The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16822	APP4030	SV-17822r1_rule	DCPR-1 DCSW-1	Medium

Description
Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan, code releases can be tracked and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-17821r1_chk )
The Release Manager will ensure the SCM plan identifies all objects created during the development process subject to configuration control. The Release Manager will ensure the SCM plan maintains procedures for identifying individual application components, as well as, entire application releases during all phases of the software development lifecycle. The Release Manager will ensure the SCM plan identifies and tracks all actions and changes resulting from a change request from initiation to release. The Release Manager will ensure the SCM plan contains procedures to identify, document, review, and authorize any change requests to the application. The Release Manager will ensure the SCM plan defines the responsibilities, the actions to be performed, the tools, techniques and methodologies, and defines an initial set of baselined software components. The Release Manager will ensure the SCM plan objects have security classifications labels. The Release Manager will ensure the SCM plan identifies tools and version numbers used in the software development lifecycle. The Release Manager will ensure the SCM plan identifies mechanisms for controlled access of simultaneous individuals updating the same application component. The Release Manager will ensure the SCM plan assures only authorized changes by authorized persons are possible. The Release Manager will ensure the SCM plan identifies mechanisms to control access and audit changes between different versions of objects subject to configuration control. The Release Manager will ensure the SCM plan identifies mechanisms to track and audit all modifications of objects under configuration control. Audits will include the originator and date and time of the modification. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative to review the applications SCM plan. The SCM plan should contain the following: • Description of the configuration control and change management process • Types of objects developed • Roles and responsibilities of the organization 1) If the SCM plan does not include the above, this is a CAT II finding. The SCM plan should also contain the following: • Defined responsibilities • Actions to be performed • Tools used in the process • Techniques and methodologies • Initial set of baselined software components 2) If the SCM plan does not include the above, this is a CAT III finding. The SCM plan should identify all objects that are under configuration management control. Ask the application representative to provide access to the configuration management repository and to identify the objects shown in the SCM plan. 3) If the application representative cannot display all types of objects under CM control, this is a CAT III finding. The SCM plan should identify third party tools and respective version numbers. 4) If the SCM plan does not identify third party tools, this is a CAT II finding. The SCM plan should identify mechanisms for controlled access of individuals simultaneously updating the same application component. 5) If the SCM plan does not identify mechanisms for controlled access, this is a CAT III finding. The SCM plan assures only authorized changes by authorized persons are allowed. 6) If the SCM plan does not assure only authorized changes are made, this is a CAT II finding. The SCM plan should identify mechanisms to control access and audit changes between different versions of objects subject to configuration control. 7) If the SCM plan does not identify mechanisms to control access and to audit changes between different versions of objects subject to configuration control, this is a CAT III finding. The SCM plan should have procedures for label versions of application components and application builds under configuration management control. Ask the application representative demonstrate the configuration management repository and contains versions and releases of the application. Ask the application representative to create a build or demonstrate a current release of the application can be recreated. 8) If the application representative cannot display releases and application component versions, this is a CAT II finding. The configuration management repository should track change requests from beginning to end. Ask the application representative to display a completed or in-process change request. 9) If the configuration management repository cannot tracks change requests, this is a CAT III finding. If the application has just completed its first release, there may not be any change requests logged in the configuration management repository. In this case, this finding is not applicable. The configuration management repository should authorize change requests to the application. Ask the application representative to display an authorized change request and identify who is responsible for authorizing change requests. 10) If the configuration management repository does not track authorized change requests, this is a CAT III finding. If the application has just completed its first release, there may not be any change requests logged in the configuration management repository. In this case, this finding is not applicable. The configuration management repository should contain security classification labels for code and documentation in the repository. Classification labels are not applicable to unclassified systems. 11) If there are no classification labels of code and documentation in the configuration management repository, this is a CAT III finding. The configuration management repository should monitor all objects under CM control for auditing. 12) If the configuration management repository does not audit for modifications, this is a CAT II finding. The SCM plan should identify all components required to be IPV6 capable. 13) If the SCM plan does not identify application components as IPV6 capable, this is a CAT III finding.

Check Text ( C-17821r1_chk )

The Release Manager will ensure the SCM plan identifies all objects created during the development process subject to configuration control.

The Release Manager will ensure the SCM plan maintains procedures for identifying individual application components, as well as, entire application releases during all phases of the software development lifecycle.

The Release Manager will ensure the SCM plan identifies and tracks all actions and changes resulting from a change request from initiation to release.

The Release Manager will ensure the SCM plan contains procedures to identify, document, review, and authorize any change requests to the application.

The Release Manager will ensure the SCM plan defines the responsibilities, the actions to be performed, the tools, techniques and methodologies, and defines an initial set of baselined software components.

The Release Manager will ensure the SCM plan objects have security classifications labels.

The Release Manager will ensure the SCM plan identifies tools and version numbers used in the software development lifecycle.

The Release Manager will ensure the SCM plan identifies mechanisms for controlled access of simultaneous individuals updating the same application component.

The Release Manager will ensure the SCM plan assures only authorized changes by authorized persons are possible.

The Release Manager will ensure the SCM plan identifies mechanisms to control access and audit changes between different versions of objects subject to configuration control.

The Release Manager will ensure the SCM plan identifies mechanisms to track and audit all modifications of objects under configuration control. Audits will include the originator and date and time of the modification.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

Ask the application representative to review the applications SCM plan.

The SCM plan should contain the following:
• Description of the configuration control and change management process
• Types of objects developed
• Roles and responsibilities of the organization

1) If the SCM plan does not include the above, this is a CAT II finding.

The SCM plan should also contain the following:
• Defined responsibilities
• Actions to be performed
• Tools used in the process
• Techniques and methodologies
• Initial set of baselined software components

2) If the SCM plan does not include the above, this is a CAT III finding.

The SCM plan should identify all objects that are under configuration management control. Ask the application representative to provide access to the configuration management repository and to identify the objects shown in the SCM plan.

3) If the application representative cannot display all types of objects under CM control, this is a CAT III finding.

The SCM plan should identify third party tools and respective version numbers.

4) If the SCM plan does not identify third party tools, this is a CAT II finding.

The SCM plan should identify mechanisms for controlled access of individuals simultaneously updating the same application component.

5) If the SCM plan does not identify mechanisms for controlled access, this is a CAT III finding.

The SCM plan assures only authorized changes by authorized persons are allowed.

6) If the SCM plan does not assure only authorized changes are made, this is a CAT II finding.

The SCM plan should identify mechanisms to control access and audit changes between different versions of objects subject to configuration control.

7) If the SCM plan does not identify mechanisms to control access and to audit changes between different versions of objects subject to configuration control, this is a CAT III finding.

The SCM plan should have procedures for label versions of application components and application builds under configuration management control. Ask the application representative demonstrate the configuration management repository and contains versions and releases of the application. Ask the application representative to create a build or demonstrate a current release of the application can be recreated.

8) If the application representative cannot display releases and application component versions, this is a CAT II finding.

The configuration management repository should track change requests from beginning to end. Ask the application representative to display a completed or in-process change request.

9) If the configuration management repository cannot tracks change requests, this is a CAT III finding.

If the application has just completed its first release, there may not be any change requests logged in the configuration management repository. In this case, this finding is not applicable.

The configuration management repository should authorize change requests to the application. Ask the application representative to display an authorized change request and identify who is responsible for authorizing change requests.

10) If the configuration management repository does not track authorized change requests, this is a CAT III finding.

If the application has just completed its first release, there may not be any change requests logged in the configuration management repository. In this case, this finding is not applicable.

The configuration management repository should contain security classification labels for code and documentation in the repository. Classification labels are not applicable to unclassified systems.

11) If there are no classification labels of code and documentation in the configuration management repository, this is a CAT III finding.

The configuration management repository should monitor all objects under CM control for auditing.

12) If the configuration management repository does not audit for modifications, this is a CAT II finding.

The SCM plan should identify all components required to be IPV6 capable.

13) If the SCM plan does not identify application components as IPV6 capable, this is a CAT III finding.

Fix Text (F-17132r1_fix)
Update SCM plan to include missing items.