STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

DISA Rule

SV-222556r508029_rule

Vulnerability Number

V-222556

Group Title

SRG-APP-000180

Rule Version

APSC-DV-001870

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to identify and authenticate all non-organizational users.

Check Contents

Review the application documentation and interview the application administrator.

If the application does not host non-organizational users, this requirement is not applicable.

Review the application and verify authentication is enabled and required in order for users to access the application.

Review the application user base and determine if all user accounts are documented and assigned to a unique individual.

Review risk acceptance documentation to determine if there are specific accesses identified that do not require authentication.

If the application does not identify and authenticate non-organizational users and there is no risk acceptance documentation approving the exception, this is a finding.

Documentable

False

Severity Override Guidance

Review the application documentation and interview the application administrator.

If the application does not host non-organizational users, this requirement is not applicable.

Review the application and verify authentication is enabled and required in order for users to access the application.

Review the application user base and determine if all user accounts are documented and assigned to a unique individual.

Review risk acceptance documentation to determine if there are specific accesses identified that do not require authentication.

If the application does not identify and authenticate non-organizational users and there is no risk acceptance documentation approving the exception, this is a finding.

Check Content Reference

M

Target Key

4093

Comments