STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide

Version: 4

Release: 9

Benchmark Date: 25 Jan 2019

CheckedNameTitle
SV-83861r1_ruleThe application must provide a capability to limit the number of logon sessions per user.
SV-83863r1_ruleThe application must clear temporary storage and cookies when the session is terminated.
SV-83865r1_ruleThe application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed.
SV-83867r1_ruleThe application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded.
SV-83869r1_ruleApplications requiring user access authentication must provide a logoff capability for user initiated communication session.
SV-83871r1_ruleThe application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
SV-83873r1_ruleThe application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
SV-83875r1_ruleThe application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
SV-83877r1_ruleThe application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
SV-83879r1_ruleThe application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
SV-83881r1_ruleThe application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
SV-83883r1_ruleApplications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed.
SV-83901r1_ruleMessages protected with WS_Security must use time stamps with creation and expiration times.
SV-83903r1_ruleValidity periods must be verified on all application messages using WS-Security or SAML assertions.
SV-83905r2_ruleThe application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
SV-83907r1_ruleThe application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.
SV-83909r1_ruleThe application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
SV-83911r1_ruleThe application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.
SV-83913r1_ruleThe application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.
SV-83915r1_ruleThe application must ensure messages are encrypted when the SessionIndex is tied to privacy data.
SV-83917r1_ruleThe application must provide automated mechanisms for supporting account management functions.
SV-83919r1_ruleShared/group account credentials must be terminated when members leave the group.
SV-83921r1_ruleThe application must automatically remove or disable temporary user accounts 72 hours after account creation.
SV-83923r1_ruleThe application must automatically disable accounts after a 35 day period of account inactivity.
SV-83925r1_ruleUnnecessary application accounts must be disabled, or deleted.
SV-83927r1_ruleThe application must automatically audit account creation.
SV-83929r1_ruleThe application must automatically audit account modification.
SV-83931r1_ruleThe application must automatically audit account disabling actions.
SV-83933r1_ruleThe application must automatically audit account removal actions.
SV-83935r1_ruleThe application must notify System Administrators and Information System Security Officers when accounts are created.
SV-83937r1_ruleThe application must notify System Administrators and Information System Security Officers when accounts are modified.
SV-83939r1_ruleThe application must notify System Administrators and Information System Security Officers of account disabling actions.
SV-83941r1_ruleThe application must notify System Administrators and Information System Security Officers of account removal actions.
SV-83943r1_ruleThe application must automatically audit account enabling actions.
SV-83945r1_ruleThe application must notify System Administrators and Information System Security Officers of account enabling actions.
SV-83947r1_ruleApplication data protection requirements must be identified and documented.
SV-83949r1_ruleThe application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.
SV-83951r1_ruleThe application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SV-83953r1_ruleThe application must enforce organization-defined discretionary access control policies over defined subjects and objects.
SV-83955r1_ruleThe application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
SV-83957r1_ruleThe application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
SV-83959r1_ruleThe application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SV-83961r1_ruleThe application must execute without excessive account permissions.
SV-83963r1_ruleThe application must audit the execution of privileged functions.
SV-83965r1_ruleThe application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
SV-83969r1_ruleThe application administrator must follow an approved process to unlock locked user accounts.
SV-83971r2_ruleThe application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
SV-83973r2_ruleThe application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
SV-83975r1_ruleThe publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
SV-83977r1_ruleThe application must display the time and date of the users last successful logon.
SV-83979r1_ruleThe application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
SV-83981r1_ruleFor applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
SV-83983r1_ruleThe application must provide the capability for organization-identified individuals or roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.
SV-83985r1_ruleThe application must provide audit record generation capability for the creation of session IDs.
SV-83987r1_ruleThe application must provide audit record generation capability for the destruction of session IDs.
SV-83989r1_ruleThe application must provide audit record generation capability for the renewal of session IDs.
SV-83991r1_ruleThe application must not write sensitive data into the application logs.
SV-83993r2_ruleThe application must provide audit record generation capability for session timeouts.
SV-83995r1_ruleThe application must record a time stamp indicating when the event occurred.
SV-83997r1_ruleThe application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST.
SV-83999r1_ruleThe application must provide audit record generation capability for connecting system IP addresses.
SV-84001r1_ruleThe application must record the username or user ID of the user associated with the event.
SV-84003r2_ruleThe application must generate audit records when successful/unsuccessful attempts to grant privileges occur.
SV-84005r1_ruleThe application must generate audit records when successful/unsuccessful attempts to access security objects occur.
SV-84007r1_ruleThe application must generate audit records when successful/unsuccessful attempts to access security levels occur.
SV-84009r1_ruleThe application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
SV-84011r1_ruleThe application must generate audit records when successful/unsuccessful attempts to modify privileges occur.
SV-84013r1_ruleThe application must generate audit records when successful/unsuccessful attempts to modify security objects occur.
SV-84015r1_ruleThe application must generate audit records when successful/unsuccessful attempts to modify security levels occur.
SV-84017r1_ruleThe application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
SV-84019r1_ruleThe application must generate audit records when successful/unsuccessful attempts to delete privileges occur.
SV-84021r1_ruleThe application must generate audit records when successful/unsuccessful attempts to delete security levels occur.
SV-84023r1_ruleThe application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur.
SV-84025r1_ruleThe application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
SV-84027r1_ruleThe application must generate audit records when successful/unsuccessful logon attempts occur.
SV-84029r1_ruleThe application must generate audit records for privileged activities or other system-level access.
SV-84031r1_ruleThe application must generate audit records showing starting and ending time for user access to the system.
SV-84033r1_ruleThe application must generate audit records when successful/unsuccessful accesses to objects occur.
SV-84035r1_ruleThe application must generate audit records for all direct access to the information system.
SV-84037r1_ruleThe application must generate audit records for all account creations, modifications, disabling, and termination events.
SV-84041r1_ruleThe application must initiate session auditing upon startup.
SV-84043r1_ruleThe application must log application shutdown events.
SV-84045r1_ruleThe application must log destination IP addresses.
SV-84047r1_ruleThe application must log user actions involving access to data.
SV-84049r1_ruleThe application must log user actions involving changes to data.
SV-84051r1_ruleThe application must produce audit records containing information to establish when (date and time) the events occurred.
SV-84053r1_ruleThe application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.
SV-84055r1_ruleWhen using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs.
SV-84057r1_ruleThe application must produce audit records that contain information to establish the outcome of the events.
SV-84059r1_ruleThe application must generate audit records containing information that establishes the identity of any individual or process associated with the event.
SV-84061r1_ruleThe application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
SV-84063r1_ruleThe application must implement transaction recovery logs when transaction based.
SV-84065r1_ruleThe application must provide centralized management and configuration of the content to be captured in audit records generated by all application components.
SV-84067r1_ruleThe application must off-load audit records onto a different system or media than the system being audited.
SV-84069r1_ruleThe application must be configured to write application logs to a centralized log repository.
SV-84071r1_ruleThe application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
SV-84073r1_ruleApplications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
SV-84075r1_ruleThe application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-84077r1_ruleThe application must shut down by default upon audit failure (unless availability is an overriding concern).
SV-84079r1_ruleThe application must provide the capability to centrally review and analyze audit records from multiple components within the system.
SV-84081r1_ruleThe application must provide the capability to filter audit records for events of interest based upon organization-defined criteria.
SV-84083r1_ruleThe application must provide an audit reduction capability that supports on-demand reporting requirements.
SV-84085r1_ruleThe application must provide an audit reduction capability that supports on-demand audit review and analysis.
SV-84087r1_ruleThe application must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
SV-84089r1_ruleThe application must provide a report generation capability that supports on-demand audit review and analysis.
SV-84091r1_ruleThe application must provide a report generation capability that supports on-demand reporting requirements.
SV-84093r1_ruleThe application must provide a report generation capability that supports after-the-fact investigations of security incidents.
SV-84095r1_ruleThe application must provide an audit reduction capability that does not alter original content or time ordering of audit records.
SV-84097r1_ruleThe application must provide a report generation capability that does not alter original content or time ordering of audit records.
SV-84099r1_ruleThe applications must use internal system clocks to generate time stamps for audit records.
SV-84101r1_ruleThe application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-84103r1_ruleThe application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
SV-84105r1_ruleThe application must protect audit information from any type of unauthorized read access.
SV-84107r1_ruleThe application must protect audit information from unauthorized modification.
SV-84109r1_ruleThe application must protect audit information from unauthorized deletion.
SV-84111r1_ruleThe application must protect audit tools from unauthorized access.
SV-84113r1_ruleThe application must protect audit tools from unauthorized modification.
SV-84115r1_ruleThe application must protect audit tools from unauthorized deletion.
SV-84117r1_ruleThe application must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-84119r1_ruleThe application must use cryptographic mechanisms to protect the integrity of audit information.
SV-84121r1_ruleApplication audit tools must be cryptographically hashed.
SV-84123r1_ruleThe integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value.
SV-84125r1_ruleThe application must prohibit user installation of software without explicit privileged status.
SV-84127r1_ruleThe application must enforce access restrictions associated with changes to application configuration.
SV-84129r1_ruleThe application must audit who makes configuration changes to the application.
SV-84131r1_ruleThe application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
SV-84133r1_ruleThe applications must limit privileges to change the software resident within software libraries.
SV-84135r1_ruleAn application vulnerability assessment must be conducted.
SV-84137r1_ruleThe application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
SV-84139r1_ruleThe application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.
SV-84141r1_ruleThe application must be configured to disable non-essential capabilities.
SV-84143r1_ruleThe application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.
SV-84145r1_ruleThe application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
SV-84147r1_ruleThe application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
SV-84149r1_ruleThe application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-84151r1_ruleThe application must use multifactor (Alt. Token) authentication for network access to privileged accounts.
SV-84153r1_ruleThe application must accept Personal Identity Verification (PIV) credentials.
SV-84155r1_ruleThe application must electronically verify Personal Identity Verification (PIV) credentials.
SV-84157r1_ruleThe application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.
SV-84159r1_ruleThe application must use multifactor (Alt. Token) authentication for local access to privileged accounts.
SV-84161r1_ruleThe application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts.
SV-84163r1_ruleThe application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
SV-84165r1_ruleThe application must implement replay-resistant authentication mechanisms for network access to privileged accounts.
SV-84167r1_ruleThe application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-84169r1_ruleThe application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.
SV-84171r1_ruleThe application must authenticate all network connected endpoint devices before establishing any connection.
SV-84173r1_ruleService-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
SV-84175r2_ruleThe application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.
SV-84177r1_ruleThe application must enforce a minimum 15-character password length.
SV-84179r1_ruleThe application must enforce password complexity by requiring that at least one upper-case character be used.
SV-84181r1_ruleThe application must enforce password complexity by requiring that at least one lower-case character be used.
SV-84183r1_ruleThe application must enforce password complexity by requiring that at least one numeric character be used.
SV-84185r1_ruleThe application must enforce password complexity by requiring that at least one special character be used.
SV-84187r1_ruleThe application must require the change of at least 8 of the total number of characters when passwords are changed.
SV-84189r1_ruleThe application must only store cryptographic representations of passwords.
SV-84191r1_ruleThe application must transmit only cryptographically-protected passwords.
SV-84193r1_ruleThe application must enforce 24 hours/1 day as the minimum password lifetime.
SV-84195r1_ruleThe application must enforce a 60-day maximum password lifetime restriction.
SV-84197r1_ruleThe application must prohibit password reuse for a minimum of five generations.
SV-84199r1_ruleThe application must allow the use of a temporary password for system logons with an immediate change to a permanent password.
SV-84767r1_ruleThe application password must not be changeable by users other than the administrator or the user with which the password is associated.
SV-84769r2_ruleThe application must terminate existing user sessions upon account deletion.
SV-84771r1_ruleThe application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-84773r1_ruleThe application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
SV-84775r1_ruleThe application must map the authenticated identity to the individual user or group account for PKI-based authentication.
SV-84777r1_ruleThe application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
SV-84779r2_ruleThe application must not display passwords/PINs as clear text.
SV-84781r2_ruleThe application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SV-84783r1_ruleThe application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-84785r1_ruleThe application must accept Personal Identity Verification (PIV) credentials from other federal agencies.
SV-84787r1_ruleThe application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
SV-84789r1_ruleThe application must accept FICAM-approved third-party credentials.
SV-84791r1_ruleThe application must conform to FICAM-issued profiles.
SV-84793r1_ruleApplications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.
SV-84795r1_ruleThe application must have a process, feature or function that prevents removal or disabling of emergency accounts.
SV-84797r1_ruleApplications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.
SV-84799r1_ruleApplications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
SV-84801r1_ruleApplications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions.
SV-84803r1_ruleThe application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
SV-84805r1_ruleThe application must terminate all sessions and network connections when non-local maintenance is completed.
SV-84807r1_ruleThe application must not be vulnerable to race conditions.
SV-84809r1_ruleThe application must terminate all network connections associated with a communications session at the end of the session.
SV-84811r2_ruleThe application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-84813r2_ruleThe application must utilize FIPS-validated cryptographic modules when signing application components.
SV-84815r2_ruleThe application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
SV-84817r1_ruleThe application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
SV-84819r1_ruleApplications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
SV-84821r1_ruleThe application user interface must be either physically or logically separated from data storage and management interfaces.
SV-84823r1_ruleThe application must set the HTTPOnly flag on session cookies.
SV-84825r1_ruleThe application must set the secure flag on session cookies.
SV-84827r1_ruleThe application must not expose session IDs.
SV-84829r1_ruleThe application must destroy the session ID value and/or cookie on logoff or browser close.
SV-84831r1_ruleApplications must use system-generated session identifiers that protect against session fixation.
SV-84833r1_ruleApplications must validate session identifiers.
SV-84835r1_ruleApplications must not use URL embedded session IDs.
SV-84837r1_ruleThe application must not re-use or recycle session IDs.
SV-84839r1_ruleThe application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
SV-84841r1_ruleThe application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
SV-84843r1_ruleThe application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SV-84845r1_ruleIn the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
SV-84847r1_ruleThe application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
SV-84849r1_ruleThe application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
SV-84851r1_ruleThe application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
SV-84853r1_ruleThe application must isolate security functions from non-security functions.
SV-84855r1_ruleThe application must maintain a separate execution domain for each executing process.
SV-84857r1_ruleApplications must prevent unauthorized and unintended information transfer via shared system resources.
SV-84859r1_ruleXML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
SV-84861r1_ruleThe application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
SV-84863r1_ruleThe web service design must include redundancy mechanisms when used with high-availability systems.
SV-84865r1_ruleAn XML firewall function must be deployed to protect web services when exposed to untrusted networks.
SV-84867r1_ruleThe application must protect the confidentiality and integrity of transmitted information.
SV-84869r1_ruleThe application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
SV-84871r1_ruleThe application must maintain the confidentiality and integrity of information during preparation for transmission.
SV-84873r1_ruleThe application must maintain the confidentiality and integrity of information during reception.
SV-84875r1_ruleThe application must not disclose unnecessary information to users.
SV-84877r1_ruleThe application must not store sensitive information in hidden fields.
SV-84879r1_ruleThe application must protect from Cross-Site Scripting (XSS) vulnerabilities.
SV-84881r1_ruleThe application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
SV-84883r1_ruleThe application must protect from command injection.
SV-84885r1_ruleThe application must protect from canonical representation vulnerabilities.
SV-84887r1_ruleThe application must validate all input.
SV-84889r1_ruleThe application must not be vulnerable to SQL Injection.
SV-84891r1_ruleThe application must not be vulnerable to XML-oriented attacks.
SV-84893r1_ruleThe application must not be subject to input handling vulnerabilities.
SV-84895r1_ruleThe application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SV-84897r1_ruleThe application must reveal error messages only to the ISSO, ISSM, or SA.
SV-84899r1_ruleThe application must not be vulnerable to overflow attacks.
SV-84901r1_ruleThe application must remove organization-defined software components after updated versions have been installed.
SV-84903r1_ruleSecurity-relevant software updates and patches must be kept up to date.
SV-84905r1_ruleThe application performing organization-defined security functions must verify correct operation of security functions.
SV-84907r1_ruleThe application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
SV-84909r1_ruleThe application must notify the ISSO and ISSM of failed security verification tests.
SV-84911r1_ruleUnsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.
SV-84913r1_ruleThe ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
SV-84915r1_ruleApplication web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.
SV-84917r1_ruleThe ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
SV-84919r1_ruleThe ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events.
SV-84923r1_ruleThe ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures.
SV-84925r1_ruleThe ISSO must ensure active vulnerability testing is performed.
SV-84929r1_ruleExecution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.
SV-84931r1_ruleThe designer must ensure the application does not store configuration and control files in the same directory as user data.
SV-84933r1_ruleThe ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.
SV-84935r1_ruleNew IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will submit them through the DoD Ports, Protocols, and Services Management (DoD PPSM) process.
SV-84939r2_ruleThe application must be registered with the DoD Ports and Protocols Database.
SV-84961r1_ruleThe Configuration Management (CM) repository must be properly patched and STIG compliant.
SV-84963r1_ruleAccess privileges to the Configuration Management (CM) repository must be reviewed every three months.
SV-84965r1_ruleA Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.
SV-84967r2_ruleA Configuration Control Board (CCB) that meets at least every release cycle must be established to manage the Configuration Management (CM) process.
SV-84969r1_ruleThe application services and interfaces must be compatible with and ready for IPv6 networks.
SV-84971r1_ruleThe application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO.
SV-84973r1_ruleA disaster recovery/continuity plan must exist in accordance with DoD policy based on the application's availability requirements.
SV-84975r1_ruleRecovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery.
SV-84977r1_ruleData backup must be performed at required intervals in accordance with DoD policy.
SV-84979r1_ruleBackup copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite).
SV-84981r1_ruleProcedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
SV-84983r1_ruleThe application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
SV-84985r1_ruleThe application must not contain embedded authentication data.
SV-84987r1_ruleThe application must have the capability to mark sensitive/classified output when required.
SV-84989r1_rulePrior to each application release, system update, or patch application, test plans and procedures must be created and executed.
SV-84991r2_ruleApplication files must be cryptographically hashed prior to deploying to DoD operational networks.
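The practical shape of the hashing rule above is a manifest: hash every file in the release tree before it leaves the build environment, then recompute and compare on the target before the application is started. The following is an added example for this summary, not STIGQter or DISA code; the manifest file name, the directory layout, and the sample files are assumptions, and the tampering scenario in demo() is constructed.

```python
"""Hash manifest for application files: generated before deployment and
checked on the target before the application is started.

Added example for this STIG summary, not STIGQter or DISA code. The
manifest name, directory layout and sample files are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"   # assumed name


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large artifacts are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree cannot be 'verified'."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file() or p.name == MANIFEST_NAME:
            continue
        entries[p.relative_to(root).as_posix()] = sha256_file(p)
    return entries


def write_manifest(root: Path, entries: dict) -> None:
    (Path(root) / MANIFEST_NAME).write_text(json.dumps(entries, indent=1, sort_keys=True))


def verify_tree(root: Path) -> dict:
    """Compare the tree with its manifest.
    Returns {relpath: "modified" | "missing" | "unexpected"}; an empty dict means intact."""
    root = Path(root)
    expected = json.loads((root / MANIFEST_NAME).read_text())
    actual = build_manifest(root)
    problems = {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in expected:
            problems[rel] = "unexpected"
    return problems


def demo(workdir=None):
    """Constructed scenario: hash a small tree, then tamper with it three ways.
    Returns (problems_before_tampering, problems_after_tampering)."""
    root = Path(workdir or tempfile.mkdtemp(prefix="appdeploy-"))
    (root / "bin").mkdir(exist_ok=True)
    (root / "bin" / "app.jar").write_bytes(b"PK\x03\x04 constructed sample archive")
    (root / "app.conf").write_text("listen=8443\n")
    write_manifest(root, build_manifest(root))
    before = verify_tree(root)
    (root / "app.conf").write_text("listen=8443\ndebug=true\n")   # changed in place
    (root / "bin" / "app.jar").unlink()                           # removed
    (root / "bin" / "shell.jsp").write_text("<% constructed %>")  # added after hashing
    return before, verify_tree(root)


if __name__ == "__main__":
    print(demo())
```

A manifest that travels with the files only detects accidental corruption: an attacker who can rewrite app.conf can rewrite MANIFEST.sha256.json too. For the rule's purpose the manifest (or its own hash) has to be recorded out of band with the release, or signed, and the target compares against that copy rather than one it generates itself.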
SV-84993r1_ruleAt least one tester must be designated to test for security flaws in addition to functional testing.
SV-84995r1_ruleTest procedures must be created and executed at least annually to verify that system initialization, shutdown, and aborts leave the system in a secure state.
SV-84997r1_ruleAn application code review must be performed on the application.
SV-84999r1_ruleCode coverage statistics must be maintained for each release of the application.
SV-85001r1_ruleFlaws found during a code review must be tracked in a defect tracking system.
SV-85003r1_ruleThe changes to the application must be assessed for IA and accreditation impact prior to implementation.
SV-85005r1_ruleSecurity flaws must be fixed or addressed in the project plan.
SV-85007r1_ruleThe application development team must follow a set of coding standards.
SV-85009r1_ruleThe designer must create and update the Design Document for each release of the application.
SV-85011r1_ruleThreat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered.
SV-85013r1_ruleThe application must not be subject to error handling vulnerabilities.
SV-85015r1_ruleThe application development team must provide an application incident response plan.
SV-85017r2_ruleAll products must be supported by the vendor or the development team.
SV-85019r1_ruleThe application must be decommissioned when maintenance or support is no longer available.
SV-85021r1_ruleProcedures must be in place to notify users when an application is decommissioned.
SV-85023r1_ruleUnnecessary built-in application accounts must be disabled.
SV-85025r1_ruleDefault passwords must be changed.
SV-85027r1_ruleAn Application Configuration Guide must be created and included with the application.
SV-85029r1_ruleIf the application contains classified data, a Security Classification Guide must exist containing data elements and their classification.
SV-85031r2_ruleThe designer must ensure uncategorized or emerging mobile code is not used in applications.
SV-85033r1_ruleProduction database exports must have database administration credentials and sensitive data removed before releasing the export.
SV-85035r1_ruleProtections against DoS attacks must be implemented.
SV-85037r2_ruleThe system must alert an administrator when low resource conditions are encountered.
SV-85039r1_ruleAt least one application administrator must be registered to receive update notifications or security alerts when automated alerts are available.
SV-85041r1_ruleThe application must provide notifications or alerts when product update and security related patches are available.
SV-85043r1_ruleConnections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ.
SV-85045r1_ruleThe application must generate audit records when concurrent logons from different workstations occur.
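Generating the audit record the rule above asks for means tracking live sessions per user and flagging a logon that arrives while that user already has a session on another workstation. The block below is an added example for this summary, not STIGQter or DISA code; the JSON event format and the sample log lines are constructed, and the audit record layout is an assumption.

```python
"""Audit records for concurrent logons by one user from different workstations.

Added example for this STIG summary, not STIGQter or DISA code. The event
format, the sample log, and the audit record fields are constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    ts: int            # epoch seconds
    user: str
    workstation: str
    action: str        # "logon" or "logoff"
    session_id: str


class ConcurrentLogonMonitor:
    """Tracks active sessions per user and emits an audit record when a new
    logon arrives while that user already has a live session elsewhere."""

    def __init__(self):
        self.active = {}   # user -> {session_id: workstation}
        self.audit = []    # emitted audit records

    def process(self, ev: LogonEvent):
        sessions = self.active.setdefault(ev.user, {})
        if ev.action == "logoff":
            sessions.pop(ev.session_id, None)
            return None
        # Workstations other than the one this logon comes from that still hold a session.
        other = sorted({ws for ws in sessions.values() if ws != ev.workstation})
        sessions[ev.session_id] = ev.workstation
        if not other:
            return None
        record = {
            "event": "CONCURRENT_LOGON",
            "ts": ev.ts,
            "user": ev.user,
            "new_workstation": ev.workstation,
            "existing_workstations": other,
            "session_id": ev.session_id,
        }
        self.audit.append(record)
        return record


# Constructed sample log: alice logs on twice from WS-101, then from WS-303 and WS-404.
SAMPLE_LOG = """\
{"ts":1700000000,"user":"alice","workstation":"WS-101","action":"logon","session_id":"s1"}
{"ts":1700000030,"user":"bob","workstation":"WS-202","action":"logon","session_id":"s2"}
{"ts":1700000060,"user":"alice","workstation":"WS-101","action":"logon","session_id":"s3"}
{"ts":1700000090,"user":"alice","workstation":"WS-303","action":"logon","session_id":"s4"}
{"ts":1700000120,"user":"alice","workstation":"WS-101","action":"logoff","session_id":"s1"}
{"ts":1700000150,"user":"alice","workstation":"WS-101","action":"logoff","session_id":"s3"}
{"ts":1700000180,"user":"bob","workstation":"WS-202","action":"logoff","session_id":"s2"}
{"ts":1700000210,"user":"alice","workstation":"WS-404","action":"logon","session_id":"s5"}
"""


def run_over_log(text: str):
    """Feed newline-delimited JSON events through the monitor; return the audit records."""
    mon = ConcurrentLogonMonitor()
    for line in text.splitlines():
        if line.strip():
            mon.process(LogonEvent(**json.loads(line)))
    return mon.audit


if __name__ == "__main__":
    for rec in run_over_log(SAMPLE_LOG):
        print(json.dumps(rec))
```

On the sample, alice's second logon from WS-101 produces no record (same workstation), while her logons from WS-303 and later WS-404 each do, because a session on a different workstation is still open at that moment. Whether a second session from the same workstation should also be recorded is a separate policy decision; the rule as written is about different workstations.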
SV-85047r2_ruleThe Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.