The Global Gold Standard: DISA Adds Active Defense With MTD STIG Requirement
For government agencies globally, compliance is often treated as a checklist. You follow the guidelines, apply the patches, and pass the audit. But in the rapidly shifting world of mobile warfare, moving beyond the checklist to truly understand the threat is now more important than ever.
The Security Technical Implementation Guides (STIGs) are developed and maintained by the U.S. Defense Information Systems Agency (DISA) for the U.S. Department of War (DoW). They are publicly available and battle-tested, and as such are widely regarded as the "gold standard" for securing critical government (and non-government) systems worldwide. The STIGs serve as the "how-to" manual for implementing the federal cybersecurity standards defined by the National Institute of Standards and Technology (NIST) with additional product-specific configuration details for hardening.
STIG adoption is widespread globally. In the U.S., this extends beyond the DoW to include Federal civilian agencies, the Intelligence Community (IC), and even defense contractors who are contractually obligated to use STIGs on their internal networks to protect Controlled Unclassified Information (CUI). Outside the U.S., the STIGs are used as the gold standard security benchmark across NATO allies, “Five Eyes” partners (UK, Canada, Australia, New Zealand), and any foreign government agencies purchasing U.S. military equipment to keep their warranty and support valid.
These guides tell agencies how to do what: the STIGs supply the "how," and the NIST controls, with hardening, supply the "what." However, for years these guides were written from a posture of hardening mobile devices rather than active mobile defense, creating a growing security gap as the mobile threat landscape evolved. Until now.
The Loophole is Closed: MTD is Now Mandatory for iOS and Android
With the release of the Android 16 STIG (and subsequent backport for the Android 15 V1R3 STIG), DISA now requires active mobile defense using an approved MTD app for both iOS and Android devices.
Previously, agencies could satisfy "compromised device" requirements purely through Mobile Device Management (MDM) configurations. The old check text (found in the Android 15 V1R1 STIG and earlier) only required that a device be configured to "detect if the device has been jailbroken or rooted." This allowed agencies to "check the box" by simply enabling a basic setting in their MDM console. As long as the MDM agent could see if a device was jailbroken or rooted, the requirement was met—without ever deploying a dedicated mobile threat defense solution. However, this static level of mobile security only monitors a device’s configuration state, not its active threat state.
The new STIGs explicitly close this loophole. The check text for iOS 18, iOS 26, and now Android 16 reads:
"Verify an MTD app is listed as a managed app being deployed... If an MTD app is not installed on the device, this is a finding."
You can no longer "configure" your way to compliance using MDM policy alone. You must have active, dedicated mobile threat defense. This requirement change enables MDM and MTD as complementary solutions to work together as designed, with MDM focused on control (mobile configuration management and compliance) and MTD focused on active mobile threat defense.
A Global Consensus: Active Mobile Defense Is a Must for Security
Across the globe, leading cybersecurity agencies are converging on the same conclusion: hardening is not enough; active mobile defense is required.
- United Kingdom (NCSC): The National Cyber Security Centre’s Device Security Guidance explicitly differentiates between "management" (MDM) and "monitoring" (MTD). Their guidance emphasizes the need for solutions that can detect device compromise and audit for malicious applications—capabilities that standard MDM checks cannot provide.
- Germany (BSI): The Federal Office for Information Security’s IT-Grundschutz (IT-GS) framework requires protection measures against malware and data leakage that typically necessitate on-device threat detection beyond basic OS hardening.
- Australia (ACSC): The Australian Cyber Security Centre’s Information Security Manual (ISM) includes specific controls for malicious code protection that align directly with MTD capabilities, mandating the ability to detect and prevent the execution of malicious code.
- Singapore (CSA): The Cyber Security Agency’s Mobile Cyber Security Guide explicitly recommends security software that performs real-time scanning for malware and phishing—calling for active defense layers that sit on top of the device management layer.
The “Why” Behind Mandating Active Mobile Defense
Why has the guidance shifted from management to active mobile defense?
The answer lies in the limitations of MDM against modern adversaries. MDM is a tool designed primarily for policy, not protection.
- The "How" of MDM: It dictates how a device is set up (e.g., forcing a 6-digit device passcode).
- The "Why" of MTD: It addresses the reality that a 6-digit passcode is useless if a malicious app has already gained full access to the device.
The "Why" behind mandating active mobile defense is that the battlefield has moved, requiring comprehensive detection even without network connectivity. Adversaries targeting government agencies—from state-sponsored actors to criminal syndicates—are no longer trying to break the configuration; they are bypassing it. They use zero-day exploits, network attacks, and malicious applications that require specialized detection capabilities unique to MTD.
| | Mobile Device Management (MDM) | Mobile Threat Defense (MTD) |
|---|---|---|
| Primary Goal | Device, app, and policy management; compliance enforcement | Real-time threat detection, prevention, and response |
| Focus | Onboarding, configuration, app deployment, policy enforcement | User behavior; vetting 3rd party apps for security, privacy, & compliance; network & device vulnerability assessment |
| Threat Handling | Limited; enforces policies after issues arise (reactive) | Proactive; detects phishing, malware, app, & network attacks |
| Detection | Basic; checks for compliance, not sophisticated threats | Advanced ML/AI; real-time analysis of user & app activity |
| User Experience | Can be restrictive (policy-focused) | Seamless, privacy-focused protection without hindering users; zero-touch capabilities |
| Integration | Foundational; often deploys the MTD agent | Extends MDM; uses MDM data to apply security policies and trigger response workflows; data can be correlated by XDR / SIEM for comprehensive visibility |
The leading global standards for mobile security now clearly show that native mobile operating system protections are no longer sufficient to handle the rapidly evolving mobile threat environment. The MITRE ATT&CK® for Mobile framework supports this notion by highlighting numerous adversarial techniques, such as phishing, app threats, and network threats, that are completely invisible to static MDM policies but visible to MTD, and that must be addressed in real time.
Mobile devices are now contested territory and must be treated as such. If the STIG is the blueprint for the walls of your fortress, MTD is the guard watching for the enemy scaling them. You cannot configure your way out of a cyberattack; you must actively defend against it.
Conclusion
With Android 16 now joining iOS 18 & iOS 26 in mandating MTD in the DISA STIGs, the "MDM checkbox" era of static mobile security is over. The loophole of relying on basic root detection for devices has been closed by the gold standard provider, driving global consensus with the world's most rigorous standards bodies.
Zimperium is the MTD market leader providing active protection to secure government data against sophisticated mobile threats. The mobile threat is real, it is active, and it is bypassing static mobile security configurations. Compliance is mandatory, but security is a choice. Choose a partner that understands the difference.