| V-276537 | | Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |
| V-276538 | | Samsung Android must be configured to disallow configuration of the device's date and time. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating syste... |
| V-276539 | | Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key. | If no authentication is required to establish personal hotspot connections (Wi-Fi and Bluetooth), an adversary may be able to use that device to perfo... |
| V-276540 | | Samsung Android must be configured to disable developer modes. | Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a d... |
| V-276541 | | Samsung Android 16 must disable the ability of the user to wipe the device. | This feature must be disabled in order to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users... |
| V-276542 | | Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-276543 | | Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems. (This requirement applies to the Work Profile for COPE.)
- Disable Data Sync Framework. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than... |
| V-276544 | | Samsung Android's Work profile must be configured to prevent users from adding personal email accounts to the work email app. | If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unautho... |
| V-276547 | | Samsung Android must be configured to disable USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage i... |
| V-276548 | | Samsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed u... |
| V-276549 | | Samsung Android must be configured to disable ad hoc wireless client-to-client connection capability. | Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and... |
| V-276550 | | The Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled. | Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wireles... |
| V-276551 | | Samsung Android's Work profile must have the DOD root and intermediate PKI certificates installed. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermed... |
| V-276552 | | The Samsung Android device work profile must be configured to enforce the system application disable list. | The system application disable list controls user access to/execution of all core and preinstalled applications.
Core application: Any application ... |
| V-276556 | | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Note: This requirement is Not Applicable for specific biometric authentication factors included in the product's Common Criteria evaluation.
The biom... |
| V-276557 | | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-276558 | | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to freque... |
| V-276559 | | Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on ... |
| V-276560 | | Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-276562 | | Samsung Android must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a ... |
| V-276563 | | Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or s... |
| V-276566 | | Samsung Android's Work profile must be configured to enable audit logging. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can... |
| V-276567 | | The Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-276568 | | The Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking. | A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys.... |
| V-276569 | | Samsung Android allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini. | Sensitive DOD data could be exposed when an AI app processes device data in the cloud.
SFR ID: FMT_SMF.1.1 #8... |
| V-276614 | | Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names. | The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and p... |
| V-276615 | | Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3-validated) data sharing with other MDs or printers.
- Apps that backup their own data to a remote system.
- Apps that render TV shows and movies. | Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) tha... |
| V-276625 | | Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems.
- Disable Backup Services. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than... |
| V-276632 | | Samsung Android must be enrolled as a COBO device. | The device is the designated application group for the COBO use case.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-276633 | | Samsung Android device users must complete required training. | The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (U... |
| V-276635 | | Samsung Android 16 devices must have a Mobile Threat Detection (MTD) app installed. | DOD mobile devices are in constant risk of cyber threats. MTD apps mitigate these risks by providing real-time threat detection, malware prevention, a... |
| V-276636 | | Samsung Android 16 must implement the management setting: disable Camera. | Authorizing official (AO) approval is required before the mobile device camera can be enabled for a specific user or group of users, based on a risk a... |
| V-279244 | | Samsung Android 16 must implement the management setting: disable the Bluetooth radio. | Authorizing official (AO) approval is required before the Samsung device Bluetooth radio can be enabled. All AO approvals must be documented and based... |
| V-279245 | | The Samsung Android device must be configured to disable Wi-Fi Aware for Work Profile apps. | Wi-Fi Aware allows direct connections between nearby devices for fast data transfer, video streaming, and multiplayer gaming. It allows full peer-to-p... |
| V-276535 | | Samsung Android 16 must disable the use of assistants (including Samsung Assistant) unless required to meet Section 508 compliance requirements. | The use of assistants could expose sensitive DOD data to cloud based servers during the processing of assistant requests.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-276536 | | Samsung Android must be configured to disable all Bluetooth profiles except for Headset Profile (HSP), Hands-Free Profile (HFP), Serial Port Profile (SPP), Advanced Audio Distribution Profile (A2DP), Audio/Video Remote Control Profile (AVRCP), and Phone Book Access Profile (PBAP). | Some Bluetooth profiles provide the capability for remote transfer of sensitive DOD data without encryption or otherwise do not meet DOD IT security p... |
| V-276546 | | Samsung Android 16 must disable wireless printing. | Wireless printing allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD infor... |
| V-276553 | | Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate. | Certificate-based security controls depend on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid ... |
| V-276554 | | Samsung Android's Work profile must be configured to enable Common Criteria (CC) mode. | The CC mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC mode is not implemented, the d... |
| V-276555 | | Samsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-276561 | | The Samsung Android device must be configured to perform the following management function: Disable Phone Hub. | It may be possible to transfer work profile data on a DOD Android device to an unauthorized Chromebook if the user has the same Google Account set up ... |
| V-276564 | | The Samsung Android device must be configured to disable the use of third-party keyboards. | Many third-party keyboard applications are known to contain malware.
SFR ID: FMT_SMF.1.1 #47... |
| V-276565 | | Samsung Android 16 must disable screen capture. | The feature screen capture could lead to the exposure of sensitive DOD information.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-276545 | | Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled. | The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypte... |
| V-276634 | | The Samsung Android device must have the latest available Samsung Android operating system (OS) installed. | Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.
SFR ID: FMT_MOF_EX... |
