The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support.

From Web Policy STIG

Part of Change Management policies

Associated with IA controls: DCPR-1

SV-28754r1_rule: The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support.

Vulnerability discussion

It is one of the primary duties of the Change Control Board (CCB) to maintain a complete and detailed inventory of hardware, software, and firmware, including version, license, and certificate information (such as expiration dates), in order to properly track and plan for change. This requirement will also be reflected in the Continuity of Operations Plan (COOP) within the organization, which forms the basis of contingency planning and recovery.

With regard to expired software, firmware, and hardware licenses, certificates, and support agreements that may lead to availability outages, a process should be in place to ensure these are kept current in a timely fashion as determined by the organization. Also, vendor agreements, contact numbers, and support identification protocols should be maintained, kept current, and be readily available to the CCB, the IAO, and the SA for the production web server.

Software that has fallen out of warranty and is no longer supported by the vendor presents a significant risk to the computing environment. When software is no longer supported by the vendor, patches are no longer supplied for it, which can leave an organization vulnerable to attacks. Also, unsupported software is normally not included in vulnerability notices such as IAVMs and CVEs, because vendors no longer provide this information once the software is unsupported. It is important to note that software that fails to meet DoD security guidelines may be denied connection to the network.

Check content

Query the IAO to determine if the site has a detailed process as part of its Configuration Management Plan or COOP to prevent the use of unsupported software and to provide a process to upgrade web server software. If the web server staff cannot provide a copy of the Configuration Management Plan or the COOP that addresses software replacement or upgrade, this is a finding.

Fix text

Develop a Configuration Management Plan or a COOP to address a life cycle methodology approach to managing production web server software.