V-222627
SV-222627r961863_rule
CAT II
The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.
From: Application Security and Development Security Technical Implementation Guide (V6R4)
Description
Not all COTS products are covered by a STIG. Products not covered by a STIG should follow commercially accepted best practices, independent testing results, and vendor lockdown guides and recommendations, where these are available.
Check Procedure
Review the application documentation to identify application name, features and version.
Identify if a DoD STIG or NSA guide is available.
If no STIG is available for the product, the application and application components must be configured by the following as available:
- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.
If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to:
- commercially accepted practices,
- independent testing results, or
- vendor literature and lockdown guides,
this is a finding.
Fix Text
Configure the application according to the product STIG or, when a STIG is not available, according to:
- commercially accepted practices,
- independent testing results, or
- vendor literature and lockdown guides.
CCI Reference
CCI-000363
Created: 2026-04-07 20:08:09
Last Updated: 2026-04-07 20:08:09