The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16778	APP2090	SV-17778r1_rule	DCPD-1	Medium

Description
The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. The Program Manager and IAO must get DAA approval prior to using this type of software for risk acceptance. Public domain software is shareware. There cannot be any assurance the products integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources.

Description

The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. The Program Manager and IAO must get DAA approval prior to using this type of software for risk acceptance. Public domain software is shareware. There cannot be any assurance the products integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-17755r1_chk )
Policy: The Program Manager will obtain DAA approval for all open source, public domain, shareware, freeware, and other software products/libraries with limited or no warranty but are required for mission accomplishment. The designer will document all open source, public domain, shareware, freeware, and other software products/libraries that have limited or no warranty, but which are required for mission accomplishment. Software products and libraries with limited or no warranty will not be used in DoD information systems unless they are necessary for mission accomplishment, and there are no alternative IT solutions available. If these products are required, they must be assessed for information assurance impacts, and must be approved for use by the DAA. Review the DoD policy regarding Open Source Software products: http://www.defenselink.mil/cio-nii/docs/OpenSourceInDoD.pdf Open Source Software: Copyrighted software distributed under a license that provides everyone the right to use, modify, and redistribute the source code of software. Public Domain Software: Software not protected by any copyright laws providing the right to use, modify, and redistribute without permission or payment to the author. Shareware: Copyrighted software distributed under a license that provides a trial right to use and redistribute the binaries. For continued usage, users are required to pay a fee. Freeware: Copyrighted software distributed under a license that provides a right to use and redistribute the binaries. Unlike shareware, there is no charge for continued use. Commercial Software: Copyrighted software sold for profit by businesses, also referred to as COTS software. 1) If software products (e.g., Open Source Software, Public Domain Software, Shareware and Freeware) and libraries with limited or no warranty are used in DoD information systems except when they are necessary for mission accomplishment and there are no alternative IT solutions available, it is a finding.

Check Text ( C-17755r1_chk )

Policy:

The Program Manager will obtain DAA approval for all open source, public domain, shareware, freeware, and other software products/libraries with limited or no warranty but are required for mission accomplishment.

The designer will document all open source, public domain, shareware, freeware, and other software products/libraries that have limited or no warranty, but which are required for mission accomplishment.

Software products and libraries with limited or no warranty will not be used in DoD information systems unless they are necessary for mission accomplishment, and there are no alternative IT solutions available. If these products are required, they must be assessed for information assurance impacts, and must be approved for use by the DAA.

Review the DoD policy regarding Open Source Software products:
http://www.defenselink.mil/cio-nii/docs/OpenSourceInDoD.pdf

Open Source Software: Copyrighted software distributed under a license that provides everyone the right to use, modify, and redistribute the source code of software.

Public Domain Software: Software not protected by any copyright laws providing the right to use, modify, and redistribute without permission or payment to the author.

Shareware: Copyrighted software distributed under a license that provides a trial right to use and redistribute the binaries. For continued usage, users are required to pay a fee.

Freeware: Copyrighted software distributed under a license that provides a right to use and redistribute the binaries. Unlike shareware, there is no charge for continued use.

Commercial Software: Copyrighted software sold for profit by businesses, also referred to as COTS software.

1) If software products (e.g., Open Source Software, Public Domain Software, Shareware and Freeware) and libraries with limited or no warranty are used in DoD information systems except when they are necessary for mission accomplishment and there are no alternative IT solutions available, it is a finding.

Fix Text (F-16976r1_fix)
Document and obtain the DAA's acknowledgment and acceptance of risk and approval for all binary or machine executable public domain software products such as freeware/shareware and other software products with no warranty and no source code review capability. Implement policy and procedures to ensure the organization is in compliance with software licensing agreements. Implement policy and procedures to ensure the organization is in compliance with software usage restrictions.

Fix Text (F-16976r1_fix)

Document and obtain the DAA's acknowledgment and acceptance of risk and approval for all binary or machine executable public domain software products such as freeware/shareware and other software products with no warranty and no source code review capability.

Implement policy and procedures to ensure the organization is in compliance with software licensing agreements. Implement policy and procedures to ensure the organization is in compliance with software usage restrictions.