Check: APSC-DV-003260
Application Security and Development STIG (in versions v5 r3 through v4 r2)
Title
Procedures must be in place to notify users when an application is decommissioned. (Cat III impact)
Discussion
When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application support staff should maintain procedures for decommissioning. The decommissioning process should include notifying users of the pending decommissioning event. If users are not informed of the decommissioning event, attackers may be able to stand up a similar-looking system and fool users into attempting to log onto the duplicate system. The notification can be as simple as a banner informing users. This risk is primarily geared towards insider threat scenarios and externally accessible applications that provide access to publicly releasable data, but the control should also be applied to internal systems as a best practice.
Check Content
Interview the application representative to determine if provisions are in place to notify users when an application is decommissioned. If provisions are not in place to notify users when an application is decommissioned, this is a finding.
Fix Text
Create and establish procedures to notify users when an application is decommissioned.
Additional Identifiers
Rule ID: SV-222660r879887_rule
Vulnerability ID: V-222660
Group Title: SRG-APP-000516
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-003374 | The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs.