UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation Guide


Overview

Date Finding Count (37)
2024-02-07 CAT I (High): 2 CAT II (Med): 29 CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-258655 High The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
V-258638 High Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
V-258648 Medium Samsung Android must be configured to prevent users from adding personal email accounts to the work email app.
V-258649 Medium Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems.- Disable Data Sync Framework.
V-258642 Medium Samsung Android must be configured to disallow configuration of the device's date and time.
V-258643 Medium Samsung Android must have the DOD root and intermediate PKI certificates installed.
V-258640 Medium Samsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.
V-258641 Medium Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key. - Disallow config tethering.
V-258646 Medium Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.
V-258647 Medium Samsung Android must be configured to enable audit logging.
V-258644 Medium Samsung Android must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
V-258645 Medium Samsung Android must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
V-258628 Medium Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.
V-258629 Medium Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.
V-258660 Medium The Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
V-258662 Medium Samsung Android must be configured to disable ad hoc wireless client-to-client connection capability.
V-258626 Medium Samsung Android must be enrolled as a COBO device.
V-258658 Medium The Samsung Android device work profile must be configured to enforce the system application disable list.
V-258654 Medium Samsung Android device users must complete required training.
V-258657 Medium The Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled.
V-258656 Medium The Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.
V-258651 Medium Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.
V-258650 Medium Samsung Android must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
V-258639 Medium Samsung Android must be configured to disable USB mass storage mode.
V-258633 Medium Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.
V-258632 Medium Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
V-258631 Medium Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
V-258630 Medium Samsung Android must be configured to enforce a minimum password length of six characters.
V-258636 Medium Samsung Android must be configured to disable developer modes.
V-258635 Medium Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems. - Disable Backup Services.
V-258634 Medium Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.
V-258661 Low The Samsung Android device must be configured to perform the following management function: Disable Phone Hub.
V-258627 Low Samsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
V-258659 Low The Samsung Android device must be configured to disable the use of third-party keyboards.
V-258653 Low Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.
V-258652 Low Samsung Android must be configured to enable Common Criteria (CC) mode.
V-258637 Low Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).