| V-267459 | | Android 15 devices must have the latest available Google Android 15 operating system installed. | Required security features are not available in earlier operating system versions. In addition, there may be known vulnerabilities in earlier versions... |
| V-269100 | | Google Android 15 must be configured to disable "Private Space" use. | Private Space is an Android feature that provides a separate encrypted container on the mobile device. Apps in Private Space show up in a separate con... |
| V-267430 | | Google Android 15 must be configured to enable audit logging. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. To be useful, administrators must have the abil... |
| V-267431 | | Google Android 15 must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a ... |
| V-267432 | | Google Android 15 must be configured to not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or s... |
| V-267433 | | Google Android 15 must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-267434 | | Google Android 15 must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on ... |
| V-267435 | | Google Android 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store]. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-267436 | | Google Android 15 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version]. | The application allow list, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and ... |
| V-267437 | | Google Android 15 allow list must be configured to not include applications with the following characteristics:
- Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmits MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user;
- Payment processing;
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; and
- Backs up its own data to a remote system. | Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) th... |
| V-267438 | | Google Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini. | Sensitive DOD data could be exposed when an AI app processes device data in the cloud.
SFRID: FMT_SMF.1.1 #8... |
| V-267439 | | Google Android 15 must be configured to not display the following (work profile) notifications when the device is locked: [selection:
a. email notifications
b. calendar appointments
c. contact associated with phone call notification
d. text message notification
e. other application-based notifications
f. all notifications]. | Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to freque... |
| V-267440 | | Google Android 15 must be configured to disable trust agents. | Trust agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected B... |
| V-267441 | | Google Android 15 must be configured to disable developer modes. | Developer modes expose features of the mobile operating system (MOS) that are not available during standard operation. An adversary may leverage a vul... |
| V-267443 | | Google Android 15 must be configured to generate audit records for the following auditable events: Detected integrity violations. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can... |
| V-267444 | | Google Android 15 must be configured to disable USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage i... |
| V-267445 | | Google Android 15 must be configured to not allow backup of [all applications, configuration data] to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed u... |
| V-267446 | | Google Android 15 must be configured to not allow backup of [all applications, configuration data] to remote systems. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than... |
| V-267447 | | Google Android 15 must be configured to enable authentication of personal hotspot connections to the device using a preshared key. | If no authentication is required to establish personal hotspot connections (Wi-Fi and Bluetooth), an adversary may be able to use that device to perfo... |
| V-267448 | | Google Android 15 must be configured to disable multiuser modes. | Multiuser mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with mu... |
| V-267450 | | Google Android 15 must be configured to disable ad hoc wireless client-to-client connection capability. | Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and... |
| V-267451 | | Google Android 15 users must complete required training. | The security posture of Google devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UB... |
| V-267452 | | Google Android 15 must be configured to disable Wi-Fi Sharing. | Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wireles... |
| V-267453 | | Google Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the approving authority (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled. | Wi-Fi and Bluetooth hotspot use may increase the risk for exposing sensitive DOD data for some use cases, therefore it should be disabled unless appro... |
| V-267454 | | Google Android 15 must have the DOD root and intermediate PKI certificates installed. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermed... |
| V-267455 | | The Google Android 15 work profile must be configured to enforce the system application disable list. | The system application disable list controls user access to/execution of all core and preinstalled applications.
Core application: Any application ... |
| V-267456 | | The Google Android 15 work profile must be configured to disable automatic completion of workspace internet browser text input. | The autofill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable ... |
| V-267457 | | The Google Android 15 work profile must be configured to disable the autofill services. | The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PI... |
| V-267458 | | Google Android 15 must be configured to disallow configuration of date and time. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating syste... |
| V-267462 | | Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-267463 | | The Google Android 15 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |
| V-267442 | | Google Android 15 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-267449 | | Google Android 15 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile). | Some Bluetooth profiles provide the capability for remote transfer of sensitive DOD data without encryption or otherwise do not meet DOD IT security p... |
| V-267460 | | Android 15 devices must be configured to disable the use of third-party keyboards. | Many third-party keyboard applications are known to contain malware.
SFRID: FMT_SMF.1.1 #47... |
| V-267461 | | Android 15 devices must be configured to enable Common Criteria Mode (CC Mode). | The CC Mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC mode is not implemented, the d... |
| V-267464 | | Google Android 15 must allow only the administrator (MDM) to perform the following management function: Disable Phone Hub. | It may be possible to transfer work profile data on a DOD Android device to an unauthorized Chromebook if the user has the same Google Account set up ... |
