STIGs Search Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 3 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide

Version

V2R4

Release Date

Feb 24, 2026

SCAP Benchmark ID

SS_Android_OS_14_KPE_3-x_COPE_STIG

Total Checks

48

Tags

mobile

CAT I: 2CAT II: 37CAT III: 9

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (48)

V-258663MEDIUMSamsung Android must be enrolled as a COPE device.V-258664LOWSamsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.V-258665MEDIUMSamsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.V-258667MEDIUMSamsung Android must be configured to enforce a minimum password length of six characters.V-258668MEDIUMSamsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.V-258669MEDIUMSamsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.V-258670MEDIUMSamsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.V-258671MEDIUMSamsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.V-258672MEDIUMSamsung Android must be configured to disable developer modes.V-258673LOWSamsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).V-258674HIGHSamsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.V-258675MEDIUMSamsung Android must be configured to disable USB mass storage mode.V-258676MEDIUMSamsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.V-258677MEDIUMSamsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.V-258678MEDIUMSamsung Android must be configured to disallow configuration of the device's date and time.V-258679MEDIUMSamsung Android's Work profile must have the DOD root and intermediate PKI certificates installed.V-258680MEDIUMSamsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.V-258681MEDIUMSamsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies.V-258682MEDIUMSamsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.V-258683MEDIUMSamsung Android's Work profile must be configured to enable audit logging.V-258684MEDIUMSamsung Android's Work profile must be configured to prevent users from adding personal email accounts to the work email app.V-258685MEDIUMSamsung Android's Work profile must be configured to not allow backup of all applications, configuration data to remote systems.- Disable Data Sync Framework.V-258686MEDIUMSamsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes.V-258687MEDIUMSamsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.V-258688MEDIUMSamsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.V-258689LOWSamsung Android's Work profile must be configured to enable Common Criteria (CC) mode.V-258690LOWSamsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.V-258691MEDIUMSamsung Android device users must complete required training.V-258692HIGHThe Samsung Android device must have the latest available Samsung Android operating system (OS) installed.V-258693MEDIUMThe Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.V-258694MEDIUMThe Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled.V-258695MEDIUMThe Samsung Android device work profile must be configured to enforce the system application disable list.V-258696MEDIUMThe Samsung Android device must be provisioned as a fully managed device and configured to create a work profile.V-258697MEDIUMThe Samsung Android device work profile must be configured to disable automatic completion of work space internet browser text input.V-258698MEDIUMThe Samsung Android device work profile must be configured to disable the autofill services.V-258699LOWThe Samsung Android device must be configured to disable the use of third-party keyboards.V-258700MEDIUMThe Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].V-258701LOWThe Samsung Android device must be configured to perform the following management function: Disable Phone Hub.V-258702MEDIUMSamsung Android must be configured to disable ad hoc wireless client-to-client connection capability.V-277005MEDIUMSamsung Android 14 must disable the ability of the user to wipe the device.V-277006LOWSamsung Android 14 must disable the use of assistants (including Samsung Assistant) unless required to meet Section 508 compliance requirements.V-277007LOWSamsung Android 14 must disable wireless printing.V-277008LOWSamsung Android 14 must disable screen capture.V-277009MEDIUMSamsung Android 14 devices must have a Mobile Threat Detection (MTD) app installed.V-277010MEDIUMSamsung Android 14 must implement the management setting: disable Camera.V-278370MEDIUMThe Samsung Android device must be configured to disable Wi-Fi Aware for Work Profile apps.V-278375MEDIUMSamsung Android must implement the management setting: disable the Bluetooth radio.V-282945MEDIUMAll Samsung Android 14 installations must be removed. Exception: Tactical Edition (TE) devices with Android 14 can be used until April 2027.