A DoD reference document, such as a security technical implementation guide or security recommendation guide, constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities. If a DoD reference document is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS); (2) Independent testing results (e.g., ICSA); or (3) Vendor literature.
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACIII | High | Security Design and Configuration |
Default configuration settings and parameters are often not the most secure. Security vulnerabilities can be exploited by malicious individuals, causing severe damage to DoD computing environments. Adhering to the latest security technical implementation guide or security recommendation provides organizations a higher degree of assurance that products are secure.
1. Refer to the system security architecture document (or a similar document that outlines the various system components' security configuration requirements) to identify each configurable system component.
2. Identify the operating system or major software feature of each component that requires configuration.
3. Using the DIACAP Knowledge Base or other repository, access the appropriate DISA STIG for the operating system, software application, or device.
4. Follow the STIG’s manual or automated configuration guidance for the operating system, software application, or device.