Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Application Security and Development Security Technical Implementation Guide
SRG-APP-000516
An Application Configuration Guide must be created and included with the application.
An Application Configuration Guide must be created and included with the application.
An XCCDF Rule
Details
Profiles
Prose
An Application Configuration Guide must be created and included with the application.
Medium Severity
<VulnDiscussion>The Application Configuration Guide is any document or collection of documents used to configure the application. These documents may be part of a user guide, secure configuration guide, or any guidance that satisfies the requirements provided herein. Configuration examples include but are not limited to: - Encryption Settings - PKI Certificate Configuration Settings - Password Settings - Auditing configuration - AD configuration - Backup and disaster recovery settings - List of hosting enclaves and network connection requirements - Deployment configuration settings - Known security assumptions, implications, system level protections, best practices, and required permissions Development systems, build systems, and test systems must operate in a standardized environment. These settings are to be documented in the Application Configuration Guide. Examples include but are not limited to: - List of development systems, build systems, and test systems. - Versions of compilers used - Build options when creating applications and components - Versions of COTS software (used as part of the application) - Operating systems and versions - For web applications, which browsers and what versions are supported. All deployment configuration settings are to be documented in the Application Configuration Guide and the Application Configuration Guide must be made available to application hosting providers and application/system administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>