The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-002970

Associated with: CCI-000363

SV-84933r1_rule The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.

Vulnerability discussion

Not all COTS products are covered by a STIG. Those products not covered by a STIG, should follow commercially accepted best practices, independent testing results and vendors lock down guides and recommendations if they are available.

Check content

Review the application documentation to identify application name, features and version. Identify if a DoD STIG or NSA guide is available. If no STIG is available for the product, the application and application components must be configured by the following as available: - commercially accepted practices, - independent testing results, or - vendor literature and lock down guides. If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to: commercially accepted practices, independent testing results, or vendor literature and lock down guides, this is a finding.

Fix text

Configure the application according to the product STIG or when a STIG is not available, utilize: - commercially accepted practices, - independent testing results, or - vendor literature and lock down guides.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer