Vuln ID | Severity | Rule Title | Discussion
--- | --- | --- | ---
V-80259 | High | Samsung Android 8 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled. | Samsung Android 8 with Knox must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
V-80257 | High | The Samsung Android 8 with Knox device must have the latest available Samsung Android operating system (OS) installed. | Required security features are not available in earlier OS versions. In addition, there may be known vulnerabilities in earlier versions. SFR ID: FMT_SMF_EXT.1.1 #47 |
V-80207 | Medium | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed). | Trust Agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected... |
V-80213 | Medium | Samsung Android 8 with Knox must implement the management setting: Disable automatic completion of browser text input. | The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge... |
V-80191 | Medium | Samsung Android 8 with Knox must be configured to not display the following notifications when the device is locked: All notifications. | Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there... |
V-80211 | Medium | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Face Recognition. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed). | The Face Recognition feature allows a user's face to be registered and used to unlock the device. This technology would allow unauthorized users to have access to DoD sensitive data if... |
V-80193 | Medium | Samsung Android 8 mobile device users must complete required training. | The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In... |
V-80195 | Medium | The Samsung DeX Station/Pad multimedia dock must not be connected directly to a DoD network. | If the Samsung DeX Station/Pad multimedia dock is connected to a DoD network, the Samsung smartphone connected to the DeX Station will be connected to the DoD network as well. The Samsung... |
V-80215 | Medium | Samsung Android 8 with Knox must be configured to disable multi-user modes. | Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements... |
V-80235 | Medium | Samsung Android 8 with Knox must implement the management setting: Disable Manual Date Time Changes. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing... |
V-80231 | Medium | Samsung Android 8 with Knox must be configured to disable USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a... |
V-80237 | Medium | Samsung Android 8 with Knox must implement the management setting: USB host mode whitelist. | The USB host mode feature allows select USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD... |
V-80233 | Medium | Samsung Android 8 with Knox must implement the management setting: Enable CC mode. | CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and... |
V-80255 | Medium | Samsung Android 8 with Knox must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key. | If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A... |
V-80253 | Medium | Samsung Android 8 with Knox must be configured to disable developer modes. | Developer modes expose features of the Samsung Android 8 with Knox that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to... |
V-80251 | Medium | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Samsung Android 8 with Knox. Where the... |
V-80179 | Medium | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices (MDs) or printers. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-80177 | Medium | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-80175 | Medium | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice dialing application if available when MD is locked. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-80173 | Medium | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice assistant application if available when mobile device (MD) is locked. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-80171 | Medium | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services). | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-80183 | Medium | Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]: Disable unknown sources. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-80201 | Medium | Samsung Android 8 with Knox must implement the management setting: Configure minimum password complexity. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-80181 | Medium | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-80203 | Medium | Samsung Android 8 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
V-80261 | Medium | Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check. | A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the... |
V-80209 | Medium | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Intelligent Scanning. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed). | The Intelligent Scanning feature allows a user's face and iris to be registered and used such that either authentication method returning a match will unlock the device. Intelligent Scanning... |
V-80189 | Medium | Samsung Android 8 with Knox must implement the management setting: Enable Audit Log. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their... |
V-80227 | Medium | Samsung Android 8 with Knox must implement the management setting: Disable Admin Remove. | DoD policy requires DoD mobile devices to be managed via a mobile device management service. If Admin Remove is not disabled, the mobile device user can remove the Administrator (MDM) from the... |
V-80225 | Medium | Samsung Android 8 with Knox must implement the management setting: Disable Allow New Admin Install. | An application with Administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, this will allow... |
V-80249 | Medium | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally... |
V-80245 | Medium | Samsung Android 8 with Knox for Android must implement the management setting: Disable Samsung Wi-Fi Sharing. | Wi-Fi Tethering allows a device to act as an Access Point, sharing its data connection with other wirelessly connected devices. Previously the device could only share its mobile (cellular) data... |
V-80247 | Medium | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Samsung Android 8 with Knox. Where the... |
V-80241 | Medium | Samsung Android 8 with Knox must implement the management setting: Disable Android Beam. | Android Beam allows transfer of data through NFC and Bluetooth by touching two unlocked devices together. If it were enabled, sensitive DoD data could be transmitted. SFR ID: FMT_SMF_EXT.1.1 #47 |
V-80161 | Medium | Samsung Android 8 with Knox must implement the management setting: Account whitelist. | Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized... |
V-80163 | Medium | Samsung Android 8 with Knox must implement the management setting: Account blacklist. | Blacklisting all email accounts is required so only whitelisted accounts can be configured. SFR ID: FMT_SMF_EXT.1.1 #47 |
V-80229 | Medium | Samsung Android 8 with Knox must implement the management setting: Disable S Voice. | On Samsung Android 8 with Knox devices, users may be able to access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile... |
V-80165 | Medium | Samsung Android 8 with Knox must implement the management setting: Configure application disable list. | Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps pre-installed by Google. Third-party... |
V-80167 | Medium | Samsung Android 8 with Knox must implement the management setting: Configure application install blacklist. | Blacklisting all applications is required so that only whitelisted applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the... |
V-80169 | Medium | Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: List of digital signatures or list of package names. | The application whitelist, in addition to controlling the installation of applications on the mobile device (MD), must control user access/execution of all core and pre-installed applications, or... |
V-80239 | Medium | Samsung Android 8 with Knox must implement the management setting: Configure disable Share Via List. | The "Share Via List" feature allows the transfer of data between nearby Samsung devices via Android Beam, Wi-Fi Direct, Link Sharing, and Share to Device. If sharing were enabled, sensitive DoD... |
V-80263 | Medium | Samsung Android 8 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device. | DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an... |
V-80217 | Low | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product... |
V-80197 | Low | Samsung Android 8 with Knox must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-80199 | Low | Samsung Android 8 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier... |
V-80219 | Low | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report Diagnostic Info. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product... |
V-80187 | Low | Samsung Android 8 with Knox must be configured to: Disable Bixby Vision. | Bixby Vision's image and text recognition capabilities use cloud-based processing. This may leak sensitive DoD data. SFR ID: FMT_SMF_EXT.1.1 #47 |
V-80205 | Low | Samsung Android 8 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of... |
V-80185 | Low | Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the Battery optimizations modes Whitelist. | Doze and App Standby are power-saving features that extend battery life by deferring background CPU and network activity. If the MDM Client is put into Doze or App Standby mode, the MDM... |
V-80221 | Low | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product... |
V-80243 | Low | Samsung Android 8 with Knox must be configured to: Disable upload of DoD contact information. | Caller ID and spam protection apps let a user know who is calling even when the number is not on the user's contact list by using an online service to do the lookup. Users can also upload their... |
V-80223 | Low | Samsung Android 8 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). | Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR... |
V-80265 | Low | Samsung Android 8 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device. | The Samsung Android 8 with Knox is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices... |