Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-70305 | APSC-DV-002940 | SV-84927r1_rule | Medium |
Description |
---|
The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. AO risk acceptance approvals must be obtained prior to using this type of software. Public domain software is shareware. There cannot be any assurance the products integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources. Software products and libraries with limited or no warranty will not be used in DoD information systems unless they are necessary for mission accomplishment, and there are no alternative IT solutions available. If these products are required, they must be assessed for information assurance impacts, and must be approved for use by the AO. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-01-09 |
Check Text ( C-70781r1_chk ) |
---|
Verify documented AO approval for all open source, public domain, shareware, freeware, and other software products/libraries with limited or no warranty that are required for mission accomplishment. Review the DoD policies regarding Open Source Software products: http://dodcio.defense.gov/OpenSourceSoftwareFAQ.aspx If Open Source Software, Public Domain Software, Shareware and Freeware, and libraries with limited or no warranty are used in DoD information systems and there are no documented AO approvals, this is a finding. |
Fix Text (F-76541r1_fix) |
---|
Document and obtain the AO acknowledgment and acceptance of risk and approval for all binary or machine executable public domain software products such as freeware/shareware and other software products with no warranty and no source code review capability. Implement policy and procedures to verify the organization is in compliance with software licensing agreements. Implement policy and procedures to verify the organization is in compliance with software usage restrictions. |