STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.

DISA Rule

SV-222516r508029_rule

Vulnerability Number

V-222516

Group Title

SRG-APP-000384

Rule Version

APSC-DV-001480

Severity

CAT II

CCI(s)

• CCI-001764 - The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.

Weight

10

Fix Recommendation

Restrict application execution in accordance with the policy, terms, and conditions specified.

Check Contents

Review the application documentation and interview the application administrator to determine if policies, rules, or restrictions exist regarding application usage or terms which authorize the conditions of application use.

If the policy, terms, or conditions state there are no usage restrictions, this requirement is not applicable.

Interview the application administrator, review policy, terms, and conditions documents to determine what the terms and conditions of application usage are.

Have the application administrator demonstrate how the program execution is restricted in accordance with the policy terms and conditions. Typical methods include but are not limited to the use of Windows Group Policy, AppLocker, Software Restriction Policies, Java Security Manager, and Role-Based Access Control (RBAC).

If application requirements or policy documents specify application execution restriction requirements and the execution of the application or its subcomponents are not restricted in accordance with requirements or policy, this is a finding.

Vulnerability Number

V-222516

Documentable

False

Rule Version

APSC-DV-001480

Severity Override Guidance

Review the application documentation and interview the application administrator to determine if policies, rules, or restrictions exist regarding application usage or terms which authorize the conditions of application use.

If the policy, terms, or conditions state there are no usage restrictions, this requirement is not applicable.

Interview the application administrator, review policy, terms, and conditions documents to determine what the terms and conditions of application usage are.

Have the application administrator demonstrate how the program execution is restricted in accordance with the policy terms and conditions. Typical methods include but are not limited to the use of Windows Group Policy, AppLocker, Software Restriction Policies, Java Security Manager, and Role-Based Access Control (RBAC).

If application requirements or policy documents specify application execution restriction requirements and the execution of the application or its subcomponents are not restricted in accordance with requirements or policy, this is a finding.

Check Content Reference

M

Target Key

4093

Comments