Google Android 13 BYOAD V1R2

a

Google Android 13 must prohibit DOD VPN profiles in the Personal Profile.

CM-6 - Low - CCI-000366 - V-258475 - SV-258475r950986_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GOOG-13-701100

Vuln IDs

V-258475

Rule IDs

SV-258475r950986_rule

If DOD VPN profiles are configured in the Personal Profile DOD sensitive data world be at risk of compromise and the DOD network could be at risk of being attacked by malware installed on the device. SFR ID: FMT_SMF_EXT.1.1 #3

Checks: C-62215r950986_chk

Review the list of VPN profiles in the Personal Profile and determine if any VPN profiles are listed. If so, verify the VPN profiles are not configured with a DOD network VPN profile. If any VPN profiles are installed in the Personal Profile and they have a DOD network VPN profile configured, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.

Fix: F-62124r929462_fix

Do not configure DOD VPN profiles in the Personal Profile.

b

Google Android 13 must be configured to enforce a minimum password length of six characters and not allow passwords that include more than four repeating or sequential characters.

IA-5 - Medium - CCI-000205 - V-258476 - SV-258476r929466_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

GOOG-13-706000

Vuln IDs

V-258476

Rule IDs

SV-258476r929466_rule

Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. Satisfies: PP-MDF-333024, PP-MDF-333025 SFR ID: FMT_SMF_EXT.1.1 #1a

Checks: C-62216r929464_chk

Review managed Google Android 13 device configuration settings to determine if the mobile device is enforcing a high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters). 1. Verify the device password configuration: On the EMM console: a. Open "Lock screen" settings. b. Open "Set required password complexity on parent". c. Verify "High" is selected. 2. Verify the Work Profile password configuration: On the EMM console (for the work profile): 1. Open "Lock screen" settings. 2. Open "Password constraints". 3. Open "Minimum password quality". 4. Verify Numeric Complex, Alphabetic, Alphanumeric, or Complex is selected. 5. Open "Minimum password length". 6. Verify "6" is set for number of characters. If the device password quality is not set to High or the Work Profile password length is not set to six characters or the password quality is not set as required, this is a finding. Note: verifying the OneLock configuration is not required because the use of OneLock is optional.

Fix: F-62125r929465_fix

Configure the Google Android 13 device to enforce high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters). In addition, enable OneLock so the user only must enter their device password to unlock the Work Profile. Note: enabling OneLock is optional and is a two-step process: configuration on the EMM and configuration by the user on the phone. If OneLock is not used, the user will always need to enter separate passwords to unlock the device and to unlock the Work Profile. 1. Set the password on the whole device: Set device password complexity to "HIGH" (requires (at minimum) an eight numeric character password, or six alphabetic character password, or a six alphanumeric character password) On the EMM console: a. Open "Lock screen" settings. b. Open "Set required password complexity on parent". c. Select "High". 2. Set DOD password for the Work Profile. On the EMM console: a. Open "Lock screen" settings. b. Open "Password constraints". c. Open "Minimum password quality". d. Choose Numeric Complex, Alphabetic, Alphanumeric, or Complex. e. Open "Minimum password length". f. Enter in the number of characters as "6". 3. Enable OneLock on the EMM. On the MDM console: a. Disable the following Android API: "DISALLOW_UNIFIED_PASSWORD". The exact procedure will depend on the EMM product. Note: this control may be called "Require separate challenge". 4. Train users to implement OneLock with the following User Based Enforcement (UBE): procedure: a. Open Settings >> Security & privacy >> More security settings. b. Enable "Use one lock".

b

Google Android 13 must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.

AC-11 - Medium - CCI-000057 - V-258477 - SV-258477r929469_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

GOOG-13-706200

Vuln IDs

V-258477

Rule IDs

SV-258477r929469_rule

The screen-lock timeout helps protect the device from unauthorized access. Devices without a screen-lock timeout provide an opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device and possibly access to DOD networks. SFR ID: FMT_SMF_EXT.1.1 #2a

Checks: C-62217r929467_chk

Review managed Google Android 13 device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of inactivity. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Verify that "Max time to screen lock" is set to any number desired, the units are in seconds. On the managed Google Android 13 device: 1. Open Settings >> Display. 2. Tap "Screen timeout". 3. Ensure the Screen timeout value is set to the desired value and cannot be set to a larger value. If the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity, this is a finding.

Fix: F-62126r929468_fix

Configure the Google Android 13 device to enable a screen-lock policy that will lock the display after a period of inactivity. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Set "Max time to screen lock" to any number desired. Note: The units are in seconds.

b

Google Android 13 must be configured to lock the display after 15 minutes (or less) of inactivity.

AC-11 - Medium - CCI-000057 - V-258478 - SV-258478r929472_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

GOOG-13-706300

Vuln IDs

V-258478

Rule IDs

SV-258478r929472_rule

The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #2b

Checks: C-62218r929470_chk

Review managed Google Android device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of 15 minutes or less of inactivity. Note: Google Android 13 does not support the 15-minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control should be set to 10 minutes. This validation procedure is performed on both the EMM Administration Console and the Android 13 device. On the EMM console: 1. Open "Lock screen restrictions". 2. Verify that "Max time to screen lock" is set to "600". Note: The units are in seconds. On the managed Google Android 13 device: 1. Open Settings >> Display. 2. Tap "Screen timeout". 3. Ensure the Screen timeout value is set to "600" seconds or less. If the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity of 600 seconds or less, this is a finding.

Fix: F-62127r929471_fix

Configure the Google Android 13 device to enable a screen-lock policy of 15 minutes for the max period of inactivity. Note: Google Android 13 does not support the 15 minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control will be set to 10 minutes. On the EMM console: 1. Open "Lock screen restrictions". 2. Set "Max time to screen lock" to "600". Note: The units are in seconds.

b

Google Android 13 must be configured to not allow more than 10 consecutive failed authentication attempts.

AC-7 - Medium - CCI-000044 - V-258479 - SV-258479r929475_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

GOOG-13-706400

Vuln IDs

V-258479

Rule IDs

SV-258479r929475_rule

The more attempts an adversary makes to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5

Checks: C-62219r929473_chk

Review managed Google Android 13 device configuration settings to determine if the work profile has the maximum number of consecutive failed authentication attempts set at 10 or fewer. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Verify that "Max password failures for local wipe" is set to a number between 1 and 10. On the managed Google Android 13 device: 1. Lock the device screen. 2. Attempt to unlock the device and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile. 3. Attempt to unlock the Work Profile and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile. If the EMM console device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, or if on the managed Google Android 13 device the device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, this is a finding.

Fix: F-62128r929474_fix

Configure the Google Android 13 device to allow only 10 or fewer consecutive failed authentication attempts. Note: Work Profile will be wiped. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Set "Max password failures for local wipe" to a number between 1 and 10.

b

Google Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.

CM-6 - Medium - CCI-000366 - V-258480 - SV-258480r929478_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-706500

Vuln IDs

V-258480

Rule IDs

SV-258480r929478_rule

Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DOD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #8a

Checks: C-62220r929476_chk

Review managed Google Android 13 device configuration settings to determine if the mobile device has only approved application repositories. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. On the EMM console: 1. Open "Set user restrictions". 2. Verify that "Disallow install unknown sources" is toggled to "ON". 3. Verify that "Disallow installs from unknown sources globally" is toggled to "ON". On the Google Android 13 device: 1. Open Settings >> Apps >> Special app access. 2. Open Install unknown apps. 3. Ensure the list of apps is blank or if an app is on the list, "Disabled" is listed under the app name. If the EMM console device policy is not set to allow connections to only approved application repositories or on the managed Google Android 13 device, the device policy is not set to allow connections to only approved application repositories, this is a finding.

Fix: F-62129r929477_fix

Configure the Google Android 13 device to disable unauthorized application repositories. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow install unknown sources" to "ON". 3. Toggle "Disallow installs from unknown sources globally" to "ON".

b

Google Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].

CM-7 - Medium - CCI-001764 - V-258481 - SV-258481r929481_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001764

Version

GOOG-13-706600

Vuln IDs

V-258481

Rule IDs

SV-258481r929481_rule

The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. Core application: Any application integrated into the OS by the OS or MD vendors. Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications. The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and preinstalled applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. SFR ID: FMT_SMF_EXT.1.1 #8b

Checks: C-62221r929479_chk

Review managed Google Android 13 device configuration settings to determine if the mobile device has an application allowlist configured. Verify all applications listed on the allowlist have been approved by the Approving Official (AO). On the EMM console: 1. Go to the Android app catalog for managed Google Play. 2. Verify all selected apps are AO approved. On the managed Google Android 13 device: 1. Open the managed Google Play Store. 2. Verify that only the approved apps are visible. Note: Managed Google Play is an allowed App Store. If the EMM console list of selected managed Google Play apps includes nonapproved apps, this is a finding. Note: The application allowlist will only include approved core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. For Google Android, there are no pre-installed applications.

Fix: F-62130r929480_fix

Configure the Google Android 13 device to use an application allowlist. On the EMM console: 1. Go to the Android app catalog for managed Google Play. 2. Select apps to be available (only approved apps). 3. Push updated policy to the device. Note: Managed Google Play is an allowed App Store.

b

Google Android 13 allowlist must be configured to not include applications with the following characteristics (work profile only): 1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); 2. Transmit MD diagnostic data to non-DOD servers; 3. Voice assistant application if available when MD is locked; 4. Voice dialing application if available when MD is locked; 5. Allows synchronization of data or applications between devices associated with user; and 6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.

CM-6 - Medium - CCI-000366 - V-258482 - SV-258482r929484_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-706700

Vuln IDs

V-258482

Rule IDs

SV-258482r929484_rule

Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DOD data or have features with no known application in the DOD environment. Application Note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. Core application: Any application integrated into the OS by the OS or MD vendors. Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. SFR ID: FMT_SMF_EXT.1.1 #8b

Checks: C-62222r929482_chk

Review managed Google Android 13 device configuration settings to determine if the mobile device has an application allowlist configured and that the application allowlist does not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. This validation procedure is performed only on the EMM Administration Console. On the EMM console: 1. Review the list of selected Managed Google Play apps. 2. Review the details and privacy policy of each selected app to ensure the app does not include prohibited characteristics. If the EMM console device policy includes applications with unauthorized characteristics, this is a finding.

Fix: F-62131r929483_fix

Configure the Google Android 13 device application allowlist to exclude applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. On the EMM console: 1. Go to the Android app catalog for managed Google Play. 2. Before selecting an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics.

b

Google Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

AC-11 - Medium - CCI-000060 - V-258483 - SV-258483r929487_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000060

Version

GOOG-13-706800

Vuln IDs

V-258483

Rule IDs

SV-258483r929487_rule

Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the mobile operating system (MOS) to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #18

Checks: C-62223r929485_chk

Review managed Google Android 13 device settings to determine if the Google Android 13 device displays (work profile) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Verify that "Disable unredacted notifications" is toggled to "ON". On the managed Google Android 13 device: 1. Go to Settings >> Display >> Lock screen. 2. Tap on "When work profile is locked". 3. Verify that "Hide sensitive work content" is selected. If the EMM console device policy allows work notifications on the lock screen, or the managed Google Android 13 device allows work notifications on the lock screen, this is a finding.

Fix: F-62132r929486_fix

Configure the Google Android 13 device to not display (work profile) notifications when the device is locked. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Toggle "Disable unredacted notifications".

b

Google Android 13 must be configured to disable trust agents.

IA-2 - Medium - CCI-000767 - V-258484 - SV-258484r930570_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000767

Version

GOOG-13-707200

Vuln IDs

V-258484

Rule IDs

SV-258484r930570_rule

Trust agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of nonpassword authentication mechanisms, users are forced to use passcodes that meet DOD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1

Checks: C-62224r929488_chk

Review device configuration settings to confirm that trust agents are disabled at the same location where the DOD password is implemented (device or work profile). This procedure is performed on both the EMM Administration console and the managed Google Android 13 device. On the EMM console: 1. Open "Lock screen restrictions". 2. Select "Personal Profile". 3. Verify that "Disable trust agents" is toggled to "ON". 4. Open "Lock screen restrictions". 5. Select "Work Profile". 6. Verify that "Disable trust agents" is toggled to "ON". On the managed Google Android 13 device: 1. Open Settings. 2. Tap "Security & privacy". 3. Tap "More security settings". 4. Tap "Trust agents". 5. Verify that all listed trust agents are disabled and cannot be enabled. If on the EMM console, "disable trust agents" is not selected, or on the managed Google Android 13 device a trust agent can be enabled, this is a finding.

Fix: F-62133r929489_fix

Configure the Google Android 13 device to disable trust agents at the same location where the DOD password is implemented (device or work profile). On the EMM console: 1. Open "Lock screen restrictions". 2. Select "Personal Profile". 3. Toggle "Disable trust agents" to "ON". 4. Open "Lock screen restrictions". 5. Select "Work Profile". 6. Toggle "Disable trust agents" to "ON".

a

Google Android 13 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the Work Profile.

AC-8 - Low - CCI-000048 - V-258485 - SV-258485r929493_rule

RMF Control

AC-8

Severity

L

CCI

CCI-000048

Version

GOOG-13-707700

Vuln IDs

V-258485

Rule IDs

SV-258485r929493_rule

Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. For devices with severe character limitations, the banner text is: I've read & consent to terms in IS user agreem't. The administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF_EXT.1.1 #36

Checks: C-62225r929491_chk

The DOD warning banner can be displayed using the following method (required text is found in the Vulnerability Discussion): By placing the DOD warning banner text in the user agreement signed by each managed Android 13 device user (preferred method). Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode. Review the signed user agreements for several Google Android 13 device users and verify the agreement includes the required DOD warning banner text. If the required warning banner text is not on all signed user agreements reviewed, this is a finding.

Fix: F-62134r929492_fix

Configure the DOD warning banner by the following method (required text is found in the Vulnerability Discussion): By placing the DOD warning banner text in the user agreement signed by each Google Android 13 device user (preferred method). Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode.

b

Google Android 13 must be configured to not allow backup of all work profile applications to remote systems.

SC-4 - Medium - CCI-001090 - V-258486 - SV-258486r929496_rule

RMF Control

SC-4

Severity

M

CCI

CCI-001090

Version

GOOG-13-708600

Vuln IDs

V-258486

Rule IDs

SV-258486r929496_rule

Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the mobile operating system (MOS). Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DOD devices may synchronize DOD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40

Checks: C-62226r929494_chk

Review managed Google Android 13 device configuration settings to determine if the capability to back up to a remote system has been disabled. Note: Since personal accounts cannot be added to the work profile (GOOG-13-710100), this control only impacts personal accounts, this setting is used to prevent violations within the work profile for backing up data. This is not applicable to the personal profile. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. On the EMM console: 1. Open "Device owner management". 2. Verify "Enable backup service" is toggled to "OFF". On the managed Google Android 13 device: 1. Go to Settings >> System >> System >> Backup. 2. Select "Work". 3. Verify Backup settings is "Not available". If backup service for the work profile has not been disabled, this is a finding.

Fix: F-62135r929495_fix

Configure the Google Android 13 device to disable backup to remote systems (including commercial clouds). On the EMM console: 1. Open "Device owner management". 2. Toggle "Enable backup service" to "OFF".

b

Google Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

AC-6 - Medium - CCI-002233 - V-258487 - SV-258487r929499_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002233

Version

GOOG-13-708900

Vuln IDs

V-258487

Rule IDs

SV-258487r929499_rule

App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DOD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Checks: C-62227r929497_chk

Review documentation on the managed Google Android 13 device and inspect the configuration on the Google Android device to verify the access control policy that prevents [selection: application processes] from accessing [selection: all] data stored by other [selection: application processes] is enabled. This validation procedure is performed only on the EMM Administration Console. On the EMM console: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Verify that "Disallow cross profile copy/paste" is toggled to "ON". 4. Verify that "Disallow sharing data into the profile" is toggled to "ON". If the EMM console device policy is not set to disable data sharing between profiles, this is a finding.

Fix: F-62136r929498_fix

Configure the Google Android 13 device to enable the access control policy that prevents [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. Note: All application data is inherently sandboxed and isolated from other applications. To disable copy/paste on the EMM console: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Toggle "Disallow cross profile copy/paste" to "ON". 4. Toggle "Disallow sharing data into the profile" to "ON".

b

Google Android 13 users must complete required training.

CM-6 - Medium - CCI-000366 - V-258488 - SV-258488r929502_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-709800

Vuln IDs

V-258488

Rule IDs

SV-258488r929502_rule

The security posture of Google devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Google mobile device and DOD sensitive data may become compromised. SFR ID: NA

Checks: C-62228r929500_chk

Review a sample of site User Agreements for Google Android 13 device users or similar training records and training course content. Verify the Google Android 13 device users have completed the required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Google Android 13 device user has not completed the required training, this is a finding.

Fix: F-62137r929501_fix

All Google Android 13 device users must complete training on the following training topics (users must acknowledge that they have reviewed training via a signed User Agreement or similar written record): - Operational security concerns introduced by unmanaged applications/unmanaged personal space, including applications using global positioning system (GPS) tracking. - The need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for always maintaining positive control of their credentialed device. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure that a factory data reset is performed prior to device hand-off. Follow mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Google device: **Do not remove DOD intermediate and root PKI digital certificates **Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space - How to implement OneLock. - Screenshots will not be taken of any “work” related managed data.-Screenshots will not be taken of any “work” related managed data.

b

Google Android 13 must have the DOD root and intermediate PKI certificates installed (work profile only).

CM-6 - Medium - CCI-000366 - V-258489 - SV-258489r929505_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-710000

Vuln IDs

V-258489

Rule IDs

SV-258489r929505_rule

DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DOD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62229r929503_chk

Review device configuration settings to confirm that the DOD root and intermediate PKI certificates are installed (work profile only). This procedure is performed on both the EMM Administration console and the managed Google Android 13 device. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet). On the EMM console verify that the DOD root and intermediate certificates are part of a device and/or work profile that is being pushed down to the devices. On the managed Google Android 13 device: 1. Open Settings. 2. Tap "Security & privacy". 3. Tap "More security settings". 4. Tap "Encryption & credentials". 5. Tap "Trusted credentials". 6. Verify that DOD root and intermediate PKI certificates are listed under the User tab in the Work section. If on the EMM console the DOD root and intermediate certificates are not listed in a profile, or the managed Android 13 device does not list the DOD root and intermediate certificates under the user tab, this is a finding.

Fix: F-62138r929504_fix

Configure the Google Android 13 device to install DOD root and intermediate certificates (work profile only). On the EMM console upload DOD root and intermediate certificates as part of the work profile. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).

b

The Google Android 13 work profile must be configured to prevent users from adding personal email accounts to the work email app.

CM-6 - Medium - CCI-000366 - V-258490 - SV-258490r929508_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-710100

Vuln IDs

V-258490

Rule IDs

SV-258490r929508_rule

If the user can add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62230r929506_chk

Review the managed Google Android 13 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the EMM Administrator console and the managed Google Android 13 device. On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow modify accounts" is toggled to "ON". On the managed Google Android 13 device: 1. Open Settings. 2. Tap "Passwords & accounts". 3. Select "Work". 4. Tap "Add account". 5. Verify a message is displayed to the user stating, "Blocked by your IT admin". If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 13 device the user is able to add an account in the Work section, this is a finding.

Fix: F-62139r929507_fix

Configure the Google Android 13 device to prevent users from adding personal email accounts to the work email app. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow modify accounts" to "ON". Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app.

b

The Google Android 13 work profile must be configured to enforce the system application disable list (work profile only).

CM-6 - Medium - CCI-000366 - V-258491 - SV-258491r929511_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-710200

Vuln IDs

V-258491

Rule IDs

SV-258491r929511_rule

The system application disables list controls user access to/execution of all core and preinstalled applications. Core application: Any application integrated into Google Android 13 by Google. Preinstalled application: Additional noncore applications included in the Google Android 13 build by Google or the wireless carrier. Some system applications can compromise DOD data or upload users' information to non-DOD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DOD data or DOD user information. The site administrator must analyze all preinstalled applications on the device and disable all applications not approved for DOD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62231r929509_chk

Review the managed Google Android 13 work profile configuration settings to confirm the system application disable list is enforced (work profile only). This setting is enforced by default. Verify only approved system apps have been placed on the core allowlist. This procedure is performed on the EMM Administrator console. Review the system app allowlist and verify only approved apps are on the list. 1. Open "Apps management" section. 2. Select "Hide apps on parent". 3. Verify package names of apps are listed. If on the EMM console the system app allowlist contains unapproved core apps, this is a finding.

Fix: F-62140r929510_fix

Configure the Google Android 13 device to enforce the system application disable list (work profile only). The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the EMM console: 1. Open "Apps management" section. 2. Select "Hide apps on parent". 3. Enter package names of apps to hide. Configure a list of approved Google core and preinstalled apps in the core app allowlist.

b

Google Android 13 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).

CM-6 - Medium - CCI-000366 - V-258492 - SV-258492r929530_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-710300

Vuln IDs

V-258492

Rule IDs

SV-258492r929530_rule

The Android work profile for employee-owned devices (BYOD) is the designated application group for the BYOAD use case. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62232r929512_chk

Review that managed Google Android 13 is configured for BYOD (work profile for employee-owned devices [BYOD]). This procedure is performed on both the EMM Administrator console and the managed Google Android 13 device. On the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD). On the managed Google Android 13 device: 1. Go to the application drawer. 2. Ensure a Personal tab and a Work tab are present. If on the EMM console, the default enrollment is not set for BYOD (work profile for employee-owned devices [BYOD]), or if on the managed Android 13 device, the user does not have a Work tab, this is a finding.

Fix: F-62141r929513_fix

Configure the Google Android 13 device for BYOD (work profile for employee-owned devices [BYOD]). On the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD). Refer to the EMM documentation to determine how to configure the device.

b

The Google Android 13 work profile must be configured to disable automatic completion of workspace internet browser text input.

CM-6 - Medium - CCI-000366 - V-258493 - SV-258493r929517_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-710400

Vuln IDs

V-258493

Rule IDs

SV-258493r929517_rule

The autofill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill functionality, an adversary who learns a user's Android 13 device password, or who otherwise can unlock the device, may be able to further breach other systems by relying on the autofill feature to provide information unknown to the adversary. By disabling the autofill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62233r929515_chk

Review the work profile Chrome Browser app on the Google Android 13 autofill setting. This procedure is performed only on the EMM Administrator console. On the EMM console: 1. Open "Managed Configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Verify "SearchSuggestEnabled" is turned "OFF". If on the EMM console autofill is set to "On" in the Chrome Browser Settings, this is a finding.

Fix: F-62142r929516_fix

Configure the Chrome browser on the Google Android 13 device work profile to disable autofill. On the EMM console: 1. Open "Managed Configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Ensure "SearchSuggestEnabled" is turned "OFF". Refer to the EMM documentation to determine how to configure Chrome Browser Settings.

b

The Google Android 13 work profile must be configured to disable the autofill services.

CM-6 - Medium - CCI-000366 - V-258494 - SV-258494r929520_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-710500

Vuln IDs

V-258494

Rule IDs

SV-258494r929520_rule

The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill services, an adversary who learns a user's Android 13 device password, or who otherwise can unlock the device, may be able to further breach other systems by relying on the autofill services to provide information unknown to the adversary. By disabling the autofill services, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. Examples of apps that offer autofill services include Samsung Pass, Google, Dashlane, LastPass, and 1Password. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62234r929518_chk

Review the Google Android 13 work profile configuration settings to confirm that autofill services are disabled. This procedure is performed only on the EMM Administration console. On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow autofill" is toggled to "ON". If on the EMM console "disallow autofill" is not selected, this is a finding.

Fix: F-62143r929519_fix

Configure the Google Android 13 device work profile to disable the autofill services. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow autofill" to "ON".

c

Android 13 devices must have the latest available Google Android 13 operating system installed.

CM-6 - High - CCI-000366 - V-258495 - SV-258495r929523_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

GOOG-13-710800

Vuln IDs

V-258495

Rule IDs

SV-258495r929523_rule

Required security features are not available in earlier operating system versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62235r929521_chk

Review device configuration settings to confirm the Google Android device has the most recently released version of managed Google Android 13 installed. This procedure is performed on both the EMM console and the managed Google Android 13 device. In the EMM management console, review the version of Google Android 13 installed on a sample of managed devices. This procedure will vary depending on the EMM product. To determine the installed operating system version on the managed Google Android 13 device: 1. Open Settings. 2. Tap "About phone". 3. Verify "Build number". If the installed version of the Google Android 13 operating system on any reviewed device is not the latest released by Google, this is a finding. Google's Android operating system patch website: https://source.android.com/security/bulletin/ Android versions for Pixel devices: https://developers.google.com/android/images

Fix: F-62144r929522_fix

Install the latest released version of the Google Android 13 operating system on all managed Google devices. Note: Google Android device operating system updates are released directly by Google or can be distributed via the EMM. Check each device manufacturer and/or carriers for current updates.

a

Android 13 devices must be configured to disable the use of third-party keyboards (work profile only).

CM-6 - Low - CCI-000366 - V-258496 - SV-258496r929526_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GOOG-13-710900

Vuln IDs

V-258496

Rule IDs

SV-258496r929526_rule

Many third-party keyboard applications are known to contain malware. SFR ID: FMT_SMF_EXT.1.1 #47

Checks: C-62236r929524_chk

Review the managed Google Android 13 configuration settings to confirm that no third-party keyboards are enabled (work profile only). This procedure is performed on the EMM console. On the EMM console: 1. Open "Input methods". 2. Tap "Set input methods". 3. Verify only the approved keyboards are selected. If unapproved third-party keyboards are allowed in the work profile, this is a finding.

Fix: F-62145r929525_fix

Configure the Google Android 13 device to disallow the use of third-party keyboards (work profile only). On the EMM console: 1. Open "Input methods". 2. Tap "Set input methods". 3. Select only the approved keyboards. Additionally, admins can configure application allowlists for Google Play so no third-party keyboards are available for user installation.

b

The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).

CM-6 - Medium - CCI-000366 - V-258497 - SV-258497r929529_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GOOG-13-712300

Vuln IDs

V-258497

Rule IDs

SV-258497r929529_rule

DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DOD root and intermediate PKI certificates to the Administrator mitigates this risk. SFR ID: FMT_MOF_EXT.1.2 #47

Checks: C-62237r929527_chk

Review the device configuration to confirm that the user is unable to remove DOD root and intermediate PKI certificates (work profile). On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow config credentials" is toggled to "ON". On the Google Android 13 device: 1. Open Settings. 2. Tap "Security and privacy". 3. Tap "More security settings". 4. Tap "Encryption & credentials". 5. Tap "Trusted credentials". 6. Verify the user is unable to untrust or remove any work certificates. If the user can remove certificates on the Google Android 13 device, this is a finding.

Fix: F-62146r929528_fix

Configure Google Android 13 device to prevent a user from removing DOD root and intermediate PKI certificates (work profile). On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow config credentials" to "ON".

Content changes 1

Checks: C-62215r950986_chk

Fix: F-62124r929462_fix

Generate Mitigation Statement:

Checks: C-62216r929464_chk

Fix: F-62125r929465_fix

Generate Mitigation Statement:

Checks: C-62217r929467_chk

Fix: F-62126r929468_fix

Generate Mitigation Statement:

Checks: C-62218r929470_chk

Fix: F-62127r929471_fix

Generate Mitigation Statement:

Checks: C-62219r929473_chk

Fix: F-62128r929474_fix

Generate Mitigation Statement:

Checks: C-62220r929476_chk

Fix: F-62129r929477_fix

Generate Mitigation Statement:

Checks: C-62221r929479_chk

Fix: F-62130r929480_fix

Generate Mitigation Statement:

Checks: C-62222r929482_chk

Fix: F-62131r929483_fix

Generate Mitigation Statement:

Checks: C-62223r929485_chk

Fix: F-62132r929486_fix

Generate Mitigation Statement:

Checks: C-62224r929488_chk

Fix: F-62133r929489_fix

Generate Mitigation Statement:

Checks: C-62225r929491_chk

Fix: F-62134r929492_fix

Generate Mitigation Statement:

Checks: C-62226r929494_chk

Fix: F-62135r929495_fix

Generate Mitigation Statement:

Checks: C-62227r929497_chk

Fix: F-62136r929498_fix

Generate Mitigation Statement:

Checks: C-62228r929500_chk

Fix: F-62137r929501_fix

Generate Mitigation Statement:

Checks: C-62229r929503_chk

Fix: F-62138r929504_fix

Generate Mitigation Statement:

Checks: C-62230r929506_chk

Fix: F-62139r929507_fix

Generate Mitigation Statement:

Checks: C-62231r929509_chk

Fix: F-62140r929510_fix

Generate Mitigation Statement:

Checks: C-62232r929512_chk

Fix: F-62141r929513_fix

Generate Mitigation Statement:

Checks: C-62233r929515_chk

Fix: F-62142r929516_fix

Generate Mitigation Statement:

Checks: C-62234r929518_chk

Fix: F-62143r929519_fix

Generate Mitigation Statement:

Checks: C-62235r929521_chk

Fix: F-62144r929522_fix

Generate Mitigation Statement:

Checks: C-62236r929524_chk

Fix: F-62145r929525_fix

Generate Mitigation Statement:

Checks: C-62237r929527_chk

Fix: F-62146r929528_fix

Generate Mitigation Statement: