
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


Samsung Android OS 15 with Knox 3.x COBO Security Technical Implementation Guide

Version: V1R3
Release Date: Feb 6, 2026
SCAP Benchmark ID: SS_Android_15_COBO_STIG
Total Checks: 46
Tags: mobile
CAT I: 2, CAT II: 35, CAT III: 9

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (46)

  • V-268882 (LOW): Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.
  • V-268924 (MEDIUM): Samsung Android must be configured to enforce a minimum password length of six characters.
  • V-268925 (MEDIUM): Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.
  • V-268926 (MEDIUM): Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
  • V-268927 (MEDIUM): Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.
  • V-268928 (MEDIUM): Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
  • V-268929 (MEDIUM): Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.
  • V-268930 (MEDIUM): Samsung Android's Work environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
  • V-268931 (MEDIUM): Samsung Android's Work environment must be configured to not allow installation of applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies.
  • V-268932 (MEDIUM): Samsung Android 15 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
  • V-268933 (MEDIUM): Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.
  • V-268935 (HIGH): Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
  • V-268936 (MEDIUM): Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.
  • V-268939 (MEDIUM): Samsung Android must be configured to disable developer modes.
  • V-268942 (LOW): Samsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
  • V-268947 (MEDIUM): Samsung Android must be configured to disable USB mass storage mode.
  • V-268948 (MEDIUM): Samsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.
  • V-268949 (MEDIUM): Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems. (This requirement applies to the Work Profile for COPE.) - Disable Data Sync Framework.
  • V-268950 (MEDIUM): Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems. - Disable Backup Services.
  • V-268952 (MEDIUM): Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
  • V-268957 (LOW): Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
  • V-268958 (MEDIUM): Samsung Android must be configured to disable ad hoc wireless client-to-client connection capability.
  • V-268960 (MEDIUM): Samsung Android's Work environment must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
  • V-268961 (MEDIUM): Samsung Android must be enrolled as a COBO device.
  • V-268962 (MEDIUM): Samsung Android must be configured to disallow configuration of the device's date and time.
  • V-268963 (MEDIUM): Samsung Android's Work profile must have the DOD root and intermediate PKI certificates installed.
  • V-268964 (MEDIUM): Samsung Android's Work environment must be configured to enable audit logging.
  • V-268965 (MEDIUM): Samsung Android's Work environment must be configured to prevent users from adding personal email accounts to the work email app.
  • V-268966 (LOW): Samsung Android's Work profile must be configured to enable Common Criteria (CC) mode.
  • V-268967 (MEDIUM): Samsung Android device users must complete required training.
  • V-268968 (HIGH): The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
  • V-268969 (MEDIUM): The Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.
  • V-268970 (MEDIUM): The Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled.
  • V-268971 (MEDIUM): The Samsung Android device work profile must be configured to enforce the system application disable list.
  • V-268972 (LOW): The Samsung Android device must be configured to disable the use of third-party keyboards.
  • V-268973 (MEDIUM): The Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
  • V-268974 (LOW): The Samsung Android device must be configured to perform the following management function: Disable Phone Hub.
  • V-277011 (MEDIUM): Samsung Android 15 must disable the ability of the user to wipe the device.
  • V-277012 (LOW): Samsung Android 15 must disable the use of assistants (including Samsung Assistant) unless required to meet Section 508 compliance requirements.
  • V-277013 (LOW): Samsung Android 15 must disable wireless printing.
  • V-277014 (LOW): Samsung Android 15 must disable screen capture.
  • V-277015 (MEDIUM): Samsung Android 15 devices must have a Mobile Threat Detection (MTD) app installed.
  • V-277016 (MEDIUM): Samsung Android 15 must implement the management setting: disable Camera.
  • V-278371 (MEDIUM): The Samsung Android device must be configured to disable Wi-Fi Aware for Work Profile apps.
  • V-278377 (MEDIUM): Samsung Android must implement the management setting: disable the Bluetooth radio.
  • V-282951 (MEDIUM): All Samsung Android 15 installations must be removed.