| Checked | Name | Title |
|---|
| ☐ | SV-222387r508029_rule | The application must provide a capability to limit the number of logon sessions per user. |
| ☐ | SV-222388r508029_rule | The application must clear temporary storage and cookies when the session is terminated. |
| ☐ | SV-222389r508029_rule | The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed. |
| ☐ | SV-222390r508029_rule | The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. |
| ☐ | SV-222391r508029_rule | Applications requiring user access authentication must provide a logoff capability for user initiated communication session. |
| ☐ | SV-222392r508029_rule | The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. |
| ☐ | SV-222393r508029_rule | The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. |
| ☐ | SV-222394r508029_rule | The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. |
| ☐ | SV-222395r508029_rule | The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. |
| ☐ | SV-222396r508029_rule | The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
| ☐ | SV-222397r508029_rule | The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. |
| ☐ | SV-222398r508029_rule | Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed. |
| ☐ | SV-222399r508029_rule | Messages protected with WS_Security must use time stamps with creation and expiration times. |
| ☐ | SV-222400r508029_rule | Validity periods must be verified on all application messages using WS-Security or SAML assertions. |
| ☐ | SV-222401r508029_rule | The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion. |
| ☐ | SV-222402r508029_rule | The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary. |
| ☐ | SV-222403r508029_rule | The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. |
| ☐ | SV-222404r508029_rule | The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. |
| ☐ | SV-222405r508029_rule | The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion. |
| ☐ | SV-222406r508029_rule | The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. |
| ☐ | SV-222407r508029_rule | The application must provide automated mechanisms for supporting account management functions. |
| ☐ | SV-222408r508029_rule | Shared/group account credentials must be terminated when members leave the group. |
| ☐ | SV-222409r508029_rule | The application must automatically remove or disable temporary user accounts 72 hours after account creation. |
| ☐ | SV-222410r508029_rule | The application must have a process, feature or function that prevents removal or disabling of emergency accounts. |
| ☐ | SV-222411r508029_rule | The application must automatically disable accounts after a 35 day period of account inactivity. |
| ☐ | SV-222412r508029_rule | Unnecessary application accounts must be disabled, or deleted. |
| ☐ | SV-222413r508029_rule | The application must automatically audit account creation. |
| ☐ | SV-222414r508029_rule | The application must automatically audit account modification. |
| ☐ | SV-222415r508029_rule | The application must automatically audit account disabling actions. |
| ☐ | SV-222416r508029_rule | The application must automatically audit account removal actions. |
| ☐ | SV-222417r508029_rule | The application must notify System Administrators and Information System Security Officers when accounts are created. |
| ☐ | SV-222418r508029_rule | The application must notify System Administrators and Information System Security Officers when accounts are modified. |
| ☐ | SV-222419r508029_rule | The application must notify System Administrators and Information System Security Officers of account disabling actions. |
| ☐ | SV-222420r508029_rule | The application must notify System Administrators and Information System Security Officers of account removal actions. |
| ☐ | SV-222421r508029_rule | The application must automatically audit account enabling actions. |
| ☐ | SV-222422r508029_rule | The application must notify System Administrators and Information System Security Officers of account enabling actions. |
| ☐ | SV-222423r508029_rule | Application data protection requirements must be identified and documented. |
| ☐ | SV-222424r508029_rule | The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. |
| ☐ | SV-222425r508029_rule | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| ☐ | SV-222426r508029_rule | The application must enforce organization-defined discretionary access control policies over defined subjects and objects. |
| ☐ | SV-222427r508029_rule | The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
| ☐ | SV-222428r508029_rule | The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
| ☐ | SV-222429r508029_rule | The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| ☐ | SV-222430r508029_rule | The application must execute without excessive account permissions. |
| ☐ | SV-222431r508029_rule | The application must audit the execution of privileged functions. |
| ☐ | SV-222432r508029_rule | The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. |
| ☐ | SV-222433r508029_rule | The application administrator must follow an approved process to unlock locked user accounts. |
| ☐ | SV-222434r508029_rule | The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. |
| ☐ | SV-222435r508029_rule | The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| ☐ | SV-222436r508029_rule | The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. |
| ☐ | SV-222437r508029_rule | The application must display the time and date of the users last successful logon. |
| ☐ | SV-222438r508029_rule | The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
| ☐ | SV-222439r561233_rule | For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. |
| ☐ | SV-222441r508029_rule | The application must provide audit record generation capability for the creation of session IDs. |
| ☐ | SV-222442r508029_rule | The application must provide audit record generation capability for the destruction of session IDs. |
| ☐ | SV-222443r508029_rule | The application must provide audit record generation capability for the renewal of session IDs. |
| ☐ | SV-222444r508029_rule | The application must not write sensitive data into the application logs. |
| ☐ | SV-222445r508029_rule | The application must provide audit record generation capability for session timeouts. |
| ☐ | SV-222446r508029_rule | The application must record a time stamp indicating when the event occurred. |
| ☐ | SV-222447r508029_rule | The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. |
| ☐ | SV-222448r508029_rule | The application must provide audit record generation capability for connecting system IP addresses. |
| ☐ | SV-222449r508029_rule | The application must record the username or user ID of the user associated with the event. |
| ☐ | SV-222450r508029_rule | The application must generate audit records when successful/unsuccessful attempts to grant privileges occur. |
| ☐ | SV-222451r508029_rule | The application must generate audit records when successful/unsuccessful attempts to access security objects occur. |
| ☐ | SV-222452r508029_rule | The application must generate audit records when successful/unsuccessful attempts to access security levels occur. |
| ☐ | SV-222453r508029_rule | The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. |
| ☐ | SV-222454r508029_rule | The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
| ☐ | SV-222455r508029_rule | The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
| ☐ | SV-222456r508029_rule | The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. |
| ☐ | SV-222457r508029_rule | The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. |
| ☐ | SV-222458r508029_rule | The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
| ☐ | SV-222459r508029_rule | The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. |
| ☐ | SV-222460r508029_rule | The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. |
| ☐ | SV-222461r508029_rule | The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. |
| ☐ | SV-222462r508029_rule | The application must generate audit records when successful/unsuccessful logon attempts occur. |
| ☐ | SV-222463r508029_rule | The application must generate audit records for privileged activities or other system-level access. |
| ☐ | SV-222464r508029_rule | The application must generate audit records showing starting and ending time for user access to the system. |
| ☐ | SV-222465r508029_rule | The application must generate audit records when successful/unsuccessful accesses to objects occur. |
| ☐ | SV-222466r508029_rule | The application must generate audit records for all direct access to the information system. |
| ☐ | SV-222467r508029_rule | The application must generate audit records for all account creations, modifications, disabling, and termination events. |
| ☐ | SV-222468r508029_rule | The application must initiate session auditing upon startup. |
| ☐ | SV-222469r508029_rule | The application must log application shutdown events. |
| ☐ | SV-222470r508029_rule | The application must log destination IP addresses. |
| ☐ | SV-222471r508029_rule | The application must log user actions involving access to data. |
| ☐ | SV-222472r508029_rule | The application must log user actions involving changes to data. |
| ☐ | SV-222473r508029_rule | The application must produce audit records containing information to establish when (date and time) the events occurred. |
| ☐ | SV-222474r508029_rule | The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. |
| ☐ | SV-222475r508029_rule | When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. |
| ☐ | SV-222476r508029_rule | The application must produce audit records that contain information to establish the outcome of the events. |
| ☐ | SV-222477r508029_rule | The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. |
| ☐ | SV-222478r508029_rule | The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. |
| ☐ | SV-222479r508029_rule | The application must implement transaction recovery logs when transaction based. |
| ☐ | SV-222480r508029_rule | The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. |
| ☐ | SV-222481r508029_rule | The application must off-load audit records onto a different system or media than the system being audited. |
| ☐ | SV-222482r508029_rule | The application must be configured to write application logs to a centralized log repository. |
| ☐ | SV-222483r561236_rule | The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. |
| ☐ | SV-222484r508029_rule | Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. |
| ☐ | SV-222485r508029_rule | The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
| ☐ | SV-222486r508029_rule | The application must shut down by default upon audit failure (unless availability is an overriding concern). |
| ☐ | SV-222487r508029_rule | The application must provide the capability to centrally review and analyze audit records from multiple components within the system. |
| ☐ | SV-222488r508029_rule | The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. |
| ☐ | SV-222489r508029_rule | The application must provide an audit reduction capability that supports on-demand reporting requirements. |
| ☐ | SV-222490r508029_rule | The application must provide an audit reduction capability that supports on-demand audit review and analysis. |
| ☐ | SV-222491r508029_rule | The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. |
| ☐ | SV-222492r508029_rule | The application must provide a report generation capability that supports on-demand audit review and analysis. |
| ☐ | SV-222493r508029_rule | The application must provide a report generation capability that supports on-demand reporting requirements. |
| ☐ | SV-222494r508029_rule | The application must provide a report generation capability that supports after-the-fact investigations of security incidents. |
| ☐ | SV-222495r508029_rule | The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. |
| ☐ | SV-222496r508029_rule | The application must provide a report generation capability that does not alter original content or time ordering of audit records. |
| ☐ | SV-222497r508029_rule | The applications must use internal system clocks to generate time stamps for audit records. |
| ☐ | SV-222498r508029_rule | The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
| ☐ | SV-222499r508029_rule | The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. |
| ☐ | SV-222500r508029_rule | The application must protect audit information from any type of unauthorized read access. |
| ☐ | SV-222501r561239_rule | The application must protect audit information from unauthorized modification. |
| ☐ | SV-222502r508029_rule | The application must protect audit information from unauthorized deletion. |
| ☐ | SV-222503r561242_rule | The application must protect audit tools from unauthorized access. |
| ☐ | SV-222504r561290_rule | The application must protect audit tools from unauthorized modification. |
| ☐ | SV-222505r561245_rule | The application must protect audit tools from unauthorized deletion. |
| ☐ | SV-222506r508029_rule | The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
| ☐ | SV-222507r508029_rule | The application must use cryptographic mechanisms to protect the integrity of audit information. |
| ☐ | SV-222508r508029_rule | Application audit tools must be cryptographically hashed. |
| ☐ | SV-222509r508029_rule | The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. |
| ☐ | SV-222510r508029_rule | The application must prohibit user installation of software without explicit privileged status. |
| ☐ | SV-222511r508029_rule | The application must enforce access restrictions associated with changes to application configuration. |
| ☐ | SV-222512r508029_rule | The application must audit who makes configuration changes to the application. |
| ☐ | SV-222513r561248_rule | The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
| ☐ | SV-222514r508029_rule | The applications must limit privileges to change the software resident within software libraries. |
| ☐ | SV-222515r508029_rule | An application vulnerability assessment must be conducted. |
| ☐ | SV-222516r508029_rule | The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
| ☐ | SV-222517r508029_rule | The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. |
| ☐ | SV-222518r508029_rule | The application must be configured to disable non-essential capabilities. |
| ☐ | SV-222519r508029_rule | The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. |
| ☐ | SV-222520r508029_rule | The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. |
| ☐ | SV-222521r508029_rule | The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. |
| ☐ | SV-222522r508029_rule | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
| ☐ | SV-222523r508029_rule | The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. |
| ☐ | SV-222524r508029_rule | The application must accept Personal Identity Verification (PIV) credentials. |
| ☐ | SV-222525r508029_rule | The application must electronically verify Personal Identity Verification (PIV) credentials. |
| ☐ | SV-222526r508029_rule | The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. |
| ☐ | SV-222527r508029_rule | The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. |
| ☐ | SV-222528r508029_rule | The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts. |
| ☐ | SV-222529r508029_rule | The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. |
| ☐ | SV-222530r508029_rule | The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. |
| ☐ | SV-222531r508029_rule | The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. |
| ☐ | SV-222532r508029_rule | The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. |
| ☐ | SV-222533r508029_rule | The application must authenticate all network connected endpoint devices before establishing any connection. |
| ☐ | SV-222534r508029_rule | Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. |
| ☐ | SV-222535r508029_rule | The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. |
| ☐ | SV-222536r508029_rule | The application must enforce a minimum 15-character password length. |
| ☐ | SV-222537r508029_rule | The application must enforce password complexity by requiring that at least one upper-case character be used. |
| ☐ | SV-222538r508029_rule | The application must enforce password complexity by requiring that at least one lower-case character be used. |
| ☐ | SV-222539r508029_rule | The application must enforce password complexity by requiring that at least one numeric character be used. |
| ☐ | SV-222540r508029_rule | The application must enforce password complexity by requiring that at least one special character be used. |
| ☐ | SV-222541r508029_rule | The application must require the change of at least 8 of the total number of characters when passwords are changed. |
| ☐ | SV-222542r508029_rule | The application must only store cryptographic representations of passwords. |
| ☐ | SV-222543r508029_rule | The application must transmit only cryptographically-protected passwords. |
| ☐ | SV-222544r508029_rule | The application must enforce 24 hours/1 day as the minimum password lifetime. |
| ☐ | SV-222545r508029_rule | The application must enforce a 60-day maximum password lifetime restriction. |
| ☐ | SV-222546r508029_rule | The application must prohibit password reuse for a minimum of five generations. |
| ☐ | SV-222547r508029_rule | The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. |
| ☐ | SV-222548r561251_rule | The application password must not be changeable by users other than the administrator or the user with which the password is associated. |
| ☐ | SV-222549r508029_rule | The application must terminate existing user sessions upon account deletion. |
| ☐ | SV-222550r508029_rule | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| ☐ | SV-222551r508029_rule | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. |
| ☐ | SV-222552r508029_rule | The application must map the authenticated identity to the individual user or group account for PKI-based authentication. |
| ☐ | SV-222553r508029_rule | The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
| ☐ | SV-222554r508029_rule | The application must not display passwords/PINs as clear text. |
| ☐ | SV-222555r508029_rule | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
| ☐ | SV-222556r508029_rule | The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
| ☐ | SV-222557r508029_rule | The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. |
| ☐ | SV-222558r508029_rule | The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. |
| ☐ | SV-222559r508029_rule | The application must accept FICAM-approved third-party credentials. |
| ☐ | SV-222560r508029_rule | The application must conform to FICAM-issued profiles. |
| ☐ | SV-222561r508029_rule | Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. |
| ☐ | SV-222562r508029_rule | Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. |
| ☐ | SV-222563r508029_rule | Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. |
| ☐ | SV-222564r508029_rule | Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. |
| ☐ | SV-222565r508029_rule | The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. |
| ☐ | SV-222566r508029_rule | The application must terminate all sessions and network connections when non-local maintenance is completed. |
| ☐ | SV-222567r508029_rule | The application must not be vulnerable to race conditions. |
| ☐ | SV-222568r508029_rule | The application must terminate all network connections associated with a communications session at the end of the session. |
| ☐ | SV-222569r561293_rule | The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| ☐ | SV-222570r508029_rule | The application must utilize FIPS-validated cryptographic modules when signing application components. |
| ☐ | SV-222571r508029_rule | The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. |
| ☐ | SV-222572r508029_rule | The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. |
| ☐ | SV-222573r508029_rule | Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. |
| ☐ | SV-222574r508029_rule | The application user interface must be either physically or logically separated from data storage and management interfaces. |
| ☐ | SV-222575r508029_rule | The application must set the HTTPOnly flag on session cookies. |
| ☐ | SV-222576r508029_rule | The application must set the secure flag on session cookies. |
| ☐ | SV-222577r508029_rule | The application must not expose session IDs. |
| ☐ | SV-222578r508029_rule | The application must destroy the session ID value and/or cookie on logoff or browser close. |
| ☐ | SV-222579r508029_rule | Applications must use system-generated session identifiers that protect against session fixation. |
| ☐ | SV-222580r508029_rule | Applications must validate session identifiers. |
| ☐ | SV-222581r508029_rule | Applications must not use URL embedded session IDs. |
| ☐ | SV-222582r508029_rule | The application must not re-use or recycle session IDs. |
| ☐ | SV-222583r508029_rule | The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. |
| ☐ | SV-222584r508029_rule | The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. |
| ☐ | SV-222585r508029_rule | The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
| ☐ | SV-222586r508029_rule | In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
| ☐ | SV-222587r508029_rule | The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. |
| ☐ | SV-222588r508029_rule | The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |
| ☐ | SV-222589r508029_rule | The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. |
| ☐ | SV-222590r508029_rule | The application must isolate security functions from non-security functions. |
| ☐ | SV-222591r508029_rule | The application must maintain a separate execution domain for each executing process. |
| ☐ | SV-222592r508029_rule | Applications must prevent unauthorized and unintended information transfer via shared system resources. |
| ☐ | SV-222593r561254_rule | XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. |
| ☐ | SV-222594r561257_rule | The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. |
| ☐ | SV-222595r508029_rule | The web service design must include redundancy mechanisms when used with high-availability systems. |
| ☐ | SV-222596r508029_rule | The application must protect the confidentiality and integrity of transmitted information. |
| ☐ | SV-222597r561260_rule | The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). |
| ☐ | SV-222598r508029_rule | The application must maintain the confidentiality and integrity of information during preparation for transmission. |
| ☐ | SV-222599r508029_rule | The application must maintain the confidentiality and integrity of information during reception. |
| ☐ | SV-222600r508029_rule | The application must not disclose unnecessary information to users. |
| ☐ | SV-222601r508029_rule | The application must not store sensitive information in hidden fields. |
| ☐ | SV-222602r561263_rule | The application must protect from Cross-Site Scripting (XSS) vulnerabilities. |
| ☐ | SV-222603r508029_rule | The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. |
| ☐ | SV-222604r508029_rule | The application must protect from command injection. |
| ☐ | SV-222605r561266_rule | The application must protect from canonical representation vulnerabilities. |
| ☐ | SV-222606r508029_rule | The application must validate all input. |
| ☐ | SV-222607r508029_rule | The application must not be vulnerable to SQL Injection. |
| ☐ | SV-222608r508029_rule | The application must not be vulnerable to XML-oriented attacks. |
| ☐ | SV-222609r561269_rule | The application must not be subject to input handling vulnerabilities. |
| ☐ | SV-222610r508029_rule | The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
| ☐ | SV-222611r508029_rule | The application must reveal error messages only to the ISSO, ISSM, or SA. |
| ☐ | SV-222612r561272_rule | The application must not be vulnerable to overflow attacks. |
| ☐ | SV-222613r508029_rule | The application must remove organization-defined software components after updated versions have been installed. |
| ☐ | SV-222614r508029_rule | Security-relevant software updates and patches must be kept up to date. |
| ☐ | SV-222615r508029_rule | The application performing organization-defined security functions must verify correct operation of security functions. |
| ☐ | SV-222616r508029_rule | The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. |
| ☐ | SV-222617r508029_rule | The application must notify the ISSO and ISSM of failed security verification tests. |
| ☐ | SV-222618r508029_rule | Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. |
| ☐ | SV-222619r508029_rule | The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. |
| ☐ | SV-222620r508029_rule | Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. |
| ☐ | SV-222621r508029_rule | The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. |
| ☐ | SV-222622r508029_rule | The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. |
| ☐ | SV-222623r508029_rule | The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures. |
| ☐ | SV-222624r508029_rule | The ISSO must ensure active vulnerability testing is performed. |
| ☐ | SV-222625r508029_rule | Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. |
| ☐ | SV-222626r508029_rule | The designer must ensure the application does not store configuration and control files in the same directory as user data. |
| ☐ | SV-222627r508029_rule | The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. |
| ☐ | SV-222628r561275_rule | New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM) |
| ☐ | SV-222629r508029_rule | The application must be registered with the DoD Ports and Protocols Database. |
| ☐ | SV-222630r508029_rule | The Configuration Management (CM) repository must be properly patched and STIG compliant. |
| ☐ | SV-222631r508029_rule | Access privileges to the Configuration Management (CM) repository must be reviewed every three months. |
| ☐ | SV-222632r508029_rule | A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. |
| ☐ | SV-222633r508029_rule | A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established. |
| ☐ | SV-222634r508029_rule | The application services and interfaces must be compatible with and ready for IPv6 networks. |
| ☐ | SV-222635r508029_rule | The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO. |
| ☐ | SV-222636r508029_rule | A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements. |
| ☐ | SV-222637r508029_rule | Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery. |
| ☐ | SV-222638r508029_rule | Data backup must be performed at required intervals in accordance with DoD policy. |
| ☐ | SV-222639r508029_rule | Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite). |
| ☐ | SV-222640r508029_rule | Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. |
| ☐ | SV-222641r508029_rule | The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. |
| ☐ | SV-222642r508029_rule | The application must not contain embedded authentication data. |
| ☐ | SV-222643r508029_rule | The application must have the capability to mark sensitive/classified output when required. |
| ☐ | SV-222644r508029_rule | Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed. |
| ☐ | SV-222645r561278_rule | Application files must be cryptographically hashed prior to deploying to DoD operational networks. |
| ☐ | SV-222646r508029_rule | At least one tester must be designated to test for security flaws in addition to functional testing. |
| ☐ | SV-222647r508029_rule | Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. |
| ☐ | SV-222648r508029_rule | An application code review must be performed on the application. |
| ☐ | SV-222649r508029_rule | Code coverage statistics must be maintained for each release of the application. |
| ☐ | SV-222650r508029_rule | Flaws found during a code review must be tracked in a defect tracking system. |
| ☐ | SV-222651r508029_rule | The changes to the application must be assessed for IA and accreditation impact prior to implementation. |
| ☐ | SV-222652r508029_rule | Security flaws must be fixed or addressed in the project plan. |
| ☐ | SV-222653r561281_rule | The application development team must follow a set of coding standards. |
| ☐ | SV-222654r561284_rule | The designer must create and update the Design Document for each release of the application. |
| ☐ | SV-222655r508029_rule | Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. |
| ☐ | SV-222656r508029_rule | The application must not be subject to error handling vulnerabilities. |
| ☐ | SV-222657r561287_rule | The application development team must provide an application incident response plan. |
| ☐ | SV-222658r508029_rule | All products must be supported by the vendor or the development team. |
| ☐ | SV-222659r508029_rule | The application must be decommissioned when maintenance or support is no longer available. |
| ☐ | SV-222660r508029_rule | Procedures must be in place to notify users when an application is decommissioned. |
| ☐ | SV-222661r508029_rule | Unnecessary built-in application accounts must be disabled. |
| ☐ | SV-222662r508029_rule | Default passwords must be changed. |
| ☐ | SV-222663r508029_rule | An Application Configuration Guide must be created and included with the application. |
| ☐ | SV-222664r508029_rule | If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. |
| ☐ | SV-222665r508029_rule | The designer must ensure uncategorized or emerging mobile code is not used in applications. |
| ☐ | SV-222666r508029_rule | Production database exports must have database administration credentials and sensitive data removed before releasing the export. |
| ☐ | SV-222667r508029_rule | Protections against DoS attacks must be implemented. |
| ☐ | SV-222668r508029_rule | The system must alert an administrator when low resource conditions are encountered. |
| ☐ | SV-222669r508029_rule | At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. |
| ☐ | SV-222670r508029_rule | The application must provide notifications or alerts when product update and security related patches are available. |
| ☐ | SV-222671r508029_rule | Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ. |
| ☐ | SV-222672r508029_rule | The application must generate audit records when concurrent logons from different workstations occur. |
| ☐ | SV-222673r508029_rule | The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. |
STIGQter: STIG Summary: