Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16823 | APP4040 | SV-17823r1_rule | DCCB-1 DCCB-2 | Medium |
Description |
---|
Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan code, and a CCB, releases can be tracked and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application. |
STIG | Date |
---|---|
Application Security and Development STIG | 2014-04-03 |
Check Text ( C-17822r1_chk ) |
---|
Interview the application representative and determine if a CCB exists. Ask about the membership of the CCB, and identify the primary members. Ask if there is a CCB charter documentation. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If there is no evidence of CCB, it is a CAT II finding. 2) If the IAM is not part of the CCB, it is a CAT II finding. Interview the application representative and determine how often the CCB meets. Ask if there is CCB charter documentation. The CCB charter documentation should indicate how often the CCB meets. If there is no charter documentation, ask when the last time the CCB met and when was the last release of the application. CCB's do not have to physically meet, and the CCB chair may authorize a release based on phone and/or e-mail conversations. 3) If there is not evidence of a CCB meeting during every release cycle, this a CAT III finding. |
Fix Text (F-17134r1_fix) |
---|
Setup and maintain a configuration control board. |