TickYouOff

Android 15 STIG Checklist

Hard 16 items · 4 hours
testuser Published 1 month ago

This checklist helps IT and security teams implement the Google Android 15 STIG for corporate Android devices (COPE/COBO). It guides enrollment, data separation, configuration profiles, and compliance reporting to meet DoD security expectations.

Source: https://ncp.nist.gov/checklist/1259

  1. Download Android 15 STIG XCCDF and supplemental documents — Obtain official STIG and supplemental PDFs from DISA or public.cyber.mil.
  2. Identify COPE and COBO devices in your inventory — Tag devices by ownership and intended use to apply correct policies.
  3. Decide enrollment method and recommend zero-touch for corporate devices — Prefer zero-touch for bulk COPE/COBO deployments to ensure consistent configuration.
  4. Enroll corporate devices via zero-touch enrollment — Use zero-touch to provision devices with your EMM and baseline policies.
  5. Set up zero-touch service account — Create and configure the admin account for zero-touch enrollment.
  6. Upload device list to zero-touch console — Provide IMEIs/serials or order IDs to bind devices to your account.
  7. Assign EMM/management profile to devices — Map devices to your EMM and assign appropriate corporate profiles.
  8. Enable Android Enterprise work profile for COPE devices — Activate native AE work profile for data separation on COPE devices.
  9. Verify NIAP-certified data separation is active — Confirm the work profile is NIAP-certified and enforces separation.
  10. Configure personal space restrictions per AO approval — Apply restrictions only where Authorizing Official approval requires limits.
  11. Implement configuration profiles and user-based enforcement (UBE) — Create and deploy STIG-required profiles and attach UBE where specified.
  12. Enforce Wi-Fi network compliance with Network Infrastructure STIG — Ensure Wi-Fi APs and bridges comply and are not directly on enclave networks.
  13. Restrict unmanaged app installs when AO denies personal apps — Block or limit sideloading and app installs to prevent data exposure.
  14. Test device compliance reporting and generate baseline report — Run scans/reports to verify STIG controls and capture a baseline.
  15. Document AO approvals, user privacy guidance, and deployment procedures — Record AO decisions, user policy, and deployment runbooks for audits.
  16. Schedule periodic STIG reviews and update tracking — Track DISA change history and plan regular reviews for STIG updates.