STIGQter: STIG Summary: McAfee Application Control 8.x Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Oct 2020

A McAfee Application Control written policy must be documented to outline the organization-specific variables for application whitelisting.

DISA Rule

SV-213316r506897_rule

Vulnerability Number

V-213316

Group Title

SRG-APP-000386

Rule Version

MCAC-PO-000100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Fully document the written policy for the McAfee Application Control software, including processes for password management, vetting applications for whitelisting/blocking, the frequency of reviewing the application whitelist, and settings for other requirements in this STIG.

Submit the written policy to be initially approved by and maintained by the Information System Security Officer/Information System Security Manager (ISSO/ISSM/AO) at that location.

Formalize a change control process to ensure changes to the written policy are made in a controlled manner.

Formalize a review process requiring signed acceptance by the ISSO/ISSM/AO for any changes made to the written policy.

If a formal Change Advisory Board (CAB) or Configuration Control Board (CCB) exists, the McAfee Application Control written policy must be under the CAB/CCB oversight.

Check Contents

Consult with the ISSO/ISSM to review the organizational-specific written policy for the McAfee Application Control software.

If no written policy exists, this is a finding.

Documentable

False

Severity Override Guidance

Consult with the ISSO/ISSM to review the organizational-specific written policy for the McAfee Application Control software.

If no written policy exists, this is a finding.

Check Content Reference

M

Target Key

3982