STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must have the capability to mark sensitive/classified output when required.

DISA Rule

SV-222643r508029_rule

Vulnerability Number

V-222643

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003120

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Enable the application to adequately mark sensitive/classified output.

Check Contents

Review the application documentation and interview the application administrator.

Ask the application representative for the application’s classification guide. This guide should document the data elements and their classification.

Determine which application functions to examine, giving preference to report generation capabilities and the most common user transactions that involve sensitive data (FOUO, secret or above).

Log on to the application and perform these functions in sequence, printing output when applicable. The application representative’s assistance may be required to perform these steps. For each function, note whether the appropriate markings appear on the displayed and printed output. If a classification document does not exist, data must be marked at the highest classification of the system.

Appropriate markings for an application are as follows: For classified data, markings are required at a minimum at the top and the bottom of screens and reports.

For FOUO data, markings are required at a minimum at the bottom of the screen or report. In some cases, technology may prohibit the appropriate markings on printed documents; for example, it is not always possible to mark all pages top and bottom when a user prints from a browser. If this is the case, ask the application representative whether user procedures exist for manually marking printed documents. If procedures do exist, examine them to verify that the data would be marked correctly if users followed them.

Ask how these procedures are distributed to the users.

If appropriate markings are not present within the application and it is technically possible to have the markings present, this is a finding.

If it is not technically feasible to meet the minimum marking requirement and no user procedures exist, or the procedures, if followed, would result in incorrect markings, or the procedures are not readily available to users, this is a finding.

In any case of a finding, the finding details should specify which functions failed to produce the desired results.

After completing the test, destroy all printed output using the site’s preferred method for disposal, for example a shredder or burn bags.
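The marking rule above can be turned into an automated check that a developer or reviewer runs against rendered screens and report pages before the manual walkthrough. This is an added example, not STIGQter's or DISA's code; the level ordering, the `Page` shape, treating an element absent from the classification guide as system-high, and exempting UNCLASSIFIED output are assumptions modelled on the check text.

```python
from dataclasses import dataclass

# Classification levels, lowest to highest (constructed ordering for this example).
LEVELS = ["UNCLASSIFIED", "FOUO", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class Page:
    """One screen or printed page: text rendered above and below the body."""
    header: str
    body: str
    footer: str

def required_marking(data_elements, classification_guide, system_high):
    """Highest classification among the data elements shown, per the guide.
    With no guide the rule requires the system's highest classification; an
    element missing from the guide is treated the same way (assumption)."""
    if not classification_guide:
        return system_high
    levels = [classification_guide.get(e, system_high) for e in data_elements]
    return max(levels, key=RANK.__getitem__, default="UNCLASSIFIED")

def _has_marking(text, marking):
    # Exact line match, so "SECRET" does not satisfy a "TOP SECRET" requirement.
    return marking in [line.strip() for line in text.splitlines()]

def check_markings(pages, marking):
    """Minimum placement from the rule: classified output is marked top and
    bottom of every screen/page, FOUO at least at the bottom; UNCLASSIFIED
    needs no marking here (assumption). Returns (page number, problem) pairs."""
    findings = []
    for i, p in enumerate(pages, start=1):
        if RANK[marking] >= RANK["CONFIDENTIAL"] and not _has_marking(p.header, marking):
            findings.append((i, f"missing top marking {marking}"))
        if RANK[marking] >= RANK["FOUO"] and not _has_marking(p.footer, marking):
            findings.append((i, f"missing bottom marking {marking}"))
    return findings

def evaluate_function(name, data_elements, pages, guide, system_high):
    """Finding details must name the function that failed, so bundle it here."""
    marking = required_marking(data_elements, guide, system_high)
    return {"function": name, "marking": marking,
            "findings": check_markings(pages, marking)}

# Constructed sample: a two-page SECRET report whose second page lost its top banner.
GUIDE = {"unit_roster": "FOUO", "mission_plan": "SECRET"}
REPORT = [Page("SECRET\n", "Mission plan p.1", "\nSECRET"),
          Page("", "Mission plan p.2", "SECRET")]
```

Running `evaluate_function("mission report", ["mission_plan"], REPORT, GUIDE, "SECRET")` reports page 2 as missing its top marking, which is the detail the finding must record.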

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments