STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification.

DISA Rule

SV-222664r508029_rule

Vulnerability Number

V-222664

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003290

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create and maintain a security classification guide.

Check Contents

If the application does not process classified information, this check is not applicable.

The application may already be covered by a higher level program or other classification guide. If the classification guide is not written specifically to the application, the sensitive application data should be reviewed to determine whether it is contained in the classification guide.

DoD 5200.01R identifies requirements for security classification and/or declassification guides.

http://www.dtic.mil/whs/directives/corres/pdf/520001_vol1.pdf

Security classification guides shall provide the following information:

Identify specific items, elements, or categories of information to be protected.

State the specific classification to be assigned to each item or element of information and, when useful, specify items of information that are unclassified.

Provide declassification instructions for each item or element of information, to include the applicable exemption category for information exempted from automatic declassification.

State a concise reason for classification for each item, element, or category of information that, at a minimum, cites the applicable classification categories in Section 1.5 of E.O. 12958.

Identify any special handling caveats that apply to items, elements, or categories of information.

Identify, by name or personal identifier and position title, the original classification authority approving the guide and the date of that approval.

Provide a point-of-contact for questions about the guide and suggestions for improvement.

For information exempted from automatic declassification because its disclosure would reveal foreign government information or violate a statute, treaty, or international agreement, the security classification guide will identify the government or specify the applicable statute, treaty, or international agreement, as appropriate.

If the security classification guide does not exist, or does not contain application data elements and their classification, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments