| V-260082 | | Google Android 14 must prohibit DOD VPN profiles in the Personal Profile. | If DOD VPN profiles are configured in the Personal Profile, DOD sensitive data would be at risk of compromise and the DOD network could be at risk of b... |
| V-260126 | | Google Android 14 must be configured to enforce a minimum password length of six characters and not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a ... |
| V-260127 | | Google Android 14 must be configured to enable a screen-lock policy that will lock the display after a period of inactivity. | The screen-lock timeout helps protect the device from unauthorized access. Devices without a screen-lock timeout provide an opportunity for adversarie... |
| V-260128 | | Google Android 14 must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-260129 | | Google Android 14 must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary makes to guess a password, the more likely the adversary will enter the correct password and gain access to resources o... |
| V-260130 | | Google Android 14 must be configured to enforce an application installation policy by specifying one or more authorized application repositories. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-260131 | | Google Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version]. | The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and p... |
| V-260132 | | Google Android 14 allowlist must be configured to not include applications with the following characteristics (work profile only):
1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
2. Transmit MD diagnostic data to non-DOD servers;
3. Voice assistant application if available when MD is locked;
4. Voice dialing application if available when MD is locked;
5. Allows synchronization of data or applications between devices associated with user; and
6. Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.
7. Apps which back up their own data to a remote system. | Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) tha... |
| V-260133 | | Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection:
a. email notifications
b. calendar appointments
c. contact associated with phone call notification
d. text message notification
e. other application-based notifications
f. all notifications]. | Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to freque... |
| V-260137 | | Google Android 14 must be configured to disable trust agents. | Trust agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected B... |
| V-260142 | | Google Android 14 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the Work Profile. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-260149 | | Google Android 14 must be configured to not allow backup of all work profile applications to remote systems. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than... |
| V-260152 | | Google Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant ri... |
| V-260160 | | Google Android 14 users must complete required training. | The security posture of Google devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UB... |
| V-260162 | | Google Android 14 must have the DOD root and intermediate PKI certificates installed (work profile only). | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermed... |
| V-260163 | | The Google Android 14 work profile must be configured to prevent users from adding personal email accounts to the work email app. | If the user can add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized r... |
| V-260164 | | The Google Android 14 work profile must be configured to enforce the system application disable list (work profile only). | The system application disable list controls user access to/execution of all core and preinstalled applications.
Core application: Any application ... |
| V-260165 | | Google Android 14 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]). | The Android work profile for employee-owned devices (BYOD) is the designated application group for the BYOAD use case.
SFR ID: FMT_SMF_EXT.1.1 #47... |
| V-260166 | | The Google Android 14 work profile must be configured to disable automatic completion of workspace internet browser text input. | The autofill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable ... |
| V-260167 | | The Google Android 14 work profile must be configured to disable the autofill services. | The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PI... |
| V-260170 | | Android 14 devices must have the latest available Google Android 14 operating system installed. | Required security features are not available in earlier operating system versions. In addition, there may be known vulnerabilities in earlier versions... |
| V-260171 | | Android 14 devices must be configured to disable the use of third-party keyboards (work profile only). | Many third-party keyboard applications are known to contain malware.
SFR ID: FMT_SMF_EXT.1.1 #47... |
| V-260174 | | The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile). | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |