
The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).


Overview

Finding ID: V-16782
Version: APP2140
Rule ID: SV-17782r1_rule
IA Controls: VIIR-1, VIIR-2
Severity: Medium
Description
Without a plan, training, and assistance, users will not know what actions need to be taken in the event of a system attack or a system/application compromise. This could result in additional compromise and theft, or degraded system capability.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-17758r1_chk)
Verify that the organization provides or uses an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource must be an integral part of the organization’s incident response capability. This capability is addressed by the DOD CNDSP Program but participation at the organization level must be verified.

Interview the application representative to determine if a security incident response process for the application is established.

1) If a security incident response process for the application is not documented, it is a finding.

Interview the application representative to determine if a security incident response process contains the following:
Identified CNDSP.
Reportable incidents are defined.
INFOCON outlined in the incident response standard operating procedures.
A provision exists for user training and annual refresher training.
Establishment of an incident response team.
Procedure for the plan to be exercised annually.

2) If a security incident response process is not adequate, it is a finding.

Interview the application representative to determine if a security incident response process for the application is followed.

3) If a security incident response process for the application is not followed, it is a finding.
Fix Text (F-16980r1_fix)
Fully participate in the DOD CNDSP Program as described in DoD Instruction 8530.2 or develop an Incident Response Plan.
Exercise the Incident Response Plan annually.
Provide for user incident response training.
Provide an incident support resource that offers advice and assistance to users for the handling and reporting of security incidents.
The support resource must be an integral part of the organization's incident response capability.