Vuln ID | Severity | Title | Discussion
V-35328 | High | The application server must obscure display of authentication information during the authentication process. | To prevent the compromise of authentication information during the authentication process, the application server authentication screens must obfuscate input so an unauthorized user cannot view a...
V-35324 | High | The application server, when using PKI-based authentication, must restrict keystore access to authorized users. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and...
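One concrete check for this row, added here as an illustration and not taken from the SRG: a Python script that inspects the keystore file the application server is configured to load. The service-account uid, the sample file name server.jks and the 0644/0600 modes are assumptions made for the demonstration; on a real host run keystore_findings() against the path named in the server's TLS configuration with the uid the server process runs under.

```python
import os
import stat
import tempfile

# Bits that must be clear on a private keystore: any group or world access.
_SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO


def keystore_findings(path: str, service_uid: int) -> list:
    """Return compliance findings for a keystore file; an empty list means it passes.

    The containing directory is checked as well, because a world-writable parent
    lets an attacker replace the keystore even when the file itself is 0600.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [f"{path} is a symlink; point the server at the real file and check that"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path} is not a regular file")
    if st.st_uid != service_uid:
        findings.append(f"owner uid {st.st_uid} is not the application server account (uid {service_uid})")
    if st.st_mode & _SHARED_BITS:
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants access beyond the owner")

    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("containing directory is world-writable without the sticky bit")
    return findings


def demo():
    """Create a throwaway (constructed) keystore file, check it at 0644 and again at 0600."""
    workdir = tempfile.mkdtemp()                      # mkdtemp gives a 0700 directory
    path = os.path.join(workdir, "server.jks")        # assumed keystore name
    with open(path, "wb") as fh:
        fh.write(b"not a real keystore")
    os.chmod(path, 0o644)
    before = keystore_findings(path, os.getuid())
    os.chmod(path, 0o600)
    after = keystore_findings(path, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before or "no findings")
    print("0600:", after or "no findings")
```

The symlink and parent-directory checks are the two that periodic "chmod 600 and forget" reviews usually miss; both give an attacker a path to the private key without ever touching the file mode.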
V-35219 | High | The application server must enforce logical access restrictions associated with changes to application configuration. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or...
V-35338 | High | The application server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing...
V-35303 | High | The application server must use CAC-based authentication mechanisms for network access to privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to...
V-35302 | High | The application server must authenticate users individually prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, AS users (and any processes acting on behalf of AS users) must be individually identified and authenticated. A group...
V-35304 | High | The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. | Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make... |
V-35306 | High | The application server must mutually authenticate web services-based devices when establishing a connection. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Device authentication is...
V-35081 | High | The application server must specify administrative users and grant them the sole right to change application security attributes pertaining to application server configuration. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. Security attributes...
V-35299 | High | The application server must uniquely identify and authenticate users (or processes acting on behalf of users). | To assure accountability and prevent unauthorized access, AS users must be uniquely identified and authenticated. The application server must uniquely identify and authenticate application...
V-35226 | High | The application server must enforce requirements for remote connections to the information system. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy...
V-35317 | High | The application server must encrypt stored passwords. | Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are... |
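A worked example for this row, added here and not part of the SRG text. One caveat a practitioner should apply when reading the row: a password the server only needs to verify should be stored as a salted, slow, one-way hash rather than reversibly encrypted, because a reversible store turns a database compromise into a plaintext credential dump. Reversible encryption under an approved module is for secrets the server must itself present elsewhere, such as an LDAP bind password. The iteration count, salt length and record format below are assumptions; PBKDF2-HMAC is used because it is the password KDF in the Python standard library and is recognised by NIST SP 800-132.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters: 600,000 iterations of PBKDF2-HMAC-SHA256 is the OWASP (2023)
# guidance for SHA-256 and should be re-tuned upward as hardware improves.
KDF = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: pbkdf2-sha256$<iterations>$<salt>$<key>."""
    salt = os.urandom(SALT_BYTES)                      # unique per password
    key = hashlib.pbkdf2_hmac(KDF, password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return "$".join([f"pbkdf2-{KDF}", str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, key_b64 = stored.split("$")
        algo = scheme.removeprefix("pbkdf2-")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False                                    # malformed record never verifies
    if algo not in hashlib.algorithms_available or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was produced with weaker parameters than current policy;
    rehash at the next successful logon, when the plaintext is briefly available."""
    scheme, iters, _, _ = stored.split("$")
    return scheme != f"pbkdf2-{KDF}" or int(iters) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
```

Embedding the algorithm and iteration count in the record is what lets needs_rehash() migrate an existing user base to stronger parameters without a mass reset.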
V-35318 | High | The application server must encrypt passwords during transmission. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. App servers have the capability to utilize either certificates...
V-35319 | High | The application server must utilize encryption when using LDAP for authentication. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. App servers have the capability to utilize LDAP directories for...
V-35738 | High | The application server must enforce approved authorizations for logical access. | Strong access controls are critical to securing the AS. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms... |
V-35343 | High | The application server must employ NSA-approved cryptography to protect classified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
V-35125 | Medium | Applications providing malicious code protection must support organizational requirements to address the receipt of false positives during malicious code detection, eradication efforts, and the resulting potential impact on the availability of the information system. | In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes... |
V-35127 | Medium | The application server must verify digital signatures on software components and applications in process. | If the application does not maintain the data security attributes while it processes the data, there is a risk of data compromise. Encryption is utilized to assist in the maintenance of data...
V-35120 | Medium | For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring tools. | There is a recognized need to balance encrypting traffic versus the need to have insight into the traffic from a monitoring perspective. For some organizations, the need to ensure the...
V-35123 | Medium | Intrusion detection software must be able to interconnect using standard protocols to create a system-wide intrusion detection system. | When utilizing intrusion detection software, monitoring components are usually dispersed throughout the network, such as when utilizing HIDS and multiple NIDS sensors. In order to leverage the... |
V-35684 | Medium | The application must prevent non-privileged users from circumventing malicious code protection capabilities. | Malicious code protection software must be protected so as to prevent a non-privileged user or malicious piece of software from disabling the protection mechanism. A common tactic of malware is to... |
V-35685 | Medium | Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user. | Malicious code protection software must be protected to prevent a non-privileged user or malicious piece of software from manipulating the protection update mechanism. Malicious code includes...
V-35325 | Medium | The application server must ensure that PKI-based authentication maps the authenticated identity to the user account. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information.... |
V-35129 | Medium | The application server must ensure remote sessions for accessing security functions and security-relevant information are audited. | Auditing must be utilized in order to track system activity, assist in diagnosing system issues and provide evidence needed for forensic investigations post security incident. Remote access by...
V-35128 | Medium | Applications providing malicious code protection must support organizational requirements to be configured to perform organization defined action(s) in response to malicious code detection. | Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be... |
V-35321 | Medium | The application server must enforce password maximum lifetime restrictions. | Password maximum lifetime is defined as: the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. App servers have the...
V-35452 | Medium | The application server management interface must ensure that users can directly initiate session lock mechanisms which prevent further access to the system. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the... |
V-35604 | Medium | Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents. | Incident tracking is a method of monitoring networks and systems for activity indicative of viral infection or system attack. Monitoring for this type of activity provides the organization with...
V-35605 | Medium | Applications used for non-local maintenance sessions must protect those sessions through the use of a strong authenticator tightly bound to the user. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-35606 | Medium | Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media such as thumb drives, floppy diskettes, compact disks, magnetic tape, etc., there is risk of data loss. When the organization has determined that...
V-35607 | Medium | Application software used to detect the presence of unauthorized software must employ automated detection mechanisms and notify designated organizational officials in accordance with the organization defined frequency. | Scanning software is purpose-built to check for vulnerabilities in the information system and hosted applications and is also used to enumerate platforms, software flaws, and improper...
V-35600 | Medium | Applications managing network connections for devices must authenticate devices before establishing wireless network connections by using bidirectional authentication that is cryptographically based. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the...
V-35601 | Medium | Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based. | Device authentication is a solution enabling an organization to manage both users and devices. The application typically uses either shared known information (e.g., Media Access Control [MAC] or...
V-35602 | Medium | The application server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent... |
V-35603 | Medium | Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected. | When responding to a security incident, a capability must exist allowing authorized personnel to disable a particular system if the system exhibits a security violation and the organization...
V-35428 | Medium | The application server must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity of software. | Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software... |
V-35608 | Medium | Applications involved in the production, control, and distribution of symmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective...
V-35609 | Medium | Applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. This requirement only addresses Class 3 certificates. CCI-001143 addresses both...
V-35689 | Medium | Applications scanning for malicious code must support organizational requirements to configure malicious code protection mechanisms to perform periodic scans of the information system on an organization defined frequency. | Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be... |
V-35595 | Medium | The application server must use multifactor authentication for network access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Rationale for non-applicability: All accounts on the AS are privileged in some manner. The AS is...
V-35596 | Medium | The application server must use multifactor authentication for local access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Rationale for non-applicability: All accounts on the AS are privileged in some manner. The AS is...
V-35590 | Medium | Backup/Disaster Recovery-oriented applications must be capable of backing up user-level information per a defined frequency. | Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to...
V-35329 | Medium | The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and...
V-35593 | Medium | The application must support and must not impede organizational requirements to conduct backups of information system documentation, including security-related documentation, per organization defined frequency. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system...
V-35598 | Medium | Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access. | Out-of-band two-factor authentication (OOB2FA) is defined as when one of the authentication factors is provided by a device that is separate from the system that is used to gain access. For...
V-35599 | Medium | Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access. | Out-of-band two-factor authentication is defined as when one of the authentication factors is provided by a device that is separate from the system that is used to gain access. For example, a...
V-35213 | Medium | The application server must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may...
V-35217 | Medium | The application server must protect audit data records and integrity by using cryptographic mechanisms. | Protection of audit records and audit data is of critical importance. Encrypting audit records provides a level of protection that does not rely on host-based protections that can be accidentally...
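An illustration of one cryptographic mechanism this row allows, added here and not SRG text: an HMAC hash chain over audit records, so that any modification, reordering or insertion is detectable on review. The key, the record layout and the sample events are constructed for the demo. Two caveats the code makes visible: the key must live away from the host that writes the log (a log collector or an HSM), otherwise whoever compromises the server can reseal the chain after editing it; and truncation of the tail is only detectable when the latest head tag is recorded out of band. A keyed MAC proves integrity, not non-repudiation, which V-35135 below needs a signature for.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32


def _canon(event: dict) -> bytes:
    # Canonical JSON so the same event always seals to the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


class SealedAuditLog:
    """Append-only log where each record's tag covers the previous tag and the event."""

    def __init__(self, key: bytes):
        self._key = key
        self._head = GENESIS
        self.records: list[dict] = []

    def append(self, event: dict) -> dict:
        tag = hmac.new(self._key, self._head + _canon(event), hashlib.sha256).digest()
        record = {"seq": len(self.records), "prev": self._head.hex(), "event": event, "tag": tag.hex()}
        self.records.append(record)
        self._head = tag
        return record

    def head(self) -> str:
        """Hex tag of the newest record; ship it to the collector, not only to local disk."""
        return self._head.hex()


def verify_chain(key: bytes, records: list[dict], expected_head: Optional[str] = None):
    """Return (ok, index_of_first_bad_record). A chain that was cut at the end is
    internally consistent, so truncation only shows when expected_head is supplied."""
    prev = GENESIS
    for i, rec in enumerate(records):
        try:
            stored_tag = bytes.fromhex(rec["tag"])
            event = rec["event"]
        except (KeyError, ValueError, TypeError):
            return False, i
        if rec.get("seq") != i or rec.get("prev") != prev.hex():
            return False, i
        tag = hmac.new(key, prev + _canon(event), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, stored_tag):
            return False, i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(records)
    return True, None


def demo():
    key = b"constructed-demo-key-real-keys-belong-in-an-hsm"   # assumption for the demo
    log = SealedAuditLog(key)
    log.append({"user": "jsmith", "action": "login", "src": "10.0.0.5"})
    log.append({"user": "jsmith", "action": "role_change", "target": "admin"})
    log.append({"user": "jsmith", "action": "logout"})
    head = log.head()

    tampered = json.loads(json.dumps(log.records))
    tampered[1]["event"]["target"] = "reader"          # rewrite history after the fact
    truncated = log.records[:-1]                       # drop the newest record
    return (verify_chain(key, log.records, head),
            verify_chain(key, tampered, head),
            verify_chain(key, truncated),              # passes: no head to compare against
            verify_chain(key, truncated, head))        # fails: head mismatch at index 2


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "truncated", "truncated+head"), demo()):
        print(f"{label:15} {result}")
```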
V-35195 | Medium | The application server must provide an audit reduction capability. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review, the AS administrator may utilize the audit reduction capability to... |
V-35196 | Medium | The application server must provide a report generation capability for audit reduction data. | In support of audit review, analysis, and reporting requirements, audit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. In order to...
V-35214 | Medium | The application server must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may...
V-35199 | Medium | The application server must automatically process audit records for events of interest based upon selectable, event criteria. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
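A worked example serving the three audit-reduction rows above (V-35195, V-35196 and V-35199), added here and not from the SRG: a small reducer that parses key=value audit lines, selects records by a time window and by caller-supplied criteria on any field, and rolls the selection up into a reviewer's report. The log format and every record in SAMPLE_LOG are constructed for the demonstration; real application servers emit their own formats, so parse() is the part to replace.

```python
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit records in a key=value style; not output from any real server.
SAMPLE_LOG = """\
2024-03-04T02:13:07Z host=as01 user=jsmith event=AUTH_FAIL src=10.0.0.5 outcome=failure
2024-03-04T02:13:09Z host=as01 user=jsmith event=AUTH_FAIL src=10.0.0.5 outcome=failure
2024-03-04T02:13:12Z host=as01 user=jsmith event=AUTH_OK src=10.0.0.5 outcome=success
2024-03-04T02:14:40Z host=as01 user=jsmith event=CONFIG_CHANGE src=10.0.0.5 outcome=success
2024-03-04T09:01:00Z host=as02 user=mjones event=AUTH_OK src=10.0.1.9 outcome=success
2024-03-04T09:05:22Z host=as02 user=mjones event=APP_DEPLOY src=10.0.1.9 outcome=success
2024-03-04T23:58:01Z host=as01 user=svc_batch event=AUTH_FAIL src=10.0.2.2 outcome=failure
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
_KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Turn one audit line into a record with a timezone-aware timestamp."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = dict(_KV.findall(m.group("kv")))
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def select_events(records, *, since=None, until=None, **criteria) -> list[dict]:
    """Audit reduction: keep records inside the window that satisfy every criterion.

    Each keyword names a field; its value is either a set of accepted values or a
    predicate over the field value, so a reviewer can select by event type, user,
    source address, outcome, or any combination of them.
    """
    kept = []
    for rec in records:
        if since is not None and rec["ts"] < since:
            continue
        if until is not None and rec["ts"] > until:
            continue
        if all((crit(rec.get(f)) if callable(crit) else rec.get(f) in crit)
               for f, crit in criteria.items()):
            kept.append(rec)
    return kept


def report(records) -> dict:
    """Roll the reduced set up into the figures a reviewer reads first."""
    if not records:
        return {"total": 0}
    times = sorted(r["ts"] for r in records)
    return {
        "total": len(records),
        "window": (times[0].isoformat(), times[-1].isoformat()),
        "by_event": dict(Counter(r["event"] for r in records)),
        "by_user": dict(Counter(r["user"] for r in records)),
        "failures": sum(1 for r in records if r.get("outcome") == "failure"),
    }


if __name__ == "__main__":
    recs = [parse(line) for line in SAMPLE_LOG.splitlines()]
    security_relevant = select_events(recs, event={"AUTH_FAIL", "CONFIG_CHANGE"})
    print(report(security_relevant))
    night = select_events(recs, until=datetime(2024, 3, 4, 6, tzinfo=timezone.utc), outcome={"failure"})
    print([(r["user"], r["event"]) for r in night])
```

Keeping the selection criteria as data rather than hard-coded branches is what makes the "selectable event criteria" of V-35199 auditable in their own right: the filter a reviewer applied can be logged alongside the report.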
V-35218 | Medium | The application server must protect the audit records generated as a result of remote accesses to privileged accounts and the execution of privileged functions. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be...
V-35444 | Medium | The application server must provide system notifications to a list of response personnel who are identified by name and/or role. | Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is the... |
V-35686 | Medium | The application server must provide notification of failed automated security tests. | The need to verify security functionality applies to all security functions. For those security functions not able to execute automated self-tests, the organization either implements...
V-35448 | Medium | The application server must notify appropriate individuals when account disabling actions are taken. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves.... |
V-35687 | Medium | Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration. | Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization caused by... |
V-35135 | Medium | The application server must protect against an individual falsely denying having performed a particular action. | Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message,...
V-35334 | Medium | The application server must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and...
V-35138 | Medium | The application server must validate the binding of the information producer's identity to the information. | Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having...
V-35330 | Medium | The application server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and...
V-35331 | Medium | The application server must employ cryptographic encryption to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal...
V-35332 | Medium | The application server must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal...
V-35322 | Medium | The application server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When...
V-35529 | Medium | The application server, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms. | Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or...
V-35630 | Medium | The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. | A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. Authoritative DNS servers are...
V-35633 | Medium | Applications must preserve any organization defined system state information in the event of a system failure. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
V-35632 | Medium | Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation. | A Domain Name System (DNS) server is an example of an information system providing name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
V-35453 | Medium | The application server must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the...
V-35636 | Medium | The application server must disable network access by unauthorized components/devices or notify designated organizational officials. | Maintaining system and network integrity requires that all systems on the network are identified and accounted for. Without an accurate accounting of systems utilizing the network, the opportunity... |
V-35639 | Medium | Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must not be shared or used for any purpose other than described. | A Honey Pot is an organization-designated information system and/or application that includes components specifically designed to be the target of malicious attacks for the purpose of detecting,... |
V-35333 | Medium | The application server must terminate all sessions and network connections when non-local maintenance is completed. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal...
V-35320 | Medium | The application server must enforce password minimum lifetime restrictions. | Password minimum lifetime is defined as: the minimum period of time (typically in days) a user's password must be in effect before the user can change it. App servers have the capability to...
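A worked example covering both lifetime rows, V-35321 (maximum) above and V-35320 (minimum) here, added as an illustration and not from the SRG. The day counts are assumptions; the SRG leaves the numbers to the organization. The part worth seeing in code is the interaction between the two limits: the minimum lifetime exists to stop a user cycling through the history list back to an old password, so it must not apply to administrative resets or to a password that has already expired, or the user is locked out with no compliant way back in.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class LifetimePolicy:
    """Assumed values for the demo; set them from organizational policy."""
    min_days: int = 1     # V-35320: a user may not change again before this age
    max_days: int = 60    # V-35321: a change is forced at this age
    warn_days: int = 7    # advisory window before expiry


@dataclass
class Credential:
    user: str
    changed_at: datetime          # UTC time of the last password change
    admin_reset: bool = False     # set by an administrator reset; forces a change at next logon


def password_age(cred: Credential, now: datetime) -> timedelta:
    return now - cred.changed_at


def must_change(policy: LifetimePolicy, cred: Credential, now: datetime) -> bool:
    """Maximum lifetime: an expired or admin-reset password must be changed before use."""
    return cred.admin_reset or password_age(cred, now) >= timedelta(days=policy.max_days)


def may_change(policy: LifetimePolicy, cred: Credential, now: datetime,
               actor_is_admin: bool = False) -> tuple[bool, str]:
    """Minimum lifetime: block user-initiated changes to a young password, but never
    block an administrator, and never block a change that policy itself requires."""
    if actor_is_admin:
        return True, "administrative reset"
    if must_change(policy, cred, now):
        return True, "change required"
    age = password_age(cred, now)
    minimum = timedelta(days=policy.min_days)
    if age < minimum:
        hours = int((minimum - age).total_seconds() // 3600)
        return False, f"minimum lifetime not reached; try again in about {hours} h"
    return True, "ok"


def days_until_expiry(policy: LifetimePolicy, cred: Credential, now: datetime) -> Optional[int]:
    """Whole days left when inside the warning window; None otherwise (including expired)."""
    left = timedelta(days=policy.max_days) - password_age(cred, now)
    if timedelta(0) < left <= timedelta(days=policy.warn_days):
        return left.days
    return None


if __name__ == "__main__":
    policy = LifetimePolicy()
    now = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)      # constructed clock
    fresh = Credential("jsmith", now - timedelta(hours=6))
    print(may_change(policy, fresh, now))                       # blocked by minimum lifetime
    stale = Credential("jdoe", now - timedelta(days=61))
    print(must_change(policy, stale, now))                      # True
    print(days_until_expiry(policy, Credential("mjones", now - timedelta(days=55)), now))  # 5
```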
V-35680 | Medium | The application server must provide automated support for the management of distributed security testing. | For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing... |
V-35451 | Medium | The application server must initiate a session lock after an organization defined time period of system or application inactivity has transpired. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature... |
V-35627 | Medium | The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. Authoritative DNS servers are...
V-35681 | Medium | Applications providing patch management capabilities must support the organizational requirements to install software updates automatically. | Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security... |
V-35309 | Medium | The application server must disable device accounts after an organization defined time period of inactivity. | A device account represents a remote system or device rather than a user. Inactive device accounts pose a risk to the AS system and the applications residing on the AS. Accounts used for device...
V-35308 | Medium | The application server must dynamically manage identifiers, attributes, and associated access authorizations. | Dynamically managing identifiers typically involves authenticating the remote user or device and then creating and assigning a security token that is used as the identifier. Attribute management...
V-35534 | Medium | Applications must prohibit the transfer of unsanctioned information in accordance with security policy. | The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information...
V-35535 | Medium | The application server must enforce security policies regarding information on interconnected systems. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),...
V-35532 | Medium | Applications, when transferring information between different security domains, must implement or incorporate policy filters that constrain data object and structure attributes according to organizational security policy requirements. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and...
V-35533 | Medium | The application server must detect unsanctioned information being transmitted across security domains. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35736 | Medium | The application server must automatically monitor for atypical usage of accounts. | Atypical account usage is behavior that is not part of normal usage cycles, for example, user account activity occurring after hours or on weekends. Such a process greatly reduces the risk that...
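One way to automate the monitoring this row asks for, added as an example and not from the SRG: learn a per-account baseline (sources and hours seen) from recent logon history, then flag review-period events that fall outside business hours, on a weekend, from a source the account has never used, or from an account with no history at all. The business-hours window, the logon events in HISTORY and REVIEW, and the treatment of UTC as the organization's local time are all assumptions for the demo.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone

BUSINESS_HOURS = range(7, 19)   # assumed policy: 07:00 to 18:59, Monday to Friday


def _at(year, month, day, hour, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed logon history (user, time, source) used to learn each account's normal pattern.
HISTORY = [
    ("jsmith", _at(2024, 2, 26, 8, 5), "10.0.0.5"),
    ("jsmith", _at(2024, 2, 27, 9, 12), "10.0.0.5"),
    ("jsmith", _at(2024, 2, 28, 14, 40), "10.0.0.5"),
    ("mjones", _at(2024, 2, 26, 9, 0), "10.0.1.9"),
    ("mjones", _at(2024, 2, 28, 13, 30), "10.0.1.9"),
]

# Constructed events for the period under review (2024-03-02 is a Saturday, 03-04 a Monday).
REVIEW = [
    ("jsmith", _at(2024, 3, 2, 9, 0), "10.0.0.5"),        # weekend
    ("jsmith", _at(2024, 3, 4, 2, 13), "10.0.0.5"),       # 02:13 on a weekday
    ("jsmith", _at(2024, 3, 4, 10, 30), "10.0.0.5"),      # normal
    ("mjones", _at(2024, 3, 4, 10, 0), "198.51.100.7"),   # source never seen for this user
    ("svc_legacy", _at(2024, 3, 4, 11, 0), "10.0.3.3"),   # no history: dormant or new account
]


def build_baseline(history):
    """Per-user sets of source addresses and logon hours observed in the history window."""
    base = defaultdict(lambda: {"sources": set(), "hours": set()})
    for user, ts, src in history:
        base[user]["sources"].add(src)
        base[user]["hours"].add(ts.hour)
    return base


def atypical_usage(events, baseline, business_hours=BUSINESS_HOURS):
    """Return (user, timestamp, reasons) for every event that breaks a rule."""
    findings = []
    for user, ts, src in events:
        reasons = []
        if ts.weekday() >= 5:
            reasons.append("weekend activity")
        elif ts.hour not in business_hours:
            reasons.append(f"outside business hours ({ts:%H:%M})")
        profile = baseline.get(user)          # .get() so a lookup does not create a profile
        if profile is None:
            reasons.append("account has no baseline (dormant or newly created)")
        elif src not in profile["sources"]:
            reasons.append(f"source {src} never used by this account")
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in atypical_usage(REVIEW, build_baseline(HISTORY)):
        print(f"{user:12} {when}  {'; '.join(reasons)}")
```

Feeding the output to the notification path of V-35444 turns the rule set into the "automatic" monitoring the row requires; the rules are deliberately coarse, since the point of a baseline is to surface events for a human, not to block them.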
V-35737 | Medium | Service Oriented Architecture (SOA) components of the application server must dynamically manage user privileges and associated access authorizations. | Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data.... |
V-35301 | Medium | The application server must use CAC-based authentication mechanisms for local access to privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has...
V-35300 | Medium | The application server must use multifactor authentication for network access to privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has...
V-35450 | Medium | The application server management interface must ensure that the screen display is obfuscated when an application session lock event occurs. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature... |
V-35307 | Medium | Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the...
V-35381 | Medium | The application server must ensure authentication of both client and server during the entire session. | This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an...
V-35628 | Medium | The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. Authoritative DNS servers are... |
V-35437 | Medium | The application server must fail securely in the event of an operational failure. | Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended... |
V-35436 | Medium | The application server must check the validity of data inputs. | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated... |
V-35435 | Medium | The application server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority. | Priority protection helps the application server prevent a lower-priority application process from delaying or interfering with any higher-priority application processes. If the application server... |
V-35434 | Medium | The application server must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks. | Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such... |
V-35344 | Medium | The application server must utilize FIPS validated cryptography when protecting unclassified compartmentalized data. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
V-35088 | Medium | The application server must allow authorized users to associate PKI credentials with information. | Throughout the course of normal usage, authorized users of application servers will have the need to associate security attributes in the form of PKI credentials with information. The AS utilizes... |
V-35683 | Medium | The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing. | Anti-virus and malicious software detection applications utilize signature definitions in order to identify viruses and other malicious software. These signature definitions need to be constantly... |
V-35234 | Medium | The application server must adhere to the principles of least functionality by providing only essential capabilities. | Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD... |
V-35236 | Medium | The application server must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services. | Application servers provide numerous processes, features and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a... |
V-35542 | Medium | The application server must bind security attributes to information to facilitate information flow policy enforcement. | The application server enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
V-35540 | Medium | The application server must uniquely identify destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35546 | Medium | The application server must enforce information flow control using protected processing domains (e.g., domain type enforcement) as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35544 | Medium | The application server must track problems associated with the binding of security attributes to data. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35257 | Medium | The application server must back up application server configuration data on an automated basis. | Information system backup is a critical step in maintaining data assurance and availability. Application server configuration information includes all data relevant to the successful recovery of... |
V-35549 | Medium | The application server must enforce information flow using dynamic control, based on policy that allows or disallows information flow based on changing conditions or operational considerations. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35254 | Medium | The application server must conduct automated backups of application-level information contained in the application server. | Information system backup is a critical step in maintaining data assurance and availability. Application-level information includes all data relevant to the successful recovery of the... |
V-35423 | Medium | The application server must be configured to perform complete application deployments. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an... |
V-35569 | Medium | The application server must validate the binding of the reviewer's identity to the information at the transfer/release point prior to transfer/release from one security domain to another security domain. | This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release, particularly when transfer is occurring between... |
V-35659 | Medium | Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and are routed to an authorized destination. | In regards to boundary controls such as routers and firewalls, examples of restricting and prohibiting communications include restricting external web traffic only to organizational web servers... |
V-35429 | Medium | The application server must automatically terminate emergency accounts after a DoD-defined time period. | Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative... |
V-35424 | Medium | The application server must provide a clustering capability. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When... |
V-35425 | Medium | The application server must protect the confidentiality of applications and leverage transmission protection mechanisms such as TLS and SSL VPN when deploying applications. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-35426 | Medium | The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of application server log data. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
V-35427 | Medium | The application server must employ cryptographic mechanisms to protect data at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Alternative... |
V-35657 | Medium | The application server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. | In the case of application DoS attacks, care must be taken when designing the application so as to ensure that the application makes the best use of system resources. SQL queries have the... |
V-35654 | Medium | The application server must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to... |
V-35118 | Medium | Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions. | Unusual/unauthorized activities or conditions include internal traffic indicating the presence of malicious code within an information system or propagating among system components, the... |
V-35368 | Medium | The application server must validate the integrity of security attributes exchanged between systems. | Application servers provide a capability to exchange data between multiple web service hops. In application server terms, this is referred to as message layer security. While transport layer... |
V-35577 | Medium | The application server must have the capability to produce audit records on hardware-enforced, write-once media. | Applications are typically designed to incorporate their audit logs into the auditing sub-system hosted by the operating system. However, in some instances application developers may decide to... |
V-35371 | Medium | The application server, when hosting mobile applet code must be configured to host only digitally signed mobile code. | Mobile code technologies include: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the... |
V-35449 | Medium | The application server must notify appropriate individuals when accounts are terminated. | When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes... |
V-35114 | Medium | Applications providing intrusion and prevention capabilities must prevent non-privileged users from circumventing those capabilities. | Any application providing intrusion detection and prevention capabilities must be architected and implemented so as to prevent non-privileged users from circumventing such protections. This can be... |
V-35498 | Medium | Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35222 | Medium | The application server must employ automated mechanisms for the auditing of enforcement actions. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
V-35223 | Medium | The application server must validate the digital signature of signed web service messages. | Organizations may require that critical software be signed with a certificate recognized and approved by the organization. This includes messages that are transferred or read by the AS part of a... |
V-35220 | Medium | The application server must employ automated mechanisms for enforcing access restrictions. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant... |
V-35221 | Medium | The application server must automatically record an event in the device audit log each time the server is started. | If the auditing subsystem is not automatically started when the application server is started, security-related events could go unnoticed. The AS auditing subsystem must automatically start when... |
V-35224 | Medium | The application server must limit privileges to change the software resident within software libraries (including privileged programs). | Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one... |
V-35225 | Medium | The application server must automatically implement safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately. | Any changes to the components of the AS can potentially have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations... |
V-35552 | Medium | Application servers must prevent encrypted data from bypassing content-checking mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35554 | Medium | Application servers must enforce organization defined limitations on the embedding of data types within other data types. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35556 | Medium | Application servers must enforce information flow control on metadata. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35537 | Medium | The application server must uniquely identify source domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35559 | Medium | The application server must use security policy filters as a basis for making information flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35112 | Medium | Applications providing notifications regarding suspicious events must include the capability to notify an organization defined list of response personnel who are identified by name and/or role. | Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is... |
V-35716 | Medium | The application server must provide automated mechanisms for user account management. | This requirement addresses the user management capability of the application server software; it does not address applications that reside on top of the application server. The automated... |
V-35419 | Medium | The application server management interface must provide a logout functionality to allow the user to manually terminate the session. | Manually terminating an AS management session allows users to immediately depart the physical vicinity of the system they are logged into without the risk of subsequent system users or... |
V-35649 | Medium | Applications must support organization defined requirements to load and execute from hardware-enforced, read-only media. | Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified... |
V-35733 | Medium | The application server must automatically audit account modification. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply... |
V-35652 | Medium | The application server must not share resources used to interface with systems operating at different security levels. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
V-35734 | Medium | The application server must automatically audit account disabling actions and notify appropriate individuals. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves.... |
V-35643 | Medium | The application server must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The AS must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity... |
V-35415 | Medium | The application server must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or... |
V-35645 | Medium | Applications required to be non-modifiable must support organizational requirements to provide components that contain no writable storage capability. These components must be persistent across restart and/or power on/off. | Organizations may require applications or application components to be non-modifiable or to be stored and executed on non-writable storage. Use of non-modifiable storage ensures the integrity of... |
V-35647 | Medium | Applications must, for organization defined information system components, load and execute the operating environment from hardware-enforced, read-only media. | Organizations may require the information system to load the operating environment from hardware-enforced, read-only media. The term operating environment is defined as the code upon which... |
V-35742 | Medium | The Application Server must implement separation of duties by requiring administrative duties to be divided into distinct roles. | Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system including the operating system and in applications. It serves... |
V-35499 | Medium | The application must enforce approved authorizations for controlling the flow of information between interconnected systems. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35438 | Medium | The application server must employ approved cryptographic mechanisms when transmitting sensitive data. | Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over... |
V-35478 | Medium | The application server must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-35316 | Medium | The application server must enforce the number of characters that get changed when passwords are changed. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time... |
V-35314 | Medium | The application server must enforce password complexity by the number of numeric characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time... |
V-35315 | Medium | The application server must enforce password complexity by the number of special characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time... |
V-35099 | Medium | The application must prevent the execution of prohibited mobile code. | Decisions regarding the utilization of mobile code within organizational information systems need to include evaluations which help determine the potential for the code to cause damage to the... |
V-35310 | Medium | The application server must enforce minimum password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one of several factors that helps... |
V-35311 | Medium | The application server must prohibit password reuse for the organization defined number of generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need... |
V-35094 | Medium | The application server must support the capability to disable network protocols deemed by the organization to be nonsecure except for explicitly identified components in support of specific operational requirements. | Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features such as management... |
V-35618 | Medium | Applications, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among p | This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the... |
V-35091 | Medium | The application server must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Application servers provide remote management access and need to provide... |
V-35090 | Medium | The application server must use cryptography to protect the integrity of the remote access session. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the AS configuration. The use of... |
V-35216 | Medium | The application server must back up audit data and records on an organization defined frequency onto a different system or media than the system the application server itself is running on. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system the application server... |
V-35674 | Medium | Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems. | Detecting internal actions that may pose a security threat to external information systems is sometimes termed extrusion detection. Extrusion detection at the information system boundary includes... |
V-35676 | Medium | Applications that serve to protect organizations and individuals from spam messages must incorporate update mechanisms updating protection mechanisms and signature definitions when new application releases are available, in accordance with organizational | Senders of spam messages are continually modifying their tactics and source email addresses in order to elude protection mechanisms. To stay up to date with the changing threat and to identify... |
V-35671 | Medium | Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. | External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource... |
V-35215 | Medium | The application server must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-35108 | Medium | The application must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion. | Intrusion monitoring applications are, by their nature, designed to monitor and record network and system traffic and activity. They can accumulate a significant amount of sensitive data,... |
V-35305 | Medium | Applications using multifactor authentication when accessing non-privileged accounts via the network must utilize replay resistant authentication. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Rationale for... |
V-35567 | Medium | The application server must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. | Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received... |
V-35679 | Medium | Applications utilized for integrity verification must detect unauthorized changes to software and information. | Organizations are required to employ integrity verification applications on information systems to look for evidence of information tampering, errors, and omissions. The organization is also... |
V-35678 | Medium | Applications that are utilized to address the issue of spam and provide protection from spam must automatically update any and all spam protection measures including signature definitions. | Originators of spam emails are constantly changing their source email addresses in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing... |
V-35562 | Medium | The application server must uniquely authenticate destination domains when transferring information. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-35584 | Medium | Configuration management applications must employ automated mechanisms to centrally verify configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Rather than visiting each and every system... |
V-35073 | Medium | The application server must maintain and support the use of digital signatures on software components and applications in storage. | Digital signatures enable the system to verify the integrity of the signed object and authenticate the object's signatory. Failure to maintain the binding of digital signatures on software... |
V-35768 | Medium | The application server must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted. | By limiting the number of failed login attempts, the risk of unauthorized system access via automated user password guessing, otherwise known as brute forcing, is reduced. Best practice requires... |
V-35766 | Medium | The application server must limit the number of failed login attempts to an organization defined number of consecutive invalid attempts that occur within an organization defined time period. | Anytime an authentication method is exposed so as to allow for the login to an application, there is a risk that attempts will be made to obtain unauthorized access. By limiting the number of... |
V-35539 | Medium | The application server must uniquely authenticate source domains for information transfer. | The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
V-35342 | Medium | The application server must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-35312 | Medium | The application server must enforce password complexity by the number of upper case characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time... |
V-35079 | Medium | The application server must bind digital signatures to software components and applications in process. | If the application server does not maintain the data security attributes while it processes the data, there is a risk of data compromise. Encryption, particularly digital signatures, is utilized... |
V-35484 | Medium | The application must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights, and including or excluding access to the g | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
V-35482 | Medium | The application server must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. | User-based collaboration and information sharing applications present challenges regarding classification and dissemination of information generated and shared among the application users. These... |
V-35483 | Medium | The application server must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands. | Dual authorization requires two distinct approving authorities to approve the use of an application command prior to it being invoked. This capability is typically reserved for specific... |
V-35480 | Medium | The application server must monitor for unauthorized connections of mobile devices to organizational information systems. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
V-35481 | Medium | Applications must not enable information system functionality providing the capability for automatic execution of code on mobile devices without user direction. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
V-35361 | Medium | The application server must associate security attributes with information exchanged between information systems. | When data is exchanged between information systems, the security attributes associated with said data needs to be maintained.
Application servers provide a capability to exchange data between... |
V-35089 | Medium | The application server must utilize cryptography to protect the confidentiality of remote access management sessions. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the AS via a network for the purposes of managing the AS. If... |
V-35313 | Medium | The application server must enforce password complexity by the number of lower case characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Use of a complex password helps to increase the time... |
V-35082 | Medium | The application server must maintain the binding of security attributes to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
These attributes are... |
V-35080 | Medium | The application server must support and maintain the binding of digital signatures on information in transmission. | Digital signatures enable the system to verify the integrity of the signed object and authenticate the object's signatory. Failure to maintain the binding of digital signatures on software... |
V-35662 | Medium | Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface. | This control enhancement is intended to protect the network addresses of information system components that are part of the managed interface from discovery through common tools and techniques... |
V-35663 | Medium | The application server must employ automated mechanisms to enforce strict adherence to protocol format. | Automated mechanisms used to enforce protocol formats include, deep packet inspection firewalls and XML gateways. These devices verify adherence to the protocol specification (e.g., IEEE) at the... |
V-35578 | Medium | The application server must support the enforcement of a two-person rule for changes to organization defined application components and system-level information. | Regarding access restrictions for changes made to organization defined information system components and system level information, any changes to the hardware, software, and/or firmware components... |
V-35661 | Medium | The application must be capable of implementing host-based boundary protection mechanisms for servers, workstations, and mobile devices. | A host-based boundary protection mechanism is a host-based firewall. Host-based boundary protection mechanisms are employed on mobile devices, such as notebook/laptop computers, and other types of... |
V-35477 | Medium | The application server must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
These attributes are... |
V-35667 | Medium | Any software application designed to function as a firewall must be capable of employing a default deny all configuration. | A firewall default deny all is a firewall configuration setting that will force the administrator to explicitly allow network or application traffic rather than allowing all traffic by default.... |
V-35664 | Medium | Boundary protection applications must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces. | Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. Applications monitoring and/or controlling communications at the external... |
V-35572 | Medium | The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic. | It is critical that, when a system is at risk of failing to process audit logs as required, actions are automatically taken to mitigate the failure. Audit processing failures include... |
V-35479 | Medium | The application server must monitor for unauthorized remote connections to the information system on an organization defined frequency. | Organizations need to monitor for unauthorized remote access connections to information systems in order to determine if break-in attempts or other unauthorized activity is occurring. There are... |
V-35571 | Medium | The application server must include organization defined additional, detailed information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not... |
V-35576 | Medium | The application server must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists. | It is critical when a system is at risk of failing to process audit logs as required; it takes action to mitigate the failure. If the system were to continue processing without auditing enabled,... |
V-35721 | Medium | The application server must provide a mechanism to automatically terminate accounts designated as being temporary or emergency after an organization defined time period. | Temporary application server user accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform... |
V-35575 | Medium | The application server must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds. | It is critical when a system is at risk of failing to process audit logs as required; actions are automatically taken to mitigate the failure or risk of failure.
Rejecting or delaying network... |
V-35727 | Medium | The application server must automatically audit account creation. | Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account... |
V-35103 | Medium | Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
V-35109 | Medium | The application server must take an organization defined list of least-disruptive actions to terminate suspicious events. | System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This... |
V-35778 | Medium | Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed. | Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be... |
V-35775 | Medium | The application must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
V-35774 | Medium | The application server must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users. | Application Server management functionality includes functions necessary to administer the application server, and requires privileged access via one of the accounts assigned to a management role.... |
V-35136 | Medium | The application server must associate the identity of the information producer with the information. | Non-repudiation supports audit requirements to provide the appropriate organizational officials the means to identify who produced specific information in the event of an information transfer.... |
V-35107 | Medium | The application must either implement compensating security controls or the organization explicitly accepts the risk of not performing the verification as required. | Application security functional testing involves testing the application for conformance to the application's security function specifications, as well as for conformance to the underlying... |
V-35101 | Medium | The application server must enforce an access control policy that includes or excludes access to application objects to the granularity of a single user. | Including or excluding access to the granularity of a single user means providing the capability to either allow or deny access to application objects on a per single user basis. The requirement... |
V-35104 | Medium | Mobile code applications must be developed in accordance with DoD-defined mobile code requirements. | Decisions regarding the development of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile... |
V-35443 | Medium | The application server must directly employ or allow the utilization of automated patch management tools to facilitate flaw remediation. | The organization (including any contractor to the organization) shall promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during... |
V-35770 | Medium | The Application Server must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization defined time period or until the account is unlocked by an administrator. | Anytime an authentication method is exposed so as to allow for the utilization of an application interface, there is a risk that attempts will be made to obtain unauthorized access.
By locking... |
V-35669 | Medium | Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks. | This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a... |
V-35724 | Medium | The application server must automatically disable accounts after an organization defined period of account inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
Application servers... |
V-35503 | Medium | The application server must identify data type, specification, and usage when transferring information between different security domains | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35641 | Medium | The application server must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions. | Application functionality is typically broken down into modules that perform various tasks or roles. Examples of non-privileged application functionality include, but are not limited to,... |
V-35431 | Medium | The application server must provide automated mechanisms that can be used to alert security personnel of inappropriate or unusual activities with security implications. | Manual notification procedures do not offer the reliability and speed of an automated notification solution. Application servers must utilize automated mechanisms to alert security personnel of... |
V-35376 | Medium | The application server must separate hosted application functionality from AS management functionality. | Application server management functionality includes functions necessary to administer the application server, and requires privileged access via one of the accounts assigned to a management role.... |
V-35564 | Medium | Applications scanning for malicious code must scan all media used for system maintenance prior to use. | There are security-related issues arising from software brought into the information system specifically for diagnostic and repair actions. (e.g., a software packet sniffer installed on a system... |
V-35739 | Medium | The Application Server must enforce non-discretionary access control policies over users and resources. | Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority, and may not be changed at the discretion of ordinary application server... |
V-35430 | Medium | The application server must implement an application isolation boundary. | Isolating applications is accomplished by means of an isolation boundary (implemented via partitions and domains) that controls access to, and protects the integrity of, the software that... |
V-35336 | Medium | The application server must establish a trusted communications path between the user and organization defined security functions within the information system. | Without a trusted communication path, the AS is vulnerable to a man-in-the-middle attack.
Application server user interfaces are used for management of the application server so the... |
V-35337 | Medium | Application servers must use NIST-approved or NSA-approved key management technology and processes. | A symmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise and the private portion of the... |
V-35440 | Medium | The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and... |
V-35446 | Medium | The application server must notify administrators when accounts are created. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create... |
V-35502 | Medium | Application servers providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies. | Application specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways and cross domain solutions (CDS)) employing rule sets or... |
V-35447 | Medium | The application server must notify appropriate individuals when accounts are modified. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify... |
V-35617 | Medium | The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries. | This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the... |
V-35616 | Medium | Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization defined software applications and require organization defined actions prior to executing the code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code... |
V-35615 | Medium | Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code... |
V-35614 | Medium | Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code... |
V-35613 | Medium | Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must implement detection and inspection mechanisms to identify unauthorized mobile code | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code... |
V-35612 | Medium | Applications must support organizational requirements to issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy.
For federal agencies operating a legacy public key... |
V-35611 | Medium | Software and/or firmware used for collaborative computing devices must prohibit remote activation, excluding the organization defined exceptions where remote activation is to be allowed. | Collaborative computing devices include networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients.
This requirement is NA. App... |
V-35610 | Medium | Applications must respond to security function anomalies in accordance with organization defined responses and alternative action(s). | The need to verify security functionality applies to all security functions.
For those security functions not able to execute automated self-tests the organization either implements compensating... |
V-35741 | Medium | The application server must track problems associated with information transfer. | When an application transfers data, there is the chance an error or problem with the data transfer may occur. Applications need to track failures and any problems encountered when performing data... |
V-35740 | Medium | The Application Server must prevent access to organization defined security-relevant information except during secure, non-operable system states. | Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce... |
V-35743 | Medium | The Application Server must provide a separate, distinct administrative account when accessing AS security functions or security relevant information. | In order to limit exposure, the AS must control access to security functions and security relevant information. To meet this requirement, the AS must provide a privileged account, or admin role... |
V-35445 | Medium | The application server must use cryptographic mechanisms to protect the integrity of the application server audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all information (e.g., audit records, audit... |
V-35745 | Medium | The application server must be able to function within separate processing domains (virtualized systems). | Applications must employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in... |
V-35744 | Medium | The Application Server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. | In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when... |
V-35116 | Medium | The application server must allocate online audit record storage capacity for an organization defined number of continuous days of operation. | The proper management of audit records and logs not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain audit logs... |
V-35500 | Medium | The application server must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35586 | Medium | Configuration management applications must employ automated mechanisms to centrally respond to unauthorized changes to configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system.
Responses to unauthorized changes to... |
V-35441 | Medium | The application server must restrict error messages so only authorized personnel may view them. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be... |
V-35092 | Medium | The application server must route all remote management access through a centrally managed access control point. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection to the AS.
Application server clusters are multiple application servers... |
V-35582 | Medium | Configuration management applications must employ automated mechanisms to centrally apply configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system.
Rather than visiting each and every system... |
V-35580 | Medium | Configuration management applications must employ automated mechanisms to centrally manage configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system.
Rather than visiting each and every system... |
V-35501 | Medium | Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information),... |
V-35682 | Medium | Applications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization defined basis. | Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report... |
V-35588 | Medium | Configuration management solutions must track unauthorized, security-relevant configuration changes. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system.
Incident Response teams require input from... |
V-35183 | Medium | The application server must provide the ability to write specified audit record content to an audit log server. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not... |
V-35182 | Medium | The application server must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35070 | Medium | The application server must define the maximum number of concurrent sessions for an application account globally, by account type, by account, or a combination thereof. | Application management includes the ability to control the number of sessions that utilize an application. Limiting the number of allowed sessions is helpful in limiting risks related to Denial of... |
V-35117 | Medium | Applications that detect and alarm on security events such as intrusion detection, firewalls, anti-virus, or malware must provide near real-time alert notification. | When an intrusion detection security event occurs it is imperative the application that has detected the event immediately notify the appropriate support personnel so they can respond accordingly.... |
V-35347 | Medium | The application server must protect the integrity and availability of publicly available information and applications. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of... |
V-35341 | Medium | The application server must utilize NSA-approved cryptography when protecting classified compartmentalized data. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-35634 | Medium | The application server must enforce requirements regarding the connection of mobile devices to organizational information systems. | Applications designed to manage the connection of mobile devices to information systems must be able to enforce organizational connectivity requirements or work in conjunction with enterprise... |
V-35121 | Low | The application server management interface, upon successful logon, must display to the user the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their application server account. Providing users with information regarding the date and time of their last successful login allows the... |
V-35439 | Low | The application server must identify potentially security-relevant error conditions. | The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle... |
V-35212 | Low | The application server must protect audit information from unauthorized deletion. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.... |
V-35192 | Low | The application server must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
V-35193 | Low | Application Servers must centralize the review and analysis of audit records from multiple components within the system. | Segregation of logging data to multiple disparate computer systems is counter-productive and makes log analysis, log event alarming and correlation difficult to implement and manage, particularly... |
V-35132 | Low | The application server must notify the user of the number of successful logins/accesses occurring during an organization defined time period. | Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of successful attempts made to login to their account... |
V-35133 | Low | The application server must notify the user of the number of unsuccessful login/access attempts occurring during an organization defined time period. | Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to login to their account... |
V-35134 | Low | The application server must notify users of organization defined security-related changes to the users account occurring during the organization defined time period. | DoD may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of normal business... |
V-35335 | Low | The application server must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity. | If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or... |
V-35139 | Low | The application server must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance. | Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated.... |
V-35161 | Low | The application server must produce audit records containing sufficient information to establish what type of JVM related events and severity levels occurred.
| Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps,... |
V-35203 | Low | The application server must use internal system clocks to generate time stamps for audit records. | Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the AS. If an... |
V-35204 | Low | The application server must synchronize with internal information system clocks which, in turn, are synchronized on an organization defined frequency with an organization defined authoritative time source. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks... |
V-35205 | Low | The application server must protect audit information from any type of unauthorized read access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
V-35143 | Low | The application server must generate audit records for the DoD-selected list of auditable events. | Audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is... |
V-35142 | Low | The application server must provide a user role which designates which organizational personnel select auditable events. | Audit records can be generated from various components within the application server (e.g., httpd, beans, etc.). From an application perspective, certain specific application functionalities may... |
V-35140 | Low | The application server must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. | Audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is... |
V-35432 | Low | The application server must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment. | Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative... |
V-35141 | Low | The application server must provide audit record generation capability for defined auditable events. | Audit records can be generated from various components within the application server (e.g., httpd, beans, etc.). From an application perspective, certain specific application functionalities may... |
V-35148 | Low | The application server must initiate session auditing upon start up. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
V-35238 | Low | The application server must utilize automated mechanisms to prevent program execution on the information system. | The application server must provide a capability to halt or otherwise disable the automatic execution of deployed applications until such time that the application is considered part of the... |
V-35102 | Low | The application server must display an approved system use notification message or banner before granting access to the system. | Application servers must display an approved system use notification message or banner before granting access to the system. System use notification messages are implemented in the form of... |
V-35157 | Low | The application server must be configured to remotely view all content related to an established administrative user session in real time. | User sessions for an application server are in the context of server management only. The application server must be configured to log all administrative session data to a remote location for viewing. |
V-35150 | Low | The application server must capture, record, and log all content related to an administrative user session. | User sessions for an application server are in the context of server management only. The application server must be capable of enabling a setting for troubleshooting or debugging purposes which... |
V-35159 | Low | The application server must produce application server process events and severity levels to establish what type of HTTPD related events and severity levels occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps,... |
V-35422 | Low | The application server must generate unique session identifiers with organization defined randomness requirements. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence, at each end of a... |
V-35241 | Low | The application server must implement transaction recovery for transaction-based processes. | Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. Use of transactions prevents databases from being left in inconsistent states due to... |
V-35163 | Low | The application server must produce process events and security levels to establish what type of AS process events and severity levels occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps,... |
V-35165 | Low | The application server must produce audit records containing sufficient information to establish when (date and time) the events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps,... |
V-35167 | Low | The application server must produce audit records containing sufficient information to establish where the events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps,... |
V-35190 | Low | The application server must be configured to log the audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure). | It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the failure. Audit processing failures include software/hardware errors,... |
V-35191 | Low | The application server must be configured to fail over to another system in the event of audit subsystem failure. | It is critical that, when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Application servers must be capable of failing... |
V-35420 | Low | The application server must generate a unique session identifier for each session. | Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session... |
V-35421 | Low | The application server must recognize only system-generated session identifiers. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a... |
V-35098 | Low | The application server management interface must retain the system use notification message or banner on the screen until users take explicit actions to logon for further access. | To establish acceptance of system usage policy, a click-through banner at application server logon is required. The banner shall prevent further activity on the application server unless and until... |
V-35735 | Low | The application server must automatically audit account termination and notify appropriate individuals. | When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes... |
V-35176 | Low | The application server must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes but is not limited... |
V-35096 | Low | The application server management interface must display an approved system use notification message or banner before granting access to the system. | Application servers are required to display an approved system use notification message or banner before granting access to the system, providing privacy and security notices consistent with... |
V-35131 | Low | In order to inform administrators of failed login attempts made to the administrator's account, the application server management interface, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. | AS administrators need to be aware of activity that occurs regarding their account. Providing AS administrators with information regarding the number of unsuccessful login attempts made to their... |
V-35105 | Low | The application server must configure auditing to reduce the likelihood of storage capacity being exceeded. | Application servers need to be cognizant of potential audit log storage capacity issues. AS auditing capability is critical for accurate forensic analysis. Alerting administrators when audit log... |
V-35442 | Low | The application server must activate an alarm or automatically shut down the application server instance if an application component failure is detected. | Predictable failure prevention requires organizational planning to address application server failure issues. If components key to maintaining application server security fail to function, the... |
V-35170 | Low | The application server must produce audit records containing sufficient information to establish the sources of the events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not... |
V-35772 | Low | The application server must protect audit information from unauthorized modification. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
V-35186 | Low | The application server must alert designated individual organizational officials in the event of an audit processing failure. | Audit processing failures include, but are not limited to, failures in the application server log capturing mechanisms or audit storage capacity being reached or exceeded. In some instances, it is... |
V-35185 | Low | The application server must provide a real-time alert when organization defined audit failure events occur. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
V-35184 | Low | The application server must provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
V-35188 | Low | The application server must notify administrative personnel as a group in the event of audit processing failure. | Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. To ensure flexibility and ease of use,... |