AO risk acceptance must be obtained for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70305	APSC-DV-002940	SV-84927r1_rule		Medium

Description
The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. AO risk acceptance approvals must be obtained prior to using this type of software. Public domain software is shareware. There cannot be any assurance the products integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources. Software products and libraries with limited or no warranty will not be used in DoD information systems unless they are necessary for mission accomplishment, and there are no alternative IT solutions available. If these products are required, they must be assessed for information assurance impacts, and must be approved for use by the AO.

Description

The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. AO risk acceptance approvals must be obtained prior to using this type of software. Public domain software is shareware. There cannot be any assurance the products integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources. Software products and libraries with limited or no warranty will not be used in DoD information systems unless they are necessary for mission accomplishment, and there are no alternative IT solutions available. If these products are required, they must be assessed for information assurance impacts, and must be approved for use by the AO.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2017-03-20

Details

Check Text ( C-70781r1_chk )
Verify documented AO approval for all open source, public domain, shareware, freeware, and other software products/libraries with limited or no warranty that are required for mission accomplishment. Review the DoD policies regarding Open Source Software products: http://dodcio.defense.gov/OpenSourceSoftwareFAQ.aspx If Open Source Software, Public Domain Software, Shareware and Freeware, and libraries with limited or no warranty are used in DoD information systems and there are no documented AO approvals, this is a finding.

Check Text ( C-70781r1_chk )

Verify documented AO approval for all open source, public domain, shareware, freeware, and other software products/libraries with limited or no warranty that are required for mission accomplishment.

Review the DoD policies regarding Open Source Software products:

http://dodcio.defense.gov/OpenSourceSoftwareFAQ.aspx

If Open Source Software, Public Domain Software, Shareware and Freeware, and libraries with limited or no warranty are used in DoD information systems and there are no documented AO approvals, this is a finding.

Fix Text (F-76541r1_fix)
Document and obtain the AO acknowledgment and acceptance of risk and approval for all binary or machine executable public domain software products such as freeware/shareware and other software products with no warranty and no source code review capability. Implement policy and procedures to verify the organization is in compliance with software licensing agreements. Implement policy and procedures to verify the organization is in compliance with software usage restrictions.

Fix Text (F-76541r1_fix)

Document and obtain the AO acknowledgment and acceptance of risk and approval for all binary or machine executable public domain software products such as freeware/shareware and other software products with no warranty and no source code review capability.

Implement policy and procedures to verify the organization is in compliance with software licensing agreements. Implement policy and procedures to verify the organization is in compliance with software usage restrictions.