Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-70311 | APSC-DV-002970 | SV-84933r1_rule | Medium |
| Description |
|---|
| Not all COTS products are covered by a STIG. Those products not covered by a STIG, should follow commercially accepted best practices, independent testing results and vendors lock down guides and recommendations if they are available. |
| STIG | Date |
|---|---|
| Application Security and Development Security Technical Implementation Guide | 2017-03-20 |
Details
| Check Text ( C-70787r1_chk ) |
|---|
| Review the application documentation to identify application name, features and version. Identify if a DoD STIG or NSA guide is available. If no STIG is available for the product, the application and application components must be configured by the following as available: - commercially accepted practices, - independent testing results, or - vendor literature and lock down guides. If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to: commercially accepted practices, independent testing results, or vendor literature and lock down guides, this is a finding. |
| Fix Text (F-76547r1_fix) |
|---|
| Configure the application according to the product STIG or when a STIG is not available, utilize: - commercially accepted practices, - independent testing results, or - vendor literature and lock down guides. |