in the signed user agreement, or if on the management tool \"Lock Screen Message\" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed on the Lock screen, this is a finding.",
"description": "Before granting access to the system, the mobile operating system is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.\n\nSystem use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a \"click-through\" banner at device unlock (to the extent permitted by the operating system). A \"click-through\" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK.\"\n\nThe approved DoD text must be used exactly as required in the Knowledge Service referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nFor devices with severe character limitations, the banner text is: \n\nI've read & consent to terms in IS user agreem't.\n\nThe administrator must configure the banner text exactly as written without any changes.\n\nSFR ID: FMT_SMF_EXT.1.1 #36",
"fixid": "F-55813r816524_fix",
"fixtext": "Configure the DoD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):\n\nMethod #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).\n\nMethod #2: Configure the warning banner text in the Lock screen message on each managed mobile device.\n\nOn the management tool, in the device restrictions section, set \"Lock Screen Message\" to the DoD-mandated warning banner text.",
"iacontrols": null,
"id": "V-252407",
"ruleID": "SV-252407r815434_rule",
"severity": "low",
"title": "Samsung Android must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.",
"version": "KNOX-12-210020"
},
"V-252408": {
"checkid": "C-55864r815435_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disallowing passwords containing more than four repeating or sequential characters.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device password policies, verify \"minimum password quality\" is set to \"Numeric(Complex)\" or better.\n\nOn the Samsung Android device: \n1. Open Settings >> Lock screen >> Screen lock type. \n2. Enter current password. \n3. Tap \"PIN\". \n4. Verify that PINs with more than four repeating or sequential numbers are not accepted.\n\nIf on the management tool \"minimum password quality\" is not set to \"Numeric(Complex)\" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #1b",
"fixid": "F-55814r815436_fix",
"fixtext": "Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters.\n\nOn the management tool, in the device password policies, set \"minimum password quality\" to \"Numeric(Complex)\" or better.\n\nIf your management tool does not support \"Numeric(Complex)\" but does support \"Numeric\", KPE can be used to achieve STIG compliance. In this case, configure this policy with value \"Numeric\" and use an additional KPE policy (innately by the management tool or via KSP) \"Maximum Numeric Sequence Length\" with value \"4\".",
"iacontrols": null,
"id": "V-252408",
"ruleID": "SV-252408r815437_rule",
"severity": "medium",
"title": "Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.",
"version": "KNOX-12-210030"
},
"V-252409": {
"checkid": "C-55865r815438_chk",
"checktext": "Verify requirement KNOX-12-210030 (minimum password quality) has been implemented.\n\nIf a \"minimum password quality\" has not been implemented, this is a finding.",
"description": "The screen-lock timeout helps protect the device from unauthorized access. Devices without a screen-lock timeout provide an opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device and possibly access to DoD networks.\n\nSFR ID: FMT_SMF_EXT.1.1 #2a",
"fixid": "F-55815r815439_fix",
"fixtext": "Implement a \"minimum password quality\" (see requirement KNOX-12-210030).",
"iacontrols": null,
"id": "V-252409",
"ruleID": "SV-252409r815440_rule",
"severity": "medium",
"title": "Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.",
"version": "KNOX-12-210040"
},
"V-252410": {
"checkid": "C-55866r815441_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are enforcing a minimum password length of six characters.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device password policies, verify \"minimum password length\" is set to \"6\".\n\nOn the Samsung Android device:\n1. Open Settings >> Lock screen >> Screen lock type.\n2. Enter current password.\n3. Tap \"PIN\".\n4. Verify the text \"PIN must contain at least\", followed by a value of at least \"6 digits\", appears above the PIN entry.\n\nIf on the management tool \"minimum password length\" is not set to \"6\", or on the Samsung Android device the text \"PIN must contain at least\" is followed by a value of less than \"6 digits\", this is a finding.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.\n\nSFR ID: FMT_SMF_EXT.1.1 #1a",
"fixid": "F-55816r815442_fix",
"fixtext": "Configure the Samsung Android devices to enforce a minimum password length of six characters.\n\nOn the management tool, in the device password policies, set \"minimum password length\" to \"6\".",
"iacontrols": null,
"id": "V-252410",
"ruleID": "SV-252410r815443_rule",
"severity": "medium",
"title": "Samsung Android must be configured to enforce a minimum password length of six characters.",
"version": "KNOX-12-210050"
},
"V-252411": {
"checkid": "C-55867r815444_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are allowing only 10 or fewer consecutive failed authentication attempts.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device password policies, verify \"max password failures for local wipe\" is set to \"10\" attempts or less.\n\nOn the Samsung Android device: \n1. Open Settings >> Lock screen.\n2. Verify \"Secure lock settings\" is present and tap it.\n3. Enter current password.\n4. Verify that \"Auto factory reset\" is greyed out and cannot be configured.\n\nIf on the management tool \"max password failures for local wipe\" is not set to \"10\" attempts or less, or on the Samsung Android device the \"Auto factory reset\" menu can be configured, this is a finding.",
"description": "The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.\n\nSFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5",
"fixid": "F-55817r815445_fix",
"fixtext": "Configure the Samsung Android devices to allow only 10 or fewer consecutive failed authentication attempts.\n\nOn the management tool, in the device password policies, set \"max password failures for local wipe\" to \"10\" attempts or less.\n\nA device password must be set for \"max password failures for local wipe\" to become active.",
"iacontrols": null,
"id": "V-252411",
"ruleID": "SV-252411r815446_rule",
"severity": "medium",
"title": "Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.",
"version": "KNOX-12-210060"
},
"V-252412": {
"checkid": "C-55868r815447_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are locking the device display after 15 minutes (or less) of inactivity.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device password policies, verify \"max time to screen lock\" is set to \"15 minutes\" or less.\n\nOn the Samsung Android device:\n1. Open Settings >> Lock screen.\n2. Verify \"Secure lock settings\" is present and tap it.\n3. Enter current password.\n4. Tap \"Auto lock when screen turns off\".\n5. Verify the listed timeout values are 15 minutes or less.\n\nIf on the management tool \"max time to screen lock\" is not set to \"15 minutes\" or less, or on the Samsung Android device \"Secure lock settings\" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.",
"description": "The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.\n\nSFR ID: FMT_SMF_EXT.1.1 #2b",
"fixid": "F-55818r815448_fix",
"fixtext": "Configure the Samsung Android devices to lock the device display after 15 minutes (or less) of inactivity.\n\nOn the management tool, in the device password policies, set \"max time to screen lock\" to \"15 minutes\" or less.\n\nA device password must be set for \"max time to screen lock\" to become active.",
"iacontrols": null,
"id": "V-252412",
"ruleID": "SV-252412r815449_rule",
"severity": "medium",
"title": "Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.",
"version": "KNOX-12-210070"
},
"V-252413": {
"checkid": "C-55869r815450_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disabling Face Recognition.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nIf a KPE premium license is activated, Facial Recognition will be automatically disabled.\n\nOtherwise, on the management tool, in the device restrictions, verify that \"Face\" is set to \"Disable\".\n\nOn the Samsung Android device: \n1. Open Settings >> Lock screen >> Screen lock type.\n2. Enter current password.\n3. Verify that \"Face\" is disabled and cannot be enabled.\n\nIf on the management tool a KPE premium license is not activated and \"Face\" is not set to \"Disable\", or on the Samsung Android device \"Face\" can be enabled, this is a finding.",
"description": "The biometric factor can be used to authenticate the user in order to unlock the mobile device. Unapproved/evaluated biometric mechanisms could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of unapproved/evaluated biometric authentication mechanisms, this risk is mitigated.\n\nSFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1",
"fixid": "F-55819r815451_fix",
"fixtext": "Configure the Samsung Android devices to disable Face Recognition.\n\nThis policy is included to allow a Samsung Android device to be deployed without an activated KPE premium license. If a license is activated, Facial Recognition will be automatically disabled. In this case, this policy does not need to be configured for STIG compliance, as Face as a biometric will be disabled.\n\nOn the management tool, in the device restrictions, set \"Face\" to \"Disable\".",
"iacontrols": null,
"id": "V-252413",
"ruleID": "SV-252413r815452_rule",
"severity": "medium",
"title": "Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition.",
"version": "KNOX-12-210080"
},
"V-252414": {
"checkid": "C-55870r835024_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disabling Trust Agents.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions, verify that \"Trust Agents\" are set to \"Disable\".\n\nOn the Samsung Android device: \n1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents.\n2. Verify that all listed Trust Agents are disabled and cannot be enabled. If a Trust Agent is not disabled in the list, verify for that Trust Agent that all of its listed Trustlets are disabled and cannot be enabled.\n\nIf on the management tool \"Trust Agents\" are not set to \"Disable\", or on the Samsung Android device a \"Trust Agent\" or \"Trustlet\" can be enabled, this is a finding.\n\nNote: If the management tool has been correctly configured, but a Trust Agent is still enabled, configure the \"List of approved apps listed in managed Google Play\" to disable it; refer to KNOX-12-110190.\n\nException: Trust Agents may be used if the AO allows a screen lock timeout after four hours (or more) of inactivity. This may be applicable to tactical use cases.",
"description": "The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.\n\nSFR ID: FMT_SMF_EXT.1.1 #2a",
"fixid": "F-55820r815454_fix",
"fixtext": "Configure the Samsung Android devices to disable Trust Agents.\n\nOn the management tool, in the device restrictions, set \"Trust Agents\" to \"Disable\".",
"iacontrols": null,
"id": "V-252414",
"ruleID": "SV-252414r835025_rule",
"severity": "medium",
"title": "Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.",
"version": "KNOX-12-210090"
},
"V-252415": {
"checkid": "C-55871r815456_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disabling developer modes.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions, verify that \"Debugging Features\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Open \"Settings\".\n2. Verify \"Developer options\" is not listed.\n\nIf on the management tool \"Debugging Features\" is not set to \"Disallow\", or on the Samsung Android device \"Developer options\" is listed, this is a finding.",
"description": "Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD sensitive information. Disabling developer modes mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #26",
"fixid": "F-55821r815457_fix",
"fixtext": "Configure the Samsung Android devices to disable developer modes.\n\nOn the management tool, in the device restrictions, set \"Debugging Features\" to \"Disallow\".",
"iacontrols": null,
"id": "V-252415",
"ruleID": "SV-252415r815458_rule",
"severity": "medium",
"title": "Samsung Android must be configured to disable developer modes.",
"version": "KNOX-12-210100"
},
"V-252416": {
"checkid": "C-55872r815459_chk",
"checktext": "Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are paired only with devices which support the HSP, HFP, SPP, A2DP, AVRCP, and PBAP Bluetooth profiles.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions section, verify \"Bluetooth\" is set to the AO-approved selection: \"Allow\" if the AO has approved the use of Bluetooth, or \"Disallow\" if not.\n\nOn the Samsung Android device: \n1. Open Settings >> Connections >> Bluetooth.\n2. Verify that all listed paired Bluetooth devices use only authorized Bluetooth profiles.\n\nIf on the management tool \"Bluetooth\" is not set to the AO-approved value, or the Samsung Android device is paired with a device which uses unauthorized Bluetooth profiles, this is a finding.",
"description": "Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore must be disabled.\n\nSFR ID: FMT_SMF_EXT.1.1/BLUETOOTH BT-8",
"fixid": "F-55822r815460_fix",
"fixtext": "Configure the Samsung Android devices to disable Bluetooth, or, if the AO has approved the use of Bluetooth (for example, for hands-free use), train users to only pair devices which support the HSP, HFP, SPP, A2DP, AVRCP, and PBAP profiles.\n\nOn the management tool, in the device restrictions section, set \"Bluetooth\" to the AO-approved selection: \"Allow\" if the AO has approved the use of Bluetooth, or \"Disallow\" if not.\n\nThe user training requirement is satisfied in requirement KNOX-12-210290.",
"iacontrols": null,
"id": "V-252416",
"ruleID": "SV-252416r816525_rule",
"severity": "low",
"title": "Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).",
"version": "KNOX-12-210110"
},
"V-252417": {
"checkid": "C-55873r815462_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are either enabling data-at-rest protection for removable media, or are disabling their use.\n\nThis requirement is not applicable for devices that do not support removable storage media.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions, verify that \"Mount physical media\" is set to \"Disallow\".\n\nOn the Samsung Android device, verify that a microSD card cannot be mounted.\n\nThe device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files.\n\nIf on the management tool \"Mount physical media\" is not set to \"Disallow\", or on the Samsung Android device a microSD card can be mounted, this is a finding.",
"description": "The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.\n\nSFR ID: FMT_SMF_EXT.1.1 #20, #47d",
"fixid": "F-55823r815463_fix",
"fixtext": "Configure the Samsung Android devices to enable data-at-rest protection for removable media, or alternatively, disable their use.\n\nThis requirement is not applicable for devices that do not support removable storage media.\n\nOn the management tool, in the device restrictions, set \"Mount physical media\" to \"Disallow\".\n\nThis disables the use of all removable storage, e.g., micro SD cards, USB thumb drives, etc.\n\nIf your deployment requires the use of micro SD cards, KPE can be used to allow their usage in a STIG-approved configuration. In this case, do not configure this policy, and instead replace it with the KPE policy (innately by the management tool or via KSP) \"Enforce external storage encryption\" with value \"enable\".",
"iacontrols": null,
"id": "V-252417",
"ruleID": "SV-252417r815464_rule",
"severity": "high",
"title": "Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.",
"version": "KNOX-12-210120"
},
"V-252418": {
"checkid": "C-55874r815465_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disabling USB mass storage mode.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions, verify that \"USB file transfer\" has been set to \"Disallow\".\n\nOn the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files.\n\nIf on the management tool \"USB file transfer\" is not set to \"Disallow\", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.",
"description": "USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #39",
"fixid": "F-55824r815466_fix",
"fixtext": "Configure the Samsung Android devices to disable USB mass storage mode.\n\nOn the management tool, in the device restrictions, set \"USB file transfer\" to \"Disallow\".\n\nDeX drag & drop file transfer capabilities will be prohibited, but all other DeX capabilities remain useable.",
"iacontrols": null,
"id": "V-252418",
"ruleID": "SV-252418r815467_rule",
"severity": "medium",
"title": "Samsung Android must be configured to disable USB mass storage mode.",
"version": "KNOX-12-210130"
},
"V-252419": {
"checkid": "C-55875r815468_chk",
"checktext": "Verify requirement KNOX-12-210130 (Disallow USB file transfer) has been implemented.\n\nIf \"Disallow USB file transfer\" has not been implemented, this is a finding.",
"description": "Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-55825r815469_fix",
"fixtext": "Verify \"USB file transfer\" has been \"Disallowed\" (see requirement KNOX-12-210130).",
"iacontrols": null,
"id": "V-252419",
"ruleID": "SV-252419r816526_rule",
"severity": "medium",
"title": "Samsung Android must be configured to not allow backup of all applications' configuration data to locally connected systems.",
"version": "KNOX-12-210140"
},
"V-252420": {
"checkid": "C-55876r815471_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are enabling authentication of personal hotspot connections to the device using a preshared key. \n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions, verify \"Config tethering\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Open Settings >> Connections.\n2. Verify that \"Mobile Hotspot and Tethering\" is greyed out.\n\nIf on the management tool \"Config tethering\" is not set to \"Disallow\", or on the Samsung Android device \"Mobile Hotspot and Tethering\" is not greyed out, this is a finding.",
"description": "If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk.\n\nApplication note: If hotspot functionality is permitted, it must be authenticated via a preshared key. There is no requirement to enable hotspot functionality, and it is recommended this functionality be disabled by default.\n\nSFR ID: FMT_SMF_EXT.1.1 #41",
"fixid": "F-55826r815472_fix",
"fixtext": "Configure the Samsung Android devices to enable authentication of personal hotspot connections to the device using a pre-shared key.\n\nOn the management tool, in the device restrictions, set \"Config tethering\" to \"Disallow\".\n\nIf your deployment requires the use of Mobile Hotspot & Tethering, KPE policy can be used to allow its usage in a STIG-approved configuration. In this case, do not configure this policy, and instead replace it with the KPE policy (innately by the management tool or via KSP) \"Allow open Wi-Fi connection\" with value \"Disable\" and add Training Topic \"Don't use Wi-Fi Sharing\" (see the supplemental document for additional information).",
"iacontrols": null,
"id": "V-252420",
"ruleID": "SV-252420r815473_rule",
"severity": "medium",
"title": "Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.",
"version": "KNOX-12-210150"
},
"V-252421": {
"checkid": "C-55877r815474_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disallowing the users from changing the date and time.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the device restrictions, verify that \"Config Date/Time\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Open Settings >> General management >> Date and time.\n2. Verify that \"Automatic date and time\" is on and the user cannot disable it.\n\nIf on the management tool \"Config Date/Time\" is not set to \"Disallow\", or on the Samsung Android device \"Automatic date and time\" is not set or the user can disable it, this is a finding.",
"description": "Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nPeriodically synchronizing internal clocks with an authoritative time source is needed to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), the Global Positioning System (GPS), or the wireless carrier.\n\nTime stamps generated by the audit system in Samsung Android must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55827r815475_fix",
"fixtext": "Configure the Samsung Android devices to disallow users from changing the date and time.\n\nOn the management tool, in the device restrictions, set \"Config Date/Time\" to \"Disallow\".",
"iacontrols": null,
"id": "V-252421",
"ruleID": "SV-252421r815476_rule",
"severity": "medium",
"title": "Samsung Android must be configured to disallow configuration of the device's date and time.",
"version": "KNOX-12-210160"
},
"V-252422": {
"checkid": "C-55878r815477_chk",
"checktext": "Review the configuration to determine if the Samsung Android's Work profile has the DoD root and intermediate PKI certificates installed.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nThe current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet).\n\nOn the management tool, in the Work profile policy management, verify that the DoD root and intermediate PKI certificates are installed.\n\nOn the Samsung Android device: \n1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.\n2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work profile.\n\nIf on the management tool the DoD root and intermediate PKI certificates are not listed in the Work profile, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work profile, this is a finding.",
"description": "DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55828r815478_fix",
"fixtext": "Install the DoD root and intermediate PKI certificates into the Samsung Android devices' Work profile.\n\nThe current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet).\n\nOn the management tool, in the Work profile policy management, install the DoD root and intermediate PKI certificates.",
"iacontrols": null,
"id": "V-252422",
"ruleID": "SV-252422r815479_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must have the DoD root and intermediate PKI certificates installed.",
"version": "KNOX-12-210170"
},
"V-252423": {
"checkid": "C-55879r815480_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices' Work profile is allowing users to install only applications that have been approved by the Authorizing Official (AO).\n\nThis validation procedure is performed only on the management tool.\n\nOn the management tool, in the app catalog for managed Google Play, verify that only AO-approved apps are available.\n\nIf on the management tool the app catalog for managed Google Play includes non-AO-approved apps, this is a finding.",
"description": "The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and preinstalled applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.\n\nCore application: Any application integrated into the OS by the OS or MD vendors.\n\nPreinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nRequiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-55829r815481_fix",
"fixtext": "Configure the Samsung Android devices' Work profile to allow users to install only applications that have been approved by the Authorizing Official (AO).\n\nIn addition to any local policy, the AO must not approve applications that have certain prohibited characteristics; these are covered in KNOX-12-210190.\n\nOn the management tool, in the app catalog for managed Google Play, add each AO-approved app to be available.\n\nNOTE: Managed Google Play is an allowed App Store.",
"iacontrols": null,
"id": "V-252423",
"ruleID": "SV-252423r815482_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.",
"version": "KNOX-12-210180"
},
"V-252424": {
"checkid": "C-55880r816528_chk",
"checktext": "Verify requirement KNOX-12-210180 (managed Google Play) has been implemented.\n\nIf \"managed Google Play\" has not been implemented, this is a finding.",
"description": "Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.\n\nCore application: Any application integrated into the OS by the OS or MD vendors.\n\nPreinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-55830r816529_fix",
"fixtext": "The Authorizing Official (AO) must not approve applications with the following characteristics for installation by users in the Work profile:\n\n- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);\n- transmit MD diagnostic data to non-DoD servers;\n- voice assistant application if available when MD is locked;\n- voice dialing application if available when MD is locked;\n- allows synchronization of data or applications between devices associated with user;\n- payment processing; and\n- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers.\n\nImplement \"managed Google Play\" (see requirement KNOX-12-210180).",
"iacontrols": null,
"id": "V-252424",
"ruleID": "SV-252424r816527_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.",
"version": "KNOX-12-210190"
},
"V-252425": {
"checkid": "C-55881r815486_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are not displaying (Work Environment) notifications when the device is locked.\n\nNotifications of incoming phone calls are acceptable even when the device is locked.\n\nThis validation procedure is performed on both the management tool Administration Console and the Samsung Android device.\n\nOn the management tool, in the Work profile restrictions section, verify that \"Unredacted Notifications\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Open Settings >> Work profile >> Notification and data.\n2. Verify that \"Show notification content\" is disabled.\n\nIf on the management tool \"Unredacted Notifications\" is not set to \"Disallow\", or on the Samsung Android device \"Show notification content\" is not disabled, this is a finding.",
"description": "Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #18",
"fixid": "F-55831r815487_fix",
"fixtext": "Configure the Samsung Android devices to not display (Work Environment) notifications when the device is locked.\n\nOn the management tool, in the Work profile restrictions section, set \"Unredacted Notifications\" to \"Disallow\".",
"iacontrols": null,
"id": "V-252425",
"ruleID": "SV-252425r815488_rule",
"severity": "medium",
"title": "Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.",
"version": "KNOX-12-210200"
},
"V-252426": {
"checkid": "C-55882r815489_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices' Work profile is enabling audit logging.\n\nThis validation procedure is performed on the management tool only.\n\nOn the management tool, in the Work profile restrictions, verify that \"Security logging\" is set to \"Enable\".\n\nIf on the management tool \"Security logging\" is not set to \"Enable\", this is a finding.",
"description": "Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. The Requirement Statement lists key events for which the system must generate an audit record.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55832r815490_fix",
"fixtext": "Configure the Samsung Android devices' Work profile to enable audit logging.\n\nOn the management tool, in the Work profile restrictions section, set \"Security logging\" to \"Enable\".",
"iacontrols": null,
"id": "V-252426",
"ruleID": "SV-252426r815491_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must be configured to enable audit logging.",
"version": "KNOX-12-210210"
},
"V-252427": {
"checkid": "C-55883r815492_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are preventing users from adding personal email accounts to the work email app.\n\nOn the management tool, in the device restrictions section, verify \"Modify accounts\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Open Settings >> Work profile >> Accounts.\n2. Verify that no account can be added.\n\nIf on the management tool \"Modify accounts\" is not set to \"Disallow\", or on the Samsung Android device an account can be added, this is a finding.",
"description": "If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the Administrator or to allowlisted accounts mitigates this vulnerability.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55833r815493_fix",
"fixtext": "Configure the Samsung Android devices to prevent users from adding personal email accounts to the work email app.\n\nOn the management tool, in the Work profile restrictions, set \"Modify accounts\" to \"Disallow\".",
"iacontrols": null,
"id": "V-252427",
"ruleID": "SV-252427r815494_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must be configured to prevent users from adding personal email accounts to the work email app.",
"version": "KNOX-12-210220"
},
"V-252428": {
"checkid": "C-55884r815495_chk",
"checktext": "Verify requirement KNOX-12-210220 (Disallow modify accounts) has been implemented.\n\nIf \"Disallow modify accounts\" has not been implemented, this is a finding.",
"description": "Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-55834r815496_fix",
"fixtext": "Implement \"Disallow modify accounts\" (see requirement KNOX-12-210220).",
"iacontrols": null,
"id": "V-252428",
"ruleID": "SV-252428r815497_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must be configured to not allow backup of [all applications, configuration data] to remote systems.\n\n- Disable Data Sync Framework",
"version": "KNOX-12-210230"
},
"V-252429": {
"checkid": "C-55885r815498_chk",
"checktext": "Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are enabling an \"access control policy\" that prevents \"application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes\".\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the Work profile restrictions, verify that \"Cross profile copy/paste\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Using any Work app, copy text to the clipboard.\n2. Using any Personal app, verify that the clipboard text cannot be pasted.\n\nIf on the management tool \"Cross profile copy/paste\" is not set to \"Disallow\", or on the Samsung Android device the clipboard text can be pasted into a Personal app, this is a finding.",
"description": "App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk.\n\nCopy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.\n\nSFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2",
"fixid": "F-55835r815499_fix",
"fixtext": "Configure the Samsung Android devices to enable an \"access control policy\" that prevents \"application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes\".\n\nOn the management tool, in the Work profile restrictions section, set \"Cross profile copy/paste\" to \"Disallow\".",
"iacontrols": null,
"id": "V-252429",
"ruleID": "SV-252429r816530_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes.",
"version": "KNOX-12-210240"
},
"V-252430": {
"checkid": "C-55886r815501_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices' Work profile is preventing users from removing DoD root and intermediate PKI certificates.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the Work profile restrictions, verify that \"Config credentials\" is set to \"Disallow\".\n\nOn the Samsung Android device: \n1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.\n2. In the System tab, verify that no listed certificate in the Work profile can be untrusted.\n3. In the User tab, verify that no listed certificate in the Work profile can be removed.\n\nIf on the management tool \"Config credentials\" is not set to \"Disallow\", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.",
"description": "DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DoD root and intermediate PKI certificates to the Administrator mitigates this risk.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55836r815502_fix",
"fixtext": "Configure the Samsung Android devices' Work profile to prevent users from removing DoD root and intermediate PKI certificates.\n\nOn the management tool, in the Work profile restrictions, set \"Config credentials\" to \"Disallow\".",
"iacontrols": null,
"id": "V-252430",
"ruleID": "SV-252430r815503_rule",
"severity": "medium",
"title": "Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.",
"version": "KNOX-12-210250"
},
"V-252431": {
"checkid": "C-55887r815504_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are disabling unauthorized application repositories.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the Work profile restrictions, verify that \"installs from unknown sources globally\" is set to \"Disallow\".\n\nOn the Samsung Android device:\n1. Open Settings >> Biometrics and security >> Install unknown apps.\n2. In the \"Personal\" tab, ensure that each app listed has the status \"Disabled\" under the app name or that no apps are listed.\n3. In the \"Work\" tab, ensure that each app listed has the status \"Disabled\" under the app name or that no apps are listed.\n\nIf on the management tool \"installs from unknown sources globally\" is not set to \"Disallow\", or on the Samsung Android device an app is listed with a status other than \"Disabled\", this is a finding.",
"description": "Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #8a",
"fixid": "F-55837r815505_fix",
"fixtext": "Configure the Samsung Android devices to disable unauthorized application repositories.\n\nOn the management tool, in the Work profile restrictions, set \"installs from unknown sources globally\" to \"Disallow\".\n\nNOTE: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.",
"iacontrols": null,
"id": "V-252431",
"ruleID": "SV-252431r815506_rule",
"severity": "medium",
"title": "Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.",
"version": "KNOX-12-210260"
},
"V-252432": {
"checkid": "C-55888r815507_chk",
"checktext": "Review the configuration to determine if the Samsung Android devices are enabling Common Criteria (CC) mode.\n\nThis validation procedure is performed on both the management tool and the Samsung Android device.\n\nOn the management tool, in the Work profile restrictions, verify that \"Common Criteria mode\" is set to \"Enable\".\n\nOn the Samsung Android device, put the device into \"Download mode\" and verify that the text \"Blocked by CC Mode\" is displayed on the screen.\n\nIf on the management tool \"Common Criteria mode\" is not set to \"Enable\", or on the Samsung Android device the text \"Blocked by CC Mode\" is not displayed in \"Download mode\", this is a finding.",
"description": "The CC Mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC mode is not implemented, the device will not be operating in the NIAP-certified compliant CC Mode of operation.\n\nWhen enforcing AE CC mode on a Samsung Android device, additional Samsung-specific security features are also enabled.\n\nCC Mode implements the following behavioral/functional changes to meet MDFPP requirements:\n- How the Bluetooth and Wi-Fi keys are stored using different types of encryption.\n- Download Mode is disabled and all updates will occur via FOTA only.\n\nIn addition, CC Mode adds new restrictions, which are not to meet MDFPP requirements, but to offer better security above what is required:\n- Force password info following FOTA update for consistency.\n- Disable Remote unlock by FindMyMobile.\n- Restrict biometric attempts to 10 for better security.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55838r815508_fix",
"fixtext": "Configure the Samsung Android devices to enable Common Criteria (CC) mode.\n\nOn the management tool, in the Work profile restrictions, set \"Common Criteria mode\" to \"Enable\".",
"iacontrols": null,
"id": "V-252432",
"ruleID": "SV-252432r815509_rule",
"severity": "low",
"title": "Samsung Android's Work profile must be configured to enable Common Criteria (CC) Mode.",
"version": "KNOX-12-210270"
},
"V-252433": {
"checkid": "C-55889r815510_chk",
"checktext": "Verify requirement KNOX-12-210270 (CC Mode) has been implemented.\n\nIf \"CC Mode\" has not been implemented, this is a finding.",
"description": "Certificate-based security controls depend on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DoD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree.\n\nSFR ID: FIA_X509_EXT_2.2",
"fixid": "F-55839r815511_fix",
"fixtext": "Implement CC Mode (see requirement KNOX-12-210270).",
"iacontrols": null,
"id": "V-252433",
"ruleID": "SV-252433r815512_rule",
"severity": "low",
"title": "Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.",
"version": "KNOX-12-210280"
},
"V-252434": {
"checkid": "C-55890r815513_chk",
"checktext": "Review a sample of site User Agreements of Samsung device users or similar training records and training course content. \n\nVerify that Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO.\n\nIf any Samsung device user has not completed required training, this is a finding.",
"description": "The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55840r815514_fix",
"fixtext": "Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record.\n\nTraining topics:\n\n- Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking.\n\n- Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email).\n\n- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. \n\n- How to configure the following UBE controls (users must configure the control) on the Samsung device:\n1. Secure use of Calendar Alarm.\n2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use).\n3. Do not connect Samsung devices (via either DeX Station or dongle) to any DoD network via Ethernet connection.\n4. Do not upload DoD contacts via smart call and caller ID services.\n5. Disable Wi-Fi Sharing.\n6. Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space.\n\n- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.",
"iacontrols": null,
"id": "V-252434",
"ruleID": "SV-252434r815515_rule",
"severity": "medium",
"title": "Samsung Android device users must complete required training.",
"version": "KNOX-12-210290"
},
"V-252435": {
"checkid": "C-55891r816531_chk",
"checktext": "Review the configuration to confirm that the most recently released version of Samsung Android is installed on the Samsung Android devices.\n\nThis procedure is performed on both the management tool and the Samsung Android device. \n\nIn the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. See the notes below to determine the latest available OS version.\n\nOn the Samsung Android device, to see the installed OS version:\n1. Open Settings.\n2. Tap \"About phone\".\n3. Tap \"Software information\".\n\nIf the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding.\n\nNOTE: Some wireless carriers list the version of the latest Android OS release by mobile device model online:\n\nATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung\n\nT-Mobile: https://support.t-mobile.com/docs/DOC-34510\n\nVerizon Wireless: https://www.verizonwireless.com/support/software-updates/\n\nGoogle Android OS patch website: https://source.android.com/security/bulletin/ \n\nSamsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb",
"description": "Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-55841r815517_fix",
"fixtext": "Install the latest released version of Samsung Android OS on all managed Samsung devices. \n\nNote: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).",
"iacontrols": null,
"id": "V-252435",
"ruleID": "SV-252435r815518_rule",
"severity": "high",
"title": "The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.",
"version": "KNOX-12-210300"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-252406": "true",
"V-252407": "true",
"V-252408": "true",
"V-252409": "true",
"V-252410": "true",
"V-252411": "true",
"V-252412": "true",
"V-252413": "true",
"V-252414": "true",
"V-252415": "true",
"V-252416": "true",
"V-252417": "true",
"V-252418": "true",
"V-252419": "true",
"V-252420": "true",
"V-252421": "true",
"V-252422": "true",
"V-252423": "true",
"V-252424": "true",
"V-252425": "true",
"V-252426": "true",
"V-252427": "true",
"V-252428": "true",
"V-252429": "true",
"V-252430": "true",
"V-252431": "true",
"V-252432": "true",
"V-252433": "true",
"V-252434": "true",
"V-252435": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "samsung_android_12_with_knox_3.x_cope",
"title": "Samsung Android 12 with Knox 3.x COPE Security Technical Implementation Guide",
"version": "1"
}
}
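The V-252435 (KNOX-12-210300) check above is a manual procedure: read the OS version from Settings >> About phone >> Software information on each sampled device and compare it with the latest release published by the carrier or Samsung. The same values are exposed as Android system properties, so an assessor with ADB access to enrolled devices can collect them with `adb shell getprop` and compare them in bulk. The script below is an added example written for this page; it is not part of the STIG or of any management tool. It assumes the standard property names `ro.build.version.release` and `ro.build.version.security_patch`, and the baseline values and `getprop` output embedded in it are constructed for illustration, not real carrier release data: the baseline must be filled in from the carrier and Samsung pages linked in the check text.

```python
"""Added example, not part of the STIG: automate the KNOX-12-210300 OS
version check over `adb shell getprop` output from a sample of devices.

Assumptions: standard Android property names (ro.build.version.release,
ro.build.version.security_patch); BASELINE and SAMPLE_OUTPUT are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Each line of `getprop` output looks like: [name]: [value]
_PROP_RE = re.compile(r"^\[(?P<name>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")


def parse_getprop(output: str) -> dict[str, str]:
    """Parse `getprop` output into a dict; lines that do not match are ignored."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("name")] = m.group("value")
    return props


def _version_tuple(v: str) -> tuple[int, ...]:
    """'12' -> (12,), '11.0.1' -> (11, 0, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def _patch_date(s: str) -> date:
    """Security patch levels are ISO dates such as 2022-06-01; raises ValueError otherwise."""
    y, m, d = (int(x) for x in s.split("-"))
    return date(y, m, d)


@dataclass(frozen=True)
class Baseline:
    release: str          # latest Android release for the model, from the carrier page
    security_patch: str   # latest patch level, from the Samsung security update page


@dataclass(frozen=True)
class CheckResult:
    device: str
    finding: bool
    reasons: tuple[str, ...]


def check_device(device: str, getprop_output: str, baseline: Baseline) -> CheckResult:
    """Return a finding when the installed release or patch level is behind the baseline.

    A missing or unparseable property is a finding, not a pass: the assessor
    cannot mark a device compliant on absent evidence.
    """
    props = parse_getprop(getprop_output)
    reasons: list[str] = []

    release = props.get("ro.build.version.release")
    if release is None:
        reasons.append("ro.build.version.release missing")
    elif _version_tuple(release) < _version_tuple(baseline.release):
        reasons.append(f"release {release} < baseline {baseline.release}")

    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        reasons.append("ro.build.version.security_patch missing")
    else:
        try:
            if _patch_date(patch) < _patch_date(baseline.security_patch):
                reasons.append(f"security patch {patch} < baseline {baseline.security_patch}")
        except ValueError:
            reasons.append(f"unparseable security patch level {patch!r}")

    return CheckResult(device, bool(reasons), tuple(reasons))


# Constructed sample of what `adb -s <serial> shell getprop` prints (trimmed to the relevant lines).
SAMPLE_OUTPUT = {
    "device-A": "[ro.build.version.release]: [12]\n"
                "[ro.build.version.sdk]: [31]\n"
                "[ro.build.version.security_patch]: [2022-06-01]\n",
    "device-B": "[ro.build.version.release]: [12]\n"
                "[ro.build.version.sdk]: [31]\n"
                "[ro.build.version.security_patch]: [2022-03-01]\n",
    "device-C": "[ro.build.version.release]: [11]\n"
                "[ro.build.version.sdk]: [30]\n",
}

# Constructed baseline; fill in from the carrier/Samsung pages cited in the check text.
BASELINE = Baseline(release="12", security_patch="2022-06-01")


def check_sample(outputs: dict[str, str] | None = None,
                 baseline: Baseline = BASELINE) -> list[CheckResult]:
    """Run the check over a mapping of device name -> getprop output."""
    outputs = SAMPLE_OUTPUT if outputs is None else outputs
    return [check_device(name, out, baseline) for name, out in outputs.items()]


if __name__ == "__main__":
    for r in check_sample():
        print(f"{r.device}: {'FINDING' if r.finding else 'OK'} {'; '.join(r.reasons)}")
```

The comparison is deliberately two-part: a device can be on the current Android release and still be behind on the monthly security patch level, which is the case the STIG's "known vulnerabilities" rationale is really about, so both values are checked and either one lagging produces a finding.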