UCF STIG Viewer Logo

Application Security and Development Security Technical Implementation Guide


Overview

Date Finding Count (288)
2018-12-24 CAT I (High): 31 CAT II (Med): 235 CAT III (Low): 22
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-69569 High The application must transmit only cryptographically-protected passwords.
V-69343 High The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
V-70363 High The application must not contain embedded authentication data.
V-70365 High The application must have the capability to mark sensitive/classified output when required.
V-69287 High The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
V-69281 High Validity periods must be verified on all application messages using WS-Security or SAML assertions.
V-70207 High The application must destroy the session ID value and/or cookie on logoff or browser close.
V-70205 High The application must not expose session IDs.
V-69289 High The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.
V-70277 High The application must not be vulnerable to overflow attacks.
V-70293 High Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.
V-70255 High The application must not store sensitive information in hidden fields.
V-69279 High Messages protected with WS_Security must use time stamps with creation and expiration times.
V-70221 High The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-70151 High The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-70157 High The application must not display passwords/PINs as clear text.
V-70149 High The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-70245 High The application must protect the confidentiality and integrity of transmitted information.
V-69555 High The application must enforce a minimum 15-character password length.
V-69339 High The application must execute without excessive account permissions.
V-70271 High The application must not be subject to input handling vulnerabilities.
V-70403 High Default passwords must be changed.
V-69329 High The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-69527 High The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-70395 High All products must be supported by the vendor or the development team.
V-70397 High The application must be decommissioned when maintenance or support is no longer available.
V-69567 High The application must only store cryptographic representations of passwords.
V-70269 High The application must not be vulnerable to XML-oriented attacks.
V-70267 High The application must not be vulnerable to SQL Injection.
V-70261 High The application must protect from command injection.
V-70257 High The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
V-69241 Medium The application must clear temporary storage and cookies when the session is terminated.
V-69251 Medium The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
V-69503 Medium The application must prohibit user installation of software without explicit privileged status.
V-70371 Medium At least one tester must be designated to test for security flaws in addition to functional testing.
V-69501 Medium The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value.
V-70189 Medium The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-70375 Medium An application code review must be performed on the application.
V-69505 Medium The application must enforce access restrictions associated with changes to application configuration.
V-69239 Medium The application must provide a capability to limit the number of logon sessions per user.
V-70379 Medium Flaws found during a code review must be tracked in a defect tracking system.
V-69509 Medium The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-70181 Medium The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
V-70421 Medium Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ.
V-70183 Medium The application must terminate all sessions and network connections when non-local maintenance is completed.
V-69461 Medium The application must provide an audit reduction capability that supports on-demand reporting requirements.
V-69463 Medium The application must provide an audit reduction capability that supports on-demand audit review and analysis.
V-69465 Medium The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
V-69467 Medium The application must provide a report generation capability that supports on-demand audit review and analysis.
V-69469 Medium The application must provide a report generation capability that supports on-demand reporting requirements.
V-69341 Medium The application must audit the execution of privileged functions.
V-69347 Medium The application administrator must follow an approved process to unlock locked user accounts.
V-69575 Medium The application must prohibit password reuse for a minimum of five generations.
V-69375 Medium The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST.
V-70361 Medium The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
V-69377 Medium The application must provide audit record generation capability for connecting system IP addresses.
V-69371 Medium The application must provide audit record generation capability for session timeouts.
V-69373 Medium The application must record a time stamp indicating when the event occurred.
V-69573 Medium The application must enforce a 60-day maximum password lifetime restriction.
V-69379 Medium The application must record the username or user ID of the user associated with the event.
V-69255 Medium The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
V-69285 Medium The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.
V-69571 Medium The application must enforce 24 hours/1 day as the minimum password lifetime.
V-69283 Medium The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
V-69479 Medium The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-69477 Medium The applications must use internal system clocks to generate time stamps for audit records.
V-69475 Medium The application must provide a report generation capability that does not alter original content or time ordering of audit records.
V-70203 Medium The application must set the secure flag on session cookies.
V-69473 Medium The application must provide an audit reduction capability that does not alter original content or time ordering of audit records.
V-70201 Medium The application must set the HTTPOnly flag on session cookies.
V-69471 Medium The application must provide a report generation capability that supports after-the-fact investigations of security incidents.
V-69533 Medium The application must electronically verify Personal Identity Verification (PIV) credentials.
V-70285 Medium The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-70279 Medium The application must remove organization-defined software components after updated versions have been installed.
V-70283 Medium The application performing organization-defined security functions must verify correct operation of security functions.
V-69321 Medium The application must automatically audit account enabling actions.
V-70281 Medium Security-relevant software updates and patches must be kept up to date.
V-69245 Medium The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded.
V-69243 Medium The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed.
V-70289 Medium Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.
V-69507 Medium The application must audit who makes configuration changes to the application.
V-69483 Medium The application must protect audit information from any type of unauthorized read access.
V-69481 Medium The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-69261 Medium Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed.
V-69487 Medium The application must protect audit information from unauthorized deletion.
V-69485 Medium The application must protect audit information from unauthorized modification.
V-69491 Medium The application must protect audit tools from unauthorized modification.
V-69489 Medium The application must protect audit tools from unauthorized access.
V-70409 Medium The designer must ensure uncategorized or emerging mobile code is not used in applications.
V-69363 Medium The application must provide audit record generation capability for the creation of session IDs.
V-69361 Medium The application must provide the capability for organization-identified individuals or roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.
V-70359 Medium Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
V-69367 Medium The application must provide audit record generation capability for the renewal of session IDs.
V-69561 Medium The application must enforce password complexity by requiring that at least one numeric character be used.
V-69365 Medium The application must provide audit record generation capability for the destruction of session IDs.
V-70401 Medium Unnecessary built-in application accounts must be disabled.
V-70357 Medium Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite).
V-69369 Medium The application must not write sensitive data into the application logs.
V-70405 Medium An Application Configuration Guide must be created and included with the application.
V-70425 Medium The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.
V-70353 Medium Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery.
V-69495 Medium The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-69293 Medium The application must ensure messages are encrypted when the SessionIndex is tied to privacy data.
V-69409 Medium The application must generate audit records showing starting and ending time for user access to the system.
V-69291 Medium The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.
V-69521 Medium The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.
V-70219 Medium The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
V-69295 Medium The application must provide automated mechanisms for supporting account management functions.
V-69403 Medium The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
V-70215 Medium The application must not re-use or recycle session IDs.
V-69401 Medium The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur.
V-69299 Medium The application must automatically remove or disable temporary user accounts 72 hours after account creation.
V-69407 Medium The application must generate audit records for privileged activities or other system-level access.
V-70211 Medium Applications must validate session identifiers.
V-69405 Medium The application must generate audit records when successful/unsuccessful logon attempts occur.
V-70295 Medium The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
V-70297 Medium The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events.
V-70291 Medium The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
V-69383 Medium The application must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-69493 Medium The application must protect audit tools from unauthorized deletion.
V-70413 Medium Protections against DoS attacks must be implemented.
V-69497 Medium The application must use cryptographic mechanisms to protect the integrity of audit information.
V-69499 Medium Application audit tools must be cryptographically hashed.
V-70153 Medium The application must map the authenticated identity to the individual user or group account for PKI-based authentication.
V-70163 Medium The application must accept Personal Identity Verification (PIV) credentials from other federal agencies.
V-70349 Medium The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO.
V-69389 Medium The application must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-69399 Medium The application must generate audit records when successful/unsuccessful attempts to delete security levels occur.
V-69253 Medium The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
V-69397 Medium The application must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-70343 Medium A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.
V-69395 Medium The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-70341 Medium Access privileges to the Configuration Management (CM) repository must be reviewed every three months.
V-69393 Medium The application must generate audit records when successful/unsuccessful attempts to modify security levels occur.
V-70347 Medium The application services and interfaces must be compatible with and ready for IPv6 networks.
V-69391 Medium The application must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-70229 Medium The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
V-69419 Medium The application must initiate session auditing upon startup.
V-70159 Medium The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-69311 Medium The application must automatically audit account removal actions.
V-69411 Medium The application must generate audit records when successful/unsuccessful accesses to objects occur.
V-69413 Medium The application must generate audit records for all direct access to the information system.
V-69415 Medium The application must generate audit records for all account creations, modifications, disabling, and termination events.
V-70391 Medium The application must not be subject to error handling vulnerabilities.
V-70185 Medium The application must not be vulnerable to race conditions.
V-69511 Medium The applications must limit privileges to change the software resident within software libraries.
V-69513 Medium An application vulnerability assessment must be conducted.
V-69449 Medium The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-69257 Medium The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-69543 Medium The application must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-69425 Medium The application must log user actions involving access to data.
V-70237 Medium XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
V-69427 Medium The application must log user actions involving changes to data.
V-70235 Medium Applications must prevent unauthorized and unintended information transfer via shared system resources.
V-69421 Medium The application must log application shutdown events.
V-70233 Medium The application must maintain a separate execution domain for each executing process.
V-69423 Medium The application must log destination IP addresses.
V-70231 Medium The application must isolate security functions from non-security functions.
V-69385 Medium The application must generate audit records when successful/unsuccessful attempts to access security levels occur.
V-69387 Medium The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
V-69429 Medium The application must produce audit records containing information to establish when (date and time) the events occurred.
V-69381 Medium The application must generate audit records when successful/unsuccessful attempts to grant privileges occur.
V-70239 Medium The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
V-70187 Medium The application must terminate all network connections associated with a communications session at the end of the session.
V-69305 Medium The application must automatically audit account creation.
V-69307 Medium The application must automatically audit account modification.
V-70339 Medium The Configuration Management (CM) repository must be properly patched and STIG compliant.
V-69303 Medium Unnecessary application accounts must be disabled, or deleted.
V-69547 Medium The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.
V-69545 Medium The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-70145 Medium The application password must not be changeable by users other than the administrator or the user with which the password is associated.
V-69541 Medium The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-70147 Medium The application must terminate existing user sessions upon account deletion.
V-70197 Medium Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
V-70191 Medium The application must utilize FIPS-validated cryptographic modules when signing application components.
V-69519 Medium The application must be configured to disable non-essential capabilities.
V-70345 Medium A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established.
V-70213 Medium Applications must not use URL embedded session IDs.
V-70273 Medium The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-70175 Medium Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.
V-69433 Medium When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs.
V-70177 Medium Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
V-69431 Medium The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.
V-70171 Medium Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.
V-69437 Medium The application must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-69435 Medium The application must produce audit records that contain information to establish the outcome of the events.
V-69309 Medium The application must automatically audit account disabling actions.
V-70249 Medium The application must maintain the confidentiality and integrity of information during preparation for transmission.
V-69439 Medium The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
V-70179 Medium Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions.
V-69333 Medium The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
V-69331 Medium The application must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-69539 Medium The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts.
V-69335 Medium The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
V-69557 Medium The application must enforce password complexity by requiring that at least one upper-case character be used.
V-69337 Medium The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-70251 Medium The application must maintain the confidentiality and integrity of information during reception.
V-69531 Medium The application must accept Personal Identity Verification (PIV) credentials.
V-69537 Medium The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.
V-69535 Medium The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.
V-70195 Medium The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
V-69559 Medium The application must enforce password complexity by requiring that at least one lower-case character be used.
V-70253 Medium The application must not disclose unnecessary information to users.
V-69325 Medium Application data protection requirements must be identified and documented.
V-70223 Medium In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-70167 Medium The application must accept FICAM-approved third-party credentials.
V-70155 Medium The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-70225 Medium The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
V-70165 Medium The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
V-69551 Medium Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
V-70411 Medium Production database exports must have database administration credentials and sensitive data removed before releasing the export.
V-69459 Medium The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria.
V-70355 Medium Data backup must be performed at required intervals in accordance with DoD policy.
V-70161 Medium The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-70265 Medium The application must validate all input.
V-70227 Medium The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
V-69577 Medium The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.
V-70259 Medium The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
V-70169 Medium The application must conform to FICAM-issued profiles.
V-69259 Medium The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
V-69447 Medium The application must be configured to write application logs to a centralized log repository.
V-69529 Medium The application must use multifactor (Alt. Token) authentication for network access to privileged accounts.
V-69445 Medium The application must off-load audit records onto a different system or media than the system being audited.
V-69443 Medium The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components.
V-69441 Medium The application must implement transaction recovery logs when transaction based.
V-70311 Medium The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.
V-70351 Medium A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements.
V-70313 Medium New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM).
V-69523 Medium The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
V-70193 Medium The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
V-69525 Medium The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
V-70317 Medium The application must be registered with the DoD Ports and Protocols Database.
V-70415 Medium The system must alert an administrator when low resource conditions are encountered.
V-70393 Medium The application development team must provide an application incident response plan.
V-70407 Medium If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification.
V-70369 Medium Application files must be cryptographically hashed prior to deploying to DoD operational networks.
V-69565 Medium The application must require the change of at least 8 of the total number of characters when passwords are changed.
V-70247 Medium The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-69553 Medium The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.
V-70389 Medium Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered.
V-70209 Medium Applications must use system-generated session identifiers that protect against session fixation.
V-69515 Medium The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
V-70307 Medium Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.
V-69517 Medium The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.
V-70303 Medium The ISSO must ensure active vulnerability testing is performed.
V-70199 Medium The application user interface must be either physically or logically separated from data storage and management interfaces.
V-70301 Medium The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures.
V-69247 Medium Applications requiring user access authentication must provide a logoff capability for user initiated communication session.
V-70263 Medium The application must protect from canonical representation vulnerabilities.
V-69297 Medium Shared/group account credentials must be terminated when members leave the group.
V-69455 Medium The application must shut down by default upon audit failure (unless availability is an overriding concern).
V-69359 Medium For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
V-69457 Medium The application must provide the capability to centrally review and analyze audit records from multiple components within the system.
V-69451 Medium Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
V-69453 Medium The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-69563 Medium The application must enforce password complexity by requiring that at least one special character be used.
V-69357 Medium The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-70241 Medium The web service design must include redundancy mechanisms when used with high-availability systems.
V-70383 Medium Security flaws must be fixed or addressed in the project plan.
V-69549 Medium The application must authenticate all network connected endpoint devices before establishing any connection.
V-70309 Medium The designer must ensure the application does not store configuration and control files in the same directory as user data.
V-70217 Medium The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
V-69327 Medium The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.
V-70275 Medium The application must reveal error messages only to the ISSO, ISSM, or SA.
V-70243 Medium An XML firewall function must be deployed to protect web services when exposed to untrusted networks.
V-70381 Medium The changes to the application must be assessed for IA and accreditation impact prior to implementation.
V-70173 Low The application must have a process, feature or function that prevents removal or disabling of emergency accounts.
V-70373 Low Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.
V-70377 Low Code coverage statistics must be maintained for each release of the application.
V-70423 Low The application must generate audit records when concurrent logons from different workstations occur.
V-69349 Low The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-69323 Low The application must notify System Administrators and Information System Security Officers of account enabling actions.
V-69249 Low The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
V-70367 Low Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed.
V-70287 Low The application must notify the ISSO and ISSM of failed security verification tests.
V-70417 Low At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available.
V-70419 Low The application must provide notifications or alerts when product update and security related patches are available.
V-69313 Low The application must notify System Administrators and Information System Security Officers when accounts are created.
V-69319 Low The application must notify System Administrators and Information System Security Officers of account removal actions.
V-69301 Low The application must automatically disable accounts after a 35 day period of account inactivity.
V-69315 Low The application must notify System Administrators and Information System Security Officers when accounts are modified.
V-70399 Low Procedures must be in place to notify users when an application is decommissioned.
V-69353 Low The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-69351 Low The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-69355 Low The application must display the time and date of the users last successful logon.
V-70387 Low The designer must create and update the Design Document for each release of the application.
V-70385 Low The application development team must follow a set of coding standards.
V-69317 Low The application must notify System Administrators and Information System Security Officers of account disabling actions.