Configuration management policies are available to the SA and the web administrator.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23836	WEBPL131	SV-28772r1_rule	DCPR-1 ECPC-1	Low

Description
A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability, and confidentiality by governing the change process, which is necessary to ensure that unapproved and malformed software, or unapproved configuration changes, are not introduced into the production environment. It should include, but may not be limited to, auditing change, the use of automated change controls, limiting change to authorized personnel with regard to direct changes to production software, and lists of approved or disapproved software.

Description

A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability, and confidentiality by governing the change process, which is necessary to ensure that unapproved and malformed software, or unapproved configuration changes, are not introduced into the production environment. It should include, but may not be limited to, auditing change, the use of automated change controls, limiting change to authorized personnel with regard to direct changes to production software, and lists of approved or disapproved software.

STIG	Date
Web Policy STIG	2011-10-03

Details

Check Text ( C-29197r1_chk )
If an MOU or an SLA exists between a hosting agency and the information owner, those documents will address the requirement presented in this check. If the hosting agency is responsible for CM, it will provide the proof. If the information owner is responsible for CM, it will provide assurance and supporting information to the hosting agency. The reviewer will have access to this documentation and any supporting materials. The SA and or the web administrator should be in possession of or have access to the most recent Configuration Management Policy as developed by the organization. They should also be able to demonstrate policy compliance. Review the risk assessment, security plan, and any supplements necessary to verify that these procedures are documented. Required elements of CM: 1. An indication of who approves the changes to both administrative configuration changes and the software installed on the production web server. 2. A process that documents and audits web server configuration and web server software changes, approvals, and disapprovals. 3. A process or policy that addresses procedures with regard to what may or may not be configured, changed, or implemented. If a Change Management Policy does not exist, or compliance cannot be demonstrated, this is a finding.

Check Text ( C-29197r1_chk )

If an MOU or an SLA exists between a hosting agency and the information owner, those documents will address the requirement presented in this check. If the hosting agency is responsible for CM, it will provide the proof. If the information owner is responsible for CM, it will provide assurance and supporting information to the hosting agency.

The reviewer will have access to this documentation and any supporting materials.

The SA and or the web administrator should be in possession of or have access to the most recent Configuration Management Policy as developed by the organization. They should also be able to demonstrate policy compliance.

Review the risk assessment, security plan, and any supplements necessary to verify that these procedures are documented.

Required elements of CM:
1. An indication of who approves the changes to both administrative configuration changes and the software installed on the production web server.

2. A process that documents and audits web server configuration and web server software changes, approvals, and disapprovals.

3. A process or policy that addresses procedures with regard to what may or may not be configured, changed, or implemented.

If a Change Management Policy does not exist, or compliance cannot be demonstrated, this is a finding.

Fix Text (F-26218r1_fix)
Documented CM policies and procedures will be made available to the IAO, the SA, or the web administrator.