Vuln ID | Severity | Rule Title | Discussion
V-23839 | Medium | Change on a production web site is controlled. | One of the greatest potential threats to a production web server comes from the allowance of inappropriately controlled software change. All change and modification to production web sites must... |
V-23819 | Medium | The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support. | It is one of the primary duties of the Change Control Board (CCB) to have a complete and detailed inventory of hardware, software, and firmware, inclusive of version, license, and certificate... |
V-23840 | Medium | Documented procedures and processes exist to recover the production web server and its associated web sites and are included as a part of the COOP. | In the event that a production web site or server needs to be recovered, a current and complete process exists to recover the web server and its associated web sites. Formed as an integral part... |
V-23829 | Medium | Production web server scripts are tested before implementation. | Interactive server-side scripts, sometimes referred to as CGI, are a powerful means for enhancing web site functionality. Scripts are often executable at the application layer and can interact... |
V-23842 | Medium | A process must exist to ensure changes to a production web server’s software or a production web server’s configurable settings are tested and documented before being implemented. | This requirement only addresses the physical web server software (e.g., IIS, Apache, etc.) and web server software configuration changes. It is not related to web site application code, web... |
V-23846 | Medium | Information on public web servers is reviewed before publication and periodically reviewed after publication. | The publishing of un-reviewed and unapproved content on a public web server may pose a serious threat to the safety of the warfighter and national security. Security is everyone's responsibility... |
V-23822 | Medium | Incident Response procedures must exist for web servers and sites. | It is a requirement that all DoD information sites have developed and implemented Incident Response (IR) policies and procedures. In the event that an unexpected occurrence disrupts the web... |
V-23835 | Medium | The sensitivity level of all data for publication on a production web site is known and documented. | It is important to be aware of the data sensitivity level and security category of information being published on a web site so that appropriate safeguards may be applied. Such safeguards may... |
V-23838 | Low | A current baseline configuration for the web server is maintained at all times. | The Web Server STIG and the OS STIG can provide guidance with respect to the creation of a baseline configuration for web servers. However, changes to the server configuration over time will occur... |
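One practical way to keep the baseline V-23838 asks for is a hash manifest of the web server's configuration files, re-computed on a schedule and compared against the manifest captured at deployment. The block below is an added example of that drift check; it is not from the STIG or from any DISA tool. The file paths and their contents are constructed samples, and the normalization rule (blank lines and comment lines are ignored so that a cosmetic edit does not register as drift) is an assumption of the example, not a STIG requirement.

```python
"""Baseline-drift check for web server configuration (added example).

Assumes configuration is supplied as a mapping of path -> bytes so the
example runs offline; a real run would read the files from disk.
"""
import hashlib
from typing import Dict, List


def normalize(content: bytes) -> bytes:
    """Drop blank and comment lines (assumed rule of this example) so that
    only directive lines take part in the comparison."""
    kept = []
    for line in content.decode("utf-8", errors="replace").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        kept.append(stripped)
    return "\n".join(kept).encode()


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build the manifest: SHA-256 of each file's normalized content."""
    return {path: hashlib.sha256(normalize(c)).hexdigest()
            for path, c in files.items()}


def drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two manifests; every non-empty list is an undocumented change
    that must be reconciled with the change record or reverted."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


# Constructed sample: the configuration captured as the baseline ...
BASELINE_FILES = {
    "/etc/httpd/conf/httpd.conf":
        b"ServerTokens Prod\nServerSignature Off\nTraceEnable Off\n",
    "/etc/httpd/conf.d/ssl.conf":
        b"SSLProtocol -all +TLSv1.2 +TLSv1.3\n",
}

# ... and the same host later: a comment was added to ssl.conf (benign),
# TraceEnable was flipped on in httpd.conf (security-relevant), and an
# unrecorded virtual host file appeared.
CURRENT_FILES = {
    "/etc/httpd/conf/httpd.conf":
        b"# tuned by admin\nServerTokens Prod\nServerSignature Off\nTraceEnable On\n",
    "/etc/httpd/conf.d/ssl.conf":
        b"\n# no functional change\nSSLProtocol -all +TLSv1.2 +TLSv1.3\n",
    "/etc/httpd/conf.d/debug-vhost.conf":
        b"<VirtualHost *:8080>\n</VirtualHost>\n",
}


def check_sample() -> Dict[str, List[str]]:
    """Run the drift check over the constructed sample."""
    return drift(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in check_sample().items():
        print(f"{kind}: {paths}")
```

Only httpd.conf is reported as modified and only the new vhost file as added; the comment-only edit to ssl.conf is suppressed by the normalization step. The baseline manifest itself should be stored and access-controlled separately from the server so that a change to the server cannot also rewrite the record it is checked against.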
V-23841 | Low | The SA and the web administrator are aware of mobile code technology deployed on servers under their administration. | Mobile code technologies represent a major threat vector with respect to the protection of DoD assets. Because this technology is continually evolving, guidance offered by DoD and NIST is also... |
V-23844 | Low | Web server access logs are generated and retained according to DoDI 8500.2 requirements. | Audit trails (logs) are required, as a minimum, to determine accountability according to DoDI 8500.2. They also provide the accountability functionality of a C2-level trusted requirement. Auditing... |
V-23833 | Low | Trained staff are not available to respond to web server or web content problems. | Many web sites are available 24 hours per day, 7 days a week, and the potential for problems relating to the web server operations are significant. Operating staff may discover a problem with the... |
V-23834 | Low | All interactive CGI programs used on the production web server will be documented. | Common Gateway Interface (CGI) is a standard protocol that defines how web server software can delegate the generation of web pages to an external application or the web browser. These web... |
V-23836 | Low | Configuration management policies are available to the SA and the web administrator. | A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability,... |