May I deploy a product if no STIG exists? I hope this helps you in your justification and position that all DoD application are subject to AI guidance as they are developed or acquired. It is the Scope paragraph that makes the connection back to the 8500.1 language. Later in the same paragraph it does specifically call out custom developed systems. The Scope section of the Application Security and Development STIG does specifically go on to state that this guidance is a requirement for all DoD developed, architected, and administered applications and systems connected to DoD networks.
#Alternative to blackberry link update
I have recommended this language update to the Authority paragraph for future releases of STIGs. However, absence of text stating authority for other application developments should not be used to supersede or exempt any application development from being subject to the 8500.1 guidance. An argument could be made that the STIG text in the Authority section could be made more complete, with better alignment to the 8500.1 language. The Authority section does quote specifics surrounding AI-enabled applications, which are defined as having specific AI considerations and impacts. The Application Security and Development STIG The second consideration is the Application Security and Development STIG itself. To summarize, DISA consensus has always been that the 8500.1 directive applies to all DoD compute assets, unless specifically exempted (such as weapons systems for war fighters). Section 4 (Policy) then goes on to address IA-enabled entities as a separate item.Įnclosure 2 (definitions) contains definitions for Application, DoD Information System, and other terms used in this document.
Section 4 (Policy) paragraph 4.13: All DoD information systems shall be certified and accredited in accordance with DoD instruction 5200.40 (reference (U)). The directive also states as policy: Section 4 (Policy) paragraph 4.1: IA requirements will be identified and included in the design, acquisition, installation, operation, upgrade, or replacement of all DOD information systems ….The directive applies to all applications: Section 2 (Ability and Scope) Paragraph 2.1.2: All DoD-owned, or controlled information systems that receive, process, store, display, or transmit DoD information, regardless of mission assurance category, classification or sensitivity ….The most direct path to your answer appears in the DoD Directive 8500.1 as follows: Please use the Application Server SRG which can be found here: LinkĪre all applications subject to the Application Security and Development STIG? Tomcat AS 8.x STIG – There are no current plans to develop a STIG.Please use the Application Server SRG which can be found here: Link Tomcat AS 7.x STIG – There are no current plans to develop a STIG.Tomcat AS 6.x STIG – There are no current plans to develop a STIG.Please use Oracle 12c Database STIG which can be found here: Link Oracle 18c Release 3 Database STIG – There are no current plans to develop a STIG.Oracle 12c Release 2 Database STIG – There are no current plans to develop a STIG.The Microsoft SharePoint 2010 STIG should be used and can be found here: Link
Microsoft SharePoint 2007 – No STIG was released for Microsoft SharePoint 2007.Microsoft IIS 10 STIG – The current guidance for IIS 10 is to apply the recent IIS 8.5 STIG and can be found here: Link.Please refer to the Microsoft IIS 8.5 Overview document for specifics as to what features and requirements in the Microsoft IIS 8.5 STIG would not apply. There are Microsoft IIS 8.5 features that are not supported by Microsoft IIS 8.0 and would be NOT APPLICABLE in an Microsoft IIS 8.0 environment. Please use the Microsoft IIS 8.5 STIG which can be found here: Link. Microsoft IIS 8.0 STIG – There are no current plans to develop a STIG.Microsoft IIS 7.5 STIG – There are no current plans to develop a STIG.
0 kommentar(er)
