UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Configuration Management (CM) repository must be properly patched and STIG compliant.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222630 APSC-DV-002995 SV-222630r508029_rule Medium
Description
A Configuration Management (CM) repository is used to manage application code versions and to securely store application code. Failure to properly apply security patches and secure the software Configuration Management system could affect the confidentiality and integrity of the application source-code. Compromise of the Configuration Management system could lead to unauthorized changes to applications including the addition of malware, root kits, back doors, logic bombs or other malicious functions into valid application code. This requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.
STIG Date
Application Security and Development Security Technical Implementation Guide 2020-09-30

Details

Check Text ( C-24300r493798_chk )
Review the application system documentation and interview the application administrator.

Identify if the STIG is being applied to application developers or organizations responsible for code management or who have and operate an application CM repository. If this is not the case, the requirement is not applicable.

Review CM patch management processes and procedures. Have the system and CM admins demonstrate their patch management processes and verify the system has the latest security patches applied.

Review the ATO documentation and verify the system that operates the CM repository software has had all relevant STIGs applied.

If CM repository is not at the latest security patch level and is not operating on a STIG compliant system, this is a finding.
Fix Text (F-24289r493799_fix)
Patch the CM system when new security patches are made available and apply the relevant STIGs.