UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Program Manager will ensure COTS IA and IA enabled products, comply with NIAP/NSA endorsed protection profiles.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16777 APP2080 SV-17777r1_rule DCSR-1 DCSR-2 DCSR-3 Medium
Description
The security posture of the enclave could be compromised if applications are not at the approved NIAP/NSA protection profile. GOTS, or COTS IA and IA enabled IT products, must be in compliance with NIAP/NSA protection profiles in order to protect classified information when the information transits networks which are at a lower classification level than the information being transported.
STIG Date
Application Security and Development Checklist 2013-07-16

Details

Check Text ( C-17754r1_chk )
The Program Manager will ensure COTS IA, and IA enabled products, are used to protect sensitive information when the information transits non DoD owned networks, or the system handling the information is accessible by individuals who are not authorized to access the information on the system, comply with NIAP/NSA approved protection profiles.

The Program Manager will ensure COTS IA, and IA enabled products, are used to protect classified information when the information transits networks, which are at a lower classification level than the information being transported, comply with NIAP/NSA approved protection profiles.

Interview the application representative and determine the IA, and IA enabled COTS products, used in the application. Also, review the confidentiality level for the application.
Public releasable data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products.
Sensitive data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products.
Classified information, when the information transits networks which are at a lower classification level than the information being transported, requires NIAP/NSA approved protection profiles for IA, and IA enabled, COTS products.

The accreditation documentation should list the products that are used. A list of validated products and protection profiles is available on the common criteria website:
http://www.niap-ccevs.org/cc-scheme/pp/index.cfm

1) Compare that list against the approved products. If any of the third party products are not listed or are below the NIAP/NSA approved protection profiles required by the application, it is a finding.
Fix Text (F-16975r1_fix)
Use products with suitable NIAP/NSA protection profiles.