Mobile encryption security compliance
Summary of Mobile encryption security compliance
ServiceNow mobile apps (Now Mobile, Mobile Agent, Mobile Onboarding) are designed to comply with stringent encryption security standards required for FedRAMP High and DISA Impact Level 4 authorized environments. This compliance is essential for U.S. Federal, State, and local government customers using the ServiceNow GovCommunityCloud (GCC), ensuring secure mobile access to sensitive government data.
Key Features
- FIPS 140-2 Validated Encryption: All mobile apps use FIPS 140-2 validated encryption modules for data in transit and at rest, including user preferences and offline data.
- Device Security Enforcement: The apps enforce device passcode or biometric authentication when connecting to FedRAMP and DISA instances to ensure device-level security.
- Blur Feature: Automatically blurs the app screen when running in the background to prevent data exposure, with specific behaviors on iOS and Android devices.
- Platform-Specific Compliance:
  - iOS: Utilizes Apple validated cryptographic modules (available from iOS 11+), requiring device passcode for encryption enforcement.
  - Android: Integrates a third-party SDK with FIPS 140-2 validated modules for data at rest encryption, requiring Android 7.0 Nougat or higher and device passcode enforcement.
- System Properties for Compliance Management:
  - glide.sg.device_encryption_enabled: Enforces encryption and device passcode requirement; defaults true for FedRAMP/DISA instances, can be enabled on others.
  - glide.sg.offline.enabled: Controls offline mode; disabled by default on FedRAMP/DISA instances, enabled on commercial instances, configurable by administrators.
  - glide.sg.blur_ui_when_backgrounded: Controls screen blur when app is backgrounded; off by default, can be enabled with specific restrictions on Android (disables screen sharing and screenshots).
Key Outcomes
By leveraging these encryption and security features, ServiceNow mobile apps provide government customers with:
- Compliance with federal security standards required for handling sensitive government information.
- Enhanced protection of mobile data through validated encryption and enforced device security policies.
- Configurable security settings to balance usability (such as offline mode) with compliance requirements.
- Improved data privacy when the app is not active, minimizing risk from background data exposure.
Learn about how ServiceNow mobile apps comply with encryption security standards for the FedRAMP and DISA environments.
ServiceNow GovCommunityCloud (GCC) compliance is designed for U.S. Federal, State, and local government customers. This environment is FedRAMP High and DoD Impact Level 4 authorized and compliant. Each ServiceNow mobile app (Now Mobile, Mobile Agent, and Mobile Onboarding) uses FIPS 140-2 validated encryption modules. As part of using these validated modules, ServiceNow mobile apps include the following:
iOS FIPS 140-2 Compliance
On iOS devices, ServiceNow mobile apps use the Apple validated cryptographic modules. These modules are available on all devices using iOS 11 and up.
To enforce iOS FIPS 140-2 encryption, the ServiceNow mobile apps require that a user’s device has a pass code enabled when connecting to a FedRAMP or DISA instance.
All locally stored mobile app data such as user preferences and offline data use FIPS 140-2 validated encryption when pass code enablement is confirmed.
For more information on the Apple validated cryptographic modules, see Apple Platform Certifications.
Android FIPS 140-2 Compliance
On Android devices, ServiceNow mobile apps are integrated with a third party SDK that uses a FIPS 140-2 validated module.
- With this SDK, Android versions of ServiceNow mobile apps are FIPS 140-2 compliant for data at rest. All locally stored app data such as user preferences and offline data use the same level of encryption.
- ServiceNow mobile apps also require that a device pass code is enabled when a user connects to a FedRAMP or DISA instance. Note: This feature requires Android version 7.0 Nougat and up.
For more information on the certificate used with the third party SDK, see https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3220
Mobile system properties related to compliance
- Enforcing FIPS 140-2 Encryption
  - Use the glide.sg.device_encryption_enabled system property to enforce encryption and require that a device pass code is configured. This system property is automatically added and defaults to true for FedRAMP and DISA instances.
- Disabling offline mode
  - On FedRAMP and DISA instances, offline mode is disabled by default when the offline mode plugin is installed. To enable offline mode on a FedRAMP or DISA instance, an administrator must create the glide.sg.offline.enabled system property on the [sys_properties] table, and set the value of this property to true.
- Screen blur on background
  - Use the glide.sg.blur_ui_when_backgrounded system property to blur the app screen when in background. This property was introduced in the Madrid release.

    Important:
    - The glide.sg.blur_ui_when_backgrounded system property is supported on both iOS and Android devices.
    - By default, the value for this property is set to false, which turns it off.

    For Android devices, when this property is enabled by setting the value to true, the following restrictions apply:
    - The screen share feature isn't supported and the shared app screen appears black.
    - Users are prevented from taking screenshots.

    These restrictions don't apply to iOS devices when the glide.sg.blur_ui_when_backgrounded property is enabled.
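An added example (not ServiceNow code): a Node.js check that resolves the effective value of the three properties above from an exported [sys_properties] list, applying the defaults this page states, and flags deviations on a FedRAMP or DISA instance as well as property names created without their underscores. The function name, the `gov`/`commercial` labels, the sample rows, and the treatment of an absent device-encryption property on a commercial instance are assumptions.

```javascript
// Added example: defaults as stated on this page. "gov" = FedRAMP/DISA instance.
// Assumption: device encryption counts as not enforced when absent on a commercial instance.
const DEFAULTS = {
  "glide.sg.device_encryption_enabled": { gov: true, commercial: false },
  "glide.sg.offline.enabled": { gov: false, commercial: true },
  "glide.sg.blur_ui_when_backgrounded": { gov: false, commercial: false },
};
const squash = (name) => name.replace(/_/g, "");

// rows: [{ name, value }] records exported from the [sys_properties] table.
function auditMobileProperties(rows, instanceType) {
  const findings = [];
  const effective = {};
  for (const [name, def] of Object.entries(DEFAULTS)) {
    const row = rows.find((r) => r.name === name);
    effective[name] = row ? String(row.value).trim().toLowerCase() === "true" : def[instanceType];
    // A name with its underscores dropped is not the documented property name.
    const typo = rows.find((r) => r.name !== name && squash(r.name) === squash(name));
    if (typo) findings.push({ property: typo.name, issue: `misspelled; expected ${name}` });
  }
  if (instanceType === "gov") {
    if (!effective["glide.sg.device_encryption_enabled"])
      findings.push({ property: "glide.sg.device_encryption_enabled",
        issue: "encryption and device pass code requirement not enforced" });
    if (effective["glide.sg.offline.enabled"])
      findings.push({ property: "glide.sg.offline.enabled",
        issue: "offline mode enabled; it is disabled by default on FedRAMP and DISA instances" });
  }
  if (!effective["glide.sg.blur_ui_when_backgrounded"])
    findings.push({ property: "glide.sg.blur_ui_when_backgrounded",
      issue: "app screen is not blurred when in background" });
  return { effective, findings };
}

// Constructed sample export from a FedRAMP instance (not real data).
const SAMPLE_ROWS = [
  { name: "glide.sg.device_encryption_enabled", value: "true" },
  { name: "glide.sg.offline.enabled", value: "true" },
  { name: "glide.sg.bluruiwhenbackgrounded", value: "true" },
];

console.log(JSON.stringify(auditMobileProperties(SAMPLE_ROWS, "gov"), null, 2));
```

In the sample, the blur property was created without underscores, so the documented property is still at its default of false even though an administrator set a value of true.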
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) creates a set of processes to ensure cloud security for the government. For more detail on this program, see https://www.fedramp.gov/.