STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application development team must provide an application incident response plan.

DISA Rule

SV-222657r561287_rule

Vulnerability Number

V-222657

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003236

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.
CCI-003289 - The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.

Weight

Fix Recommendation

The development team creates an application incident response plan documenting and establishing a process that at a minimum:

- Tracks reported vulnerabilities and bugs
- Confirms reported vulnerabilities and bugs
- Tracks remediation effort
- Notifies application users of available updates that address the reported issues.

Check Contents

If the application is a COTS application and the development team is not accessible to interview this requirement is not applicable.

Interview the application development team members. Request and review the application incident response plan.

Ensure the plan includes an implemented process that:

- Tracks reported vulnerabilities and bugs
- Confirms reported vulnerabilities and bugs
- Tracks remediation effort
- Notifies application users of available updates that address the reported issues.

If the application incident response plan does not exist and at a minimum does not implement the aforementioned processes, this is a finding.

The application development team must provide an application incident response plan.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments