STIGs Search Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 3 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation Guide

Version

V1R3

Release Date

Feb 6, 2026

SCAP Benchmark ID

SS_Android_15_COPE_STIG

Total Checks

49

Tags

mobile

CAT I: 2CAT II: 38CAT III: 9

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (49)

V-268981LOWSamsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.V-269023MEDIUMSamsung Android must be configured to enforce a minimum password length of six characters.V-269024MEDIUMSamsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.V-269025MEDIUMSamsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.V-269026MEDIUMSamsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.V-269027MEDIUMSamsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.V-269028MEDIUMSamsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.V-269029MEDIUMSamsung Android's Work environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.V-269030MEDIUMSamsung Android's Work environment must be configured to not allow installation of applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies.V-269031MEDIUMSamsung Android 15 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.V-269032MEDIUMSamsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.V-269034HIGHSamsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.V-269035MEDIUMSamsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.V-269038MEDIUMSamsung Android must be configured to disable developer modes.V-269041LOWSamsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.V-269046MEDIUMSamsung Android must be configured to disable USB mass storage mode.V-269047MEDIUMSamsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.V-269048MEDIUMSamsung Android must be configured to not allow backup of all applications, configuration data to remote systems. (This requirement applies to the Work Profile for COPE.) - Disable Data Sync Framework.V-269050MEDIUMSamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.V-269052MEDIUMSamsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes.V-269056LOWSamsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).V-269057MEDIUMSamsung Android must be configured to disable ad hoc wireless client-to-client connection capability.V-269059MEDIUMSamsung Android's Work environment must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.V-269060MEDIUMSamsung Android must be enrolled as a COPE device.V-269061MEDIUMSamsung Android must be configured to disallow configuration of the device's date and time.V-269062MEDIUMSamsung Android's Work profile must have the DOD root and intermediate PKI certificates installed.V-269063MEDIUMSamsung Android's Work environment must be configured to enable audit logging.V-269064MEDIUMSamsung Android's Work environment must be configured to prevent users from adding personal email accounts to the work email app.V-269065LOWSamsung Android's Work profile must be configured to enable Common Criteria (CC) mode.V-269066MEDIUMSamsung Android device users must complete required training.V-269067HIGHThe Samsung Android device must have the latest available Samsung Android operating system (OS) installed.V-269068MEDIUMThe Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.V-269069MEDIUMThe Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled.V-269070MEDIUMThe Samsung Android device work profile must be configured to enforce the system application disable list.V-269071MEDIUMThe Samsung Android device must be provisioned as a fully managed device and configured to create a work profile.V-269072MEDIUMThe Samsung Android device work profile must be configured to disable automatic completion of workspace internet browser text input.V-269073MEDIUMThe Samsung Android device work profile must be configured to disable the autofill services.V-269074LOWThe Samsung Android device must be configured to disable the use of third-party keyboards.V-269075MEDIUMThe Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].V-269076LOWThe Samsung Android device must be configured to perform the following management function: Disable Phone Hub.V-277017MEDIUMSamsung Android 15 must disable the ability of the user to wipe the device.V-277018LOWSamsung Android 15 must disable the use of assistants (including Samsung Assistant) unless required to meet Section 508 compliance requirements.V-277019LOWSamsung Android 15 must disable wireless printing.V-277020LOWSamsung Android 15 must disable screen capture.V-277021MEDIUMSamsung Android 15 devices must have a Mobile Threat Detection (MTD) app installed.V-277022MEDIUMSamsung Android 15 must implement the management setting: disable Camera.V-278378MEDIUMThe Samsung Android device must be configured to disable Wi-Fi Aware for Work Profile apps.V-278379MEDIUMSamsung Android must implement the management setting: disable the Bluetooth radio.V-282961MEDIUMAll Samsung Android 15 installations must be removed.