TickYouOff
Android 13 BYOAD STIG Checklist

Difficulty: Hard · 18 items · 1 day
testuser Published 1 month ago

This checklist guides IT teams and device owners through baseline steps to align Bring Your Own Android Device (BYOAD) environments with the Android 13 STIG. It’s designed for administrators, security engineers, and technical owners who must harden devices, enforce policies, and document compliance for enterprise or government use.

Source: https://ncp.nist.gov/checklist/1071

  1. Download the official Android 13 BYOAD STIG document — Get the latest STIG from DoD Cyber Exchange or public.cyber.mil if needed.
  2. Review and highlight applicable STIG controls — Identify controls relevant to your BYOAD policy and device types.
  3. Inventory all BYOAD devices and owners — Record model, OS build, owner, and enrollment status.
  4. Classify devices by risk and allowed access — Group by sensitivity of data and permitted enterprise resources.
  5. Define and enforce mandatory MDM enrollment — Require MDM for access to enterprise apps and data.
  6. Configure enrollment profiles and device policies in MDM — Include restrictions, update channels, and compliance checks.
  7. Enforce OS updates and patch management via MDM — Set required update windows and automatic installation where possible.
  8. Enable and verify device encryption — Ensure full-disk/file-based encryption is active for all devices.
  9. Enforce strong screen lock and authentication policies — Set PIN/biometric rules, timeout, and lock requirements.
  10. Disable developer options and USB debugging — Prevent easy device compromise and unauthorized access.
  11. Restrict app installation to approved sources — Allow Play Store and enterprise app store; block unknown sources.
  12. Enable Play Protect and mobile malware scanning — Turn on built-in threat protection and regular scans.
  13. Verify SELinux is enforcing and enable integrity checks — Confirm system integrity and enforcement mode on devices.
  14. Configure VPN and network access controls for enterprise resources — Use per-app VPN or device VPN for approved traffic.
  15. Enable remote wipe, lock, and lost-device capabilities — Ensure administrators can quickly protect data on lost/stolen devices.
  16. Enable logging and forward audit logs to a central SIEM — Collect authentication, policy, and device events for monitoring.
  17. Test STIG settings in a representative lab environment — Validate functionality and user impact before production rollout.
  18. Document accepted deviations and obtain AO approval — Record risks, compensating controls, and approval from the Authorizing Official.
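As an added example that is not part of the original checklist, the Python script below audits the device-level settings behind items 8, 9, 10 and 13 over `adb shell` and reports pass/fail per item, so an administrator can verify a device before enrollment rather than trust the owner's word. It assumes `adb` is on PATH and a device authorized for debugging on the admin workstation; the 15-minute screen-timeout threshold is an assumption, not a value stated on the page.

```python
import subprocess
import sys

# Assumed threshold (not stated on the page): lock the screen within 15 minutes of inactivity.
MAX_SCREEN_TIMEOUT_MS = 15 * 60 * 1000

# Each check maps a checklist item to an `adb shell` command and a pass predicate on its trimmed output.
# `settings get` prints "null" when a key was never set, which for these keys means the feature is off.
CHECKS = [
    ("item 8: device encryption active", "getprop ro.crypto.state",
     lambda v: v == "encrypted"),
    ("item 9: screen timeout within policy", "settings get system screen_off_timeout",
     lambda v: v.isdigit() and int(v) <= MAX_SCREEN_TIMEOUT_MS),
    ("item 10: developer options disabled", "settings get global development_settings_enabled",
     lambda v: v in ("0", "null")),
    ("item 10: USB debugging disabled", "settings get global adb_enabled",
     lambda v: v in ("0", "null")),
    ("item 13: SELinux enforcing", "getenforce",
     lambda v: v == "Enforcing"),
]

# Constructed sample output, shaped like adb's, for a device that still has developer mode on.
SAMPLE_OUTPUT = {
    "getprop ro.crypto.state": "encrypted\n",
    "settings get system screen_off_timeout": "1800000\n",   # 30 minutes, over the assumed limit
    "settings get global development_settings_enabled": "1\n",
    "settings get global adb_enabled": "1\n",
    "getenforce": "Enforcing\n",
}


def collect(serial):
    """Run every check command on the device `serial` via adb (assumes adb is on PATH)."""
    outputs = {}
    for _, cmd, _ in CHECKS:
        proc = subprocess.run(["adb", "-s", serial, "shell", cmd],
                              capture_output=True, text=True, timeout=30)
        outputs[cmd] = proc.stdout
    return outputs


def evaluate(outputs):
    """Return {check label: True/False} for a dict of {command: raw output}; missing output fails."""
    return {label: bool(pred(outputs.get(cmd, "").strip())) for label, cmd, pred in CHECKS}


def failed(outputs):
    """Labels of the checks that did not pass, i.e. what must be fixed before enrollment."""
    return [label for label, ok in evaluate(outputs).items() if not ok]


if __name__ == "__main__":
    # Audit a real device when a serial is given; otherwise evaluate the constructed sample.
    data = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for label, ok in evaluate(data).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {label}")
```

Run as `python audit.py <serial>` against an enrolled device; a device that is compliant on these items produces no FAIL lines, and the remaining checklist items (MDM enrollment, VPN, logging) still need verification in the MDM console.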