STIGs Search Compare About

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
Compare Versions

Resources

About
VPAT
DISA STIG Library

STIGs updated 1 hour ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Google Android 15 COBO Security Technical Implementation Guide

Version

V1R4

Release Date

Feb 6, 2026

SCAP Benchmark ID

Google_Android_15_COBO_STIG

Total Checks

44

Tags

mobile

CAT I: 2CAT II: 34CAT III: 8

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (44)

V-267430MEDIUMGoogle Android 15 must be configured to enable audit logging.V-267431MEDIUMGoogle Android 15 must be configured to enforce a minimum password length of six characters.V-267432MEDIUMGoogle Android 15 must be configured to not allow passwords that include more than four repeating or sequential characters.V-267433MEDIUMGoogle Android 15 must be configured to lock the display after 15 minutes (or less) of inactivity.V-267434MEDIUMGoogle Android 15 must be configured to not allow more than 10 consecutive failed authentication attempts.V-267435MEDIUMGoogle Android 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].V-267436MEDIUMGoogle Android 15 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].V-267437MEDIUMGoogle Android 15 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies.V-267438MEDIUMGoogle Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.V-267439MEDIUMGoogle Android 15 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].V-267440MEDIUMGoogle Android 15 must be configured to disable trust agents.V-267441MEDIUMGoogle Android 15 must be configured to disable developer modes.V-267442LOWGoogle Android 15 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.V-267443MEDIUMGoogle Android 15 must be configured to generate audit records for the following auditable events: Detected integrity violations.V-267444MEDIUMGoogle Android 15 must be configured to disable USB mass storage mode.V-267445MEDIUMGoogle Android 15 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.V-267446MEDIUMGoogle Android 15 must be configured to not allow backup of [all applications, configuration data] to remote systems.V-267447MEDIUMGoogle Android 15 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.V-267448MEDIUMGoogle Android 15 must be configured to disable multiuser modes.V-267449LOWGoogle Android 15 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).V-267450MEDIUMGoogle Android 15 must be configured to disable ad hoc wireless client-to-client connection capability.V-267451MEDIUMGoogle Android 15 users must complete required training.V-267452MEDIUMGoogle Android 15 must be configured to disable Wi-Fi Sharing.V-267453MEDIUMGoogle Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the approving authority (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.V-267454MEDIUMGoogle Android 15 must have the DOD root and intermediate PKI certificates installed.V-267455MEDIUMThe Google Android 15 work profile must be configured to enforce the system application disable list.V-267456MEDIUMThe Google Android 15 work profile must be configured to disable automatic completion of workspace internet browser text input.V-267457MEDIUMThe Google Android 15 work profile must be configured to disable the autofill services.V-267458MEDIUMGoogle Android 15 must be configured to disallow configuration of date and time.V-267459HIGHAndroid 15 devices must have the latest available Google Android 15 operating system installed.V-267460LOWAndroid 15 devices must be configured to disable the use of third-party keyboards.V-267461LOWAndroid 15 devices must be configured to enable Common Criteria Mode (CC Mode).V-267462MEDIUMGoogle Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].V-267463MEDIUMThe Google Android 15 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.V-267464LOWGoogle Android 15 must allow only the administrator (MDM) to perform the following management function: Disable Phone Hub.V-269100HIGHGoogle Android 15 must be configured to disable "Private Space" use.V-276985MEDIUMGoogle Android 15 must disable the user's ability to wipe the device.V-276986LOWGoogle Android 15 must disable the use of assistants (including Google Assistant) unless required to meet Section 508 compliance requirements.V-276987LOWGoogle Android 15 must disable wireless printing.V-276988LOWGoogle Android 15 must disable screen capture.V-276989MEDIUMGoogle Android 15 devices must have a Mobile Threat Detection (MTD) app installed.V-276990MEDIUMGoogle Android 15 must implement the management setting: disable Camera.V-278365MEDIUMThe Google Android device must be configured to disable Wi-Fi Aware for Work Profile apps.V-278366MEDIUMGoogle Android must implement the management setting: disable the Bluetooth radio.