The Program Manager will ensure COTS IA and IA enabled products, comply with NIAP/NSA endorsed protection profiles.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16777	APP2080	SV-17777r1_rule	DCSR-1 DCSR-2 DCSR-3	Medium

Description
The security posture of the enclave could be compromised if applications are not at the approved NIAP/NSA protection profile. GOTS, or COTS IA and IA enabled IT products, must be in compliance with NIAP/NSA protection profiles in order to protect classified information when the information transits networks which are at a lower classification level than the information being transported.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-17754r1_chk )
The Program Manager will ensure COTS IA, and IA enabled products, are used to protect sensitive information when the information transits non DoD owned networks, or the system handling the information is accessible by individuals who are not authorized to access the information on the system, comply with NIAP/NSA approved protection profiles. The Program Manager will ensure COTS IA, and IA enabled products, are used to protect classified information when the information transits networks, which are at a lower classification level than the information being transported, comply with NIAP/NSA approved protection profiles. Interview the application representative and determine the IA, and IA enabled COTS products, used in the application. Also, review the confidentiality level for the application. Public releasable data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products. Sensitive data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products. Classified information, when the information transits networks which are at a lower classification level than the information being transported, requires NIAP/NSA approved protection profiles for IA, and IA enabled, COTS products. The accreditation documentation should list the products that are used. A list of validated products and protection profiles is available on the common criteria website: http://www.niap-ccevs.org/cc-scheme/pp/index.cfm 1) Compare that list against the approved products. If any of the third party products are not listed or are below the NIAP/NSA approved protection profiles required by the application, it is a finding.

Check Text ( C-17754r1_chk )

The Program Manager will ensure COTS IA, and IA enabled products, are used to protect sensitive information when the information transits non DoD owned networks, or the system handling the information is accessible by individuals who are not authorized to access the information on the system, comply with NIAP/NSA approved protection profiles.

The Program Manager will ensure COTS IA, and IA enabled products, are used to protect classified information when the information transits networks, which are at a lower classification level than the information being transported, comply with NIAP/NSA approved protection profiles.

Interview the application representative and determine the IA, and IA enabled COTS products, used in the application. Also, review the confidentiality level for the application.
Public releasable data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products.
Sensitive data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products.
Classified information, when the information transits networks which are at a lower classification level than the information being transported, requires NIAP/NSA approved protection profiles for IA, and IA enabled, COTS products.

The accreditation documentation should list the products that are used. A list of validated products and protection profiles is available on the common criteria website:
http://www.niap-ccevs.org/cc-scheme/pp/index.cfm

1) Compare that list against the approved products. If any of the third party products are not listed or are below the NIAP/NSA approved protection profiles required by the application, it is a finding.

Fix Text (F-16975r1_fix)
Use products with suitable NIAP/NSA protection profiles.