STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The Configuration Management (CM) repository must be properly patched and STIG compliant.

DISA Rule

SV-222630r508029_rule

Vulnerability Number

V-222630

Group Title

SRG-APP-000516

Rule Version

APSC-DV-002995

Severity

CAT II

CCI(s)

CCI-001795 - The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Patch the CM system when new security patches are made available and apply the relevant STIGs.

Check Contents

Review the application system documentation and interview the application administrator.

Identify if the STIG is being applied to application developers or organizations responsible for code management or who have and operate an application CM repository. If this is not the case, the requirement is not applicable.

Review CM patch management processes and procedures. Have the system and CM admins demonstrate their patch management processes and verify the system has the latest security patches applied.

Review the ATO documentation and verify the system that operates the CM repository software has had all relevant STIGs applied.

If CM repository is not at the latest security patch level and is not operating on a STIG compliant system, this is a finding.

The Configuration Management (CM) repository must be properly patched and STIG compliant.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments