Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide


Overview

Date: 2020-05-15
Finding Count: 51 (CAT I (High): 3, CAT II (Med): 41, CAT III (Low): 7)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-93895 High Samsung Android must be configured to enable Knox Common Criteria (CC) Mode.
V-93911 High Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.
V-93923 High Samsung Android devices must have the latest available Samsung Android operating system installed.
V-93859 Medium Samsung Android must be configured to enable the Knox audit log.
V-93897 Medium Samsung Android must be configured to disallow configuration of date and time.
V-93851 Medium Samsung Android Workspace must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, list of package names.
V-93853 Medium The Samsung Android whitelist must be configured to not include applications with the following characteristic: - transmit MD diagnostic data to non-DoD servers.
V-93899 Medium Samsung Android must be configured to enforce a USB host mode exception list. Note: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
V-93857 Medium Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [DoD-approved commercial app repository, MDM server, mobile application store]: - disallow unknown app installation sources.
V-93869 Medium Any accessory that provides wired networking capabilities to a Samsung Android device must not be connected to a DoD network (for example: DeX Station [LAN port], USB to Ethernet adapter, etc.).
V-93893 Medium Samsung Android must be configured to disable USB mass storage mode.
V-93867 Medium Samsung Android device users must complete required training.
V-93903 Medium Samsung Android must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
V-93847 Medium Samsung Android must be configured to enforce the system application disable list.
V-93901 Medium Samsung Android Workspace must be configured to disallow the Share Via List feature.
V-93845 Medium The Samsung Android Workspace must be configured to prevent users from adding personal email accounts to the work email app.
V-93907 Medium Samsung Android must be configured to disable developer modes.
V-93905 Medium Samsung Android Workspace must be configured to not allow backup of [all applications, configuration data] to remote systems.
V-93925 Medium Samsung Android Workspace must be configured to enable the Online Certificate Status Protocol (OCSP).
V-93929 Medium Samsung Android Workspace must be configured to not enable Microsoft Exchange ActiveSync (EAS) password recovery. This requirement is not applicable if not using Microsoft EAS.
V-93909 Medium Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.
V-93875 Medium Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
V-93877 Medium Samsung Android Workspace must be configured to lock after 15 minutes (or less) of inactivity.
V-93849 Medium Samsung Android Workspace must be configured to enforce the system application disable list.
V-93883 Medium Samsung Android must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
V-93887 Medium Samsung Android Workspace must be configured to disable automatic completion of Samsung Internet browser text input.
V-93885 Medium Samsung Android must be configured to disable Face Recognition. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
V-93947 Medium Samsung Android must be configured to enforce that Strong Protection is enabled. This requirement is Not Applicable (NA) for devices older than Galaxy S10.
V-93855 Medium The Samsung Android Workspace whitelist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
V-93945 Medium Samsung Android Workspace must be configured to enable a screen-lock policy that will lock the Workspace after a period of inactivity.
V-93889 Medium Samsung Android must be configured to disable multi-user modes.
V-93861 Medium Samsung Android must be configured to disable exceptions to the access control policy that prevents [application processes, groups of application processes] from accessing [all, private] data stored by other [application processes, groups of application processes].
V-93941 Medium Samsung Android Workspace must be configured to enforce a minimum password length of four characters.
V-93863 Medium Samsung Android must be configured to create a Knox Workspace.
V-93927 Medium Samsung Android must be configured to enable the Online Certificate Status Protocol (OCSP).
V-93865 Medium Samsung Android Workspace must be configured to not display the following notifications when the device is locked: - all notifications.
V-93913 Medium Samsung Android Workspace must be configured to enable Certificate Revocation List (CRL) status checking.
V-93939 Medium Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.
V-93915 Medium Samsung Android must be configured to enable Certificate Revocation List (CRL) status checking.
V-93917 Medium Samsung Android Workspace must have the DoD root and intermediate PKI certificates installed.
V-93933 Medium Samsung Android must be configured to set the password history with a length of 0.
V-93931 Medium Samsung Android must be configured to not enable Microsoft Exchange ActiveSync (EAS) password recovery. This requirement is not applicable if not using Microsoft EAS.
V-93937 Medium Samsung Android must be configured to enforce that Secure Startup is enabled. This requirement is Not Applicable (NA) to Galaxy S10 (or newer) devices.
V-93935 Medium Samsung Android Workspace must be configured to set the password history with a length of 0.
V-93891 Low Samsung Android must be configured to disable all Bluetooth profiles except HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
V-93879 Low Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
V-93873 Low Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
V-93921 Low Samsung Android must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
V-93881 Low Samsung Android Workspace must be configured to not allow more than 10 consecutive failed authentication attempts.
V-93943 Low Samsung Android Workspace must be configured to not allow passwords that include more than two repeating or sequential characters.
V-93871 Low Samsung Android must be configured to enforce a minimum password length of six characters.
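The password findings above (V-93871 and V-93941 for minimum length, V-93873 and V-93943 for the repeating/sequential-character rule) are the ones an MDM administrator most often has to reason about when a user reports that a password was rejected. The checker below is an added example, not code from DISA or the Knox SDK, that models those rules so a policy can be tested before it is pushed to devices. The STIG text does not define "sequential"; the checker assumes that three or more characters with consecutive code points in one direction (for example "abc" or "321") count as sequential, and that "repeating" means the same character three or more times in a row. The constant and function names are the example's own.

```python
"""Checker for the STIG password findings (added example, not DISA or Knox code).

Models, as written in the findings list:
  - V-93871: device password minimum length 6
  - V-93941: Workspace password minimum length 4
  - V-93873 / V-93943: no more than two repeating or sequential characters
ASSUMPTION: "sequential" means three or more characters whose code points
step by +1 or -1 in a single direction; "repeating" means the same character
three or more times in a row. Neither is defined in the STIG text.
"""
from dataclasses import dataclass

DEVICE_MIN_LENGTH = 6      # V-93871
WORKSPACE_MIN_LENGTH = 4   # V-93941
MAX_RUN = 2                # V-93873 / V-93943: runs longer than this fail


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reasons: tuple


def longest_repeat_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_sequential_run(pw: str) -> int:
    """Length of the longest run where each character is the previous one
    +1 or -1 in code point, holding a single direction for the whole run.
    "aba" therefore scores 2, not 3, because the direction flips."""
    if not pw:
        return 0
    best = run = 1
    direction = 0
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            if step == direction:
                run += 1
            else:
                direction, run = step, 2
        else:
            direction, run = 0, 1
        best = max(best, run)
    return best


def check_password(pw: str, *, min_length: int) -> Verdict:
    """Apply the length rule and the repeating/sequential rule; collect every
    failing reason rather than stopping at the first so the user sees them all."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"length {len(pw)} is below the minimum of {min_length}")
    rep = longest_repeat_run(pw)
    if rep > MAX_RUN:
        reasons.append(f"{rep} repeating characters in a row (maximum {MAX_RUN})")
    seq = longest_sequential_run(pw)
    if seq > MAX_RUN:
        reasons.append(f"{seq} sequential characters in a row (maximum {MAX_RUN})")
    return Verdict(ok=not reasons, reasons=tuple(reasons))


def check_device_password(pw: str) -> Verdict:
    """Device-level password: V-93871 plus V-93873."""
    return check_password(pw, min_length=DEVICE_MIN_LENGTH)


def check_workspace_password(pw: str) -> Verdict:
    """Knox Workspace password: V-93941 plus V-93943."""
    return check_password(pw, min_length=WORKSPACE_MIN_LENGTH)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Tr4vel!", "aaa123", "Pass", "cba987", "abab12"):
        print(candidate, check_device_password(candidate))
```

Note that the Workspace minimum (four characters) is deliberately lower than the device minimum (six), as the findings state, so a password that fails `check_device_password` can still pass `check_workspace_password`; the two checks are kept separate for that reason.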