STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.

DISA Rule

SV-222395r508029_rule

Vulnerability Number

V-222395

Group Title

SRG-APP-000314

Rule Version

APSC-DV-000130

Severity

CAT II

CCI(s)

• CCI-002264 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.

Weight

10

Fix Recommendation

Design and configure the application to retain the data marking when transmitting data.

Check Contents

Review the application documentation and interview the application administrator.

Identify if the application requirements include data marking also determine if the application processes classified, FOUO or other data that is required to be marked.

Access the user interface for the application and navigate through the application. Perform an application action that will transmit marked data that is contained within the application.

If the application does not contain classified, FOUO or have data marking requirements, or if the application does not transmit data, this requirement is not applicable.

E.g., create a test record and assign a data marking to the data element. Save the test record, close the data entry fields and navigate to display the test record. Initiate the application processes to transmit data. Access remote system or have person with access to remote system verify the data marking is retained after the data transmission.

If application data required to be marked does not retain its marking when it is being transmitted by the application, this is a finding.

Vulnerability Number

V-222395

Documentable

False

Rule Version

APSC-DV-000130

Severity Override Guidance

Review the application documentation and interview the application administrator.

Identify if the application requirements include data marking also determine if the application processes classified, FOUO or other data that is required to be marked.

Access the user interface for the application and navigate through the application. Perform an application action that will transmit marked data that is contained within the application.

If the application does not contain classified, FOUO or have data marking requirements, or if the application does not transmit data, this requirement is not applicable.

E.g., create a test record and assign a data marking to the data element. Save the test record, close the data entry fields and navigate to display the test record. Initiate the application processes to transmit data. Access remote system or have person with access to remote system verify the data marking is retained after the data transmission.

If application data required to be marked does not retain its marking when it is being transmitted by the application, this is a finding.

Check Content Reference

M

Target Key

4093

Comments