STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 22 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

Google Android 17 COBO Security Technical Implementation Guide

Version

V1R1

Release Date

Jul 9, 2026

SCAP Benchmark ID

Google_Android_17_COBO_STIG

Total Checks

44

Tags

mobile
CAT I: 2CAT II: 35CAT III: 7

This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (44)

V-284689MEDIUMGoogle Android 17 must be configured to enforce a minimum password length of six characters.V-284690MEDIUMGoogle Android 17 must be configured to not allow passwords that include more than four repeating or sequential characters.V-284691MEDIUMGoogle Android 17 must be configured to lock the display after 15 minutes (or less) of inactivity.V-284692MEDIUMGoogle Android 17 must be configured to not allow more than 10 consecutive failed authentication attempts.V-284693MEDIUMGoogle Android 17 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoW-approved commercial app repository, MDM server, mobile application store].V-284694MEDIUMGoogle Android 17 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].V-284695MEDIUMGoogle Android 17 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoW cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoW servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; - Backs up its own data to a remote system; and - Renders TV shows and movies.V-284696MEDIUMGoogle Android 17 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.V-284697MEDIUMGoogle Android 17 must be configured to not display the following (work profile) notifications when the device is locked: [selection: - Email notifications - Calendar appointments - Contact associated with phone call notifications - Text message notifications - Other application-based notifications - All notifications].V-284701MEDIUMGoogle Android 17 must be configured to disable trust agents.V-284703MEDIUMGoogle Android 17 must be configured to disable developer modes.V-284705MEDIUMGoogle Android 17 must be configured to enable audit logging.V-284707LOWGoogle Android 17 must be configured to display the DoW advisory warning message at startup or each time the user unlocks the device.V-284708MEDIUMGoogle Android 17 must be configured to generate audit records for the following auditable events: Detected integrity violations.V-284709MEDIUMGoogle Android 17 must be configured to disable USB mass storage mode.V-284710MEDIUMGoogle Android 17 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.V-284711MEDIUMGoogle Android 17 must be configured to not allow backup of [all applications, configuration data] to remote systems.V-284712MEDIUMGoogle Android 17 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.V-284714MEDIUMGoogle Android 17 must be configured to disable multiuser modes.V-284718LOWGoogle Android 17 must be configured to disable Bluetooth or configured via User-Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).V-284719MEDIUMGoogle Android 17 must be configured to disable ad hoc wireless client-to-client connection capability.V-284721MEDIUMGoogle Android 17 users must complete required training.V-284722MEDIUMGoogle Android 17 must be configured to disable Wi-Fi sharing.V-284723MEDIUMGoogle Android 17 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot if approved for use by the authorizing official (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.V-284724MEDIUMGoogle Android 17 must have the DoW root and intermediate PKI certificates installed.V-284725MEDIUMThe Google Android 17 work profile must be configured to enforce the system application disable list.V-284726MEDIUMThe Google Android 17 work profile must be configured to disable automatic completion of workspace internet browser text input.V-284727MEDIUMThe Google Android 17 work profile must be configured to disable the autofill services.V-284728MEDIUMGoogle Android 17 must be configured to disallow configuration of date and time.V-284730HIGHAndroid 17 devices must have the latest available Google Android 17 operating system installed.V-284731LOWAndroid 17 devices must be configured to disable the use of third-party keyboards.V-284732LOWAndroid 17 devices must be configured to enable Common Criteria (CC) mode.V-284733MEDIUMGoogle Android 17 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].V-284734MEDIUMGoogle Android 17 must allow only the administrator (EMM) to install/remove DoW root and intermediate PKI certificates.V-284735LOWGoogle Android 17 must allow only the administrator (MDM) to perform the following management function: Disable phone hub.V-284736HIGHGoogle Android 17 must be configured to disable Private Space use.V-284737MEDIUMGoogle Android 17 must disable the user's ability to wipe the device.V-284739LOWGoogle Android 17 must disable wireless printing.V-284740LOWGoogle Android 17 must disable screen capture.V-284741MEDIUMGoogle Android 17 devices must have a Mobile Threat Detection (MTD) app installed.V-284742MEDIUMGoogle Android 17 must implement the management setting: Disable Camera.V-284743MEDIUMThe Google Android device must be configured to disable Wi-Fi Aware for work profile apps.V-284744MEDIUMThe Google Android device must be configured to disable Cross-Device Handoff (also called "Continuity On").V-285856MEDIUMThe Google Android 17 device must be configured to disable web-based artificial intelligence (AI) interactions.