UCF STIG Viewer Logo

The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222627 APSC-DV-002970 SV-222627r864411_rule Medium
Description
Not all COTS products are covered by a STIG. Those products not covered by a STIG, should follow commercially accepted best practices, independent testing results and vendors lock down guides and recommendations if they are available.
STIG Date
Application Security and Development Security Technical Implementation Guide 2022-09-21

Details

Check Text ( C-24297r493789_chk )
Review the application documentation to identify application name, features and version.

Identify if a DoD STIG or NSA guide is available.

If no STIG is available for the product, the application and application components must be configured by the following as available:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.

If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to:
commercially accepted practices,
independent testing results,
or vendor literature and lock down guides, this is a finding.
Fix Text (F-24286r493790_fix)
Configure the application according to the product STIG or when a STIG is not available, utilize:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.