Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6170 | APP2070 | SV-6170r1_rule | DCAS-1 | Low |
Description |
---|
IA or IA-enabled products that have not been evaluated by NIAP may degrade the security posture of the enclave if they do not operate as expected, are configured incorrectly, or have hidden security flaws. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-2963r1_chk ) |
---|
List all IA or IA-enabled products that are part of the application, including the exact version of each, since an evaluation covers a specific product version and evaluated configuration. Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase; i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that their products will be satisfactorily validated within a period of time specified in the solicitation and the contract. Purchase contracts shall specify that product validation will be maintained for updated versions or modifications, either by subsequent evaluation or through participation in the National IA Partnership (NIAP) / Common Criteria Evaluated Products program.

1) If the products have not been evaluated, or are still in the process of being evaluated, it is a finding. A pending evaluation does not satisfy this check.

According to NSTISSP 11, an IA-enabled product is a product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. To meet the intent of NSTISSP 11, acquired IA-enabled products must be evaluated if their IA features are going to be used to perform one of the following security services: availability, integrity, confidentiality, authentication, or non-repudiation. Whether an IA-enabled product must be evaluated therefore depends on how that particular product is used within the consumer's system architecture. Examples of such products include security-enabled web browsers, screening routers, and security-enabled messaging systems. Although NSTISSP 11 uses both terms, the policy as stated applies equally to IA and IA-enabled products.

A list of certified products is available on the Common Criteria portal: http://www.commoncriteriaportal.org/products.html

Below are the definitions of IA and IA-enabled products from DoD Instruction 8500.2.

IA Product: A product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, or non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include data/network encryptors, firewalls, and intrusion detection devices.

IA Enabled Product: A product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.
Fix Text (F-16974r1_fix) |
---|
Limit the acquisition of all IA and IA-enabled Commercial-off-the-Shelf (COTS) IT products to products that have been evaluated or validated through the International Common Criteria (CC) for Information Technology Security Evaluation Mutual Recognition Arrangement or the NIAP Evaluation and Validation Program. IA and IA-enabled COTS IT products containing encryption capabilities are additionally required to be evaluated and validated through the FIPS validation program (FIPS 140 cryptographic module validation); a Common Criteria certificate alone does not cover the cryptographic modules.