Whether it’s Warfighters deployed in the field or remote analysts supporting missions across the globe, mobile devices make these operations possible. But these endpoints (and your data) need serious protection.

That’s where the Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs) come in, setting the baseline for hardened endpoint and application security.

DISA has released new Android 16 and iOS 26 STIGs, and with each major operating system release, these STIGs are updated to ensure mobile security keeps pace with modern threats and capabilities. One of the most significant requirement changes this cycle is that all managed mobile devices must have a mobile threat defense (MTD) solution deployed to remain compliant.

In this post I’ll walk you through the importance of STIGs, why MTD is critical to safeguarding sensitive data and how an MTD solution simplifies compliance across the mobile edge.

STIGs: The gold standard for device security

Think of STIGs as detailed guidelines that tell you exactly how to configure and lock down technology, software, hardware or entire systems to meet Department of War (DoW) security standards.

STIGs ultimately help organizations protect Controlled User Information (CUI) and higher levels of data. Each STIG contains specific requirements (or “controls”) that make up the security baseline.

They (and associated security requirements guides) are linked to security controls defined by National Institute of Standards and Technology (NIST) Special Publication 800-53, breaking them down into actionable, measurable items.

For example, a mobile device STIG might stipulate that:

  • Device passcodes must be complex, with at least X characters.
  • The device must encrypt all data.
  • USB debugging must be disabled. 
  • A mobile threat defense app must be installed.

U.S. military and government agencies rely on STIGs to harden systems that support mission-critical operations. While they’re mandatory for DoW and federal agencies, many defense contractors, healthcare and finance organizations adopt STIGs because they represent proven security best practices.

STIGs provide a baseline to help these organizations maintain compliance with a variety of requirements and policy mandates, such as Cybersecurity Maturity Model Certification (CMMC), NIST, CIS and HIPAA.

Your new mandate: iOS 26 & Android 16 STIGs now require MTD

On the Apple side, the iOS 26/iPadOS 26 STIG added an explicit requirement: to remain compliant, an MTD app must be installed and managed on all DoW iPhones and iPads.

The latest Android 16 STIGs (i.e., Google Android 16 STIG and Samsung Android 16 STIG) introduce a clear mandate as well: a mobile threat defense (MTD) application must be deployed on every managed device. Failure to do so is flagged as a finding during compliance review.

These controls underscore a pivotal shift: Mobile endpoint risk management is no longer just about configuration and lockdown settings. It now includes actively enforcing real-time mobile threat defense to prevent device, network, application and phishing attack vectors on modern devices.

Here's the exact language on MTD from the Android 16 STIG: 

"In the mobile device management (MDM) console, verify an MTD app is listed as a managed app being deployed to site-managed devices. If an MTD app is not installed on the device, this is a finding."

Translation: No MTD means you're out of compliance. It's that simple. However, deploying an MTD solution and ensuring it’s actively protecting against mobile threat vectors is more complex.

Integrating an MDM/MTD approach

Having worked with countless federal and enterprise organizations, I’ve seen firsthand what truly works in the field. Installing and managing an MTD agent is not enough to ensure active protection on mobile endpoints.

Standalone MTD agents often require manual activation after installation and application programming interface (API) integrations with MDM solutions to take action. The most effective approach requires tight integration between your MTD and MDM platforms, and an integrated MDM/MTD agent to ensure seamless activation and protection from mobile threats.
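An added example (not from the STIG, DISA or Ivanti): a check over a constructed MDM inventory export that separates the STIG finding (no managed MTD app on the device) from the gap described above (agent installed but never activated). The JSON field names and the `com.example.mtd` identifier are hypothetical placeholders, not any product's schema.

```python
import json

# Placeholder identifier for the MTD app (assumption, not a real package name).
MTD_APP_ID = "com.example.mtd"

# Constructed sample: device inventory export from a hypothetical MDM.
INVENTORY_JSON = """
[
  {"device": "ios-001", "os": "iOS 26",
   "apps": [{"id": "com.example.mtd", "managed": true, "activated": true}]},
  {"device": "and-002", "os": "Android 16",
   "apps": [{"id": "com.example.mtd", "managed": true, "activated": false}]},
  {"device": "and-003", "os": "Android 16",
   "apps": [{"id": "com.example.mail", "managed": true}]},
  {"device": "ios-004", "os": "iPadOS 26",
   "apps": [{"id": "com.example.mtd", "managed": false, "activated": true}]}
]
"""


def classify(device, mtd_app_id=MTD_APP_ID):
    """Return 'finding', 'inactive' or 'ok' for one device record."""
    mtd = [a for a in device.get("apps", []) if a.get("id") == mtd_app_id]
    # STIG check text: an MTD app must be deployed as a managed app and
    # installed on the device; otherwise it is a finding.
    if not any(a.get("managed") for a in mtd):
        return "finding"
    # Beyond the check text: a managed agent that was never activated
    # passes the audit but provides no protection.
    if not any(a.get("managed") and a.get("activated") for a in mtd):
        return "inactive"
    return "ok"


def audit(inventory_json, mtd_app_id=MTD_APP_ID):
    """Map each device name in the export to its classification."""
    devices = json.loads(inventory_json)
    return {d["device"]: classify(d, mtd_app_id) for d in devices}


if __name__ == "__main__":
    for name, status in sorted(audit(INVENTORY_JSON).items()):
        print(f"{name}: {status}")
```

Devices reported as `inactive` satisfy the quoted check but still need follow-up, which is the distinction the paragraph above draws.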

A unified single-agent architecture enables continuous mobile threat protection while automatically enforcing MDM compliance controls, eliminating the complexity and gaps that come with managing separate solutions.

That's where Ivanti Neurons for Mobile Threat Defense comes into play. With Ivanti Neurons for Mobile Threat Defense integrated in both the SaaS-based Ivanti Neurons for MDM and on-prem-based Ivanti Endpoint Manager for Mobile (EPMM), you get a single-agent architecture that's seamless to users but gives administrators complete control and security visibility.

This is what it looks like in practice:

  • Automatic and scalable STIG baseline enforcement for Android and iOS.
  • Users experience a seamless workflow with no additional apps or agents to manage.
  • Risk visibility and policy management live in one unified console.
  • On-device threat protection works even in disconnected, deployed scenarios to protect against device, network, application and phishing attacks.
  • An integrated MDM that manages any modern operating system including iOS, Android, Windows, macOS or ChromeOS.

MDM & MTD for holistic mobile security

Deploying an MTD app is no longer optional. With the Android 16 and iOS 26 STIGs both calling for MTD on managed devices via explicit controls, you can’t rely solely on MDM configuration baselines. You need active MTD that gives you holistic security.

With mobile threat vectors like operating system vulnerabilities, malicious mobile apps, phishing via SMS/MMS and network man-in-the-middle attacks rising rapidly, you need protection that lives on the device itself, not just in the cloud.

Compliance, mission assurance and mobile edge security are top priorities for every modern organization. Ivanti Mobile Threat Defense delivers on all three, providing STIG-aligned protection across Android and iOS devices, integrating seamlessly into your broader device management platform and defending against device, network, application and phishing attacks to keep your organization resilient and compliant.

Schedule a demo today to see how Ivanti Mobile Threat Defense can keep your agency’s data safe and your mobile fleet audit-ready. For full STIG references and downloads, consult the Defense Information Systems Agency’s (DISA) STIG library.