UCF STIG Viewer Logo

Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide


Overview

Date Finding Count (30)
2022-11-10 CAT I (High): 2 CAT II (Med): 24 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-255119 High Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
V-255136 High The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
V-255111 Medium Samsung Android must be configured to enforce a minimum password length of six characters.
V-255110 Medium Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.
V-255113 Medium Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
V-255112 Medium Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
V-255115 Medium Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.
V-255114 Medium Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition.
V-255117 Medium Samsung Android must be configured to disable developer modes.
V-255116 Medium Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems. - Disable Backup Services.
V-255131 Medium Samsung Android must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
V-255130 Medium Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems. - Disable Data Sync Framework.
V-255135 Medium Samsung Android device users must complete required training.
V-255132 Medium Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.
V-255122 Medium Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
V-255128 Medium Samsung Android must be configured to enable audit logging.
V-255129 Medium Samsung Android must be configured to prevent users from adding personal email accounts to the work email app.
V-255109 Medium Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.
V-255120 Medium Samsung Android must be configured to disable USB mass storage mode.
V-255121 Medium Samsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.
V-255107 Medium Samsung Android must be enrolled as a COBO device.
V-255123 Medium Samsung Android must be configured to disallow configuration of the device's date and time.
V-255124 Medium Samsung Android must have the DOD root and intermediate PKI certificates installed.
V-255125 Medium Samsung Android must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
V-255126 Medium Samsung Android must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
V-255127 Medium Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.
V-255118 Low Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
V-255134 Low Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.
V-255133 Low Samsung Android must be configured to enable Common Criteria (CC) mode.
V-255108 Low Samsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.