STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The designer must create and update the Design Document for each release of the application.

DISA Rule

SV-222654r561284_rule

Vulnerability Number

V-222654

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003220

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Create and maintain the Design Document for each release of the application and identify the following:

- All external interfaces (from the threat model)
- The nature of information being exchanged
- Categories of sensitive information processed or stored and their specific protection plans
- The protection mechanisms associated with each interface
- User roles required for access control
- Access privileges assigned to each role
- Unique application security requirements
- Categories of sensitive information processed or stored and specific protection plans (e.g., Privacy Act, HIPAA, etc.)
- Restoration priority of subsystems, processes, or information.

Check Contents

This requirement is meant to apply to developers or organizations that are doing application development work. If the organization operating the application is not doing the development or managing the development of the application, the requirement is not applicable.

Ask the application representative for the design document for the application. Review the design document.

Examine the design document and/or the threat model for the application and verify the following information is documented:

- All external interfaces.
- The nature of information being exchanged
- Any protections on the external interface
- User roles required for access control and the access privileges assigned to each role
- Unique security requirements (e.g., encryption of key data elements at rest)
- Categories of sensitive information processed by the application and their specific protection plans (e.g., PII, HIPAA).
- Restoration priority of subsystems, processes, or information
- Verify the organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail
- Application incident response plan that provides details on how to provide the development team with application vulnerability or bug information.

If the design document is incomplete, this is a finding.

Vulnerability Number

V-222654

Documentable

False

Rule Version

APSC-DV-003220

Severity Override Guidance

This requirement is meant to apply to developers or organizations that are doing application development work. If the organization operating the application is not doing the development or managing the development of the application, the requirement is not applicable.

Ask the application representative for the design document for the application. Review the design document.

Examine the design document and/or the threat model for the application and verify the following information is documented:

- All external interfaces.
- The nature of information being exchanged
- Any protections on the external interface
- User roles required for access control and the access privileges assigned to each role
- Unique security requirements (e.g., encryption of key data elements at rest)
- Categories of sensitive information processed by the application and their specific protection plans (e.g., PII, HIPAA).
- Restoration priority of subsystems, processes, or information
- Verify the organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail
- Application incident response plan that provides details on how to provide the development team with application vulnerability or bug information.

If the design document is incomplete, this is a finding.

Check Content Reference

M

Target Key

4093

Comments