STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 22 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

Google Android 17 COPE Security Technical Implementation Guide

Version

V1R1

Release Date

Jul 9, 2026

SCAP Benchmark ID

Google_Android_17_COPE_STIG

Total Checks

47

Tags

mobile
CAT I: 2CAT II: 38CAT III: 7

This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (47)

V-284794MEDIUMGoogle Android 17 must be configured to enforce a minimum password length of six characters.V-284795MEDIUMGoogle Android 17 must be configured to not allow passwords that include more than four repeating or sequential characters.V-284796MEDIUMGoogle Android 17 must be configured to lock the display after 15 minutes (or less) of inactivity.V-284797MEDIUMGoogle Android 17 must be configured to not allow more than 10 consecutive failed authentication attempts.V-284798MEDIUMGoogle Android 17 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoW-approved commercial app repository, MDM server, mobile application store].V-284799MEDIUMGoogle Android 17 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].V-284800MEDIUMGoogle Android 17 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoW cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoW servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; - Backs up its own data to a remote system; and - Renders TV shows and movies.V-284801MEDIUMGoogle Android 17 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.V-284802MEDIUMGoogle Android 17 must be configured to not display the following (work profile) notifications when the device is locked: [selection: - Email notifications - Calendar appointments - Contact associated with phone call notifications - Text message notifications - Other application-based notifications - All notifications].V-284806MEDIUMGoogle Android 17 must be configured to disable trust agents.V-284808MEDIUMGoogle Android 17 must be configured to disable developer modes.V-284810MEDIUMGoogle Android 17 must be configured to enable audit logging.V-284812LOWGoogle Android 17 must be configured to display the DoW advisory warning message at startup or each time the user unlocks the device.V-284813MEDIUMGoogle Android 17 must be configured to generate audit records for the following auditable events: Detected integrity violations.V-284814MEDIUMGoogle Android 17 must be configured to disable USB mass storage mode.V-284815MEDIUMGoogle Android 17 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.V-284816MEDIUMGoogle Android 17 must be configured to not allow backup of [all applications, configuration data] to remote systems.V-284817MEDIUMGoogle Android 17 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.V-284819MEDIUMGoogle Android 17 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].V-284820MEDIUMGoogle Android 17 must be configured to disable multiuser modes.V-284824LOWGoogle Android 17 must be configured to disable Bluetooth or configured via User-Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).V-284825MEDIUMGoogle Android 17 must be configured to disable ad hoc wireless client-to-client connection capability.V-284827MEDIUMGoogle Android 17 users must complete required training.V-284828MEDIUMGoogle Android 17 must be configured to disable Wi-Fi sharing.V-284829MEDIUMGoogle Android 17 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot if approved for use by the authorizing official (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.V-284830MEDIUMGoogle Android 17 must have the DoW root and intermediate PKI certificates installed.V-284831MEDIUMThe Google Android 17 work profile must be configured to prevent users from adding personal email accounts to the work email app.V-284832MEDIUMThe Google Android 17 work profile must be configured to enforce the system application disable list.V-284833MEDIUMGoogle Android 17 must be provisioned as a fully managed device and configured to create a work profile.V-284834MEDIUMThe Google Android 17 work profile must be configured to disable automatic completion of workspace internet browser text input.V-284835MEDIUMThe Google Android 17 work profile must be configured to disable the autofill services.V-284836MEDIUMGoogle Android 17 must be configured to disallow configuration of date and time.V-284838HIGHAndroid 17 devices must have the latest available Google Android 17 operating system installed.V-284839LOWAndroid 17 devices must be configured to disable the use of third-party keyboards.V-284840LOWAndroid 17 devices must be configured to enable Common Criteria (CC) mode.V-284841MEDIUMGoogle Android 17 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].V-284842MEDIUMGoogle Android 17 must allow only the administrator (EMM) to install/remove DoW root and intermediate PKI certificates.V-284843LOWGoogle Android 17 must allow only the administrator (MDM) to perform the following management function: Disable Phone Hub.V-284844HIGHGoogle Android 17 must be configured to disable Private Space use.V-284845MEDIUMGoogle Android 17 must disable the user's ability to wipe the device.V-284847LOWGoogle Android 17 must disable wireless printing.V-284848LOWGoogle Android 17 must disable screen capture.V-284849MEDIUMGoogle Android 17 devices must have a Mobile Threat Detection (MTD) app installed.V-284850MEDIUMGoogle Android 17 must implement the management setting: Disable Camera.V-284851MEDIUMThe Google Android device must be configured to disable Wi-Fi Aware for work profile apps.V-284852MEDIUMThe Google Android device must be configured to disable Cross-Device Handoff (also called "Continuity On").V-285857MEDIUMThe Google Android 17 device must be configured to disable web-based artificial intelligence (AI) interactions.