CUI

STIG Rule - V-222631

V-222631

SV-222631r961863_rule

CAT II

Access privileges to the Configuration Management (CM) repository must be reviewed every three months.

From: Application Security and Development Security Technical Implementation Guide (V6R4)

Description

A Configuration Management (CM) repository is used to manage application code versions and to securely store application code. Incorrect access privileges to the CM repository can lead to malicious code or unintentional code being introduced into the application. This requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.

Documentable: false

Check Procedure

Review the application system documentation. Interview the application administrator. Identify whether development of the application is done in-house and whether an application configuration management repository exists.

If application development is not done in-house and a code configuration management repository does not exist, the requirement is not applicable.

Review CM management processes and procedures. Verify the CM repository access permissions are reviewed at least every three months. Ask the application administrator or the CM administrator when the CM access privileges were last reviewed.

If CM access privileges have not been reviewed within the last three months, this is a finding.

Fix Text

Review access privileges to the CM repository at least every three months.

CCI Reference

CCI-001795
Created
2026-04-07 20:08:09
Last Updated
2026-04-07 20:08:09