STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.

DISA Rule

SV-222627r508029_rule

Vulnerability Number

V-222627

Group Title

SRG-APP-000516

Rule Version

APSC-DV-002970

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application according to the product STIG or when a STIG is not available, utilize:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.

Check Contents

Review the application documentation to identify application name, features and version.

Identify if a DoD STIG or NSA guide is available.

If no STIG is available for the product, the application and application components must be configured by the following as available:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.

If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides,

this is a finding.

Vulnerability Number

V-222627

Documentable

False

Rule Version

APSC-DV-002970

Severity Override Guidance

Review the application documentation to identify application name, features and version.

Identify if a DoD STIG or NSA guide is available.

If no STIG is available for the product, the application and application components must be configured by the following as available:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.

If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides,

this is a finding.

Check Content Reference

M

Target Key

4093

Comments