Check: WEBPL200
Web Policy STIG:
WEBPL200
(in version v1 r1)
Title
The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support. (Cat II impact)
Discussion
It is one of the primary duties of the Change Control Board (CCB) to maintain a complete and detailed inventory of hardware, software, and firmware, including version, license, and certificate information (such as expiration dates), in order to track and plan for change. This requirement is also reflected in the organization's Continuity of Operations Plan (COOP), which forms the basis of contingency planning and recovery.

Expired licenses, certificates, and support agreements for software, firmware, and hardware can lead to outages of availability, so a process should be in place to keep these current within the time frame the organization determines. Vendor agreements, contact numbers, and support identification protocols should likewise be maintained, kept current, and readily available to the CCB, the IAO, and the SA for the production web server.

Software that has fallen out of warranty and is no longer supported by the vendor presents a significant risk to the computing environment. Once the vendor stops supporting the software, it no longer supplies patches, leaving the organization exposed to attacks against known weaknesses. Unsupported software also normally drops out of vulnerability notices such as IAVMs and CVEs, because vendors stop reporting issues in products they no longer support; the absence of a notice is therefore not evidence that the software is safe. Note that software that fails to meet DoD security guidelines may be denied connection to the network.
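The discussion above calls for an inventory that carries version, support and certificate dates so that migration can be planned before patch support ends. As an added example (not part of the STIG text, and not a tool the STIG prescribes), the script below runs that kind of review over a constructed inventory: hosts, product names, dates and the 180-day and 30-day lead times are all invented assumptions, chosen only to show the three conditions a reviewer would flag.

```python
"""Flag production web servers whose vendor security-patch support is ending
without a documented migration plan, plus certificates about to expire.

Constructed example: the inventory below is invented sample data, and the
field names, lead times and finding labels are assumptions, not STIG text.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WebServerAsset:
    host: str
    product: str
    version: str
    patch_support_ends: date   # date the vendor drops security patches
    cert_expires: date         # expiry of the server's TLS certificate
    migration_plan: bool       # formal upgrade/removal plan recorded in CM plan or COOP


# Constructed inventory entries (hypothetical hosts, products and dates).
INVENTORY = [
    WebServerAsset("www1.example.mil", "ExampleHTTPd", "2.2", date(2024, 1, 31), date(2025, 6, 1), False),
    WebServerAsset("www2.example.mil", "ExampleHTTPd", "2.4", date(2025, 9, 30), date(2025, 4, 15), True),
    WebServerAsset("www3.example.mil", "ExampleHTTPd", "2.4", date(2025, 8, 1), date(2026, 1, 1), False),
    WebServerAsset("www4.example.mil", "OtherWeb", "9.1", date(2027, 1, 1), date(2026, 3, 1), False),
]


def assess(inventory, today, plan_lead_days=180, cert_lead_days=30):
    """Return a list of (host, finding) tuples, in inventory order.

    - "UNSUPPORTED": patch support has already ended; a finding whether or
      not a plan exists, because no patches are being produced.
    - "NO_MIGRATION_PLAN": support ends within plan_lead_days and no formal
      migration plan is recorded.
    - "CERT_EXPIRING": certificate expires within cert_lead_days, which the
      discussion treats as an availability risk the CCB must track.
    """
    findings = []
    for asset in inventory:
        days_left = (asset.patch_support_ends - today).days
        if days_left <= 0:
            findings.append((asset.host, "UNSUPPORTED"))
        elif days_left <= plan_lead_days and not asset.migration_plan:
            findings.append((asset.host, "NO_MIGRATION_PLAN"))
        if (asset.cert_expires - today).days <= cert_lead_days:
            findings.append((asset.host, "CERT_EXPIRING"))
    return findings


def report(today_iso):
    """Assess the constructed INVENTORY as of an ISO date string (YYYY-MM-DD)."""
    return assess(INVENTORY, date.fromisoformat(today_iso))


def is_compliant(today_iso):
    """True only when no asset in INVENTORY triggers a finding on that date."""
    return not report(today_iso)


if __name__ == "__main__":
    for host, finding in report("2025-04-01"):
        print(f"{host}: {finding}")
```

Run as of 2025-04-01, the constructed inventory yields three findings: www1 is already unsupported, www2 has a certificate expiring within 30 days, and www3 loses patch support within 180 days with no plan on file; www4 is clean. The lead times are tunable because the STIG leaves the "timely fashion" to the organization; what matters for the check is that the dates are tracked and the plan exists before the vendor date arrives.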
Check Content
Query the IAO to determine whether the site has a detailed process, as part of its Configuration Management Plan or COOP, to prevent the use of unsupported software and to upgrade web server software. If the web server staff cannot provide a copy of a Configuration Management Plan or COOP that addresses software replacement or upgrade, this is a finding.
Fix Text
Develop a Configuration Management Plan or a COOP that applies a life-cycle methodology to managing production web server software, including removal or upgrade before the vendor drops security patch support.
Additional Identifiers
Rule ID: SV-28754r1_rule
Vulnerability ID: V-23819
Group Title: Change Management policies
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |