| Vuln ID ||Severity ||Rule Title ||Discussion |
| V-23839 ||Medium ||Change on a production web site is controlled. ||One of the greatest potential threats to a production web server comes from the allowance of inappropriately controlled software change. All change and modification to production web sites must... |
| V-23819 ||Medium ||The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support. ||It is one of the primary duties of the Change Control Board (CCB) to have a complete and detailed inventory of hardware, software, and firmware, inclusive of version, license, and certificate... |
| V-23840 ||Medium ||Documented procedures and processes exist to recover the production web server and its associated web sites and are included as a part of the COOP. ||In the event that a production web site or server needs to be recovered, a current and complete process exists to recover the web server and its associated web sites. Formed as an integral part... |
| V-23829 ||Medium ||Production web server scripts are tested before implementation. ||Interactive server-side scripts, sometimes referred to as CGI, are a powerful means for enhancing web site functionality. Scripts are often executable at the application layer and can interact... |
| V-23842 ||Medium ||A process must exist to ensure changes to a production web server’s software or a production web server’s configurable settings are tested and documented before being implemented. ||This requirement only addresses the physical web server software (e.g., IIS, Apache, etc.) and web server software configuration changes. It is not related to web site application code, web... |
| V-23846 ||Medium ||Information on public web servers is reviewed before publication and periodically reviewed after publication. ||The publishing of un-reviewed and unapproved content on a public web server may pose a serious threat to the safety of the warfighter and national security. Security is everyone’s responsibility... |
| V-23822 ||Medium ||Incident Response procedures must exist for web servers and sites. ||It is a requirement that all DoD information sites have developed and implemented Incident Response (IR) policies and procedures. In the event that an unexpected occurrence disrupts the web... |
| V-23835 ||Medium ||The sensitivity level of all data for publication on a production web site is known and documented. ||It is important to be aware of the data sensitivity level and security category of information being published on a web site so that appropriate safeguards may be applied. Such safeguards may... |
| V-23838 ||Low ||A current baseline configuration for the web server is maintained at all times. ||The Web Server STIG and the OS STIG can provide guidance with respect to the creation of a baseline configuration for web servers. However, changes to the server configuration over time will occur... |
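V-23838 asks that a baseline configuration be kept current, and V-23839 that every change to it be controlled; in practice that means a recorded snapshot of the web server's configuration files and a check that reports anything differing from it. The script below is an added example, not part of the STIG or of any vendor's tooling: it records the SHA-256, owner, group and permission bits of each listed file into a JSON manifest, then compares a later snapshot against that manifest and reports added, removed and modified files. The file names under CONFIG_FILES are hypothetical Apache-style paths; the walk-through in run_demo creates constructed sample files in a temporary directory so the script runs offline.

```python
"""Baseline manifest and drift check for web server configuration files.

Added example (not from the STIG text). CONFIG_FILES lists hypothetical
relative paths; point them at the real httpd.conf, ssl.conf and site
configuration files on the server being baselined.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Hypothetical relative paths that make up the baseline.
CONFIG_FILES = ["httpd.conf", "conf.d/ssl.conf", "conf.d/vhosts.conf"]


def file_record(path: Path) -> dict:
    """Attributes that define a file's baseline state. Owner and mode are
    recorded alongside the content hash because a silent chmod or chown
    is drift just as much as an edited directive."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path, rel_paths=CONFIG_FILES) -> dict:
    """Snapshot every listed file under root. A file that does not exist
    is recorded as None so that its later appearance is reported."""
    return {rel: (file_record(root / rel) if (root / rel).is_file() else None)
            for rel in rel_paths}


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three lists a change reviewer needs:
    added (absent at baseline, present now), removed, and modified
    (content, ownership or permissions changed)."""
    added, removed, modified = [], [], []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None and after is not None:
            added.append(rel)
        elif before is not None and after is None:
            removed.append(rel)
        elif before != after:
            modified.append(rel)
    return {"added": added, "removed": removed, "modified": modified}


def drifted(report: dict) -> bool:
    """True if any file differs from the baseline."""
    return any(report.values())


def run_demo() -> dict:
    """Constructed walk-through: write sample configs into a temporary
    directory, record the baseline, make two unapproved changes, and
    return the drift report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "conf.d").mkdir()
        (root / "httpd.conf").write_text("ServerTokens Prod\nTraceEnable Off\n")
        (root / "conf.d" / "ssl.conf").write_text("SSLProtocol -all +TLSv1.2 +TLSv1.3\n")
        # vhosts.conf is intentionally absent when the baseline is taken.
        save_baseline(build_baseline(root), root / "baseline.json")

        # Unapproved changes: a weakened directive and a new vhost file.
        (root / "httpd.conf").write_text("ServerTokens Full\nTraceEnable Off\n")
        (root / "conf.d" / "vhosts.conf").write_text("<VirtualHost *:80>\n</VirtualHost>\n")

        return compare(load_baseline(root / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In use, the manifest produced by save_baseline is what the Change Control Board approves; the compare step is run on a schedule or before each approved change, and any non-empty report that does not correspond to an approved change request is the finding. The manifest itself should be stored somewhere the web administrator cannot silently rewrite, or the check only proves the server agrees with itself.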
| V-23841 ||Low ||The SA and the web administrator are aware of mobile code technology deployed on servers under their administration. ||Mobile code technologies represent a major threat vector with respect to the protection of DoD assets. Because this technology is continually evolving, guidance offered by DoD and NIST is also... |
| V-23844 ||Low ||Web server access logs are generated and retained according to DoDI 8500.2 requirements. ||Audit trails (logs) are required, as a minimum, to determine accountability according to DoDI 8500.2. They also provide the accountability functionality of a C2-level trusted requirement. Auditing... |
| V-23833 ||Low ||Trained staff are not available to respond to web server or web content problems. ||Many web sites are available 24 hours per day, 7 days a week, and the potential for problems relating to the web server operations are significant. Operating staff may discover a problem with the... |
| V-23834 ||Low ||All interactive CGI programs used on the production web server will be documented. ||Common Gateway Interface (CGI) is a standard protocol that defines how web server software can delegate the generation of web pages to an external application or the web browser. These web... |
| V-23836 ||Low ||Configuration management policies are available to the SA and the web administrator. ||A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability,... |