Check: APSC-DV-002970
Application Security and Development STIG: APSC-DV-002970
(in versions v5 r3 through v4 r2)
Title
The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. (Cat II impact)
Discussion
Not all COTS products are covered by a STIG. Products not covered by a STIG should follow commercially accepted best practices, independent testing results, and vendor lock-down guides and recommendations, where these are available.
Check Content
Review the application documentation to identify the application name, features, and version. Identify whether a DoD STIG or NSA guide is available. If no STIG is available for the product, the application and application components must be configured by the following, as available:
- commercially accepted practices,
- independent testing results, or
- vendor literature and lock-down guides.
If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to commercially accepted practices, independent testing results, or vendor literature and lock-down guides, this is a finding.
Fix Text
Configure the application according to the product STIG or, when a STIG is not available, utilize:
- commercially accepted practices,
- independent testing results, or
- vendor literature and lock-down guides.
Additional Identifiers
Rule ID: SV-222627r879887_rule
Vulnerability ID: V-222627
Group Title: SRG-APP-000516
CCIs
Number | Definition
---|---
CCI-000363 | The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings