STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

A Configuration Control Board (CCB) that meets at least every release cycle for managing the Configuration Management (CM) process must be established.

DISA Rule

SV-222633r508029_rule

Vulnerability Number

V-222633

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set up and maintain a Configuration Control Board.

Check Contents

Interview the application representative and determine if application development is performed on site by the organization.

If application development is not done in house, the requirement is not applicable.

If so, determine if a CCB exists. Ask about the membership of the CCB, and identify the primary members. Ask if there is CCB charter documentation.

Interview the application representative and determine how often the CCB meets.

Ask if there is CCB charter documentation. The CCB charter documentation should indicate how often the CCB meets.

If there is no charter documentation, ask when the CCB last met and when the application was last released.

CCBs do not have to physically meet, and the CCB chair may authorize a release based on phone and/or e-mail conversations.

If there is no evidence of CCB activity or meetings prior to the last release cycle, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments