
The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.


Overview

Finding ID: V-16773
Version: APP2020
Rule ID: SV-17773r1_rule
IA Controls: DCID-1, EBCR-1
Severity: Medium
Description
The security posture of the enclave could be degraded if an Application Configuration Guide is not available and followed by application developers.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-17749r1_chk)
Detailed policy requirements:

The Program Manager will provide an Application Configuration Guide to the application hosting providers. The Program Manager will provide a list of all potential hosting enclaves and connection rules and requirements.

The Program Manager will ensure development systems, build systems, and test systems have a standardized environment and are documented in the Application Configuration Guide.

The Designer will ensure known security assumptions, implications, system level protections, best practices, and required permissions are documented in the Application Configuration Guide.

The Designer will ensure deployment configuration settings are documented in the Application Configuration Guide.

The IAO will ensure the application is deployed in a manner consistent with the Application Configuration Guide provided by the developers.

The Application Configuration Guide is any document or collection of documents used to configure the application. These documents may be part of a user guide, secure configuration guide, or any guidance that satisfies the requirements below:

The Application Configuration Guide must be made available to application hosting providers.

The Application Configuration Guide will contain a list of all potential hosting enclaves and connection rules and requirements.

Development systems, build systems, and test systems must operate in a standardized environment. These settings are to be documented in the Application Configuration Guide.
Examples include:
• Versions of compilers used
• Build options when creating applications and components
• Versions of COTS software (used as part of the application)
• For web applications, which browsers and what versions are supported

All known security assumptions, implications, system level protections, best practices, and required permissions are documented in the Application Configuration Guide.

All deployment configuration settings are documented in the Application Configuration Guide.
Examples include:
• Encryption Settings
• PKI Certificate Configuration Settings
• Password Settings

All deployment configuration settings from the Application Configuration Guide must be implemented in the deployed application.

Ask the application representative for the Application Configuration Guide or other guidance where these requirements are documented. Verify that the documented configuration settings have been implemented in the deployed application.

1) If any of the above information is missing, or the Application Configuration Guide does not exist, it is a finding.

2) If the settings in the Application Configuration Guide are not implemented, it is a finding.
Fix Text (F-16969r1_fix)
Create and maintain an Application Configuration Guide and provide it to the application hosting facility.