SV-222535r508029_rule
V-222535
SRG-APP-000163
APSC-DV-001670
CAT II
10
Configure the application to disable device accounts after 35 days of inactivity or to utilize DoD PKI certificates that provide an expiration date.
Review the application documentation and interview the application administrator.
If the application is not designed to authenticate devices (such as mobile phones, gateways or other smart devices), or uses DoD PKI certificates to authenticate these devices, this requirement is NA.
Access the user management interface for the application.
Identify application device IDs.
If the application utilizes approved certificates or a centralized authentication store (Active Directory or LDAP) as the authoritative source for application authentication, and the authentication store is configured to meet the requirement to disable device IDs after 35 days of inactivity, this is not a finding.
Accounts such as guest and anonymous as well as roles and groups or other identities used to operate the application or to provide limited guest access are not applicable.
Access the application user management interface and review the account settings that pertain to devices.
Verify the application is configured to disable device accounts that have not been active or logged into the application for the past 35 days.
If the application does not disable accounts used to authenticate devices after 35 days of inactivity, this is a finding.
False
M
4093