STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

DISA Rule

SV-222438r508029_rule

Vulnerability Number

V-222438

Group Title

SRG-APP-000080

Rule Version

APSC-DV-000590

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to provide users with a non-repudiation function in the form of digital signatures when it is required by the organization or by the application design and architecture.

Check Contents

Review the application documentation, the design requirements if available and interview the application administrator.

Identify application services or application commands that are formally required and designed to provide non-repudiation services (e.g., digital signatures).

If the application documentation specifically states that non-repudiation services for application users are not defined as part of the application design, this requirement is not applicable.

Email is one example of an application specifically required to provide non-repudiation services for application users within the DoD.

Interview the application administrators and have them describe which aspect of the application, if any, is required to provide digital signatures.

Access the application as a test user or observe the application administrator as they demonstrate the application's signature capabilities.

If the application is required to provide non-repudiation services and does not, or if the non-repudiation functionality fails on demonstration, this is a finding.
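The fix recommendation and check above say what a non-repudiation function must do but not what distinguishes it from ordinary integrity protection. The following Go program is an added example, not part of the STIG or of STIGQter, and the record layout, field names and key handling are assumptions. It shows the property an assessor is looking for in the demonstration: a user signs an action record with a private key that only they hold, and the application can later verify that signature with just the public key. The verifier therefore cannot have produced the signature itself, which is what stops the user from plausibly denying the action; a tampered record or a different user's key fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ActionRecord is a constructed example of an organization-defined action that
// must be covered by non-repudiation. The field names are assumptions for this
// example, not part of the STIG.
type ActionRecord struct {
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Object    string `json:"object"`
	Timestamp string `json:"timestamp"`
}

// SignedAction binds a record to the signature its actor produced over it.
type SignedAction struct {
	Record    ActionRecord
	Signature []byte
}

// canonical serializes a record to the exact bytes the signature covers.
// encoding/json emits struct fields in declaration order, so the same record
// always produces the same bytes on both the signing and the verifying side.
func canonical(r ActionRecord) ([]byte, error) {
	return json.Marshal(r)
}

// SignAction runs on the user's side with the user's private key. Only the
// holder of priv can produce a signature that verifies under the matching
// public key, which is what lets the organization attribute the action later.
func SignAction(priv ed25519.PrivateKey, r ActionRecord) (SignedAction, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedAction{}, err
	}
	return SignedAction{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyAction is what the application or an auditor runs when a user denies
// having performed the action. It needs only the public key, so the verifier
// could not have forged the signature itself (unlike an HMAC, where the
// verifier holds the same secret as the signer).
func VerifyAction(pub ed25519.PublicKey, s SignedAction) error {
	msg, err := canonical(s.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return errors.New("signature does not match record: cannot attribute action to this key")
	}
	return nil
}

func main() {
	// Constructed demonstration: one user key pair and one signed approval.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rec := ActionRecord{
		Actor:     "alice",
		Action:    "approve",
		Object:    "PO-1234",
		Timestamp: time.Now().UTC().Format(time.RFC3339),
	}
	signed, err := SignAction(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:", VerifyAction(pub, signed) == nil)

	// Altering any field after signing breaks attribution.
	tampered := signed
	tampered.Record.Object = "PO-9999"
	fmt.Println("tampered record verifies:", VerifyAction(pub, tampered) == nil)
}
```

When observing the demonstration called for in the check, the point to confirm is the asymmetry shown here: the signing key stays with the user (in DoD deployments typically on a CAC or other hardware token), while the application stores only public keys and signatures. An application that "signs" with a key it also holds, or that only computes a keyed hash, provides integrity but not non-repudiation, because the application operator could have produced the same value.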

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments