Skip to content

Application Security and Development Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000386

    <GroupDescription></GroupDescription>
    Group
  • The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.

    &lt;VulnDiscussion&gt;Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Usin...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • The application must be configured to disable non-essential capabilities.

    &lt;VulnDiscussion&gt;It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objecti...
    Rule Medium Severity
  • SRG-APP-000142

    <GroupDescription></GroupDescription>
    Group
  • The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.

    &lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
    Rule Medium Severity
  • SRG-APP-000389

    <GroupDescription></GroupDescription>
    Group
  • SRG-APP-000176

    <GroupDescription></GroupDescription>
    Group
  • The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

    &lt;VulnDiscussion&gt;Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applica...
    Rule Medium Severity
  • SRG-APP-000390

    <GroupDescription></GroupDescription>
    Group
  • The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.

    &lt;VulnDiscussion&gt;Without reauthenticating devices, unidentified or unknown devices may be introduced; thereby facilitating malicious activity....
    Rule Medium Severity
  • SRG-APP-000148

    <GroupDescription></GroupDescription>
    Group
  • The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule High Severity
  • SRG-APP-000149

    <GroupDescription></GroupDescription>
    Group
  • The application must use multifactor (Alt. Token) authentication for network access to privileged accounts.

    &lt;VulnDiscussion&gt;Multifactor authentication requires using two or more factors to achieve authentication and access. Factors include: (i) som...
    Rule Medium Severity
  • SRG-APP-000391

    <GroupDescription></GroupDescription>
    Group
  • The application must electronically verify Personal Identity Verification (PIV) credentials.

    &lt;VulnDiscussion&gt;The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use...
    Rule Medium Severity
  • SRG-APP-000150

    <GroupDescription></GroupDescription>
    Group
  • The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to ...
    Rule Medium Severity
  • SRG-APP-000151

    <GroupDescription></GroupDescription>
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules