Google Android 16 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot if approved for use by the authorizing official (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-276771	PP-MDF-993300	GOOG-16-009950	SV-276771r1140105_rule	2025-09-18	1

Description
Wi-Fi and Bluetooth hotspot use may increase the risk for exposing sensitive DOD data for some use cases; therefore, it should be disabled unless approved by the AO. When a DOD mobile phone is used as a Wi-Fi or Bluetooth hotspot, a hotspot password must be enabled; otherwise, unauthorized devices could connect to the DOD hotspot, which may increase the risk of exposure of sensitive DOD data and/or a performance degradation of the DOD mobile phone. SFR ID: FMT_SMF_EXT.1.1 / WLAN #3

Description

Wi-Fi and Bluetooth hotspot use may increase the risk for exposing sensitive DOD data for some use cases; therefore, it should be disabled unless approved by the AO. When a DOD mobile phone is used as a Wi-Fi or Bluetooth hotspot, a hotspot password must be enabled; otherwise, unauthorized devices could connect to the DOD hotspot, which may increase the risk of exposure of sensitive DOD data and/or a performance degradation of the DOD mobile phone. SFR ID: FMT_SMF_EXT.1.1 / WLAN #3

ℹ️ Check
Review device configuration and user training and determine if the AO has approved hotspot use. If the AO has not approved hotspot use, verify that hotspot use has been disabled: On the EMM console: COBO: 1. Open "Set user restrictions". 2. Verify that "Disallow config tethering" is toggled to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". On the managed Google Android 16 device: COBO and COPE: 1. Go to Settings >> Network & Internet. 2. Verify that "Hotspot & tethering" is "Controlled by admin". 3. Verify that tapping "Hotspot & tethering" provides a prompt to the user specifying "Action not allowed". If on the managed Google Android 16 device "Hotspot & tethering" is enabled, this is a finding. If hotspot use has been approved, verify that the user has been trained to use the default hotspot password. Refer to GOOG-16-009800 for the procedure. If users are not trained to use the default hotspot password, this is a finding.

ℹ️ Check

Review device configuration and user training and determine if the AO has approved hotspot use. If the AO has not approved hotspot use, verify that hotspot use has been disabled: On the EMM console: COBO: 1. Open "Set user restrictions". 2. Verify that "Disallow config tethering" is toggled to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". On the managed Google Android 16 device: COBO and COPE: 1. Go to Settings >> Network & Internet. 2. Verify that "Hotspot & tethering" is "Controlled by admin". 3. Verify that tapping "Hotspot & tethering" provides a prompt to the user specifying "Action not allowed". If on the managed Google Android 16 device "Hotspot & tethering" is enabled, this is a finding. If hotspot use has been approved, verify that the user has been trained to use the default hotspot password. Refer to GOOG-16-009800 for the procedure. If users are not trained to use the default hotspot password, this is a finding.

✔️ Fix
Disable hotspot functions on the DOD phone if not approved by the AO. On the EMM console: COBO: 1. Open "Set user restrictions". 2. Toggle "Disallow config tethering" to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". If the AO has approved the use of Wi-Fi and Bluetooth hotspots, train the user to not change the default hotspot password (refer to GOOG-16-009800). By default, when Wi-Fi Hotspot is enabled, a 15-character complex password is automatically configured for the hotspot. Configuration API: DISALLOW_CONFIG_TETHERING

✔️ Fix

Disable hotspot functions on the DOD phone if not approved by the AO. On the EMM console: COBO: 1. Open "Set user restrictions". 2. Toggle "Disallow config tethering" to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". If the AO has approved the use of Wi-Fi and Bluetooth hotspots, train the user to not change the default hotspot password (refer to GOOG-16-009800). By default, when Wi-Fi Hotspot is enabled, a 15-character complex password is automatically configured for the hotspot. Configuration API: DISALLOW_CONFIG_TETHERING