The Samsung KNOX for Android platform must be configured to enable CC mode.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-69685	KNOX-39-015600	SV-84307r1_rule		High

Description
CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the mobile device is more at risk of being compromised if lost or stolen. CC mode implements the following controls: - enables the OpenSSL FIPS crypto library - sets the password failure settings to wipe the device to 5 (5 failed consecutive attempts will wipe the device) - disables ODIN mode (download mode) SFR ID: FMT_SMF_EXT.1.1 #45

Description

CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the mobile device is more at risk of being compromised if lost or stolen. CC mode implements the following controls: - enables the OpenSSL FIPS crypto library - sets the password failure settings to wipe the device to 5 (5 failed consecutive attempts will wipe the device) - disables ODIN mode (download mode) SFR ID: FMT_SMF_EXT.1.1 #45

STIG	Date
Samsung Android OS 6 (with KNOX 2.x) Security Technical Implementation Guide	2016-11-14

Details

Check Text ( C-70127r1_chk )
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "About Device". 3. Select "Software info". (Note: On some devices, this step is not needed.) 4. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.

Check Text ( C-70127r1_chk )

This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule.
2. Verify the value is enabled.

Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "About Device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Verify the value of "Security software version" displays "Enforced".

If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.

Fix Text (F-75889r1_fix)
Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK and enable CC mode from this application. This APK will be made available by Samsung.