A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003020

Associated with: CCI-001795

Rule ID: SV-84967r1_rule

A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established.

Vulnerability discussion

Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan and a CCB, code releases cannot be tracked, and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application.

This requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.

Check content

Interview the application representative and determine if application development is performed on site by the organization. If application development is not done in house, the requirement is not applicable. If application development is done in house, determine if a CCB exists. Ask about the membership of the CCB, and identify the primary members. Ask if there is CCB charter documentation. Interview the application representative and determine how often the CCB meets. The CCB charter documentation should indicate how often the CCB meets. If there is no charter documentation, ask when the CCB last met and when the last release of the application was. CCBs do not have to physically meet, and the CCB chair may authorize a release based on phone and/or e-mail conversations. If there is no evidence of CCB activity or meetings prior to the last release cycle, this is a finding.

Fix text

Set up and maintain a Configuration Control Board.
