diff --git a/benchmarks/DISA/U_Google_Android_14_BYOAD_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_Google_Android_14_BYOAD_STIG_V1R1_Manual-xccdf.xml
new file mode 100644
index 000000000..285e8288d
--- /dev/null
+++ b/benchmarks/DISA/U_Google_Android_14_BYOAD_STIG_V1R1_Manual-xccdf.xml
@@ -0,0 +1,123 @@
+acceptedGoogle Android 14 BYOAD Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 13 Mar 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>PP-BYO-000020<GroupDescription></GroupDescription>GOOG-14-800200The EMM system supporting the Google Android 14 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.<VulnDiscussion>DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure.
+
+Examples of possible EMM security controls are as follows:
+1. Device access restrictions: Restrict or isolate access based on the devices access type (i.e., from the internet), authentication type (e.g., password), credential strength, etc.
+2. User and device activity monitoring: Configured to detect anomalous activity, malicious activity, and unauthorized attempts to access DOD information.
+3. Device health tracking: Monitor device attestation, health, and agents reporting compromised applications, connections, intrusions, and/or signatures.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)ii, 3.b.(2)ii.1 & 2).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM system supporting the Google Android 14 BYOAD to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline. The exact procedure will depend on the EMM system used at the site.Verify the EMM system supporting the Google Android 14 BYOAD has been configured to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline. The exact procedure will depend on the EMM system used at the site.
+
+If the EMM system supporting the Google Android 14 BYOAD has not been configured to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices, this is a finding.PP-BYO-000030<GroupDescription></GroupDescription>GOOG-14-800300The EMM system supporting the Google Android 14 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Google Android 14 BYOAD access to DOD information and IT resources.<VulnDiscussion>DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)iii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM system supporting the Google Android 14 BYOAD to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources. The exact procedure will depend on the EMM system used at the site.Verify the EMM system supporting the Google Android 14 BYOAD has been configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources. The exact procedure will depend on the EMM system used at the site.
+
+If the EMM system supporting the Google Android 14 BYOAD has not been configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources, this is a finding.PP-BYO-000040<GroupDescription></GroupDescription>GOOG-14-800400The EMM system supporting the Google Android 14 BYOAD must be configured to detect if the Google Android 14 BYOAD native security controls are disabled.<VulnDiscussion>Examples of indicators that the native device native security controls have been disabled include jailbroken or rooted devices.
+
+DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure. Detection via collecting and analysis of BYOAD generated logs for noncompliance indicators is acceptable.
+
+This detection capability must be implemented prior to BYOAD access to DOD information and IT resources and continuously monitored on the DOD-managed segment of the BYOAD enrolled in the program. If non-DOD information (i.e., personal user data, device information) outside the DOD-managed segment of the BYOAD is required to be accessed, collected, monitored, tracked (i.e., location), or maintained, the circumstances under which this may be done must be outlined in the user agreement.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)iii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM system supporting the Google Android 14 BYOAD to detect if the BYOAD native security controls are disabled. The exact procedure will depend on the EMM system used at the site.Verify the EMM system supporting the Google Android 14 BYOAD has been configured to detect if the BYOAD native security controls are disabled. The exact procedure will depend on the EMM system used at the site.
+
+If the EMM system supporting the Google Android 14 BYOAD is not configured to detect if the BYOAD native security controls are disabled, this is a finding.PP-BYO-000050<GroupDescription></GroupDescription>GOOG-14-800500The EMM system supporting the Google Android 14 BYOAD must be configured to detect if known malicious applications, blocked, or prohibited applications are installed on the Google Android 14 BYOAD (DOD-managed segment only).<VulnDiscussion>DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure. Detection via collecting and analysis of BYOAD generated logs for noncompliance indicators is acceptable.
+
+This detection capability must be implemented prior to AMD (Approved Mobile Device, called BYOAD device in the STIG) enrollment, AMD access to DOD information and IT resources, and continuously monitored on the DOD-managed segment of the AMD enrolled in the program. If non-DOD information (i.e., personal user data, device information) outside the DOD-managed segment of the AMD is required to be accessed, collected, monitored, tracked (i.e., location), or maintained, the circumstances under which this may be done must be outlined in the user agreement.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)iii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Implement an app vetting process before work profile apps are placed in the MDM app repository.Verify an app vetting process is being used to vet apps before work profile apps are placed in the MDM app repository.
+
+If an app vetting process is not being used to vet apps before work profile apps are placed in the MDM app repository, this is a finding.PP-BYO-000070<GroupDescription></GroupDescription>GOOG-14-800700The EMM detection/monitoring system must use continuous monitoring of enrolled Google Android 14 BYOAD.<VulnDiscussion>DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure. Continuous monitoring must be used to ensure all noncompliance events will be seen by the detection system.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)iii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM detection/monitoring system to use continuous monitoring of enrolled Google Android 14 BYOAD. The exact procedure will depend on the EMM system used at the site.Verify the EMM detection/monitoring system is configured to use continuous monitoring of enrolled Google Android 14 BYOAD. The exact procedure will depend on the EMM system used at the site.
+
+If the EMM detection/monitoring system is not configured to use continuous monitoring of enrolled Google Android 14 BYOAD, this is a finding.PP-BYO-000080<GroupDescription></GroupDescription>GOOG-14-800800The Google Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects that native security controls are disabled.<VulnDiscussion>Examples of indicators that the native device security controls have been disabled include jailbroken or rooted devices.
+
+When a BYOAD is out of compliance, DOD data and apps must be removed to protect against compromise of sensitive DOD information.
+
+Note: The site should review DOD and local data retention policies before wiping the work profile of a BYOAD device.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.b.(4) 3.b.(5)i).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM to either disable access to DOD data and IT systems and user accounts on the Google Android 14 BYOAD or wipe the work profile if it has been detected that native BYOAD security controls are disabled (e.g., jailbroken/rooted). The exact procedure will depend on the EMM system used at the site.Verify the EMM has been configured to either disable access to DOD data, IT systems, and user accounts on the Google Android 14 BYOAD or wipe the work profile if it has been detected that native BYOAD security controls are disabled (e.g., jailbroken/rooted). The exact procedure will depend on the EMM system used at the site.
+
+If the EMM has not been configured to either disable access to DOD data, IT systems, and user accounts on the Google Android 14 BYOAD or wipe the work profile if it has been detected that native BYOAD security controls are disabled, this is a finding.PP-BYO-000090<GroupDescription></GroupDescription>GOOG-14-800900The Google Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects the Google Android 14 BYOAD device has known malicious, blocked, or prohibited applications, or configured to access nonapproved third-party applications stores in the work profile.<VulnDiscussion>When a BYOAD is out of compliance, DOD data and apps must be removed to protect against compromise of sensitive DOD information.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)iii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM system to either disable access to DOD data and IT systems and user accounts or wipe the work profile if it has detected the Google Android 14 BYOAD device has known malicious, blocked, or prohibited managed applications, or configured to access nonapproved third-party applications stores for managed apps. The exact procedure will depend on the EMM system used at the site.Verify the EMM system has been configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if it has detected the Google Android 14 BYOAD device has known malicious, blocked, or prohibited managed applications, or configured to access nonapproved third-party applications stores for managed apps. The exact procedure will depend on the EMM system used at the site.
+
+If the EMM system has not been configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if it has detected the Google Android 14 BYOAD device has known malicious, blocked, or prohibited managed applications, or configured to access nonapproved third-party applications stores for managed apps, this is a finding.PP-BYO-000100<GroupDescription></GroupDescription>GOOG-14-801000The Google Android 14 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.<VulnDiscussion>When a BYOAD is out of compliance, DOD data and apps must be removed to protect against compromise of sensitive DOD information.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.b.(1)ii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Configure the EMM system so the work profile is removed if the Google Android 14 BYOAD is no longer receiving security or software updates. The exact procedure will depend on the EMM system used at the site.Verify the EMM system is configured to wipe the work profile if the Google Android 14 BYOAD is no longer receiving security or software updates. The exact procedure will depend on the EMM system used at the site.
+
+If the EMM system is not configured to wipe the work profile if the Google Android 14 BYOAD is no longer receiving security or software updates, this is a finding.PP-BYO-000110<GroupDescription></GroupDescription>GOOG-14-801100The Google Android 14 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.<VulnDiscussion>Note: IT resources includes DOD networks and applications (for example, DOD email).
+
+The System Administrator must have the capability to limit access of the BYOAD to DOD networks and DOD IT resources based on mission needs and risk. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information. The AO should document networks, IT resources, and enterprise applications that BYOAD can access.
+
+Examples of EMM security controls are as follows:
+1. Device access restrictions: Restrict or isolate access based on the devices access type (i .e., from the internet), authentication type (e.g., password), credential strength, etc.
+2. User and device activity monitoring: Configured to detect anomalous activity, malicious activity, and unauthorized attempts to access DOD information.
+3. Device health tracking: Monitor device attestation, health, and agents reporting compromised applications, connections, intrusions, and/or signatures.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.b.(2)ii).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000213Configure the EEM system and DOD enterprise to limit the Google Android 14 BYOAD access to only AO-approved enterprise IT resources. The exact procedure will depend on the EMM system used and IT resources at the site.Verify the EMM system and DOD enterprise have been configured to limit the Google Android 14 BYOAD access to only AO-approved enterprise IT resources. The exact procedure will depend on the EMM system used and IT resources at the site.
+
+If the EMM system and DOD enterprise have not been configured to limit Google Android 14 BYOAD access to only AO-approved enterprise IT resources, this is a finding.PP-BYO-000200<GroupDescription></GroupDescription>GOOG-14-802000The EMM system supporting the Google Android 14 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).<VulnDiscussion>Note: For a VMI solution, both the client and server must be NIAP compliant.
+
+Nonapproved EMM systems may not include sufficient controls to protect work data, applications, and networks from malware or adversary attack. EMM: mobile device management (MDM), mobile application management (MAM), mobile content management (MCM), or virtual mobile infrastructure (VMI).
+
+Components must only approve devices listed on the NIAP compliant product list or products listed in evaluation at the following links:
+- https://www.niap-ccevs.org/Product/
+- https://www.niap-ccevs.org/Product/PINE.cfm
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(2)).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Only use an EMM system supporting the Google Android 14 BYOAD that is NIAP validated (included on the NIAP list of compliant products or products in evaluation), unless the DOD CIO has granted an Approved Exception to Policy (E2P).
+
+Note: For a VMI solution, both the client and server components must be NIAP compliant.Verify the EMM system supporting the Google Android 14 BYOAD is NIAP-validated (included on the NIAP list of compliant products or products in evaluation). If not, verify the DOD CIO has granted an Approved Exception to Policy (E2P).
+
+Note: For a VMI solution, both the client and server components must be NIAP compliant.
+
+If the EMM system supporting the Google Android 14 BYOAD is not NIAP-validated (included on the NIAP list of compliant products or products in evaluation) and the DOD CIO has not granted an Approved Exception to Policy (E2P), this is a finding.PP-BYO-000210<GroupDescription></GroupDescription>GOOG-14-802100The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.<VulnDiscussion>DOD policy states BYOAD owners must sign a user agreement and be made aware of what personal data and activities will be monitored by the Enterprise by including this information in the user agreement.
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.a.(3)ii, and 3.c.(4)).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools in the user agreement.Verify the user agreement includes a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.
+
+If the user agreement does not include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools, this is a finding.PP-BYO-000220<GroupDescription></GroupDescription>GOOG-14-802200The DOD Mobile Service Provider must not allow Google Android 14 BYOADs in facilities where personally owned mobile devices are prohibited.<VulnDiscussion>DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure.
+
+Follow local physical security procedures regarding allowing or prohibiting personally owned mobile devices in a DOD facility. If BYOAD devices are brought into facilities where the AO has determined the risk of using personal devices is unacceptable, this could lead to the exposure of sensitive DOD data.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000382Do not allow BYOADs in facilities where personally owned mobile devices are prohibited.Verify the DOD Mobile Service Provider or ISSO/ISSM do not allow BYOADs in facilities where personally owned mobile devices are prohibited.
+
+If the DOD Mobile Service Provider or ISSO/ISSM allows BYOADs in facilities where personally owned mobile devices are prohibited, this is a finding.PP-BYO-000230<GroupDescription></GroupDescription>GOOG-14-802300The Google Android 14 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.<VulnDiscussion>In some DOD operational environments, the use of the mobile device camera or microphone could lead to a security incident or compromise of DOD information. The System Administrator must have the capability to disable the mobile device camera and/or microphone based on mission needs. Alternatively, mobile devices with cameras or microphones that cannot be disabled must be prohibited from the facility by the ISSO/ISSM.
+
+If BYOAD devices are brought into facilities where the AO has determined the risk of using mobile device cameras or microphones is unacceptable, this could lead to the exposure of sensitive DOD data.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000382Do not allow Google Android 14 BYOADs in DOD facilities where mobile phone cameras and/or microphones are prohibited.
+
+It is not possible for the MDM to disable camera and microphones on an Android device in BYOD mode.Verify Google Android 14 BYOADs are prohibited in DOD facilities that prohibit mobile devices with cameras and microphones. (It is not possible for the MDM to disable camera and microphones on an Android device in BYOD mode.)
+
+If for DOD sites that prohibit mobile devices with cameras and microphones, Google Android 14 BYOADs have not been prohibited from the facility by the ISSO/ISSM, this is a finding.PP-BYO-000200<GroupDescription></GroupDescription>GOOG-14-802800The mobile device used for BYOAD must be NIAP validated.<VulnDiscussion>Nonapproved mobile devices may not include sufficient controls to protect work data, applications, and networks from malware or adversary attack.
+
+Components must only approve devices listed on the NIAP compliant product list or products listed in evaluation at the following links respectfully:
+- https://www.niap-ccevs.org/Product/
+- https://www.niap-ccevs.org/Product/PINE.cfm
+
+Reference: DOD policy "Use of Non-Government Mobile Devices" (3.b.(1)i).
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 BYOADDISADPMS TargetGoogle Android 14 BYOAD5588CCI-000366Use only mobile devices for BYOAD that are NIAP validated (included on the NIAP list of compliant products or products in evaluation).Verify the mobile device used for BYOAD is NIAP validated (included on the NIAP list of compliant products or products in evaluation).
+
+If the mobile device used for BYOAD is not NIAP validated (included on the NIAP list of compliant products or products in evaluation), this is a finding.
\ No newline at end of file
diff --git a/benchmarks/DISA/U_Google_Android_14_MDF_PP_3-3_BYOAD_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_Google_Android_14_MDF_PP_3-3_BYOAD_STIG_V1R1_Manual-xccdf.xml
new file mode 100644
index 000000000..e7c014a8c
--- /dev/null
+++ b/benchmarks/DISA/U_Google_Android_14_MDF_PP_3-3_BYOAD_STIG_V1R1_Manual-xccdf.xml
@@ -0,0 +1,592 @@
+acceptedGoogle Android 14 MDFPP 3.3 BYOAD Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 13 Mar 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>PP-MDF-331090<GroupDescription></GroupDescription>GOOG-14-701100Google Android 14 must prohibit DOD VPN profiles in the Personal Profile.<VulnDiscussion>If DOD VPN profiles are configured in the Personal Profile DOD sensitive data world be at risk of compromise and the DOD network could be at risk of being attacked by malware installed on the device.
+
+SFR ID: FMT_SMF_EXT.1.1 #3</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366CCI-000370Do not configure DOD VPN profiles in the Personal Profile. If there is a DOD VPN profile configured in the Personal Profile, remove it.Review the list of VPN profiles in the Personal Profile and determine if any VPN profiles are listed. If so, verify the VPN profiles are not configured with a DOD network VPN profile.
+
+If any VPN profiles are installed in the Personal Profile and they have a DOD network VPN profile configured, this is a finding.
+Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.PP-MDF-333024<GroupDescription></GroupDescription>GOOG-14-706000Google Android 14 must be configured to enforce a minimum password length of six characters and not allow passwords that include more than four repeating or sequential characters.<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.
+
+Satisfies: PP-MDF-333024,PP-MDF-333025
+
+SFR ID: FMT_SMF_EXT.1.1 #1a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000205Configure the Google Android 14 device to enforce high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters). In addition, enable OneLock so the user only must enter their device password to unlock the Work Profile. Note: enabling OneLock is optional and is a two-step process: configuration on the EMM and configuration by the user on the phone. If OneLock is not used, the user will always need to enter separate passwords to unlock the device and to unlock the Work Profile.
+
+1. Set the password on the whole device:
+Set device password complexity to "HIGH" (requires (at minimum) an eight numeric character password, or six alphabetic character password, or a six alphanumeric character password).
+
+On the EMM console, do the following:
+
+a. Open "Lock screen" settings.
+b. Open "Set required password complexity on parent".
+c. Select "High".
+
+2. Set DOD password for the Work Profile.
+
+On the EMM console, do the following:
+a. Open "Lock screen" settings.
+b. Open "Password constraints".
+c. Open "Minimum password quality".
+d. Choose Numeric Complex, Alphabetic, Alphanumeric, or Complex.
+e. Open "Minimum password length".
+f. Enter in the number of characters as "6".
+
+3. Enable OneLock on the EMM.
+
+On the MDM console, do the following:
+a. Disable the following Android API: "DISALLOW_UNIFIED_PASSWORD". The exact procedure will depend on the EMM product.
+Note: this control may be called "Require separate challenge".
+
+4. Train users to implement OneLock with the following User Based Enforcement (UBE): procedure:
+
+a. Open Settings >> Security & privacy >> More security settings.
+b. Enable "Use one lock".Review managed Google Android 14 device configuration settings to determine if the mobile device is enforcing a high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters).
+
+1. Verify the device password configuration:
+
+On the EMM Console:
+a. Open "Lock screen" settings.
+b. Open "Set required password complexity on parent".
+c. Verify "High" is selected.
+
+2. Verify the Work Profile password configuration:
+
+On the EMM console (for the work profile):
+1. Open "Lock screen" settings.
+2. Open "Password constraints".
+3. Open "Minimum password quality".
+4. Verify Numeric Complex, Alphabetic, Alphanumeric, or Complex is selected.
+5. Open "Minimum password length".
+6. Verify "6" is set for number of characters.
+
+If the device password quality is not set to High, or the Work Profile password length is not set to six characters, or the password quality is not set as required, this is a finding.
+
+Note: verifying the OneLock configuration is not required because the use of OneLock is optional.PP-MDF-333026<GroupDescription></GroupDescription>GOOG-14-706200Google Android 14 must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.<VulnDiscussion>The screen-lock timeout helps protect the device from unauthorized access. Devices without a screen-lock timeout provide an opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device and possibly access to DOD networks.
+
+SFR ID: FMT_SMF_EXT.1.1 #2a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000057Configure the Google Android 14 device to enable a screen-lock policy that will lock the display after a period of inactivity.
+
+On the EMM Console:
+
+1. Open "Lock screen" settings.
+2. Open "Lock screen restrictions".
+3. Set "Max time to screen lock" to any number desired.
+Note: The units are in seconds.Review managed Google Android 14 device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of inactivity.
+
+This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device.
+
+On the EMM Console:
+
+1. Open "Lock screen" settings.
+2. Open "Lock screen restrictions".
+3. Verify that "Max time to screen lock" is set to any number desired; the units are in seconds.
+
+On the managed Google Android 14 device:
+
+1. Open Settings >> Display.
+2. Tap "Screen timeout".
+3. Ensure the Screen timeout value is set to the desired value and cannot be set to a larger value.
+
+If the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity, this is a finding.PP-MDF-333030<GroupDescription></GroupDescription>GOOG-14-706300Google Android 14 must be configured to lock the display after 15 minutes (or less) of inactivity.<VulnDiscussion>The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.
+
+SFR ID: FMT_SMF_EXT.1.1 #2b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000057Configure the Google Android 14 device to enable a screen-lock policy of 15 minutes for the max period of inactivity.
+
+Note: Google Android 14 does not support the 15 minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control will be set to 10 minutes.
+
+On the EMM Console:
+
+1. Open "Lock screen restrictions".
+2. Set "Max time to screen lock" to "600".
+Note: The units are in seconds.Review managed Google Android device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of 15 minutes or less of inactivity.
+
+Note: Google Android 14 does not support the 15-minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control should be set to 10 minutes.
+
+This validation procedure is performed on both the EMM Administration Console and the Android 14 device.
+
+On the EMM Console:
+
+1. Open "Lock screen restrictions".
+2. Verify that "Max time to screen lock" is set to "600".
+Note: The units are in seconds.
+
+On the managed Google Android 14 device:
+
+1. Open Settings >> Display.
+2. Tap "Screen timeout".
+3. Ensure the Screen timeout value is set to "600" seconds or less.
+
+If the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity of 600 seconds or less, this is a finding.PP-MDF-333040<GroupDescription></GroupDescription>GOOG-14-706400Google Android 14 must be configured to not allow more than 10 consecutive failed authentication attempts.<VulnDiscussion>The more attempts an adversary makes to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.
+
+SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000044Configure the Google Android 14 device to allow only 10 or fewer consecutive failed authentication attempts.
+Note: Work Profile will be wiped.
+
+On the EMM Console:
+
+1. Open "Lock screen" settings.
+2. Open "Lock screen restrictions".
+3. Set "Max password failures for local wipe" to a number between 1 and 10.Review managed Google Android 14 device configuration settings to determine if the work profile has the maximum number of consecutive failed authentication attempts set at 10 or fewer.
+
+This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device.
+
+On the EMM Console:
+
+1. Open "Lock screen" settings.
+2. Open "Lock screen restrictions".
+3. Verify that "Max password failures for local wipe" is set to a number between 1 and 10.
+
+On the managed Google Android 14 device:
+
+1. Lock the device screen.
+2. Attempt to unlock the device and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile.
+3. Attempt to unlock the Work Profile and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile.
+
+If the EMM console device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, or if on the managed Google Android 14 device the device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, this is a finding.PP-MDF-333050<GroupDescription></GroupDescription>GOOG-14-706500Google Android 14 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DOD data accessible by these unauthorized/malicious applications.
+
+SFR ID: FMT_SMF_EXT.1.1 #8a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device to disable unauthorized application repositories.
+
+On the EMM Console:
+
+1. Open "Set user restrictions".
+2. Toggle "Disallow install unknown sources" to "ON".
+3. Toggle "Disallow installs from unknown sources globally" to "ON".Review managed Google Android 14 device configuration settings to determine if the mobile device has only approved application repositories.
+
+This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device.
+
+On the EMM Console:
+
+1. Open "Set user restrictions".
+2. Verify that "Disallow install unknown sources" is toggled to "ON".
+3. Verify that "Disallow installs from unknown sources globally" is toggled to "ON".
+
+On the Google Android 14 device:
+
+1. Open Settings >> Apps >> Special app access.
+2. Open Install unknown apps.
+3. Ensure the list of apps is blank or if an app is on the list, "Disabled" is listed under the app name.
+
+If the EMM console device policy is not set to allow connections to only approved application repositories or on the managed Google Android 14 device, the device policy is not set to allow connections to only approved application repositories, this is a finding.PP-MDF-333060<GroupDescription></GroupDescription>GOOG-14-706600Google Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].<VulnDiscussion>The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.
+
+Core application: Any application integrated into the OS by the OS or MD vendors.
+
+Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
+
+Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications.
+
+The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and preinstalled applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.
+
+SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-001764Configure the Google Android 14 device to use an application allowlist.
+
+On the EMM Console:
+
+1. Go to the Android app catalog for managed Google Play.
+2. Select apps to be available (only approved apps).
+3. Push updated policy to the device.
+
+Note: Managed Google Play is an allowed App Store.Review managed Google Android 14 device configuration settings to determine if the mobile device has an application allowlist configured. Verify all applications listed on the allowlist have been approved by the Approving Official (AO).
+
+On the EMM console:
+
+1. Go to the Android app catalog for managed Google Play.
+2. Verify all selected apps are AO approved.
+
+On the managed Google Android 14 device:
+
+1. Open the managed Google Play Store.
+2. Verify that only the approved apps are visible.
+
+Note: Managed Google Play is an allowed App Store.
+
+If the EMM console list of selected managed Google Play apps includes nonapproved apps, this is a finding.
+
+Note: The application allowlist will only include approved core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. For Google Android, there are no pre-installed applications.PP-MDF-333070<GroupDescription></GroupDescription>GOOG-14-706700Google Android 14 allowlist must be configured to not include applications with the following characteristics (work profile only):
+
+1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
+2. Transmit MD diagnostic data to non-DOD servers;
+3. Voice assistant application if available when MD is locked;
+4. Voice dialing application if available when MD is locked;
+5. Allows synchronization of data or applications between devices associated with user; and
+6. Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.
+7. Apps which backup their own data to a remote system.<VulnDiscussion>Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DOD data or have features with no known application in the DOD environment.
+
+Application Note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.
+
+Core application: Any application integrated into the OS by the OS or MD vendors.
+
+Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
+
+SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device application allowlist to exclude applications with the following characteristics:
+
+- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
+- Transmit MD diagnostic data to non-DOD servers;
+- Voice assistant application if available when MD is locked;
+- Voice dialing application if available when MD is locked;
+- Allows synchronization of data or applications between devices associated with user;
+- Payment processing;
+- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers; and
+- Apps which backup their own data to a remote system.
+
+On the EMM Console:
+
+1. Go to the Android app catalog for managed Google Play.
+2. Before selecting an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics.Review managed Google Android 14 device configuration settings to determine if the mobile device has an application allowlist configured and that the application allowlist does not include applications with the following characteristics:
+
+- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
+- Transmit MD diagnostic data to non-DOD servers;
+- Voice assistant application if available when MD is locked;
+- Voice dialing application if available when MD is locked;
+- Allows synchronization of data or applications between devices associated with user;
+- Payment processing;
+- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers; and
+- Apps which backup their own data to a remote system.
+
+This validation procedure is performed only on the EMM Administration Console.
+
+On the EMM console:
+
+1. Review the list of selected Managed Google Play apps.
+2. Review the details and privacy policy of each selected app to ensure the app does not include prohibited characteristics.
+
+If the EMM console device policy includes applications with unauthorized characteristics, this is a finding.PP-MDF-333080<GroupDescription></GroupDescription>GOOG-14-706800Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection:
+a. email notifications
+b. calendar appointments
+c. contact associated with phone call notification
+d. text message notification
+e. other application-based notifications
+f. all notifications].<VulnDiscussion>Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the mobile operating system (MOS) to not send notifications to the lock screen mitigates this risk.
+
+SFR ID: FMT_SMF_EXT.1.1 #18</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000060Configure the Google Android 14 device to not display (work profile) notifications when the device is locked.
+
+On the EMM console:
+
+1. Open "Lock screen" settings.
+2. Open "Lock screen restrictions".
+3. Toggle "Disable unredacted notifications".Review managed Google Android 14 device settings to determine if the Google Android 14 device displays (work profile) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked.
+
+This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device.
+
+On the EMM console:
+
+1. Open "Lock screen" settings.
+2. Open "Lock screen restrictions".
+3. Verify that "Disable unredacted notifications" is toggled to "ON".
+
+On the managed Google Android 14 device:
+
+1. Go to Settings >> Display >> Lock screen.
+2. Tap on "When work profile is locked".
+3. Verify that "Hide sensitive work content" is selected.
+
+If the EMM console device policy allows work notifications on the lock screen, or the managed Google Android 14 device allows work notifications on the lock screen, this is a finding.PP-MDF-333110<GroupDescription></GroupDescription>GOOG-14-707200Google Android 14 must be configured to disable trust agents.<VulnDiscussion>Trust agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of nonpassword authentication mechanisms, users are forced to use passcodes that meet DOD passcode requirements.
+
+SFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000767Configure the Google Android 14 device to disable trust agents at the same location where the DOD password is implemented (device or work profile).
+
+On the EMM console:
+
+1. Open "Lock screen restrictions".
+2. Select "Personal Profile".
+3. Toggle "Disable trust agents" to "ON".
+4. Open "Lock screen restrictions".
+5. Select "Work Profile".
+6. Toggle "Disable trust agents" to "ON".Review device configuration settings to confirm that trust agents are disabled at the same location where the DOD password is implemented (device or work profile).
+
+This procedure is performed on both the EMM Administration console and the managed Google Android 14 device.
+
+On the EMM console:
+1. Open "Lock screen restrictions".
+2. Select "Personal Profile".
+3. Verify that "Disable trust agents" is toggled to "ON".
+4. Open "Lock screen restrictions".
+5. Select "Work Profile".
+6. Verify that "Disable trust agents" is toggled to "ON".
+
+On the managed Google Android 14 device:
+
+1. Open Settings.
+2. Tap "Security & privacy".
+3. Tap "More security settings".
+4. Tap "Trust agents".
+5. Verify that all listed trust agents are disabled and cannot be enabled.
+
+If on the EMM console, "disable trust agents" is not selected, or on the managed Google Android 14 device a trust agent can be enabled, this is a finding.PP-MDF-333160<GroupDescription></GroupDescription>GOOG-14-707700Google Android 14 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the Work Profile.<VulnDiscussion>Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction.
+
+System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
+
+The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
+
+You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+For devices with severe character limitations, the banner text is:
+
+I've read & consent to terms in IS user agreem't.
+
+The administrator must configure the banner text exactly as written without any changes.
+
+SFR ID: FMT_SMF_EXT.1.1 #36</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000048Configure the DOD warning banner by the following method (required text is found in the Vulnerability Discussion):
+
+Place the DOD warning banner text in the user agreement signed by each Google Android 14 device user (preferred method).
+
+Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode.The DOD warning banner can be displayed using the following method (required text is found in the Vulnerability Discussion):
+
+Place the DOD warning banner text in the user agreement signed by each managed Android 14 device user (preferred method).
+
+Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode.
+
+Review the signed user agreements for Google Android 14 device users and verify the agreement includes the required DOD warning banner text.
+
+If the required warning banner text is not on all signed user agreements reviewed, this is a finding.PP-MDF-333250<GroupDescription></GroupDescription>GOOG-14-708600Google Android 14 must be configured to not allow backup of all work profile applications to remote systems.<VulnDiscussion>Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the mobile operating system (MOS). Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DOD devices may synchronize DOD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.
+
+SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-001090Configure the Google Android 14 device to disable backup to remote systems (including commercial clouds).
+
+On the EMM console:
+
+1. Open "Device owner management".
+2. Toggle "Enable backup service" to "OFF".Review managed Google Android 14 device configuration settings to determine if the capability to back up to a remote system has been disabled.
+
+Note: Since personal accounts cannot be added to the work profile (GOOG-14-710100), this control only impacts personal accounts, this setting is used to prevent violations within the work profile for backing up data. This is not applicable to the personal profile.
+
+This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device.
+
+On the EMM console:
+
+1. Open "Device owner management".
+2. Verify "Enable backup service" is toggled to "OFF".
+
+On the managed Google Android 14 device:
+
+1. Go to Settings >> System >> System >> Backup.
+2. Select "Work".
+3. Verify Backup settings is "Not available".
+
+If backup service for the work profile has not been disabled, this is a finding.PP-MDF-333280<GroupDescription></GroupDescription>GOOG-14-708900Google Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].<VulnDiscussion>App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DOD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk.
+
+Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.
+
+SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-002233CCI-002530Configure the Google Android 14 device to enable the access control policy that prevents [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].
+
+Note: All application data is inherently sandboxed and isolated from other applications. To disable copy/paste on the EMM Console:
+
+1. Open "User restrictions".
+2. Open "Set user restrictions".
+3. Toggle "Disallow cross profile copy/paste" to "ON".
+4. Toggle "Disallow sharing data into the profile" to "ON".Review documentation on the managed Google Android 14 device and inspect the configuration on the Google Android device to verify the access control policy that prevents [selection: application processes] from accessing [selection: all] data stored by other [selection: application processes] is enabled.
+
+This validation procedure is performed only on the EMM Administration Console.
+
+On the EMM console:
+
+1. Open "User restrictions".
+2. Open "Set user restrictions".
+3. Verify that "Disallow cross profile copy/paste" is toggled to "ON".
+4. Verify that "Disallow sharing data into the profile" is toggled to "ON".
+
+If the EMM console device policy is not set to disable data sharing between profiles, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-709800Google Android 14 users must complete required training.<VulnDiscussion>The security posture of Google devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Google mobile device and DOD sensitive data may become compromised.
+
+SFR ID: NA</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366All Google Android 14 device users must complete training on the following training topics (users must acknowledge that they have reviewed training via a signed User Agreement or similar written record):
+- Operational security concerns introduced by unmanaged applications/unmanaged personal space, including applications using global positioning system (GPS) tracking.
+- The need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email).
+- If the Purebred key management app is used, users are responsible for always maintaining positive control of their credentialed device. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure that a factory data reset is performed prior to device hand-off. Follow mobility service provider decommissioning procedures as applicable.
+- How to configure the following UBE controls (users must configure the control) on the Google device:
+**Do not remove DOD intermediate and root PKI digital certificates.
+**Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space.
+-How to implement OneLock.
+-Screenshots will not be taken of any "work"-related managed data.
+-Screenshots will not be taken of any "work"-related managed data.Review a sample of site User Agreements for Google Android 14 device users or similar training records and training course content.
+
+Verify the Google Android 14 device users have completed the required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO.
+
+If any Google Android 14 device user has not completed the required training, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710000Google Android 14 must have the DOD root and intermediate PKI certificates installed (work profile only).<VulnDiscussion>DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DOD root and intermediate PKI certificates greatly diminishes the risk of this attack.
+
+SFR ID: FMT_SMF_EXT.1.1 #11</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device to install DOD root and intermediate certificates (work profile only).
+
+On the EMM console upload DOD root and intermediate certificates as part of the work profile.
+
+The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).Review device configuration settings to confirm that the DOD root and intermediate PKI certificates are installed (work profile only).
+
+This procedure is performed on both the EMM Administration console and the managed Google Android 14 device.
+
+The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).
+
+On the EMM console, verify that the DOD root and intermediate certificates are part of a device and/or work profile that is being pushed down to the devices.
+
+On the managed Google Android 14 device:
+
+1. Open Settings.
+2. Tap "Security & privacy".
+3. Tap "More security settings".
+4. Tap "Encryption & credentials".
+5. Tap "Trusted credentials".
+6. Verify that DOD root and intermediate PKI certificates are listed under the User tab in the Work section.
+
+If on the EMM console the DOD root and intermediate certificates are not listed in a profile, or the managed Android 14 device does not list the DOD root and intermediate certificates under the user tab, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710100The Google Android 14 work profile must be configured to prevent users from adding personal email accounts to the work email app.<VulnDiscussion>If the user can add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device to prevent users from adding personal email accounts to the work email app.
+
+On the EMM console:
+
+1. Open "Set user restrictions".
+2. Toggle "Disallow modify accounts" to "ON".
+
+Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app.Review the managed Google Android 14 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.
+
+This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device.
+
+On the EMM console:
+1. Open "Set user restrictions".
+2. Verify "Disallow modify accounts" is toggled to "ON".
+
+On the managed Google Android 14 device:
+
+1. Open Settings.
+2. Tap "Passwords & accounts".
+3. Select "Work".
+4. Tap "Add account".
+5. Verify a message is displayed to the user stating, "Blocked by your IT admin".
+
+If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 14 device the user is able to add an account in the Work section, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710200The Google Android 14 work profile must be configured to enforce the system application disable list (work profile only).<VulnDiscussion>The system application disables list controls user access to/execution of all core and preinstalled applications.
+
+Core application: Any application integrated into Google Android 14 by Google.
+
+Preinstalled application: Additional noncore applications included in the Google Android 14 build by Google or the wireless carrier.
+
+Some system applications can compromise DOD data or upload users' information to non-DOD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DOD data or DOD user information.
+
+The site administrator must analyze all preinstalled applications on the device and disable all applications not approved for DOD use by configuring the system application disable list.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device to enforce the system application disable list (work profile only).
+
+The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance:
+
+On the EMM console:
+
+1. Open "Apps management" section.
+2. Select "Hide apps on parent".
+3. Enter package names of apps to hide.
+
+Configure a list of approved Google core and preinstalled apps in the core app allowlist.Review the managed Google Android 14 work profile configuration settings to confirm the system application disable list is enforced (work profile only). This setting is enforced by default. Verify only approved system apps have been placed on the core allowlist.
+
+This procedure is performed on the EMM Administrator console.
+
+Review the system app allowlist and verify only approved apps are on the list.
+
+1. Open "Apps management" section.
+2. Select "Hide apps on parent".
+3. Verify package names of apps are listed.
+
+If on the EMM console the system app allowlist contains unapproved core apps, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710300Google Android 14 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).<VulnDiscussion>The Android work profile for employee-owned devices (BYOD) is the designated application group for the BYOAD use case.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device for BYOD (work profile for employee-owned devices [BYOD]).
+
+On the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD).
+
+Refer to the EMM documentation to determine how to configure the device.Review that managed Google Android 14 is configured for BYOD (work profile for employee-owned devices [BYOD]).
+
+This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device.
+
+On the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD).
+
+On the managed Google Android 14 device:
+
+1. Go to the application drawer.
+2. Ensure a Personal tab and a Work tab are present.
+
+If on the EMM console, the default enrollment is not set for BYOD (work profile for employee-owned devices [BYOD]), or if on the managed Android 14 device, the user does not have a Work tab, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710400The Google Android 14 work profile must be configured to disable automatic completion of workspace internet browser text input.<VulnDiscussion>The autofill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill functionality, an adversary who learns a user's Android 14 device password, or who otherwise can unlock the device, may be able to further breach other systems by relying on the autofill feature to provide information unknown to the adversary. By disabling the autofill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Chrome browser on the Google Android 14 device work profile to disable autofill.
+
+On the EMM console:
+
+1. Open "Managed Configurations" section.
+2. Select the Chrome Browser version from the work profile.
+3. Ensure "SearchSuggestEnabled" is turned "OFF".
+
+Refer to the EMM documentation to determine how to configure Chrome Browser Settings.Review the work profile Chrome Browser app on the Google Android 14 autofill setting.
+
+This procedure is performed only on the EMM Administrator console.
+
+On the EMM console:
+
+1. Open "Managed Configurations" section.
+2. Select the Chrome Browser version from the work profile.
+3. Verify "SearchSuggestEnabled" is turned "OFF".
+
+If on the EMM console autofill is set to "On" in the Chrome Browser Settings, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710500The Google Android 14 work profile must be configured to disable the autofill services.<VulnDiscussion>The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill services, an adversary who learns a user's Android 14 device password, or who otherwise can unlock the device, may be able to further breach other systems by relying on the autofill services to provide information unknown to the adversary. By disabling the autofill services, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.
+
+Examples of apps that offer autofill services include Samsung Pass, Google, Dashlane, LastPass, and 1Password.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device work profile to disable the autofill services.
+
+On the EMM console:
+
+1. Open "Set user restrictions".
+2. Toggle "Disallow autofill" to "ON".Review the Google Android 14 work profile configuration settings to confirm that autofill services are disabled.
+
+This procedure is performed only on the EMM Administration console.
+
+On the EMM console:
+
+1. Open "Set user restrictions".
+2. Verify "Disallow autofill" is toggled to "ON".
+
+If on the EMM console "disallow autofill" is not selected, this is a finding.PP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710800Android 14 devices must have the latest available Google Android 14 operating system installed.<VulnDiscussion>Required security features are not available in earlier operating system versions. In addition, there may be known vulnerabilities in earlier versions.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Install the latest released version of the Google Android 14 operating system on all managed Google devices.
+
+Note: Google Android device operating system updates are released directly by Google or can be distributed via the EMM. Check each device manufacturer and/or carriers for current updates.Review device configuration settings to confirm the Google Android device has the most recently released version of managed Google Android 14 installed.
+
+This procedure is performed on both the EMM console and the managed Google Android 14 device.
+
+In the EMM management console, review the version of Google Android 14 installed on a sample of managed devices. This procedure will vary depending on the EMM product.
+
+To determine the installed operating system version on the managed Google Android 14 device:
+
+1. Open Settings.
+2. Tap "About phone".
+3. Verify "Build number".
+
+If the installed version of the Google Android 14 operating system on any reviewed device is not the latest released by Google, this is a finding.
+
+Google's Android operating system patch website: https://source.android.com/security/bulletin/
+
+Android versions for Pixel devices: https://developers.google.com/android/imagesPP-MDF-993300<GroupDescription></GroupDescription>GOOG-14-710900Android 14 devices must be configured to disable the use of third-party keyboards (work profile only).<VulnDiscussion>Many third-party keyboard applications are known to contain malware.
+
+SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366Configure the Google Android 14 device to disallow the use of third-party keyboards (work profile only).
+
+On the EMM console:
+
+1. Open "Input methods".
+2. Tap "Set input methods".
+3. Select only the approved keyboards.
+
+Additionally, admins can configure application allowlists for Google Play so no third-party keyboards are available for user installation.Review the managed Google Android 14 configuration settings to confirm that no third-party keyboards are enabled (work profile only).
+
+This procedure is performed on the EMM console.
+
+On the EMM console:
+
+1. Open "Input methods".
+2. Tap "Set input methods".
+3. Verify only the approved keyboards are selected.
+
+If unapproved third-party keyboards are allowed in the work profile, this is a finding.PP-MDF-333350<GroupDescription></GroupDescription>GOOG-14-712300The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).<VulnDiscussion>DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DOD root and intermediate PKI certificates to the Administrator mitigates this risk.
+
+SFR ID: FMT_MOF_EXT.1.2 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Android 14 MDFPP 3.3 BYOAD DISADPMS TargetGoogle Android 14 MDFPP 3.3 BYOAD 5589CCI-000366CCI-000370Configure Google Android 14 device to prevent a user from removing DOD root and intermediate PKI certificates (work profile).
+
+On the EMM console:
+1. Open "Set user restrictions".
+2. Toggle "Disallow config credentials" to "ON".Review the device configuration to confirm that the user is unable to remove DOD root and intermediate PKI certificates (work profile).
+
+On the EMM console:
+1. Open "Set user restrictions".
+2. Verify "Disallow config credentials" is toggled to "ON".
+
+On the Google Android 14 device:
+1. Open Settings.
+2. Tap "Security and privacy".
+3. Tap "More security settings".
+4. Tap "Encryption & credentials".
+5. Tap "Trusted credentials".
+6. Verify the user is unable to untrust or remove any work certificates.
+
+If the user can remove certificates on the Google Android 14 device, this is a finding.
\ No newline at end of file
diff --git a/benchmarks/DISA/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml b/benchmarks/DISA/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
index 066a3f83d..7b8879ea0 100644
--- a/benchmarks/DISA/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
+++ b/benchmarks/DISA/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
@@ -1892,14 +1892,14 @@ $ sudo stat -c "%a %n" /etc/shadow
0 /etc/shadow
-If a value of "0" is not returned, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>RHEL-09-251010RHEL 9 must have the firewalld package installed.<VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
-
-Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
-
-Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
-
+If a value of "0" is not returned, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>RHEL-09-251010RHEL 9 must have the firewalld package installed.<VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
+
+Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
+
Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366CCI-000382CCI-002314CCI-002322To install the "firewalld" package run the following command:
$ sudo dnf install firewalldRun the following command to determine if the firewalld package is installed with the following command:
@@ -2797,8 +2797,8 @@ $ systemctl is-active sshd
active
-If the "sshd" service is not active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-255020RHEL 9 must have the openssh-clients package installed.<VulnDiscussion>This package includes utilities to make encrypted connections and transfer files securely to SSH servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366The openssh-clients package can be installed with the following command:
-
+If the "sshd" service is not active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-255020RHEL 9 must have the openssh-clients package installed.<VulnDiscussion>This package includes utilities to make encrypted connections and transfer files securely to SSH servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366The openssh-clients package can be installed with the following command:
+
$ sudo dnf install openssh-clientsVerify that RHEL 9 has the openssh-clients package installed with the following command:
$ sudo dnf list --installed openssh-clients
diff --git a/stigs.json b/stigs.json
index 7b27c3ac1..ee733e526 100644
--- a/stigs.json
+++ b/stigs.json
@@ -4650,18 +4650,40 @@
"version": "V1R1",
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_9_STIG_V1R1_Manual-xccdf.xml"
},
- {
- "id": "0f33547e-f85c-4a55-88b3-88743b2b3352",
- "name": "z/OS RACF Products - Ver 6, Rel 59",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R59_Products.zip",
- "size": "8.96 MB",
- "version": "V6R59"
- },
{
"id": "8e0e35b5-f538-4bd4-b3af-c032bc48a3cf",
"name": "z/OS ACF2 Products - Ver 6, Rel 59",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_ACF2_V6R59_Products.zip",
"size": "9.7 MB",
"version": "V6R59"
+ },
+ {
+ "id": "4962c00d-d569-4e92-be07-5f46e08868e4",
+ "name": "Google Android 14 BYOAD STIG",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Android_14_BYOAD_Y24M03_STIG.zip",
+ "size": "2.81 MB"
+ },
+ {
+ "id": "RHEL_9_STIG",
+ "name": "Red Hat Enterprise Linux 9 STIG for Ansible- Ver 1, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V1R2_STIG_Ansible.zip",
+ "size": "638.65 KB",
+ "version": "V1R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml"
+ },
+ {
+ "id": "RHEL_9_STIG",
+ "name": "Red Hat Enterprise Linux 9 STIG for Chef- Ver 1, Rel 2",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V1R2_STIG_Chef.zip",
+ "size": "630.87 KB",
+ "version": "V1R2",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml"
+ },
+ {
+ "id": "ffe61a9f-b6a2-4861-94d5-47f6b8c2b3bd",
+ "name": "z/OS SRR Scripts - Ver 6, Rel 59",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_V6R59_SRR.zip",
+ "size": "1.89 MB",
+ "version": "V6R59"
}
]
\ No newline at end of file