Skip to content
Catalogs
XCCDF
Application Security and Development Security Technical Implementation Guide
SRG-APP-000516
A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.
A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. An XCCDF Rule
A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.
Medium Severity
<VulnDiscussion>Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control.
Without an SCM plan that addresses code security issues, code releases can be tracked and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application.
This requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application configuration management repository (CMR).
The SCM plan identifies all objects created during the development process subject to configuration control.
The SCM plan maintains procedures for identifying individual application components, as well as, entire application releases during all phases of the software development lifecycle.
The SCM plan identifies and tracks all actions and changes resulting from a change request from initiation to release.
The SCM plan contains procedures to identify, document, review, and authorize any change requests to the application.
The SCM plan defines the responsibilities, the actions to be performed, the tools, techniques and methodologies, and defines an initial set of baselined software components.
The SCM plan objects have security classifications labels.
The SCM plan identifies tools and version numbers used in the software development lifecycle.
The SCM plan identifies mechanisms for controlled access of simultaneous individuals updating the same application component.
The SCM plan assures only authorized changes by authorized persons are possible.
The SCM plan identifies mechanisms to control access and audit changes between different versions of objects subject to configuration control.
The SCM plan identifies mechanisms to track and audit all modifications of objects under configuration control. Audits include the originator and date and time of the modification.
The SCM plan should contain the following:
- Description of the configuration control and change management process
- Types of objects developed
- Roles and responsibilities of the organization
The SCM plan should also contain the following:
- Defined responsibilities
- Actions to be performed
- Tools used in the process
- Techniques and methodologies
- Initial set of baselined software components
The SCM plan should identify all objects that are under configuration management control.
The SCM plan should identify third-party tools and respective version numbers.
The SCM plan should identify mechanisms for controlled access of individuals simultaneously updating the same application component.
The SCM plan assures only authorized changes by authorized persons are allowed.
The SCM plan should identify mechanisms to control access and audit changes between different versions of objects subject to configuration control.
The SCM plan should have procedures for label versions of application components and application builds under configuration management control.
The configuration management repository (CMR) should track change requests from beginning to end.
The configuration management repository (CMR) should authorize change requests to the application.
The configuration management repository (CMR) should contain security classification labels for code and documentation in the repository. Classification labels are not applicable to unclassified systems.
The configuration management repository (CMR) should monitor all objects under CMR control for auditing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>