STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

DISA Rule

SV-222396r508029_rule

Vulnerability Number

V-222396

Group Title

SRG-APP-000014

Rule Version

APSC-DV-000160

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design and configure applications to use TLS encryption to protect the confidentiality of remote access sessions.

Check Contents

Review the application documentation and interview the system administrator.

Identify the application encryption capabilities and methods for implementing encryption protection.

For web-based applications, open the web browser and access the website URL. Use the browser to determine if the session is protected via TLS. A secure connection is usually indicated in the upper left hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session.

For non-web-based applications, determine the TCP/IP port, protocol and method used for establishing client connections to the remote server. Review application configuration settings to ensure encryption is specified and is implemented via TLS.

If the connection is not secured with TLS, this is a finding.
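
The non-web check above can be backed by a handshake probe against the port identified during the review. The following is an added example, not part of the STIG or of STIGQter; the function names, the PASS/REVIEW/FINDING labels and the loopback cleartext listener are assumptions constructed for illustration.

```python
import socket
import ssl
import threading


def check_remote_session(host, port, timeout=3.0):
    """Return (status, detail): PASS, REVIEW or FINDING for one endpoint."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "PASS", f"{tls.version()} / {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # The peer speaks TLS but its certificate is not trusted: not the
        # "no TLS" case, so hand it to the reviewer instead of failing it.
        return "REVIEW", f"TLS offered, certificate rejected: {exc.verify_message}"
    except OSError as exc:
        # Cleartext reply, refused connection, timeout or failed handshake.
        return "FINDING", f"no TLS session established: {exc}"


def start_plaintext_listener():
    """Constructed test target: a loopback service that answers in cleartext."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # consume the client's TLS hello
            conn.sendall(b"220 cleartext service ready\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_listener()
    print(check_remote_session("127.0.0.1", port))
```

A FINDING from the probe still needs to be reconciled with the application configuration review, since a service that upgrades to TLS only after a cleartext command will not answer a direct handshake.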

Documentable

False

Severity Override Guidance

Review the application documentation and interview the system administrator.

Identify the application encryption capabilities and methods for implementing encryption protection.

For web-based applications, open the web browser and access the website URL. Use the browser to determine if the session is protected via TLS. A secure connection is usually indicated in the upper left hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session.

For non-web-based applications, determine the TCP/IP port, protocol and method used for establishing client connections to the remote server. Review application configuration settings to ensure encryption is specified and is implemented via TLS.

If the connection is not secured with TLS, this is a finding.

Check Content Reference

M

Target Key

4093

Comments