The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: 1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16834	APP6020	SV-17834r1_rule	DCCS-1	Medium

Description
Not all COTS products are covered by a STIG. Those products not covered by a STIG, should be minimally configured to vendors recommendation guidelines.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-17840r1_chk )
If a DoD STIG or NSA guide is not available, application and application components will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature. 1) If the application and application components do not have DoD STIG or NSA guidance available and not configured by (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature, it is a finding.

Check Text ( C-17840r1_chk )

If a DoD STIG or NSA guide is not available, application and application components will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.

1) If the application and application components do not have DoD STIG or NSA guidance available and not configured by (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature, it is a finding.

Fix Text (F-17151r1_fix)
If a DoD STIG or NSA guide is not available, configured the application using the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.