STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.

DISA Rule

SV-222535r508029_rule

Vulnerability Number

V-222535

Group Title

SRG-APP-000163

Rule Version

APSC-DV-001670

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to disable device accounts after 35 days of inactivity or to utilize DoD PKI certificates that provide an expiration date.

Check Contents

Review the application documentation and interview the application administrator.

If the application is not designed to authenticate devices (such as mobile phones, gateways or other smart devices), or uses DoD PKI certificates to authenticate these devices, this requirement is NA.

Access the user management interface for the application.

Identify application device IDs.

If the application utilizes approved certificates or a centralized authentication store (Active Directory or LDAP) as the authoritative source for application authentication, and the authentication store is configured to meet the requirement to disable device IDs after 35 days of inactivity, this is not a finding.

Accounts such as guest and anonymous as well as roles and groups or other identities used to operate the application or to provide limited guest access are not applicable.

Access the application user management interface and review the account settings that pertain to devices.

Verify the application is configured to disable device accounts that have not been active or logged into the application for the past 35 days.

If the application does not disable accounts used to authenticate devices after 35 days of inactivity, this is a finding.
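The check above boils down to one rule over the device-account inventory: in-scope device identifiers that have been idle for more than 35 days get disabled, while certificate-authenticated devices and guest/anonymous/service identities are out of scope. As an added illustration (not STIG or STIGQter code), here is that rule as a reviewable function; the account model, its field names, and the decision to measure a never-used device from its creation date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed account model (not from the STIG); field names are illustrative.
@dataclass
class Account:
    name: str
    kind: str                      # "device", "user", "guest", "anonymous", "service"
    auth: str                      # "password", "shared_secret", or "certificate"
    created: date
    last_activity: Optional[date]  # None if the device has never authenticated
    enabled: bool = True

INACTIVITY_LIMIT_DAYS = 35  # APSC-DV-001670 threshold

def reference_date(acct: Account) -> date:
    # Assumption: a device that has never authenticated is measured from creation,
    # so an enrolled-but-unused identifier cannot sit open indefinitely.
    return acct.last_activity or acct.created

def is_in_scope(acct: Account) -> bool:
    # Only device identifiers are covered; guest/anonymous/service identities are NA,
    # and certificate-authenticated devices rely on the certificate's expiry instead.
    return acct.kind == "device" and acct.auth != "certificate"

def stale_device_accounts(accounts: List[Account], today: date,
                          limit_days: int = INACTIVITY_LIMIT_DAYS) -> List[str]:
    """Names of enabled, in-scope device accounts idle for more than limit_days."""
    cutoff = today - timedelta(days=limit_days)   # exactly limit_days idle is still allowed
    return sorted(a.name for a in accounts
                  if a.enabled and is_in_scope(a) and reference_date(a) < cutoff)

def disable_stale(accounts: List[Account], today: date) -> List[str]:
    """Disable every stale device account in place and return what was disabled."""
    stale = set(stale_device_accounts(accounts, today))
    for a in accounts:
        if a.name in stale:
            a.enabled = False
    return sorted(stale)

# Constructed sample inventory for a review dated 2020-11-30 (not real data).
TODAY = date(2020, 11, 30)
SAMPLE = [
    Account("gw-01", "device", "shared_secret", date(2020, 1, 1), date(2020, 10, 1)),   # 60 days idle
    Account("gw-02", "device", "shared_secret", date(2020, 1, 1), date(2020, 11, 20)),  # active
    Account("sensor-7", "device", "certificate", date(2020, 1, 1), date(2020, 6, 1)),   # cert-exempt
    Account("cam-3", "device", "password", date(2020, 9, 1), None),                     # never seen
    Account("guest", "guest", "password", date(2020, 1, 1), date(2020, 1, 1)),          # NA
    Account("gw-old", "device", "password", date(2020, 1, 1), date(2020, 2, 1), enabled=False),
]

if __name__ == "__main__":
    print(disable_stale(SAMPLE, TODAY))  # ['cam-3', 'gw-01']
```

Run against a real export, the list returned by stale_device_accounts is the evidence the reviewer asks for: an empty list on a current inventory means the 35-day control is being enforced.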

Vulnerability Number

V-222535

Documentable

False

Rule Version

APSC-DV-001670

Severity Override Guidance


Check Content Reference

M

Target Key

4093

Comments