STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.

DISA Rule

SV-222393r508029_rule

Vulnerability Number

V-222393

Group Title

SRG-APP-000311

Rule Version

APSC-DV-000110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design and configure the application to assign data marking and ensure the marking is retained when the data is stored.

Check Contents

Review the application documentation and interview the application administrator.

Determine if the application processes classified, FOUO, or other data that is required to be marked and identify if the application requirements specify data markings of any other types of data.

If the application does not contain classified, FOUO, or other data that is required to be marked, this requirement is not applicable.

Review the database or other storage mechanism and have the application administrator identify and demonstrate how the application assigns and maintains data markings while the data is in storage.

Typical methods for marking data include utilizing a table or database field that contains the marking information and associating the marking information with the data.

If application data required to be marked is not marked and does not retain its marking while it is being stored, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4093