Application Security and Development STIG Version Comparison
Application Security and Development Security Technical Implementation Guide
Comparison
There are 7 differences between versions v6 r1 (July 24, 2024) (the "left" version) and v6 r3 (April 2, 2025) (the "right" version).
Check APSC-DV-001910 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
The application must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
Check Content
Review the application documentation and interview the application administrator to identify application access methods. If the application is not PKI-enabled due to the hosted data being publicly releasable, this check is Not Applicable. If the application is only deployed to SIPRnet, this requirement is Not Applicable. If the application is not intended to be available to federal government partners this requirement is Not Applicable. This requirement applies to DOD service providers who are relying parties of external (federal government) identity providers. Ask the application administrator to demonstrate how the application conforms to FICAM issued profiles such as SAML or OPENID. If the application is designed to be a service provider utilizing an external identify provider and doesn't does not conform to FICAM-issued profiles, this is a finding.
Discussion
FICAM establishes a federated identity framework for the federal government. FICAM provides government-wide governmentwide services for common Identity, Credential, and Access Management (ICAM) requirements. The FICAM Trust Framework Solutions (TFS) is the federated identity framework for the U.S. federal government. government. The The TFS is a process by which Industry Trust Frameworks (The (the codification of requirements for credentials and their issuance, privacy and security requirements, as well as auditing qualifications and processes) are evaluated and assessed for potential use by the government. This requirement only applies to applications that are intended to be accessible to nonfederal government agencies and other partners or nonorganizational (non-DOD) users. Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0, OpenID 2.0 or other protocols such as the FICAM backend Attribute Exchange. This requirement addresses open identity management standards. More information regarding these standards is available here: info.idmanagement.gov/2012/10/what-are-ficam-technical-profiles-and.html https://www.idmanagement.gov/fpki/#federal-pki-policies-and-profiles
Fix
Configure the application to conform to FICAM-issued technical profiles when providing services that rely on external (federal government) identity providers.