STIGhub

V-276677

CAT II (Medium)

Samsung Android allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.

Rule ID

SV-276677r1139553_rule

STIG

Samsung Android 16 COPE Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000803

Discussion

Sensitive DOD data could be exposed when an AI app processes device data in the cloud.

SFR ID: FMT_SMF.1.1 #8

Check Content

Review managed Samsung Android 16 device configuration settings to determine if the mobile device has an AI application that processes device data in the cloud, including Google Gemini.

Verify requirement KNOX-16-009200 (disallow modify accounts) has been implemented.

Verify the KPE API "isIntelligenceOnlineProcessingAllowed()" returns false or that the KSP configuration has the restriction "Allow process data only on device" set to true.

If any AI applications that process data in the cloud are included in the MDM console list of allowed apps, or "Allow process data only on device" is not set to true, this is a finding.

Fix Text

This validation procedure is performed only on the EMM Administration Console.

On the EMM console:

1. Review the list of selected Managed Google Play apps.
2. Verify no AI applications that process device data in the cloud, including Google Gemini, are included.

Note: This restriction does not include Galaxy on device AI. Galaxy on device AI is a "built-in" capability of Android 16 and processes device data on the device.

If the EMM console device policy includes AI applications that process device data in the cloud, including Google Gemini, this is a finding.

Disallow modify accounts (refer to requirement KNOX-16-009200).

If "disallow modify accounts" has not been implemented, this is a finding.

Apply the "Disallow Intelligence Online Processing" restriction using the KPE API or KSP. The KPE API call is allowIntelligenceOnlineProcessing(false), and the KSP restriction is "Allow process data only on device", which should be set to true.

KPE: allowIntelligenceOnlineProcessing