The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23819	WEBPL200	SV-28754r1_rule	DCPR-1	Medium

Description
It is one of the primary duties of the Change Control Board (CCB) to have a complete and detailed inventory of hardware, software, and firmware, inclusive of version, license, and certificate information (such as expiration dates) in order to properly track and plan for change. This requirement will also be reflected in the Continuity of Operations Plan (COOP) within the organization, which forms the basis of contingency planning and recovery. With regards to software, firmware, and hardware expired licenses, certificates, and support agreements that may lead to outages of availability, a process should be in place in order to ensure these are kept current in a timely fashion as determined by the organization. Also, vendor agreements, contact numbers, and support identification protocols should be maintained, kept current, and be readily available to the CCB, the IAO, and the SA for the production web server. Software that has fallen out of warranty and is no longer supported by the vendor presents a significant risk to the computing environment. When software is no longer supported by the vendor, patches are no longer supplied for the particular piece of software which can make an organization vulnerable to attacks. Also, unsupported software is normally not included on various vulnerability notices, such as IAVMs and CVEs, due to the fact that the vendors are not providing this information since the software is not supported. It is important to note that software that fails to meet DoD security guidelines may be denied connection to the network.

Description

It is one of the primary duties of the Change Control Board (CCB) to have a complete and detailed inventory of hardware, software, and firmware, inclusive of version, license, and certificate information (such as expiration dates) in order to properly track and plan for change. This requirement will also be reflected in the Continuity of Operations Plan (COOP) within the organization, which forms the basis of contingency planning and recovery. With regards to software, firmware, and hardware expired licenses, certificates, and support agreements that may lead to outages of availability, a process should be in place in order to ensure these are kept current in a timely fashion as determined by the organization. Also, vendor agreements, contact numbers, and support identification protocols should be maintained, kept current, and be readily available to the CCB, the IAO, and the SA for the production web server. Software that has fallen out of warranty and is no longer supported by the vendor presents a significant risk to the computing environment. When software is no longer supported by the vendor, patches are no longer supplied for the particular piece of software which can make an organization vulnerable to attacks. Also, unsupported software is normally not included on various vulnerability notices, such as IAVMs and CVEs, due to the fact that the vendors are not providing this information since the software is not supported. It is important to note that software that fails to meet DoD security guidelines may be denied connection to the network.

STIG	Date
Web Policy STIG	2011-10-03

Details

Check Text ( C-29115r1_chk )
Query the IAO to determine if the site has a detailed process as part of its Configuration Management Plan or COOP to prevent the use of unsupported software and to provide a process to upgrade web server software. If the web server staff cannot provide a copy of the Configuration Management Plan or the COOP that addresses software replacement or upgrade, this is a finding.

Fix Text (F-26125r1_fix)
Develop a Configuration Management Plan or a COOP to address a life cycle methodology approach to managing production web server software.