UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Application Security and Development Security Technical Implementation Guide


Overview

Date Finding Count (286)
2024-06-05 CAT I (High): 32 CAT II (Med): 232 CAT III (Low): 22
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-222400 High Validity periods must be verified on all application messages using WS-Security or SAML assertions.
V-222404 High The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.
V-222612 High The application must not be vulnerable to overflow attacks.
V-222578 High The application must destroy the session ID value and/or cookie on logoff or browser close.
V-222430 High The application must execute without excessive account permissions.
V-222432 High The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
V-222577 High The application must not expose session IDs.
V-222609 High The application must not be subject to input handling vulnerabilities.
V-222608 High The application must not be vulnerable to XML-oriented attacks.
V-222602 High The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
V-222601 High The application must not store sensitive information in hidden fields.
V-222607 High The application must not be vulnerable to SQL Injection.
V-222604 High The application must protect from command injection.
V-222403 High The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
V-222585 High The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-222550 High The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-222522 High The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-222554 High The application must not display passwords/PINs as clear text.
V-222596 High The application must protect the confidentiality and integrity of transmitted information.
V-222399 High Messages protected with WS_Security must use time stamps with creation and expiration times.
V-222658 High All products must be supported by the vendor or the development team.
V-222659 High The application must be decommissioned when maintenance or support is no longer available.
V-222551 High The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-222620 High Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.
V-222536 High The application must enforce a minimum 15-character password length.
V-222643 High The application must have the capability to mark sensitive/classified output when required.
V-222542 High The application must only store cryptographic representations of passwords.
V-222543 High The application must transmit only cryptographically-protected passwords.
V-222425 High The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-222642 High The application must not contain embedded authentication data.
V-222662 High Default passwords must be changed.
V-222555 High The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-222541 Medium The application must require the change of at least eight of the total number of characters when passwords are changed.
V-222395 Medium The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
V-222491 Medium The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
V-222409 Medium The application must automatically remove or disable temporary user accounts 72 hours after account creation.
V-222408 Medium Shared/group account credentials must be terminated when members leave the group.
V-222560 Medium The application must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
V-222561 Medium Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.
V-222566 Medium The application must terminate all sessions and network connections when nonlocal maintenance is completed.
V-222567 Medium The application must not be vulnerable to race conditions.
V-222564 Medium Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions.
V-222565 Medium The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
V-222401 Medium The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
V-222568 Medium The application must terminate all network connections associated with a communications session at the end of the session.
V-222402 Medium The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.
V-222405 Medium The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.
V-222407 Medium The application must provide automated mechanisms for supporting account management functions.
V-222406 Medium The application must ensure messages are encrypted when the SessionIndex is tied to privacy data.
V-222618 Medium Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.
V-222619 Medium The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
V-222413 Medium The application must automatically audit account creation.
V-222610 Medium The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-222579 Medium Applications must use system-generated session identifiers that protect against session fixation.
V-222613 Medium The application must remove organization-defined software components after updated versions have been installed.
V-222614 Medium Security-relevant software updates and patches must be kept up to date.
V-222615 Medium The application performing organization-defined security functions must verify correct operation of security functions.
V-222616 Medium The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-222481 Medium The application must off-load audit records onto a different system or media than the system being audited.
V-222480 Medium The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components.
V-222483 Medium The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-222482 Medium The application must be configured to write application logs to a centralized log repository.
V-222485 Medium The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-222484 Medium Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
V-222487 Medium The application must provide the capability to centrally review and analyze audit records from multiple components within the system.
V-222486 Medium The application must shut down by default upon audit failure (unless availability is an overriding concern).
V-222489 Medium The application must provide an audit reduction capability that supports on-demand reporting requirements.
V-222488 Medium The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria.
V-222431 Medium The application must audit the execution of privileged functions.
V-222624 Medium The ISSO must ensure active vulnerability testing is performed.
V-222575 Medium The application must set the HTTPOnly flag on session cookies.
V-222574 Medium The application user interface must be either physically or logically separated from data storage and management interfaces.
V-222576 Medium The application must set the secure flag on session cookies.
V-222478 Medium The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
V-222570 Medium The application must utilize FIPS-validated cryptographic modules when signing application components.
V-222573 Medium Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
V-222572 Medium The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
V-222474 Medium The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.
V-222475 Medium When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs.
V-222476 Medium The application must produce audit records that contain information to establish the outcome of the events.
V-222477 Medium The application must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-222470 Medium The application must log destination IP addresses.
V-222471 Medium The application must log user actions involving access to data.
V-222472 Medium The application must log user actions involving changes to data.
V-222473 Medium The application must produce audit records containing information to establish when (date and time) the events occurred.
V-222562 Medium Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.
V-222563 Medium Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
V-222603 Medium The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
V-222600 Medium The application must not disclose unnecessary information to users.
V-222606 Medium The application must validate all input.
V-222605 Medium The application must protect from canonical representation vulnerabilities.
V-222391 Medium Applications requiring user access authentication must provide a logoff capability for user initiated communication session.
V-222497 Medium The applications must use internal system clocks to generate time stamps for audit records.
V-222655 Medium Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered.
V-222557 Medium The application must accept Personal Identity Verification (PIV) credentials from other federal agencies.
V-222469 Medium The application must log application shutdown events.
V-222468 Medium The application must initiate session auditing upon startup.
V-222467 Medium The application must generate audit records for all account creations, modifications, disabling, and termination events.
V-222466 Medium The application must generate audit records for all direct access to the information system.
V-222465 Medium The application must generate audit records when successful/unsuccessful accesses to objects occur.
V-222464 Medium The application must generate audit records showing starting and ending time for user access to the system.
V-222463 Medium The application must generate audit records for privileged activities or other system-level access.
V-222461 Medium The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
V-222460 Medium The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur.
V-222500 Medium The application must protect audit information from any type of unauthorized read access.
V-222501 Medium The application must protect audit information from unauthorized modification.
V-222502 Medium The application must protect audit information from unauthorized deletion.
V-222503 Medium The application must protect audit tools from unauthorized access.
V-222504 Medium The application must protect audit tools from unauthorized modification.
V-222505 Medium The application must protect audit tools from unauthorized deletion.
V-222506 Medium The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-222507 Medium The application must use cryptographic mechanisms to protect the integrity of audit information.
V-222636 Medium A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements.
V-222509 Medium The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value.
V-222634 Medium The application services and interfaces must be compatible with and ready for IPv6 networks.
V-222635 Medium The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO.
V-222632 Medium A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.
V-222633 Medium A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established.
V-222630 Medium The Configuration Management (CM) repository must be properly patched and STIG compliant.
V-222631 Medium Access privileges to the Configuration Management (CM) repository must be reviewed every three months.
V-222588 Medium The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
V-222589 Medium The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
V-222556 Medium The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-222580 Medium Applications must validate session identifiers.
V-222581 Medium Applications must not use URL embedded session IDs.
V-222582 Medium The application must not re-use or recycle session IDs.
V-222583 Medium The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
V-222584 Medium The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
V-222586 Medium In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-222587 Medium The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
V-222526 Medium The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.
V-222390 Medium The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded.
V-222524 Medium The application must accept Personal Identity Verification (PIV) credentials.
V-222427 Medium The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
V-222452 Medium The application must generate audit records when successful/unsuccessful attempts to access security levels occur.
V-222453 Medium The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
V-222450 Medium The application must generate audit records when successful/unsuccessful attempts to grant privileges occur.
V-222657 Medium The application development team must provide an application incident response plan.
V-222456 Medium The application must generate audit records when successful/unsuccessful attempts to modify security levels occur.
V-222457 Medium The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-222454 Medium The application must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-222455 Medium The application must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-222458 Medium The application must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-222459 Medium The application must generate audit records when successful/unsuccessful attempts to delete security levels occur.
V-222393 Medium The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
V-222651 Medium The changes to the application must be assessed for IA and accreditation impact prior to implementation.
V-222513 Medium The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-222512 Medium The application must audit who makes configuration changes to the application.
V-222511 Medium The application must enforce access restrictions associated with changes to application configuration.
V-222510 Medium The application must prohibit user installation of software without explicit privileged status.
V-222517 Medium The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.
V-222516 Medium The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
V-222388 Medium The application must clear temporary storage and cookies when the session is terminated.
V-222389 Medium The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed.
V-222629 Medium The application must be registered with the DoD Ports and Protocols Database.
V-222387 Medium The application must provide a capability to limit the number of logon sessions per user.
V-222519 Medium The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.
V-222518 Medium The application must be configured to disable non-essential capabilities.
V-222599 Medium The application must maintain the confidentiality and integrity of information during reception.
V-222451 Medium The application must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-222611 Medium The application must reveal error messages only to the ISSO, ISSM, or SA.
V-222593 Medium XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
V-222592 Medium Applications must prevent unauthorized and unintended information transfer via shared system resources.
V-222591 Medium The application must maintain a separate execution domain for each executing process.
V-222590 Medium The application must isolate security functions from non-security functions.
V-222597 Medium The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-222595 Medium The web service design must include redundancy mechanisms when used with high-availability systems.
V-222594 Medium The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
V-222515 Medium An application vulnerability assessment must be conducted.
V-222621 Medium The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
V-222445 Medium The application must provide audit record generation capability for session timeouts.
V-222444 Medium The application must not write sensitive data into the application logs.
V-222447 Medium The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST.
V-222446 Medium The application must record a time stamp indicating when the event occurred.
V-222441 Medium The application must provide audit record generation capability for the creation of session IDs.
V-222394 Medium The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
V-222443 Medium The application must provide audit record generation capability for the renewal of session IDs.
V-222442 Medium The application must provide audit record generation capability for the destruction of session IDs.
V-222449 Medium The application must record the username or user ID of the user associated with the event.
V-222448 Medium The application must provide audit record generation capability for connecting system IP addresses.
V-222527 Medium The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.
V-222656 Medium The application must not be subject to error handling vulnerabilities.
V-222525 Medium The application must electronically verify Personal Identity Verification (PIV) credentials.
V-222650 Medium Flaws found during a code review must be tracked in a defect tracking system.
V-222523 Medium The application must use multifactor (Alt. Token) authentication for network access to privileged accounts.
V-222652 Medium Security flaws must be fixed or addressed in the project plan.
V-222521 Medium The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
V-222398 Medium Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed.
V-222552 Medium The application must map the authenticated identity to the individual user or group account for PKI-based authentication.
V-222528 Medium The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to nonprivileged accounts.
V-222529 Medium The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-222397 Medium The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
V-265634 Medium The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-222623 Medium The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures.
V-222539 Medium The application must enforce password complexity by requiring that at least one numeric character be used.
V-222396 Medium The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-222622 Medium The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events.
V-222531 Medium The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
V-222625 Medium Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.
V-222533 Medium The application must authenticate all network connected endpoint devices before establishing any connection.
V-222532 Medium The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.
V-222535 Medium The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.
V-222534 Medium Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
V-222537 Medium The application must enforce password complexity by requiring that at least one uppercase character be used.
V-222646 Medium At least one tester must be designated to test for security flaws in addition to functional testing.
V-222645 Medium Application files must be cryptographically hashed prior to deploying to DoD operational networks.
V-222641 Medium The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
V-222438 Medium The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-222439 Medium For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
V-222514 Medium The applications must limit privileges to change the software resident within software libraries.
V-222553 Medium The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-222648 Medium An application code review must be performed on the application.
V-222628 Medium New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM)
V-222640 Medium Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
V-222626 Medium The designer must ensure the application does not store configuration and control files in the same directory as user data.
V-222520 Medium The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
V-222530 Medium The application must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-222627 Medium The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.
V-222548 Medium The application password must not be changeable by users other than the administrator or the user with which the password is associated.
V-222549 Medium The application must terminate existing user sessions upon account deletion.
V-222545 Medium The application must enforce a 60-day maximum password lifetime restriction.
V-222544 Medium The application must enforce 24 hours/1 day as the minimum password lifetime.
V-222673 Medium The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.
V-222671 Medium Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ.
V-222540 Medium The application must enforce password complexity by requiring that at least one special character be used.
V-222546 Medium The application must prohibit password reuse for a minimum of five generations.
V-222423 Medium Application data protection requirements must be identified and documented.
V-222421 Medium The application must automatically audit account enabling actions.
V-222547 Medium The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.
V-222433 Medium The application administrator must follow an approved process to unlock locked user accounts.
V-222426 Medium The application must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-222424 Medium The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.
V-222429 Medium The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-222428 Medium The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
V-222462 Medium The application must generate audit records when successful/unsuccessful logon attempts occur.
V-222598 Medium The application must maintain the confidentiality and integrity of information during preparation for transmission.
V-222499 Medium The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-222668 Medium The system must alert an administrator when low resource conditions are encountered.
V-222559 Medium The application must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.
V-222558 Medium The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
V-222665 Medium The designer must ensure uncategorized or emerging mobile code is not used in applications.
V-222664 Medium If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification.
V-222667 Medium Protections against DoS attacks must be implemented.
V-222666 Medium Production database exports must have database administration credentials and sensitive data removed before releasing the export.
V-222661 Medium Unnecessary built-in application accounts must be disabled.
V-222663 Medium An Application Configuration Guide must be created and included with the application.
V-222416 Medium The application must automatically audit account removal actions.
V-222414 Medium The application must automatically audit account modification.
V-222415 Medium The application must automatically audit account disabling actions.
V-222412 Medium Unnecessary application accounts must be disabled, or deleted.
V-222638 Medium Data backup must be performed at required intervals in accordance with DoD policy.
V-222538 Medium The application must enforce password complexity by requiring that at least one lowercase character be used.
V-222639 Medium Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite).
V-222508 Medium Application audit tools must be cryptographically hashed.
V-222498 Medium The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-222637 Medium Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery.
V-222496 Medium The application must provide a report generation capability that does not alter original content or time ordering of audit records.
V-222571 Medium The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
V-222494 Medium The application must provide a report generation capability that supports after-the-fact investigations of security incidents.
V-222495 Medium The application must provide an audit reduction capability that does not alter original content or time ordering of audit records.
V-222492 Medium The application must provide a report generation capability that supports on-demand audit review and analysis.
V-222493 Medium The application must provide a report generation capability that supports on-demand reporting requirements.
V-222490 Medium The application must provide an audit reduction capability that supports on-demand audit review and analysis.
V-222479 Medium The application must implement transaction recovery logs when transaction based.
V-222434 Low The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-222436 Low The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-222411 Low The application must automatically disable accounts after a 35 day period of account inactivity.
V-222617 Low The application must notify the ISSO and ISSM of failed security verification tests.
V-222654 Low The designer must create and update the Design Document for each release of the application.
V-222653 Low The application development team must follow a set of coding standards.
V-222647 Low Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.
V-222644 Low Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed.
V-222435 Low The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-222437 Low The application must display the time and date of the users last successful logon.
V-222649 Low Code coverage statistics must be maintained for each release of the application.
V-222392 Low The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
V-222670 Low The application must provide notifications or alerts when product update and security related patches are available.
V-222422 Low The application must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.
V-222672 Low The application must generate audit records when concurrent logons from different workstations occur.
V-222420 Low The application must notify system administrators (SAs) and information system security officers (ISSOs) of account removal actions.
V-222669 Low At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available.
V-222660 Low Procedures must be in place to notify users when an application is decommissioned.
V-222417 Low The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.
V-222410 Low The application must have a process, feature or function that prevents removal or disabling of emergency accounts.
V-222418 Low The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are modified.
V-222419 Low The application must notify system administrators (SAs) and information system security officers (ISSOs) of account disabling actions.