Mobile Encryption Security Compliance

  • Release version: Yokohama
  • Updated January 30, 2025

    Learn about how ServiceNow mobile apps comply with encryption security standards for the FedRAMP and DISA environments.

    Device PIN and Blur features in the mobile UI.

    ServiceNow GovCommunityCloud (GCC) compliance is designed for U.S. Federal, State, and local government customers. This environment is FedRAMP High and DoD Impact Level 4 authorized and compliant. Each ServiceNow mobile app (Now Mobile, Mobile Agent, and Mobile Onboarding) uses FIPS 140-2 validated encryption modules.

    As part of using these validated modules, ServiceNow mobile apps include the following:

    Encryption
    ServiceNow uses FIPS 140-2 validated encryption when connecting to FedRAMP and DISA instances.
    Enforced security feature enablement
    Enforced device PIN or biometric enablement when connecting to FedRAMP and DISA instances.
    Encryption for locally stored data
    Locally stored app data such as user preferences and offline data are encrypted.
    Blur feature
    The blur feature is automatically enabled when the app is in the background.

    iOS FIPS 140-2 Compliance

    • On iOS devices, ServiceNow mobile apps use the Apple validated cryptographic modules. These modules are available on all devices using iOS 11 and up.

    • To enforce iOS FIPS 140-2 encryption, the ServiceNow mobile apps require that a user’s device has a pass code enabled when connecting to a FedRAMP or DISA instance.

    • All locally stored mobile app data such as user preferences and offline data use FIPS 140-2 validated encryption when pass code enablement is confirmed.

    For more information on the Apple validated cryptographic modules, see Apple Platform Certifications.

    Android FIPS 140-2 Compliance

    • On Android devices, ServiceNow mobile apps are integrated with a third-party SDK that uses a FIPS 140-2 validated module.

    • With this SDK, Android versions of ServiceNow mobile apps are FIPS 140-2 compliant for data at rest. All locally stored app data such as user preferences and offline data use the same level of encryption.
    • ServiceNow mobile apps also require that a device pass code is enabled when a user connects to a FedRAMP or DISA instance.
      Note:
      This feature requires Android version 7.0 Nougat and up.

    For more information on the certificate used with the third-party SDK, see https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3220

    Mobile system properties related to compliance

    Enforcing FIPS 140-2 Encryption
    Use the glide.sg.device_encryption_enabled system property to enforce encryption and require that a device pass code is configured. This system property is automatically added and defaults to true for FedRAMP and DISA instances.
    For non-FedRAMP and non-DISA instances, this property defaults to false. Enable this property on these instances to take advantage of encryption and device pass code enablement.
    Disabling offline mode
    On FedRAMP and DISA instances, offline mode is disabled by default when the offline mode plugin is installed. To enable offline mode on a FedRAMP or DISA instance, an administrator must create the glide.sg.offline.enabled system property on the [sys_properties] table, and set the value of this property to true.
    For commercial instances, offline mode is enabled by default when the offline mode plugin is installed. To disable offline mode on a commercial instance, an administrator must create the glide.sg.offline.enabled system property on the [sys_properties] table, and set the value of this property to false.
    For more information on offline mode, see Offline mode.
    Screen blur on background
    Use the glide.sg.blur_ui_when_backgrounded system property to blur the app screen when the app is in the background. This property was introduced in the Madrid release.
    Important:
    • The glide.sg.blur_ui_when_backgrounded system property is supported on both iOS and Android devices.
    • By default, the value for this property is set to false, which turns it off.
    • For Android devices, when this property is enabled by setting the value to true, the following restrictions apply:

      • The screen share feature isn't supported and the shared app screen appears black.
      • Users are prevented from taking screenshots.

      These restrictions don't apply to iOS devices when the glide.sg.blur_ui_when_backgrounded property is enabled.

    This property is not overridden for existing customers who upgrade to the Paris release.
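
    The following is an added example, not ServiceNow code: it resolves the effective value of the three properties above for a given instance type, using the defaults documented on this page, and notes where an explicit [sys_properties] row changes them. The instance-type labels, the function names, the strict "true"/"false" parsing, and the treatment of commercial as any non-FedRAMP, non-DISA instance are assumptions.

```javascript
// Added example: resolve the effective mobile compliance settings of an instance.
// Defaults are the ones documented on this page; everything else is an assumption.
const DEFAULTS = {
  // property name: [default on FedRAMP/DISA, default on other (commercial) instances]
  'glide.sg.device_encryption_enabled': [true, false],
  'glide.sg.offline.enabled': [false, true], // applies when the offline mode plugin is installed
  'glide.sg.blur_ui_when_backgrounded': [false, false],
};

// sys_properties stores values as strings; accept only "true"/"false" (assumed strict parsing).
function parseBool(raw) {
  const v = String(raw).trim().toLowerCase();
  return v === 'true' ? true : v === 'false' ? false : null;
}

// instanceType: 'fedramp' | 'disa' | 'commercial' (hypothetical labels).
// explicitProps: { name: value } for rows that exist in [sys_properties].
function resolveMobileSettings(instanceType, explicitProps, offlinePluginInstalled = true) {
  const regulated = instanceType === 'fedramp' || instanceType === 'disa';
  const report = [];
  for (const [name, [regDefault, otherDefault]] of Object.entries(DEFAULTS)) {
    if (name === 'glide.sg.offline.enabled' && !offlinePluginInstalled) continue;
    const documented = regulated ? regDefault : otherDefault;
    const isSet = Object.prototype.hasOwnProperty.call(explicitProps, name);
    const parsed = isSet ? parseBool(explicitProps[name]) : documented;
    const notes = [];
    if (parsed === null) notes.push('unparseable value, review the property row');
    else if (parsed !== documented) notes.push('differs from documented default');
    if (name === 'glide.sg.device_encryption_enabled' && parsed === false)
      notes.push('encryption and device pass code are not enforced');
    if (name === 'glide.sg.blur_ui_when_backgrounded' && parsed === true)
      notes.push('Android: screen share shows black, screenshots blocked');
    report.push({ name, effective: parsed, source: isSet ? 'explicit' : 'default', notes });
  }
  return report;
}

// Constructed sample: a FedRAMP instance where an admin has overridden two properties.
const sample = resolveMobileSettings('fedramp', {
  'glide.sg.device_encryption_enabled': 'false',
  'glide.sg.offline.enabled': ' TRUE ',
});
for (const r of sample) console.log(r.name, r.effective, r.source, r.notes.join('; '));
```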

    FedRAMP

    The Federal Risk and Authorization Management Program (FedRAMP) creates a set of processes to ensure cloud security for the government. For more detail on this program, see https://www.fedramp.gov/.