STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

DISA Rule

SV-222427r508029_rule

Vulnerability Number

V-222427

Group Title

SRG-APP-000038

Rule Version

APSC-DV-000480

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the application to enforce data flow control in accordance with data flow control policies.

Check Contents

Review the application documentation and interview the application and system administrators.

Review application features and functions to determine if the application is designed to control the flow of information within the system.
Identify:

- rulesets,
- data labels, and
- policies

to determine if the application is designed to control the flow of data within the system.

If the application does not provide data flow control capabilities, the requirement is not applicable.

Access the system as a user with access rights that allow the creation of test data or use of existing test data.

Create a test data set and label the data with a data label provided with or by the application, e.g., Personally Identifiable Information (PII) data.

Review the policy to determine where in the system the PII labeled data is allowed and is not allowed to go.

Using application features and functions, attempt to transmit the labeled data to an area that is prohibited by policy.

Verify the flow control policy was enforced and the data was not transmitted.

If the application does not enforce the approved authorizations for controlling data flow, this is a finding.

Vulnerability Number

V-222427

Documentable

False

Rule Version

APSC-DV-000480

Severity Override Guidance

Review the application documentation and interview the application and system administrators.

Review application features and functions to determine if the application is designed to control the flow of information within the system.
Identify:

- rulesets,
- data labels, and
- policies

to determine if the application is designed to control the flow of data within the system.

If the application does not provide data flow control capabilities, the requirement is not applicable.

Access the system as a user with access rights that allow the creation of test data or use of existing test data.

Create a test data set and label the data with a data label provided with or by the application, e.g., Personally Identifiable Information (PII) data.

Review the policy to determine where in the system the PII labeled data is allowed and is not allowed to go.

Using application features and functions, attempt to transmit the labeled data to an area that is prohibited by policy.

Verify the flow control policy was enforced and the data was not transmitted.

If the application does not enforce the approved authorizations for controlling data flow, this is a finding.

Check Content Reference

M

Target Key

4093

Comments