Android 16 Security STIG

Hard 18 items · 2 hours
testuser Published 1 month ago

This checklist converts the Google Android 16 STIG (Y25M08) into a practical set of configuration and compliance tasks for IT, security, and device management teams. It’s intended for organizations deploying corporate-owned Android 16 devices (COPE/COBO) that must meet DoD security requirements.

Source: https://ncp.nist.gov/checklist/1314

  1. Enroll devices via zero-touch enrollment — Use zero-touch for bulk COPE/COBO provisioning to ensure managed state from first boot.
  2. Configure Android Enterprise work profile for COPE devices — Use the native work profile (NIAP-certified) for data separation on COPE devices.
  3. Enforce device encryption — Require file- or full-disk encryption for all corporate devices to protect stored data.
  4. Set strong screen lock policies — Require authenticated unlock and reasonable auto-lock timeout.
  5. Require minimum PIN/password complexity — Set minimum PIN length and complexity per organizational policy.
  6. Configure biometric and fallback rules — Control biometric use and require fallback authentication where appropriate.
  7. Enable automatic OS and security updates — Allow automatic installs or enforce timely patching via MDM.
  8. Disable installation from unknown sources — Block sideloading and require apps from managed Play or approved stores.
  9. Disable developer options and USB debugging — Prevent user-enabled debugging to reduce attack surface.
  10. Enable Play Protect and app scanning — Turn on Google Play Protect or equivalent runtime app scanning.
  11. Restrict app installation to managed or approved apps — Allow unmanaged app installs only with Authorizing Official (AO) approval.
  12. Implement MDM enrollment and apply configuration profiles — Use an enterprise MDM to enforce STIG profiles, restrictions, and reporting.
  13. Configure approved Wi-Fi and verify network compliance — Allow only approved Wi-Fi; ensure network infrastructure meets STIG requirements.
  14. Disable Bluetooth auto-pairing and restrict connections — Limit wireless pairing to approved peripherals only.
  15. Enforce data separation using a NIAP-certified solution — Implement work profile or another NIAP-certified tech for work/personal separation.
  16. Configure logging, reporting, and periodic compliance scans — Enable device logging and schedule automated compliance checks and reports.
  17. Test compliance and generate STIG reports — Run scans, validate settings against the STIG, and export a compliance report.
  18. Document AO approvals, exceptions, and configuration baselines — Maintain records of AO approvals and any accepted deviations from STIG controls.
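One way to script the "validate settings against the STIG" step of item 17 for the items a device policy can express (3, 4, 5, 7, 8, 9, 10 and 11) is to audit the Android Management API policy document that the MDM pushes to devices. This is an added example, not code from TickYouOff, the STIG or Google: the field and enum names are those of the Android Management API policy resource, while the 15-minute lock ceiling, the 6-character minimum for legacy password qualities and the two sample policies are assumptions constructed for the example.

```python
# Added example (not TickYouOff, STIG or Google code): audit an Android Management API
# policy document against the checklist items a device policy can express.
# Field/enum names follow the API's "policies" resource; thresholds are assumptions.
MAX_TIME_TO_LOCK_MS = 15 * 60 * 1000   # assumed auto-lock ceiling (item 4)
MIN_PIN_LEN = 6                        # assumed minimum length for legacy qualities (item 5)
STRONG_LEGACY = {"NUMERIC_COMPLEX", "ALPHANUMERIC", "COMPLEX"}

def get_path(doc, path, default=None):
    """Walk a dotted path through nested dicts; return default if any segment is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def password_ok(policy):
    """Item 5: every passwordPolicies entry is COMPLEXITY_HIGH (the bucket fixes its own
    length) or a strong legacy quality with an explicit minimum length; no entries fails."""
    def strong(r):
        q = r.get("passwordQuality")
        return q == "COMPLEXITY_HIGH" or (q in STRONG_LEGACY and r.get("passwordMinimumLength", 0) >= MIN_PIN_LEN)
    rules = policy.get("passwordPolicies") or []
    return bool(rules) and all(strong(r) for r in rules)

ASO = "advancedSecurityOverrides."
# (checklist item, finding text, predicate over the policy dict); a missing field fails closed
CHECKS = [
    (3, "device encryption enforced", lambda p: p.get("encryptionPolicy") == "ENABLED_WITH_PASSWORD"),
    (4, "auto-lock within limit", lambda p: 0 < int(p.get("maximumTimeToLock", 0)) <= MAX_TIME_TO_LOCK_MS),
    (5, "PIN/password complexity", password_ok),
    (7, "automatic system updates", lambda p: get_path(p, "systemUpdate.type") == "AUTOMATIC"),
    (8, "unknown sources blocked", lambda p: get_path(p, ASO + "untrustedAppsPolicy") == "DISALLOW_INSTALL"),
    (9, "developer options disabled", lambda p: get_path(p, ASO + "developerSettings") == "DEVELOPER_SETTINGS_DISABLED"),
    (10, "Play Protect enforced", lambda p: get_path(p, ASO + "googlePlayProtectVerifyApps") == "VERIFY_APPS_ENFORCED"),
    (11, "Play Store allowlist mode", lambda p: p.get("playStoreMode") == "WHITELIST"),
]

def audit_policy(policy):
    """Return one 'item N: ...' finding per failed check; an empty list means all checks passed."""
    return [f"item {n}: {text}" for n, text, pred in CHECKS if not pred(policy)]

# Constructed samples: a permissive policy and its hardened counterpart.
WEAK_POLICY = {"maximumTimeToLock": "0", "playStoreMode": "BLACKLIST",
               "passwordPolicies": [{"passwordQuality": "NUMERIC", "passwordMinimumLength": 4}]}
HARDENED_POLICY = {
    "encryptionPolicy": "ENABLED_WITH_PASSWORD", "maximumTimeToLock": "900000",
    "passwordPolicies": [{"passwordScope": "SCOPE_DEVICE", "passwordQuality": "COMPLEXITY_HIGH"}],
    "systemUpdate": {"type": "AUTOMATIC"}, "playStoreMode": "WHITELIST",
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "DISALLOW_INSTALL",
                                  "developerSettings": "DEVELOPER_SETTINGS_DISABLED",
                                  "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED"},
}
```

Run `audit_policy()` on the policy JSON exported from the MDM; the weak sample produces eight findings and the hardened sample none. Items the policy cannot express (AO approvals, Wi-Fi infrastructure, NIAP certification) still need manual evidence.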