JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
The categories list for each CodeSonar warning includes any relevant "Finding ID" identifiers from the DISA Application Security and Development STIG.
A broader set of correspondences is shown in Broad Mappings: DISA STIGs.
CSV versions of these tables are provided in DISA-6r1-mapping.csv, DISA-5r3-mapping.csv, DISA-4r3-mapping.csv, and DISA-3r10-mapping.csv.
The categories list for each CodeSonar warning includes any relevant "Finding ID" identifiers from the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG).
We provide mappings for the following versions of the Application Security and Development STIG.
For this version of CodeSonar (9.2p0), the most recent version of the STIG for which mappings are provided is Version 6, Release 1, published June 5, 2024.
The following table shows the CodeSonar warning classes that are associated with DISA STIGs.
(STIG release date June 5, 2024)
A CSV version of this table is provided in DISA-6r1-mapping.csv
| DISA-6r1 | Severity | C/C++ Warning Classes | Ada Warning Classes | Java Warning Classes | C# Warning Classes | Kotlin Warning Classes | Python Warning Classes |
|---|---|---|---|---|---|---|---|
| DISA-6r1:V-222387 The application must provide a capability to limit the number of logon sessions per user. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222388 The application must clear temporary storage and cookies when the session is terminated. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222389 The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222390 The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222391 Applications requiring user access authentication must provide a logoff capability for user initiated communication session. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222392 The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. | low | - | - | - | - | - | - |
| DISA-6r1:V-222393 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222394 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222395 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222396 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | medium | - | - | - | - | - | |
| DISA-6r1:V-222397 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | medium | - | - | - | - | - | |
| DISA-6r1:V-222398 Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222399 Messages protected with WS_Security must use time stamps with creation and expiration times. | high | - | - | - | - | - | - |
| DISA-6r1:V-222400 Validity periods must be verified on all application messages using WS-Security or SAML assertions. | high | - | - | - | - | - | - |
| DISA-6r1:V-222401 The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222402 The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222403 The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | high | - | - | - | - | - | - |
| DISA-6r1:V-222404 The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | high | - | - | - | - | - | - |
| DISA-6r1:V-222405 The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222406 The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222407 The application must provide automated mechanisms for supporting account management functions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222408 Shared/group account credentials must be terminated when members leave the group. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222409 The application must automatically remove or disable temporary user accounts 72 hours after account creation. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222410 The application must have a process, feature or function that prevents removal or disabling of emergency accounts. | low | - | - | - | - | - | - |
| DISA-6r1:V-222411 The application must automatically disable accounts after a 35 day period of account inactivity. | low | - | - | - | - | - | - |
| DISA-6r1:V-222412 Unnecessary application accounts must be disabled, or deleted. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222413 The application must automatically audit account creation. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222414 The application must automatically audit account modification. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222415 The application must automatically audit account disabling actions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222416 The application must automatically audit account removal actions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222417 The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created. | low | - | - | - | - | - | - |
| DISA-6r1:V-222418 The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are modified. | low | - | - | - | - | - | - |
| DISA-6r1:V-222419 The application must notify system administrators (SAs) and information system security officers (ISSOs) of account disabling actions. | low | - | - | - | - | - | - |
| DISA-6r1:V-222420 The application must notify system administrators (SAs) and information system security officers (ISSOs) of account removal actions. | low | - | - | - | - | - | - |
| DISA-6r1:V-222421 The application must automatically audit account enabling actions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222422 The application must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions. | low | - | - | - | - | - | - |
| DISA-6r1:V-222423 Application data protection requirements must be identified and documented. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222424 The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222425 The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | high | - | - | - | - | - | - |
| DISA-6r1:V-222426 The application must enforce organization-defined discretionary access control policies over defined subjects and objects. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222427 The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222428 The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222429 The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222430 The application must execute without excessive account permissions. | high | - | - | - | - | - | - |
| DISA-6r1:V-222431 The application must audit the execution of privileged functions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222432 The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. | high | - | - | - | - | - | - |
| DISA-6r1:V-222433 The application administrator must follow an approved process to unlock locked user accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222434 The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | low | - | - | - | - | - | - |
| DISA-6r1:V-222435 The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | low | - | - | - | - | - | - |
| DISA-6r1:V-222436 The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | low | - | - | - | - | - | - |
| DISA-6r1:V-222437 The application must display the time and date of the users last successful logon. | low | - | - | - | - | - | - |
| DISA-6r1:V-222438 The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222439 For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222441 The application must provide audit record generation capability for the creation of session IDs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222442 The application must provide audit record generation capability for the destruction of session IDs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222443 The application must provide audit record generation capability for the renewal of session IDs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222444 The application must not write sensitive data into the application logs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222445 The application must provide audit record generation capability for session timeouts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222446 The application must record a time stamp indicating when the event occurred. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222447 The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222448 The application must provide audit record generation capability for connecting system IP addresses. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222449 The application must record the username or user ID of the user associated with the event. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222450 The application must generate audit records when successful/unsuccessful attempts to grant privileges occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222451 The application must generate audit records when successful/unsuccessful attempts to access security objects occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222452 The application must generate audit records when successful/unsuccessful attempts to access security levels occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222453 The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222454 The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222455 The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222456 The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222457 The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222458 The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222459 The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222460 The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222461 The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222462 The application must generate audit records when successful/unsuccessful logon attempts occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222463 The application must generate audit records for privileged activities or other system-level access. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222464 The application must generate audit records showing starting and ending time for user access to the system. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222465 The application must generate audit records when successful/unsuccessful accesses to objects occur. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222466 The application must generate audit records for all direct access to the information system. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222467 The application must generate audit records for all account creations, modifications, disabling, and termination events. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222468 The application must initiate session auditing upon startup. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222469 The application must log application shutdown events. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222470 The application must log destination IP addresses. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222471 The application must log user actions involving access to data. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222472 The application must log user actions involving changes to data. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222473 The application must produce audit records containing information to establish when (date and time) the events occurred. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222474 The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222475 When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222476 The application must produce audit records that contain information to establish the outcome of the events. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222477 The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222478 The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222479 The application must implement transaction recovery logs when transaction based. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222480 The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222481 The application must off-load audit records onto a different system or media than the system being audited. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222482 The application must be configured to write application logs to a centralized log repository. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222483 The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222484 Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222485 The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222486 The application must shut down by default upon audit failure (unless availability is an overriding concern). | medium | - | - | - | - | - | - |
| DISA-6r1:V-222487 The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222488 The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222489 The application must provide an audit reduction capability that supports on-demand reporting requirements. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222490 The application must provide an audit reduction capability that supports on-demand audit review and analysis. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222491 The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222492 The application must provide a report generation capability that supports on-demand audit review and analysis. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222493 The application must provide a report generation capability that supports on-demand reporting requirements. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222494 The application must provide a report generation capability that supports after-the-fact investigations of security incidents. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222495 The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222496 The application must provide a report generation capability that does not alter original content or time ordering of audit records. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222497 The applications must use internal system clocks to generate time stamps for audit records. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222498 The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | medium | - | - | - | - | - | - |
| DISA-6r1:V-222499 The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222500 The application must protect audit information from any type of unauthorized read access. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222501 The application must protect audit information from unauthorized modification. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222502 The application must protect audit information from unauthorized deletion. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222503 The application must protect audit tools from unauthorized access. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222504 The application must protect audit tools from unauthorized modification. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222505 The application must protect audit tools from unauthorized deletion. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222506 The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222507 The application must use cryptographic mechanisms to protect the integrity of audit information. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222508 Application audit tools must be cryptographically hashed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222509 The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222510 The application must prohibit user installation of software without explicit privileged status. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222511 The application must enforce access restrictions associated with changes to application configuration. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222512 The application must audit who makes configuration changes to the application. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222513 The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222514 The applications must limit privileges to change the software resident within software libraries. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222515 An application vulnerability assessment must be conducted. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222516 The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222517 The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222518 The application must be configured to disable non-essential capabilities. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222519 The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222520 The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222521 The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222522 The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | high | - | - | - | - | - | - |
| DISA-6r1:V-222523 The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222524 The application must accept Personal Identity Verification (PIV) credentials. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222525 The application must electronically verify Personal Identity Verification (PIV) credentials. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222526 The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222527 The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222528 The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to nonprivileged accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222529 The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222530 The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222531 The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222532 The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222533 The application must authenticate all network connected endpoint devices before establishing any connection. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222534 Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222535 The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222536 The application must enforce a minimum 15-character password length. | high | - | - | - | - | - | - |
| DISA-6r1:V-222537 The application must enforce password complexity by requiring that at least one uppercase character be used. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222538 The application must enforce password complexity by requiring that at least one lowercase character be used. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222539 The application must enforce password complexity by requiring that at least one numeric character be used. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222540 The application must enforce password complexity by requiring that at least one special character be used. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222541 The application must require the change of at least eight of the total number of characters when passwords are changed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222542 The application must only store cryptographic representations of passwords. | high | - | - | - | - | - | |
| DISA-6r1:V-222543 The application must transmit only cryptographically-protected passwords. | high | - | - | - | - | - | |
| DISA-6r1:V-222544 The application must enforce 24 hours/1 day as the minimum password lifetime. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222545 The application must enforce a 60-day maximum password lifetime restriction. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222546 The application must prohibit password reuse for a minimum of five generations. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222547 The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222548 The application password must not be changeable by users other than the administrator or the user with which the password is associated. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222549 The application must terminate existing user sessions upon account deletion. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222550 The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | high | - | - | - | - | - | - |
| DISA-6r1:V-222551 The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | high | - | - | - | - | - | - |
| DISA-6r1:V-222552 The application must map the authenticated identity to the individual user or group account for PKI-based authentication. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222553 The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222554 The application must not display passwords/PINs as clear text. | high | - | - | - | - | - | - |
| DISA-6r1:V-222555 The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | high | - | - | - | - | - | - |
| DISA-6r1:V-222556 The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | medium | - | - | - | - | - | - |
| DISA-6r1:V-222557 The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222558 The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222559 The application must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222560 The application must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222561 Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222562 Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222563 Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222564 Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222565 The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222566 The application must terminate all sessions and network connections when nonlocal maintenance is completed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222567 The application must not be vulnerable to race conditions. | medium | - | - | - | - | - | |
| DISA-6r1:V-222568 The application must terminate all network connections associated with a communications session at the end of the session. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222570 The application must utilize FIPS-validated cryptographic modules when signing application components. | medium | - | - | - | - | - | |
| DISA-6r1:V-222571 The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | medium | - | - | - | - | - | |
| DISA-6r1:V-222572 The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. | medium | - | - | - | - | - | |
| DISA-6r1:V-222573 Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222574 The application user interface must be either physically or logically separated from data storage and management interfaces. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222575 The application must set the HTTPOnly flag on session cookies. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222576 The application must set the secure flag on session cookies. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222577 The application must not expose session IDs. | high | - | - | - | - | - | - |
| DISA-6r1:V-222578 The application must destroy the session ID value and/or cookie on logoff or browser close. | high | - | - | - | - | - | - |
| DISA-6r1:V-222579 Applications must use system-generated session identifiers that protect against session fixation. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222580 Applications must validate session identifiers. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222581 Applications must not use URL embedded session IDs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222582 The application must not re-use or recycle session IDs. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222583 The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. | medium | - | - | - | - | - | |
| DISA-6r1:V-222584 The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222585 The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | high | - | - | - | - | - | - |
| DISA-6r1:V-222586 In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222587 The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222588 The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222589 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. | medium | - | - | - | - | - | |
| DISA-6r1:V-222590 The application must isolate security functions from non-security functions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222591 The application must maintain a separate execution domain for each executing process. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222592 Applications must prevent unauthorized and unintended information transfer via shared system resources. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222593 XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222594 The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222595 The web service design must include redundancy mechanisms when used with high-availability systems. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222596 The application must protect the confidentiality and integrity of transmitted information. | high | - | - | - | - | - | |
| DISA-6r1:V-222597 The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | medium | - | - | - | - | - | - |
| DISA-6r1:V-222598 The application must maintain the confidentiality and integrity of information during preparation for transmission. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222599 The application must maintain the confidentiality and integrity of information during reception. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222600 The application must not disclose unnecessary information to users. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222601 The application must not store sensitive information in hidden fields. | high | - | - | - | - | - | - |
| DISA-6r1:V-222602 The application must protect from Cross-Site Scripting (XSS) vulnerabilities. | high | - | - | - | - | ||
| DISA-6r1:V-222603 The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222604 The application must protect from command injection. | high | - | - | ||||
| DISA-6r1:V-222605 The application must protect from canonical representation vulnerabilities. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222606 The application must validate all input. | medium | - | - | - | - | - | |
| DISA-6r1:V-222607 The application must not be vulnerable to SQL Injection. | high | - | - | ||||
| DISA-6r1:V-222608 The application must not be vulnerable to XML-oriented attacks. | high | - | - | - | |||
| DISA-6r1:V-222609 The application must not be subject to input handling vulnerabilities. | high | - | - | - | - | - | |
| DISA-6r1:V-222610 The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222611 The application must reveal error messages only to the ISSO, ISSM, or SA. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222612 The application must not be vulnerable to overflow attacks. | high |
|
- | - | - | - | - |
| DISA-6r1:V-222613 The application must remove organization-defined software components after updated versions have been installed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222614 Security-relevant software updates and patches must be kept up to date. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222615 The application performing organization-defined security functions must verify correct operation of security functions. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222616 The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222617 The application must notify the ISSO and ISSM of failed security verification tests. | low | - | - | - | - | - | - |
| DISA-6r1:V-222618 Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222619 The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222620 Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | high | - | - | - | - | - | - |
| DISA-6r1:V-222621 The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222622 The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222623 The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222624 The ISSO must ensure active vulnerability testing is performed. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222625 Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222626 The designer must ensure the application does not store configuration and control files in the same directory as user data. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222627 The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222628 New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM) | medium | - | - | - | - | - | - |
| DISA-6r1:V-222629 The application must be registered with the DoD Ports and Protocols Database. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222630 The Configuration Management (CM) repository must be properly patched and STIG compliant. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222631 Access privileges to the Configuration Management (CM) repository must be reviewed every three months. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222632 A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222633 A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222634 The application services and interfaces must be compatible with and ready for IPv6 networks. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222635 The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222636 A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222637 Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222638 Data backup must be performed at required intervals in accordance with DoD policy. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222639 Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite). | medium | - | - | - | - | - | - |
| DISA-6r1:V-222640 Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222641 The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222642 The application must not contain embedded authentication data. | high | - | - | - | - | - | |
| DISA-6r1:V-222643 The application must have the capability to mark sensitive/classified output when required. | high | - | - | - | - | - | - |
| DISA-6r1:V-222644 Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed. | low | - | - | - | - | - | - |
| DISA-6r1:V-222645 Application files must be cryptographically hashed prior to deploying to DoD operational networks. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222646 At least one tester must be designated to test for security flaws in addition to functional testing. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222647 Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. | low | - | - | - | - | - | - |
| DISA-6r1:V-222648 An application code review must be performed on the application. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222649 Code coverage statistics must be maintained for each release of the application. | low | - | - | - | - | - | - |
| DISA-6r1:V-222650 Flaws found during a code review must be tracked in a defect tracking system. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222651 The changes to the application must be assessed for IA and accreditation impact prior to implementation. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222652 Security flaws must be fixed or addressed in the project plan. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222653 The application development team must follow a set of coding standards. | low | - | - | - | - | - | - |
| DISA-6r1:V-222654 The designer must create and update the Design Document for each release of the application. | low | - | - | - | - | - | - |
| DISA-6r1:V-222655 Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222656 The application must not be subject to error handling vulnerabilities. | medium | - | - | - | - | - | |
| DISA-6r1:V-222657 The application development team must provide an application incident response plan. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222658 All products must be supported by the vendor or the development team. | high | - | - | - | - | - | - |
| DISA-6r1:V-222659 The application must be decommissioned when maintenance or support is no longer available. | high | - | - | - | - | - | - |
| DISA-6r1:V-222660 Procedures must be in place to notify users when an application is decommissioned. | low | - | - | - | - | - | - |
| DISA-6r1:V-222661 Unnecessary built-in application accounts must be disabled. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222662 Default passwords must be changed. | high | - | - | - | - | - | - |
| DISA-6r1:V-222663 An Application Configuration Guide must be created and included with the application. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222664 If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222665 The designer must ensure uncategorized or emerging mobile code is not used in applications. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222666 Production database exports must have database administration credentials and sensitive data removed before releasing the export. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222667 Protections against DoS attacks must be implemented. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222668 The system must alert an administrator when low resource conditions are encountered. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222669 At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. | low | - | - | - | - | - | - |
| DISA-6r1:V-222670 The application must provide notifications or alerts when product update and security related patches are available. | low | - | - | - | - | - | - |
| DISA-6r1:V-222671 Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ. | medium | - | - | - | - | - | - |
| DISA-6r1:V-222672 The application must generate audit records when concurrent logons from different workstations occur. | low | - | - | - | - | - | - |
| DISA-6r1:V-222673 The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. | medium | - | - | - | - | - | - |
| DISA-6r1:V-265634 The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | medium | - | - | - | - | - | - |
(STIG release date July 26, 2023)
A CSV version of this table is provided in DISA-5r3-mapping.csv
| DISA-5r3 | Severity | C/C++ Warning Classes | Ada Warning Classes | Java Warning Classes | C# Warning Classes | Kotlin Warning Classes | Python Warning Classes |
|---|---|---|---|---|---|---|---|
| DISA-5r3:V-69239 The application must provide a capability to limit the number of logon sessions per user. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69241 The application must clear temporary storage and cookies when the session is terminated. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69243 The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69245 The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69247 Applications requiring user access authentication must provide a logoff capability for user initiated communication session. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69249 The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. | low | - | - | - | - | - | - |
| DISA-5r3:V-69251 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69253 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69255 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | medium | - | - | - | - | - | |
| DISA-5r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | medium | - | - | - | - | - | |
| DISA-5r3:V-69261 Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69279 Messages protected with WS_Security must use time stamps with creation and expiration times. | high | - | - | - | - | - | - |
| DISA-5r3:V-69281 Validity periods must be verified on all application messages using WS-Security or SAML assertions. | high | - | - | - | - | - | - |
| DISA-5r3:V-69283 The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69285 The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69287 The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | high | - | - | - | - | - | - |
| DISA-5r3:V-69289 The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | high | - | - | - | - | - | - |
| DISA-5r3:V-69291 The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69293 The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69295 The application must provide automated mechanisms for supporting account management functions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69297 Shared/group account credentials must be terminated when members leave the group. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69299 The application must automatically remove or disable temporary user accounts 72 hours after account creation. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69301 The application must automatically disable accounts after a 35 day period of account inactivity. | low | - | - | - | - | - | - |
| DISA-5r3:V-69303 Unnecessary application accounts must be disabled, or deleted. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69305 The application must automatically audit account creation. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69307 The application must automatically audit account modification. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69309 The application must automatically audit account disabling actions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69311 The application must automatically audit account removal actions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69313 The application must notify System Administrators and Information System Security Officers when accounts are created. | low | - | - | - | - | - | - |
| DISA-5r3:V-69315 The application must notify System Administrators and Information System Security Officers when accounts are modified. | low | - | - | - | - | - | - |
| DISA-5r3:V-69317 The application must notify System Administrators and Information System Security Officers of account disabling actions. | low | - | - | - | - | - | - |
| DISA-5r3:V-69319 The application must notify System Administrators and Information System Security Officers of account removal actions. | low | - | - | - | - | - | - |
| DISA-5r3:V-69321 The application must automatically audit account enabling actions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69323 The application must notify System Administrators and Information System Security Officers of account enabling actions. | low | - | - | - | - | - | - |
| DISA-5r3:V-69325 Application data protection requirements must be identified and documented. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69327 The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69329 The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | high | - | - | - | - | - | - |
| DISA-5r3:V-69331 The application must enforce organization-defined discretionary access control policies over defined subjects and objects. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69333 The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69335 The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69337 The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69339 The application must execute without excessive account permissions. | high | - | - | - | - | - | - |
| DISA-5r3:V-69341 The application must audit the execution of privileged functions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69343 The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. | high | - | - | - | - | - | - |
| DISA-5r3:V-69347 The application administrator must follow an approved process to unlock locked user accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69349 The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | low | - | - | - | - | - | - |
| DISA-5r3:V-69351 The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | low | - | - | - | - | - | - |
| DISA-5r3:V-69353 The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | low | - | - | - | - | - | - |
| DISA-5r3:V-69355 The application must display the time and date of the users last successful logon. | low | - | - | - | - | - | - |
| DISA-5r3:V-69357 The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69359 For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69363 The application must provide audit record generation capability for the creation of session IDs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69365 The application must provide audit record generation capability for the destruction of session IDs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69367 The application must provide audit record generation capability for the renewal of session IDs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69369 The application must not write sensitive data into the application logs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69371 The application must provide audit record generation capability for session timeouts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69373 The application must record a time stamp indicating when the event occurred. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69375 The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69377 The application must provide audit record generation capability for connecting system IP addresses. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69379 The application must record the username or user ID of the user associated with the event. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69381 The application must generate audit records when successful/unsuccessful attempts to grant privileges occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69383 The application must generate audit records when successful/unsuccessful attempts to access security objects occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69385 The application must generate audit records when successful/unsuccessful attempts to access security levels occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69387 The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69389 The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69391 The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69393 The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69395 The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69397 The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69399 The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69401 The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69403 The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69405 The application must generate audit records when successful/unsuccessful logon attempts occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69407 The application must generate audit records for privileged activities or other system-level access. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69409 The application must generate audit records showing starting and ending time for user access to the system. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69411 The application must generate audit records when successful/unsuccessful accesses to objects occur. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69413 The application must generate audit records for all direct access to the information system. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69415 The application must generate audit records for all account creations, modifications, disabling, and termination events. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69419 The application must initiate session auditing upon startup. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69421 The application must log application shutdown events. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69423 The application must log destination IP addresses. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69425 The application must log user actions involving access to data. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69427 The application must log user actions involving changes to data. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69429 The application must produce audit records containing information to establish when (date and time) the events occurred. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69431 The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69433 When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69435 The application must produce audit records that contain information to establish the outcome of the events. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69437 The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69439 The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69441 The application must implement transaction recovery logs when transaction based. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69443 The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69445 The application must off-load audit records onto a different system or media than the system being audited. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69447 The application must be configured to write application logs to a centralized log repository. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69449 The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69451 Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69453 The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69455 The application must shut down by default upon audit failure (unless availability is an overriding concern). | medium | - | - | - | - | - | - |
| DISA-5r3:V-69457 The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69459 The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69461 The application must provide an audit reduction capability that supports on-demand reporting requirements. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69463 The application must provide an audit reduction capability that supports on-demand audit review and analysis. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69465 The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69467 The application must provide a report generation capability that supports on-demand audit review and analysis. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69469 The application must provide a report generation capability that supports on-demand reporting requirements. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69471 The application must provide a report generation capability that supports after-the-fact investigations of security incidents. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69473 The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69475 The application must provide a report generation capability that does not alter original content or time ordering of audit records. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69477 The applications must use internal system clocks to generate time stamps for audit records. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69479 The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | medium | - | - | - | - | - | - |
| DISA-5r3:V-69481 The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69483 The application must protect audit information from any type of unauthorized read access. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69485 The application must protect audit information from unauthorized modification. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69487 The application must protect audit information from unauthorized deletion. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69489 The application must protect audit tools from unauthorized access. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69491 The application must protect audit tools from unauthorized modification. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69493 The application must protect audit tools from unauthorized deletion. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69495 The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69497 The application must use cryptographic mechanisms to protect the integrity of audit information. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69499 Application audit tools must be cryptographically hashed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69501 The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69503 The application must prohibit user installation of software without explicit privileged status. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69505 The application must enforce access restrictions associated with changes to application configuration. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69507 The application must audit who makes configuration changes to the application. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69509 The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69511 The applications must limit privileges to change the software resident within software libraries. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69513 An application vulnerability assessment must be conducted. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69515 The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69517 The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69519 The application must be configured to disable non-essential capabilities. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69521 The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69523 The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69525 The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69527 The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | high | - | - | - | - | - | - |
| DISA-5r3:V-69529 The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69531 The application must accept Personal Identity Verification (PIV) credentials. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69533 The application must electronically verify Personal Identity Verification (PIV) credentials. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69535 The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69537 The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69539 The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69541 The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69543 The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69545 The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69547 The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69549 The application must authenticate all network connected endpoint devices before establishing any connection. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69551 Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69553 The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69555 The application must enforce a minimum 15-character password length. | high | - | - | - | - | - | - |
| DISA-5r3:V-69557 The application must enforce password complexity by requiring that at least one upper-case character be used. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69559 The application must enforce password complexity by requiring that at least one lower-case character be used. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69561 The application must enforce password complexity by requiring that at least one numeric character be used. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69563 The application must enforce password complexity by requiring that at least one special character be used. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69565 The application must require the change of at least 8 of the total number of characters when passwords are changed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69567 The application must only store cryptographic representations of passwords. | high | - | - | - | - | - | |
| DISA-5r3:V-69569 The application must transmit only cryptographically-protected passwords. | high | - | - | - | - | - | |
| DISA-5r3:V-69571 The application must enforce 24 hours/1 day as the minimum password lifetime. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69573 The application must enforce a 60-day maximum password lifetime restriction. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69575 The application must prohibit password reuse for a minimum of five generations. | medium | - | - | - | - | - | - |
| DISA-5r3:V-69577 The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70145 The application password must not be changeable by users other than the administrator or the user with which the password is associated. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70147 The application must terminate existing user sessions upon account deletion. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70149 The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | high | - | - | - | - | - | - |
| DISA-5r3:V-70151 The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | high | - | - | - | - | - | - |
| DISA-5r3:V-70153 The application must map the authenticated identity to the individual user or group account for PKI-based authentication. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70155 The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70157 The application must not display passwords/PINs as clear text. | high | - | - | - | - | - | - |
| DISA-5r3:V-70159 The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | high | - | - | - | - | - | - |
| DISA-5r3:V-70161 The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | medium | - | - | - | - | - | - |
| DISA-5r3:V-70163 The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70165 The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70167 The application must accept FICAM-approved third-party credentials. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70169 The application must conform to FICAM-issued profiles. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70171 Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70173 The application must have a process, feature or function that prevents removal or disabling of emergency accounts. | low | - | - | - | - | - | - |
| DISA-5r3:V-70175 Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70177 Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70179 Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70181 The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70183 The application must terminate all sessions and network connections when non-local maintenance is completed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70185 The application must not be vulnerable to race conditions. | medium | - | - | - | - | - | |
| DISA-5r3:V-70187 The application must terminate all network connections associated with a communications session at the end of the session. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70189 The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70191 The application must utilize FIPS-validated cryptographic modules when signing application components. | medium | - | - | - | - | - | |
| DISA-5r3:V-70193 The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | medium | - | - | - | - | - | |
| DISA-5r3:V-70195 The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. | medium | - | - | - | - | - | |
| DISA-5r3:V-70197 Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70199 The application user interface must be either physically or logically separated from data storage and management interfaces. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70201 The application must set the HTTPOnly flag on session cookies. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70203 The application must set the secure flag on session cookies. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70205 The application must not expose session IDs. | high | - | - | - | - | - | - |
| DISA-5r3:V-70207 The application must destroy the session ID value and/or cookie on logoff or browser close. | high | - | - | - | - | - | - |
| DISA-5r3:V-70209 Applications must use system-generated session identifiers that protect against session fixation. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70211 Applications must validate session identifiers. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70213 Applications must not use URL embedded session IDs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70215 The application must not re-use or recycle session IDs. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70217 The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. | medium | - | - | - | - | - | |
| DISA-5r3:V-70219 The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70221 The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | high | - | - | - | - | - | - |
| DISA-5r3:V-70223 In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70225 The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70227 The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. | medium | - | - | - | - | - | |
| DISA-5r3:V-70231 The application must isolate security functions from non-security functions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70233 The application must maintain a separate execution domain for each executing process. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70235 Applications must prevent unauthorized and unintended information transfer via shared system resources. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70237 XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70239 The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70241 The web service design must include redundancy mechanisms when used with high-availability systems. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70245 The application must protect the confidentiality and integrity of transmitted information. | high | - | - | - | - | - | |
| DISA-5r3:V-70247 The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | medium | - | - | - | - | - | - |
| DISA-5r3:V-70249 The application must maintain the confidentiality and integrity of information during preparation for transmission. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70251 The application must maintain the confidentiality and integrity of information during reception. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70253 The application must not disclose unnecessary information to users. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70255 The application must not store sensitive information in hidden fields. | high | - | - | - | - | - | - |
| DISA-5r3:V-70257 The application must protect from Cross-Site Scripting (XSS) vulnerabilities. | high | - | - | - | - | ||
| DISA-5r3:V-70259 The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70261 The application must protect from command injection. | high | - | - | ||||
| DISA-5r3:V-70263 The application must protect from canonical representation vulnerabilities. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70265 The application must validate all input. | medium | - | - | - | - | - | |
| DISA-5r3:V-70267 The application must not be vulnerable to SQL Injection. | high | - | - | ||||
| DISA-5r3:V-70269 The application must not be vulnerable to XML-oriented attacks. | high | - | - | - | |||
| DISA-5r3:V-70271 The application must not be subject to input handling vulnerabilities. | high | - | - | - | - | - | |
| DISA-5r3:V-70273 The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70275 The application must reveal error messages only to the ISSO, ISSM, or SA. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70277 The application must not be vulnerable to overflow attacks. | high |
|
- | - | - | - | - |
| DISA-5r3:V-70279 The application must remove organization-defined software components after updated versions have been installed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70281 Security-relevant software updates and patches must be kept up to date. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70283 The application performing organization-defined security functions must verify correct operation of security functions. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70285 The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70287 The application must notify the ISSO and ISSM of failed security verification tests. | low | - | - | - | - | - | - |
| DISA-5r3:V-70289 Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70291 The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70293 Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | high | - | - | - | - | - | - |
| DISA-5r3:V-70295 The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70297 The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70301 The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70303 The ISSO must ensure active vulnerability testing is performed. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70307 Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70309 The designer must ensure the application does not store configuration and control files in the same directory as user data. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70311 The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70313 New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM) | medium | - | - | - | - | - | - |
| DISA-5r3:V-70317 The application must be registered with the DoD Ports and Protocols Database. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70339 The Configuration Management (CM) repository must be properly patched and STIG compliant. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70341 Access privileges to the Configuration Management (CM) repository must be reviewed every three months. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70343 A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70345 A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70347 The application services and interfaces must be compatible with and ready for IPv6 networks. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70349 The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70351 A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70353 Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70355 Data backup must be performed at required intervals in accordance with DoD policy. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70357 Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite). | medium | - | - | - | - | - | - |
| DISA-5r3:V-70359 Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70361 The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70363 The application must not contain embedded authentication data. | high | - | - | - | - | - | |
| DISA-5r3:V-70365 The application must have the capability to mark sensitive/classified output when required. | high | - | - | - | - | - | - |
| DISA-5r3:V-70367 Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed. | low | - | - | - | - | - | - |
| DISA-5r3:V-70369 Application files must be cryptographically hashed prior to deploying to DoD operational networks. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70371 At least one tester must be designated to test for security flaws in addition to functional testing. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70373 Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. | low | - | - | - | - | - | - |
| DISA-5r3:V-70375 An application code review must be performed on the application. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70377 Code coverage statistics must be maintained for each release of the application. | low | - | - | - | - | - | - |
| DISA-5r3:V-70379 Flaws found during a code review must be tracked in a defect tracking system. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70381 The changes to the application must be assessed for IA and accreditation impact prior to implementation. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70383 Security flaws must be fixed or addressed in the project plan. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70385 The application development team must follow a set of coding standards. | low | - | - | - | - | - | - |
| DISA-5r3:V-70387 The designer must create and update the Design Document for each release of the application. | low | - | - | - | - | - | - |
| DISA-5r3:V-70389 Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70391 The application must not be subject to error handling vulnerabilities. | medium | - | - | - | - | - | |
| DISA-5r3:V-70393 The application development team must provide an application incident response plan. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70395 All products must be supported by the vendor or the development team. | high | - | - | - | - | - | - |
| DISA-5r3:V-70397 The application must be decommissioned when maintenance or support is no longer available. | high | - | - | - | - | - | - |
| DISA-5r3:V-70399 Procedures must be in place to notify users when an application is decommissioned. | low | - | - | - | - | - | - |
| DISA-5r3:V-70401 Unnecessary built-in application accounts must be disabled. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70403 Default passwords must be changed. | high | - | - | - | - | - | - |
| DISA-5r3:V-70405 An Application Configuration Guide must be created and included with the application. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70407 If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70409 The designer must ensure uncategorized or emerging mobile code is not used in applications. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70411 Production database exports must have database administration credentials and sensitive data removed before releasing the export. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70413 Protections against DoS attacks must be implemented. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70415 The system must alert an administrator when low resource conditions are encountered. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70417 At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. | low | - | - | - | - | - | - |
| DISA-5r3:V-70419 The application must provide notifications or alerts when product update and security related patches are available. | low | - | - | - | - | - | - |
| DISA-5r3:V-70421 Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ. | medium | - | - | - | - | - | - |
| DISA-5r3:V-70423 The application must generate audit records when concurrent logons from different workstations occur. | low | - | - | - | - | - | - |
| DISA-5r3:V-70425 The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. | medium | - | - | - | - | - | - |
(STIG release date April 28, 2017)
A CSV version of this table is provided in DISA-4r3-mapping.csv
| DISA-4r3 | C/C++ Warning Classes | Ada Warning Classes | Java Warning Classes | C# Warning Classes | Kotlin Warning Classes | Python Warning Classes |
|---|---|---|---|---|---|---|
| DISA-4r3:V-69239 The application must provide a capability to limit the number of logon sessions per user. | - | - | - | - | - | - |
| DISA-4r3:V-69241 The application must clear temporary storage and cookies when the session is terminated. | - | - | - | - | - | - |
| DISA-4r3:V-69243 The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed. | - | - | - | - | - | - |
| DISA-4r3:V-69245 The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. | - | - | - | - | - | - |
| DISA-4r3:V-69247 Applications requiring user access authentication must provide a logoff capability for user initiated communication session. | - | - | - | - | - | - |
| DISA-4r3:V-69249 The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. | - | - | - | - | - | - |
| DISA-4r3:V-69251 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. | - | - | - | - | - | - |
| DISA-4r3:V-69253 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. | - | - | - | - | - | - |
| DISA-4r3:V-69255 The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. | - | - | - | - | - | - |
| DISA-4r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | - | - | - | - | - | |
| DISA-4r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | - | - | - | - | - | |
| DISA-4r3:V-69261 Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed. | - | - | - | - | - | - |
| DISA-4r3:V-69279 Messages protected with WS_Security must use time stamps with creation and expiration times. | - | - | - | - | - | - |
| DISA-4r3:V-69281 Validity periods must be verified on all application messages using WS-Security or SAML assertions. | - | - | - | - | - | - |
| DISA-4r3:V-69283 The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion. | - | - | - | - | - | - |
| DISA-4r3:V-69285 The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary. | - | - | - | - | - | - |
| DISA-4r3:V-69287 The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | - | - | - | - | - | - |
| DISA-4r3:V-69289 The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | - | - | - | - | - | - |
| DISA-4r3:V-69291 The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion. | - | - | - | - | - | - |
| DISA-4r3:V-69293 The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. | - | - | - | - | - | - |
| DISA-4r3:V-69295 The application must provide automated mechanisms for supporting account management functions. | - | - | - | - | - | - |
| DISA-4r3:V-69297 Shared/group account credentials must be terminated when members leave the group. | - | - | - | - | - | - |
| DISA-4r3:V-69299 The application must automatically remove or disable temporary user accounts 72 hours after account creation. | - | - | - | - | - | - |
| DISA-4r3:V-69301 The application must automatically disable accounts after a 35 day period of account inactivity. | - | - | - | - | - | - |
| DISA-4r3:V-69303 Unnecessary application accounts must be disabled, or deleted. | - | - | - | - | - | - |
| DISA-4r3:V-69305 The application must automatically audit account creation. | - | - | - | - | - | - |
| DISA-4r3:V-69307 The application must automatically audit account modification. | - | - | - | - | - | - |
| DISA-4r3:V-69309 The application must automatically audit account disabling actions. | - | - | - | - | - | - |
| DISA-4r3:V-69311 The application must automatically audit account removal actions. | - | - | - | - | - | - |
| DISA-4r3:V-69313 The application must notify System Administrators and Information System Security Officers when accounts are created. | - | - | - | - | - | - |
| DISA-4r3:V-69315 The application must notify System Administrators and Information System Security Officers when accounts are modified. | - | - | - | - | - | - |
| DISA-4r3:V-69317 The application must notify System Administrators and Information System Security Officers of account disabling actions. | - | - | - | - | - | - |
| DISA-4r3:V-69319 The application must notify System Administrators and Information System Security Officers of account removal actions. | - | - | - | - | - | - |
| DISA-4r3:V-69321 The application must automatically audit account enabling actions. | - | - | - | - | - | - |
| DISA-4r3:V-69323 The application must notify System Administrators and Information System Security Officers of account enabling actions. | - | - | - | - | - | - |
| DISA-4r3:V-69325 Application data protection requirements must be identified and documented. | - | - | - | - | - | - |
| DISA-4r3:V-69327 The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. | - | - | - | - | - | - |
| DISA-4r3:V-69329 The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | - | - | - | - | - | - |
| DISA-4r3:V-69331 The application must enforce organization-defined discretionary access control policies over defined subjects and objects. | - | - | - | - | - | - |
| DISA-4r3:V-69333 The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. | - | - | - | - | - | - |
| DISA-4r3:V-69335 The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | - | - | - | - | - | - |
| DISA-4r3:V-69337 The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | - | - | - | - | - | - |
| DISA-4r3:V-69339 The application must execute without excessive account permissions. | - | - | - | - | - | - |
| DISA-4r3:V-69341 The application must audit the execution of privileged functions. | - | - | - | - | - | - |
| DISA-4r3:V-69343 The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. | - | - | - | - | - | - |
| DISA-4r3:V-69347 The application administrator must follow an approved process to unlock locked user accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69349 The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | - | - | - | - | - | - |
| DISA-4r3:V-69351 The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | - | - | - | - | - | - |
| DISA-4r3:V-69353 The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | - | - | - | - | - | - |
| DISA-4r3:V-69355 The application must display the time and date of the users last successful logon. | - | - | - | - | - | - |
| DISA-4r3:V-69357 The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | - | - | - | - | - | - |
| DISA-4r3:V-69359 For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. | - | - | - | - | - | - |
| DISA-4r3:V-69361 The application must provide the capability for organization-identified individuals or roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds. | - | - | - | - | - | - |
| DISA-4r3:V-69363 The application must provide audit record generation capability for the creation of session IDs. | - | - | - | - | - | - |
| DISA-4r3:V-69365 The application must provide audit record generation capability for the destruction of session IDs. | - | - | - | - | - | - |
| DISA-4r3:V-69367 The application must provide audit record generation capability for the renewal of session IDs. | - | - | - | - | - | - |
| DISA-4r3:V-69369 The application must not write sensitive data into the application logs. | - | - | - | - | - | - |
| DISA-4r3:V-69371 The application must provide audit record generation capability for session timeouts. | - | - | - | - | - | - |
| DISA-4r3:V-69373 The application must record a time stamp indicating when the event occurred. | - | - | - | - | - | - |
| DISA-4r3:V-69375 The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. | - | - | - | - | - | - |
| DISA-4r3:V-69377 The application must provide audit record generation capability for connecting system IP addresses. | - | - | - | - | - | - |
| DISA-4r3:V-69379 The application must record the username or user ID of the user associated with the event. | - | - | - | - | - | - |
| DISA-4r3:V-69381 The application must generate audit records when successful/unsuccessful attempts to access privileges occur. | - | - | - | - | - | - |
| DISA-4r3:V-69383 The application must generate audit records when successful/unsuccessful attempts to access security objects occur. | - | - | - | - | - | - |
| DISA-4r3:V-69385 The application must generate audit records when successful/unsuccessful attempts to access security levels occur. | - | - | - | - | - | - |
| DISA-4r3:V-69387 The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | - | - | - | - | - | - |
| DISA-4r3:V-69389 The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. | - | - | - | - | - | - |
| DISA-4r3:V-69391 The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. | - | - | - | - | - | - |
| DISA-4r3:V-69393 The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. | - | - | - | - | - | - |
| DISA-4r3:V-69395 The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | - | - | - | - | - | - |
| DISA-4r3:V-69397 The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. | - | - | - | - | - | - |
| DISA-4r3:V-69399 The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. | - | - | - | - | - | - |
| DISA-4r3:V-69401 The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. | - | - | - | - | - | - |
| DISA-4r3:V-69403 The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | - | - | - | - | - | - |
| DISA-4r3:V-69405 The application must generate audit records when successful/unsuccessful logon attempts occur. | - | - | - | - | - | - |
| DISA-4r3:V-69407 The application must generate audit records for privileged activities or other system-level access. | - | - | - | - | - | - |
| DISA-4r3:V-69409 The application must generate audit records showing starting and ending time for user access to the system. | - | - | - | - | - | - |
| DISA-4r3:V-69411 The application must generate audit records when successful/unsuccessful accesses to objects occur. | - | - | - | - | - | - |
| DISA-4r3:V-69413 The application must generate audit records for all direct access to the information system. | - | - | - | - | - | - |
| DISA-4r3:V-69415 The application must generate audit records for all account creations, modifications, disabling, and termination events. | - | - | - | - | - | - |
| DISA-4r3:V-69417 The application must provide the capability for authorized users to select a user session to capture/record or view/hear. | - | - | - | - | - | - |
| DISA-4r3:V-69419 The application must initiate session auditing upon startup. | - | - | - | - | - | - |
| DISA-4r3:V-69421 The application must log application shutdown events. | - | - | - | - | - | - |
| DISA-4r3:V-69423 The application must log destination IP addresses. | - | - | - | - | - | - |
| DISA-4r3:V-69425 The application must log user actions involving access to data. | - | - | - | - | - | - |
| DISA-4r3:V-69427 The application must log user actions involving changes to data. | - | - | - | - | - | - |
| DISA-4r3:V-69429 The application must produce audit records containing information to establish when (date and time) the events occurred. | - | - | - | - | - | - |
| DISA-4r3:V-69431 The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. | - | - | - | - | - | - |
| DISA-4r3:V-69433 When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | - | - | - | - | - | - |
| DISA-4r3:V-69435 The application must produce audit records that contain information to establish the outcome of the events. | - | - | - | - | - | - |
| DISA-4r3:V-69437 The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. | - | - | - | - | - | - |
| DISA-4r3:V-69439 The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | - | - | - | - | - | - |
| DISA-4r3:V-69441 The application must implement transaction recovery logs when transaction based. | - | - | - | - | - | - |
| DISA-4r3:V-69443 The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | - | - | - | - | - | - |
| DISA-4r3:V-69445 The application must off-load audit records onto a different system or media than the system being audited. | - | - | - | - | - | - |
| DISA-4r3:V-69447 The application must be configured to write application logs to a centralized log repository. | - | - | - | - | - | - |
| DISA-4r3:V-69449 The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | - | - | - | - | - | - |
| DISA-4r3:V-69451 Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. | - | - | - | - | - | - |
| DISA-4r3:V-69453 The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | - | - | - | - | - | - |
| DISA-4r3:V-69455 The application must shut down by default upon audit failure (unless availability is an overriding concern). | - | - | - | - | - | - |
| DISA-4r3:V-69457 The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | - | - | - | - | - | - |
| DISA-4r3:V-69459 The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. | - | - | - | - | - | - |
| DISA-4r3:V-69461 The application must provide an audit reduction capability that supports on-demand reporting requirements. | - | - | - | - | - | - |
| DISA-4r3:V-69463 The application must provide an audit reduction capability that supports on-demand audit review and analysis. | - | - | - | - | - | - |
| DISA-4r3:V-69465 The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. | - | - | - | - | - | - |
| DISA-4r3:V-69467 The application must provide a report generation capability that supports on-demand audit review and analysis. | - | - | - | - | - | - |
| DISA-4r3:V-69469 The application must provide a report generation capability that supports on-demand reporting requirements. | - | - | - | - | - | - |
| DISA-4r3:V-69471 The application must provide a report generation capability that supports after-the-fact investigations of security incidents. | - | - | - | - | - | - |
| DISA-4r3:V-69473 The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. | - | - | - | - | - | - |
| DISA-4r3:V-69475 The application must provide a report generation capability that does not alter original content or time ordering of audit records. | - | - | - | - | - | - |
| DISA-4r3:V-69477 The applications must use internal system clocks to generate time stamps for audit records. | - | - | - | - | - | - |
| DISA-4r3:V-69479 The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | - | - | - | - | - | - |
| DISA-4r3:V-69481 The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | - | - | - | - | - | - |
| DISA-4r3:V-69483 The application must protect audit information from any type of unauthorized read access. | - | - | - | - | - | - |
| DISA-4r3:V-69485 The application must protect audit information from unauthorized modification. | - | - | - | - | - | - |
| DISA-4r3:V-69487 The application must protect audit information from unauthorized deletion. | - | - | - | - | - | - |
| DISA-4r3:V-69489 The application must protect audit tools from unauthorized access. | - | - | - | - | - | - |
| DISA-4r3:V-69491 The application must protect audit tools from unauthorized modification. | - | - | - | - | - | - |
| DISA-4r3:V-69493 The application must protect audit tools from unauthorized deletion. | - | - | - | - | - | - |
| DISA-4r3:V-69495 The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | - | - | - | - | - | - |
| DISA-4r3:V-69497 The application must use cryptographic mechanisms to protect the integrity of audit information. | - | - | - | - | - | - |
| DISA-4r3:V-69499 Application audit tools must be cryptographically hashed. | - | - | - | - | - | - |
| DISA-4r3:V-69501 The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. | - | - | - | - | - | - |
| DISA-4r3:V-69503 The application must prohibit user installation of software without explicit privileged status. | - | - | - | - | - | - |
| DISA-4r3:V-69505 The application must enforce access restrictions associated with changes to application configuration. | - | - | - | - | - | - |
| DISA-4r3:V-69507 The application must audit who makes configuration changes to the application. | - | - | - | - | - | - |
| DISA-4r3:V-69509 The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. | - | - | - | - | - | - |
| DISA-4r3:V-69511 The applications must limit privileges to change the software resident within software libraries. | - | - | - | - | - | - |
| DISA-4r3:V-69513 An application vulnerability assessment must be conducted. | - | - | - | - | - | - |
| DISA-4r3:V-69515 The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | - | - | - | - | - | - |
| DISA-4r3:V-69517 The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. | - | - | - | - | - | - |
| DISA-4r3:V-69519 The application must be configured to disable non-essential capabilities. | - | - | - | - | - | - |
| DISA-4r3:V-69521 The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. | - | - | - | - | - | - |
| DISA-4r3:V-69523 The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | - | - | - | - | - | - |
| DISA-4r3:V-69525 The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. | - | - | - | - | - | - |
| DISA-4r3:V-69527 The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | - | - | - | - | - | - |
| DISA-4r3:V-69529 The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69531 The application must accept Personal Identity Verification (PIV) credentials. | - | - | - | - | - | - |
| DISA-4r3:V-69533 The application must electronically verify Personal Identity Verification (PIV) credentials. | - | - | - | - | - | - |
| DISA-4r3:V-69535 The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69537 The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69539 The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69541 The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | - | - | - | - | - | - |
| DISA-4r3:V-69543 The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69545 The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | - | - | - | - | - | - |
| DISA-4r3:V-69547 The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. | - | - | - | - | - | - |
| DISA-4r3:V-69549 The application must authenticate all network connected endpoint devices before establishing any connection. | - | - | - | - | - | - |
| DISA-4r3:V-69551 Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. | - | - | - | - | - | - |
| DISA-4r3:V-69553 The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. | - | - | - | - | - | - |
| DISA-4r3:V-69555 The application must enforce a minimum 15-character password length. | - | - | - | - | - | - |
| DISA-4r3:V-69557 The application must enforce password complexity by requiring that at least one upper-case character be used. | - | - | - | - | - | - |
| DISA-4r3:V-69559 The application must enforce password complexity by requiring that at least one lower-case character be used. | - | - | - | - | - | - |
| DISA-4r3:V-69561 The application must enforce password complexity by requiring that at least one numeric character be used. | - | - | - | - | - | - |
| DISA-4r3:V-69563 The application must enforce password complexity by requiring that at least one special character be used. | - | - | - | - | - | - |
| DISA-4r3:V-69565 The application must require the change of at least 8 of the total number of characters when passwords are changed. | - | - | - | - | - | - |
| DISA-4r3:V-69567 The application must only store cryptographic representations of passwords. | - | - | - | - | - | |
| DISA-4r3:V-69569 The application must transmit only cryptographically-protected passwords. | - | - | - | - | - | |
| DISA-4r3:V-69571 The application must enforce 24 hours/1 day as the minimum password lifetime. | - | - | - | - | - | - |
| DISA-4r3:V-69573 The application must enforce a 60-day maximum password lifetime restriction. | - | - | - | - | - | - |
| DISA-4r3:V-69575 The application must prohibit password reuse for a minimum of five generations. | - | - | - | - | - | - |
| DISA-4r3:V-69577 The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. | - | - | - | - | - | - |
| DISA-4r3:V-70145 The application password must not be changeable by users other than the administrator or the user with which the password is associated. | - | - | - | - | - | - |
| DISA-4r3:V-70147 The application must terminate existing user sessions upon account deletion. | - | - | - | - | - | - |
| DISA-4r3:V-70149 The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | - | - | - | - | - | - |
| DISA-4r3:V-70151 The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | - | - | - | - | - | - |
| DISA-4r3:V-70153 The application must map the authenticated identity to the individual user or group account for PKI-based authentication. | - | - | - | - | - | - |
| DISA-4r3:V-70155 The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | - | - | - | - | - | - |
| DISA-4r3:V-70157 The application must not display passwords/PINs as clear text. | - | - | - | - | - | - |
| DISA-4r3:V-70159 The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | - | - | - | - | - | - |
| DISA-4r3:V-70161 The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | - | - | - | - | - | - |
| DISA-4r3:V-70163 The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. | - | - | - | - | - | - |
| DISA-4r3:V-70165 The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. | - | - | - | - | - | - |
| DISA-4r3:V-70167 The application must accept FICAM-approved third-party credentials. | - | - | - | - | - | - |
| DISA-4r3:V-70169 The application must conform to FICAM-issued profiles. | - | - | - | - | - | - |
| DISA-4r3:V-70171 Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. | - | - | - | - | - | - |
| DISA-4r3:V-70173 The application must have a process, feature or function that prevents removal or disabling of emergency accounts. | - | - | - | - | - | - |
| DISA-4r3:V-70175 Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. | - | - | - | - | - | - |
| DISA-4r3:V-70177 Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. | - | - | - | - | - | - |
| DISA-4r3:V-70179 Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. | - | - | - | - | - | - |
| DISA-4r3:V-70181 The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | - | - | - | - | - | - |
| DISA-4r3:V-70183 The application must terminate all sessions and network connections when non-local maintenance is completed. | - | - | - | - | - | - |
| DISA-4r3:V-70185 The application must not be vulnerable to race conditions. | - | - | - | - | - | |
| DISA-4r3:V-70187 The application must terminate all network connections associated with a communications session at the end of the session. | - | - | - | - | - | - |
| DISA-4r3:V-70189 The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | - | - | - | - | - | - |
| DISA-4r3:V-70191 The application must utilize FIPS-validated cryptographic modules when signing application components. | - | - | - | - | - | |
| DISA-4r3:V-70193 The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | - | - | - | - | - | |
| DISA-4r3:V-70195 The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. | - | - | - | - | - | |
| DISA-4r3:V-70197 Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. | - | - | - | - | - | - |
| DISA-4r3:V-70199 The application user interface must be either physically or logically separated from data storage and management interfaces. | - | - | - | - | - | - |
| DISA-4r3:V-70201 The application must set the HTTPOnly flag on session cookies. | - | - | - | - | - | - |
| DISA-4r3:V-70203 The application must set the secure flag on session cookies. | - | - | - | - | - | - |
| DISA-4r3:V-70205 The application must not expose session IDs. | - | - | - | - | - | - |
| DISA-4r3:V-70207 The application must destroy the session ID value and/or cookie on logoff or browser close. | - | - | - | - | - | - |
| DISA-4r3:V-70209 Applications must use system-generated session identifiers that protect against session fixation. | - | - | - | - | - | - |
| DISA-4r3:V-70211 Applications must validate session identifiers. | - | - | - | - | - | - |
| DISA-4r3:V-70213 Applications must not use URL embedded session IDs. | - | - | - | - | - | - |
| DISA-4r3:V-70215 The application must not re-use or recycle session IDs. | - | - | - | - | - | - |
| DISA-4r3:V-70217 The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. | - | - | - | - | - | |
| DISA-4r3:V-70219 The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. | - | - | - | - | - | - |
| DISA-4r3:V-70221 The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | - | - | - | - | - | - |
| DISA-4r3:V-70223 In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | - | - | - | - | - | - |
| DISA-4r3:V-70225 The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. | - | - | - | - | - | - |
| DISA-4r3:V-70227 The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | - | - | - | - | - | - |
| DISA-4r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. | - | - | - | - | - | |
| DISA-4r3:V-70231 The application must isolate security functions from non-security functions. | - | - | - | - | - | - |
| DISA-4r3:V-70233 The application must maintain a separate execution domain for each executing process. | - | - | - | - | - | - |
| DISA-4r3:V-70235 Applications must prevent unauthorized and unintended information transfer via shared system resources. | - | - | - | - | - | - |
| DISA-4r3:V-70237 XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. | - | - | - | - | - | - |
| DISA-4r3:V-70239 The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | - | - | - | - | - | - |
| DISA-4r3:V-70241 The web service design must include redundancy mechanisms when used with high-availability systems. | - | - | - | - | - | - |
| DISA-4r3:V-70243 An XML firewall function must be deployed to protect web services when exposed to untrusted networks. | - | - | - | - | - | - |
| DISA-4r3:V-70245 The application must protect the confidentiality and integrity of transmitted information. | - | - | - | - | - | |
| DISA-4r3:V-70247 The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | - | - | - | - | - | - |
| DISA-4r3:V-70249 The application must maintain the confidentiality and integrity of information during preparation for transmission. | - | - | - | - | - | - |
| DISA-4r3:V-70251 The application must maintain the confidentiality and integrity of information during reception. | - | - | - | - | - | - |
| DISA-4r3:V-70253 The application must not disclose unnecessary information to users. | - | - | - | - | - | - |
| DISA-4r3:V-70255 The application must not store sensitive information in hidden fields. | - | - | - | - | - | - |
| DISA-4r3:V-70257 The application must protect from Cross-Site Scripting (XSS) vulnerabilities. | - | - | - | - | ||
| DISA-4r3:V-70259 The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. | - | - | - | - | - | - |
| DISA-4r3:V-70261 The application must protect from command injection. | - | - | ||||
| DISA-4r3:V-70263 The application must protect from canonical representation vulnerabilities. | - | - | - | - | - | - |
| DISA-4r3:V-70265 The application must validate all input. | - | - | - | - | - | |
| DISA-4r3:V-70267 The application must not be vulnerable to SQL Injection. | - | - | ||||
| DISA-4r3:V-70269 The application must not be vulnerable to XML-oriented attacks. | - | - | - | |||
| DISA-4r3:V-70271 The application must not be subject to input handling vulnerabilities. | - | - | - | - | - | |
| DISA-4r3:V-70273 The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | - | - | - | - | - | - |
| DISA-4r3:V-70275 The application must reveal error messages only to the ISSO, ISSM, or SA. | - | - | - | - | - | - |
| DISA-4r3:V-70277 The application must not be vulnerable to overflow attacks. |
|
- | - | - | - | - |
| DISA-4r3:V-70279 The application must remove organization-defined software components after updated versions have been installed. | - | - | - | - | - | - |
| DISA-4r3:V-70281 Security-relevant software updates and patches must be kept up to date. | - | - | - | - | - | - |
| DISA-4r3:V-70283 The application performing organization-defined security functions must verify correct operation of security functions. | - | - | - | - | - | - |
| DISA-4r3:V-70285 The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. | - | - | - | - | - | - |
| DISA-4r3:V-70287 The application must notify the ISSO and ISSM of failed security verification tests. | - | - | - | - | - | - |
| DISA-4r3:V-70289 Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. | - | - | - | - | - | - |
| DISA-4r3:V-70291 The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. | - | - | - | - | - | - |
| DISA-4r3:V-70293 Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | - | - | - | - | - | - |
| DISA-4r3:V-70295 The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. | - | - | - | - | - | - |
| DISA-4r3:V-70297 The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. | - | - | - | - | - | - |
| DISA-4r3:V-70301 The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures. | - | - | - | - | - | - |
| DISA-4r3:V-70303 The ISSO must ensure active vulnerability testing is performed. | - | - | - | - | - | - |
| DISA-4r3:V-70305 AO risk acceptance must be obtained for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment. | - | - | - | - | - | - |
| DISA-4r3:V-70307 Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | - | - | - | - | - | - |
| DISA-4r3:V-70309 The designer must ensure the application does not store configuration and control files in the same directory as user data. | - | - | - | - | - | - |
| DISA-4r3:V-70311 The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. | - | - | - | - | - | - |
| DISA-4r3:V-70313 New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM). | - | - | - | - | - | - |
| DISA-4r3:V-70317 The application must be registered with the DoD Ports and Protocols Database. | - | - | - | - | - | - |
| DISA-4r3:V-70339 The Configuration Management (CM) repository must be properly patched and STIG compliant. | - | - | - | - | - | - |
| DISA-4r3:V-70341 Access privileges to the Configuration Management (CM) repository must be reviewed every three months. | - | - | - | - | - | - |
| DISA-4r3:V-70343 A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. | - | - | - | - | - | - |
| DISA-4r3:V-70345 A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established. | - | - | - | - | - | - |
| DISA-4r3:V-70347 The application services and interfaces must be compatible with and ready for IPv6 networks. | - | - | - | - | - | - |
| DISA-4r3:V-70349 The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO. | - | - | - | - | - | - |
| DISA-4r3:V-70351 A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements. | - | - | - | - | - | - |
| DISA-4r3:V-70353 Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery. | - | - | - | - | - | - |
| DISA-4r3:V-70355 Data backup must be performed at required intervals in accordance with DoD policy. | - | - | - | - | - | - |
| DISA-4r3:V-70357 Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite). | - | - | - | - | - | - |
| DISA-4r3:V-70359 Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. | - | - | - | - | - | - |
| DISA-4r3:V-70361 The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | - | - | - | - | - | - |
| DISA-4r3:V-70363 The application must not contain embedded authentication data. | - | - | - | - | - | |
| DISA-4r3:V-70365 The application must have the capability to mark sensitive/classified output when required. | - | - | - | - | - | - |
| DISA-4r3:V-70367 Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed. | - | - | - | - | - | - |
| DISA-4r3:V-70369 Application files must be cryptographically hashed prior to deploying to DoD operational networks. | - | - | - | - | - | - |
| DISA-4r3:V-70371 At least one tester must be designated to test for security flaws in addition to functional testing. | - | - | - | - | - | - |
| DISA-4r3:V-70373 Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. | - | - | - | - | - | - |
| DISA-4r3:V-70375 An application code review must be performed on the application. | - | - | - | - | - | - |
| DISA-4r3:V-70377 Code coverage statistics must be maintained for each release of the application. | - | - | - | - | - | - |
| DISA-4r3:V-70379 Flaws found during a code review must be tracked in a defect tracking system. | - | - | - | - | - | - |
| DISA-4r3:V-70381 The changes to the application must be assessed for IA and accreditation impact prior to implementation. | - | - | - | - | - | - |
| DISA-4r3:V-70383 Security flaws must be fixed or addressed in the project plan. | - | - | - | - | - | - |
| DISA-4r3:V-70385 The application development team must follow a set of coding standards. | - | - | - | - | - | - |
| DISA-4r3:V-70387 The designer must create and update the Design Document for each release of the application. | - | - | - | - | - | - |
| DISA-4r3:V-70389 Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. | - | - | - | - | - | - |
| DISA-4r3:V-70391 The application must not be subject to error handling vulnerabilities. | - | - | - | - | - | |
| DISA-4r3:V-70393 The application development team must provide an application incident response plan. | - | - | - | - | - | - |
| DISA-4r3:V-70395 All products must be supported by the vendor or the development team. | - | - | - | - | - | - |
| DISA-4r3:V-70397 The application must be decommissioned when maintenance or support is no longer available. | - | - | - | - | - | - |
| DISA-4r3:V-70399 Procedures must be in place to notify users when an application is decommissioned. | - | - | - | - | - | - |
| DISA-4r3:V-70401 Unnecessary built-in application accounts must be disabled. | - | - | - | - | - | - |
| DISA-4r3:V-70403 Default passwords must be changed. | - | - | - | - | - | - |
| DISA-4r3:V-70405 An Application Configuration Guide must be created and included with the application. | - | - | - | - | - | - |
| DISA-4r3:V-70407 If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. | - | - | - | - | - | - |
| DISA-4r3:V-70409 The designer must ensure uncategorized or emerging mobile code is not used in applications. | - | - | - | - | - | - |
| DISA-4r3:V-70411 Production database exports must have database administration credentials and sensitive data removed before releasing the export. | - | - | - | - | - | - |
| DISA-4r3:V-70413 Protections against DoS attacks must be implemented. | - | - | - | - | - | - |
| DISA-4r3:V-70415 The system must alert an administrator when low resource conditions are encountered. | - | - | - | - | - | - |
| DISA-4r3:V-70417 At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. | - | - | - | - | - | - |
| DISA-4r3:V-70419 The application must provide notifications or alerts when product update and security related patches are available. | - | - | - | - | - | - |
| DISA-4r3:V-70421 Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ. | - | - | - | - | - | - |
| DISA-4r3:V-70423 The application must generate audit records when concurrent logons from different workstations occur. | - | - | - | - | - | - |
| DISA-4r3:V-70425 The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. | - | - | - | - | - | - |
(STIG release date January 23, 2015)
A CSV version of this table is provided in DISA-3r10-mapping.csv
Mappings for Version 3, release 10 are available for C and C++ warning classes only.
| DISA-3r10 | C/C++ Warning Classes |
|---|---|
| DISA-3r10:V-6127 The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet)., CAC for NIPRNet). | - |
| DISA-3r10:V-6128 The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program. | - |
| DISA-3r10:V-6129 The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily. | - |
| DISA-3r10:V-6130 The designer will ensure the application has the capability to require account passwords that conform to DoD policy. | - |
| DISA-3r10:V-6131 The designer will ensure the application prevents the creation of duplicate accounts. | - |
| DISA-3r10:V-6132 The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 35 days. | - |
| DISA-3r10:V-6133 The IAO will ensure unnecessary built-in application accounts are disabled. | - |
| DISA-3r10:V-6134 The IAO will ensure default passwords are changed. | - |
| DISA-3r10:V-6135 The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner. | |
| DISA-3r10:V-6136 The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography. | |
| DISA-3r10:V-6137 The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. | |
| DISA-3r10:V-6138 The designer will ensure the application design includes audits on all access to need-to-know information and key application events. | - |
| DISA-3r10:V-6140 The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals. | - |
| DISA-3r10:V-6141 The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel. | - |
| DISA-3r10:V-6142 The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state. | - |
| DISA-3r10:V-6143 The designer will ensure the application executes with no more privileges than necessary for proper operation. | - |
| DISA-3r10:V-6144 The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application. | - |
| DISA-3r10:V-6145 If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification. | - |
| DISA-3r10:V-6146 The designer will ensure the application has the capability to mark sensitive/classified output when required. | - |
| DISA-3r10:V-6147 The Test Manager will ensure the application does not modify data files outside the scope of the application. | - |
| DISA-3r10:V-6148 The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered. | - |
| DISA-3r10:V-6149 The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. |
|
| DISA-3r10:V-6151 The IAO will ensure unnecessary services are disabled or removed. | - |
| DISA-3r10:V-6152 The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK" | - |
| DISA-3r10:V-6153 The designer will ensure the application removes authentication credentials on client computers after a session terminates. | - |
| DISA-3r10:V-6154 The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions. | - |
| DISA-3r10:V-6155 The designer will ensure the application provides a capability to terminate a session and log out. | - |
| DISA-3r10:V-6156 The designer will ensure the application does not contain embedded authentication data. | |
| DISA-3r10:V-6157 The designer will ensure the application does not contain invalid URL or path references. |
|
| DISA-3r10:V-6158 The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment. | - |
| DISA-3r10:V-6159 The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy. | - |
| DISA-3r10:V-6160 The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources. | - |
| DISA-3r10:V-6161 The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing. | - |
| DISA-3r10:V-6162 The designer will ensure uncategorized or emerging mobile code is not used in applications. | - |
| DISA-3r10:V-6163 The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated. | - |
| DISA-3r10:V-6164 The designer will ensure the application validates all input. | |
| DISA-3r10:V-6165 The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. |
|
| DISA-3r10:V-6166 The designer will ensure the application is not subject to error handling vulnerabilities. | |
| DISA-3r10:V-6167 The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state. | - |
| DISA-3r10:V-6168 The designer will ensure applications requiring server authentication are PK-enabled. | - |
| DISA-3r10:V-6169 The Program Manager and Designer will ensure the use of new IPs, data services, and associated ports used by the application are submitted to the appropriate approving authority for that organization, which in turn are submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM). | - |
| DISA-3r10:V-6170 The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process. | - |
| DISA-3r10:V-6171 The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery. | - |
| DISA-3r10:V-6172 The IAO will ensure data backup is performed at required intervals in accordance with DoD policy. | - |
| DISA-3r10:V-6173 The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. | - |
| DISA-3r10:V-6174 The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export. | - |
| DISA-3r10:V-6197 The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives. | - |
| DISA-3r10:V-6198 The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant. | - |
| DISA-3r10:V-7013 The designer will create and update the Design Document for each release of the application. | - |
| DISA-3r10:V-16773 The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements. | - |
| DISA-3r10:V-16775 The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels. | - |
| DISA-3r10:V-16776 The Program Manager will ensure the development team follows a set of coding standards. | - |
| DISA-3r10:V-16777 The Program Manager will ensure COTS IA and IA enabled products, comply with NIAP/NSA endorsed protection profiles. | - |
| DISA-3r10:V-16778 The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment. | - |
| DISA-3r10:V-16779 The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database. | - |
| DISA-3r10:V-16780 The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function. | - |
| DISA-3r10:V-16781 The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application. | - |
| DISA-3r10:V-16782 The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON). | - |
| DISA-3r10:V-16783 The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data's sensitivity. | - |
| DISA-3r10:V-16784 The designer will ensure the user interface services are physically or logically separated from data storage and management services. | - |
| DISA-3r10:V-16785 The designer will ensure the application supports detection and/or prevention of communication session hijacking. | - |
| DISA-3r10:V-16786 The designer will ensure the application installs with unnecessary functionality disabled by default. | - |
| DISA-3r10:V-16787 The designer will ensure the application follows the secure failure design principle. | - |
| DISA-3r10:V-16788 The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | - |
| DISA-3r10:V-16789 The designer will ensure private keys are accessible only to administrative users. | - |
| DISA-3r10:V-16790 The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts. | - |
| DISA-3r10:V-16791 The designer will ensure transaction based applications implement transaction rollback and transaction journaling. | - |
| DISA-3r10:V-16792 The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use. | - |
| DISA-3r10:V-16793 The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data. | |
| DISA-3r10:V-16794 The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters). | - |
| DISA-3r10:V-16795 The designer will ensure the application does not display account passwords as clear text. | - |
| DISA-3r10:V-16796 The designer will ensure the application transmits account passwords in an approved encrypted format. | |
| DISA-3r10:V-16797 The designer will ensure the application stores account passwords in an approved encrypted format. | |
| DISA-3r10:V-16798 The designer will ensure the application protects access to authentication data by restricting access to authorized users and services. | - |
| DISA-3r10:V-16799 The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default. | - |
| DISA-3r10:V-16800 The designer will ensure users' accounts are locked after three consecutive unsuccessful logon attempts within one hour. | - |
| DISA-3r10:V-16801 The designer will ensure locked users' accounts can only be unlocked by the application administrator. | - |
| DISA-3r10:V-16802 The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded. | - |
| DISA-3r10:V-16803 The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files. | - |
| DISA-3r10:V-16804 The designer will ensure the application does not rely solely on a resource name to control access to a resource. | |
| DISA-3r10:V-16806 The designer will ensure the web application assigns the character set on all web pages. | - |
| DISA-3r10:V-16807 The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database. | |
| DISA-3r10:V-16808 The designer will ensure the application is not vulnerable to integer arithmetic issues. |
|
| DISA-3r10:V-16809 The designer will ensure the application does not contain format string vulnerabilities. | |
| DISA-3r10:V-16810 The designer will ensure the application does not allow command injection. | |
| DISA-3r10:V-16811 The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities. | - |
| DISA-3r10:V-16812 The designer will ensure the application has no canonical representation vulnerabilities. | - |
| DISA-3r10:V-16813 The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism. | - |
| DISA-3r10:V-16814 The designer will ensure the application does not disclose unnecessary information to users. | - |
| DISA-3r10:V-16815 The designer will ensure the application is not vulnerable to race conditions. | |
| DISA-3r10:V-16816 The designer will ensure the application supports the creation of transaction logs for access and changes to the data. | - |
| DISA-3r10:V-16817 The designer will ensure the application has a capability to notify the user of important login information. | - |
| DISA-3r10:V-16818 The designer will ensure the application has a capability to display the user's time and date of the last change in data content. | - |
| DISA-3r10:V-16819 The designer will ensure development of new mobile code includes measures to mitigate the risks identified. | - |
| DISA-3r10:V-16820 The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months. | - |
| DISA-3r10:V-16822 The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization. | - |
| DISA-3r10:V-16823 The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process. | - |
| DISA-3r10:V-16824 The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing. | - |
| DISA-3r10:V-16825 The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation. | - |
| DISA-3r10:V-16826 The Test Manager will ensure tests plans and procedures are created and executed prior to each release of the application or updates to system patches. | - |
| DISA-3r10:V-16827 The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state. | - |
| DISA-3r10:V-16828 The Test Manager will ensure code coverage statistics are maintained for each release of the application. | - |
| DISA-3r10:V-16829 The Test Manager will ensure a code review is performed before the application is released. | - |
| DISA-3r10:V-16830 The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system. | - |
| DISA-3r10:V-16831 The IAO will ensure active vulnerability testing is performed. | - |
| DISA-3r10:V-16832 The Test Manager will ensure security flaws are fixed or addressed in the project plan. | - |
| DISA-3r10:V-16833 The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine. | - |
| DISA-3r10:V-16834 The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: 1) commercially accepted practices, (2) independent testing results, or (3) vendor literature. | - |
| DISA-3r10:V-16835 The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available. | - |
| DISA-3r10:V-16836 The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings. | - |
| DISA-3r10:V-16837 The IAO will ensure the application is decommissioned when maintenance or support is no longer available. | - |
| DISA-3r10:V-16838 Procedures are not in place to notify users when an application is decommissioned. | - |
| DISA-3r10:V-16839 The IAO will ensure protections against DoS attacks are implemented. | - |
| DISA-3r10:V-16840 The IAO will ensure the system alerts an administrator when low resource conditions are encountered. | - |
| DISA-3r10:V-16841 The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events. | - |
| DISA-3r10:V-16842 The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures. | - |
| DISA-3r10:V-16844 The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software. | - |
| DISA-3r10:V-16845 The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application. | - |
| DISA-3r10:V-16846 The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC). | - |
| DISA-3r10:V-16847 The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. | - |
| DISA-3r10:V-16848 The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy. | - |
| DISA-3r10:V-16849 The IAO will ensure the application's users do not use shared accounts. | - |
| DISA-3r10:V-16850 The IAO will ensure connections between the DoD enclave and the Internet or other public or commercial wide area networks require a DMZ. | - |
| DISA-3r10:V-19687 The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application. | - |
| DISA-3r10:V-19688 The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications. | - |
| DISA-3r10:V-19689 The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks. | - |
| DISA-3r10:V-19693 The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues. | - |
| DISA-3r10:V-19694 The IAO will ensure an XML firewall is deployed to protect web services. | - |
| DISA-3r10:V-19695 The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages. | - |
| DISA-3r10:V-19696 The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher. | - |
| DISA-3r10:V-19697 The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries. | - |
| DISA-3r10:V-19698 The designer and IAO will ensure UDDI publishing is restricted to authenticated users. | - |
| DISA-3r10:V-19699 The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users. | - |
| DISA-3r10:V-19700 The IAO will ensure if the UDDI registry contains sensitive information and read access to the UDDI registry is granted only to authenticated users. | - |
| DISA-3r10:V-19701 The designer will ensure SOAP messages requiring integrity, sign the following message elements: -Message ID -Service Request -Timestamp -SAML Assertion (optionally included in messages) | - |
| DISA-3r10:V-19702 The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times. | - |
| DISA-3r10:V-19703 The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions. | - |
| DISA-3r10:V-19704 The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion. | - |
| DISA-3r10:V-19705 The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary. | - |
| DISA-3r10:V-19706 The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles. | - |
| DISA-3r10:V-19707 The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport. | - |
| DISA-3r10:V-19708 The designer will ensure the application is compliant with IPv6 multicast addressing and features an IPv6 network configuration options as defined in RFC 4038. | - |
| DISA-3r10:V-19709 The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884. | - |
| DISA-3r10:V-21498 The designer will ensure the application is not vulnerable to XML Injection. | - |
| DISA-3r10:V-21500 The designer will ensure the application does not have CSRF vulnerabilities. | - |
| DISA-3r10:V-21519 The Program Manager will ensure all products are supported by the vendor or the development team. | - |
| DISA-3r10:V-22028 The designer shall use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | - |
| DISA-3r10:V-22029 The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion. | - |
| DISA-3r10:V-22030 The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. | - |
| DISA-3r10:V-22031 The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data. | - |
| DISA-3r10:V-22032 The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion. | - |
| DISA-3r10:V-47163 The release manager must ensure application files are cryptographically hashed prior to deploying to DoD operational networks. | - |
CodeSonar provides several predefined management report templates that allow you to automatically generate reports summarizing all the warnings from a particular analysis that are closely mapped to findings in one of the DISA STIG versions listed above.
| DISA Application Security and Development STIG version/release | Warning Class Category Report | Warning Class Category Severity Report |
|---|---|---|
| version 6, release 1 | DISA v6 r1 Report | DISA v6 r1 Severity Report |
| version 5, release 3 | DISA v5 r3 Report | DISA v5 r3 Severity Report |
| version 4, release 3 | DISA v4 r3 Report | DISA v4 r3 Severity Report |
| version 3, release 10 | DISA v3 r10 Report | DISA v3 r10 Severity Report |
You can generate any of these reports from the GUI Analysis page for the analysis of interest. For general instructions, see Task: Generate a Management Report.
CodeSonar ships with several taxonomy presets for DISA-related checks.
| disa |
Enables warning classes such that a given class C is
enabled if all of the following are true.
|
| disa_latest | As for disa, but with only the most recent version for which CodeSonar has mappings. For this version of CodeSonar, the most recent version is Version 6, Release 1 ( June 5, 2024). |
| disa_6r1 | As for disa, but with Version 6, Release 1 (June 5, 2024) only. |
| disa_5r3 | As for disa, but with Version 5, Release 3 (July 26, 2023) only. |
| disa_4r3 | As for disa, but with Version 4, Release 3 (April 28, 2017) only. |
| disa_3r10 | As for disa, but with Version 3 Release 10 (January 23, 2015) only. |
You can apply the disa preset to the CodeSonar build/analysis as shown in the following table.
| Command Line |
Specify -preset disa as part of your
build/analysis command. For example:
codesonar analyze MyProj -preset disa localhost:7340 make
|
|---|---|
| Define as a default preset | Copy disa.conf from $CSONAR/codesonar/presets/ to $CSONAR/codesonar/default_presets/. OR Use the CodeSonar Configuration Tool Modify Analysis Settings option. |
| Windows Build Wizard | Select disa from the Preset list on screen 2. |
| Eclipse Plug-In | Select disa from the Presets list in the Properties dialog. |
| Visual Studio Plug-In | Select disa from the Presets list in the Project Properties dialog. |
Use the same techniques to apply the other DISA-related presets.
To enable checks for all the warning classes associated with a specific DISA STIG Finding ID id, include the following in the project configuration file:
WARNING_FILTER += allow categories:"DISA-version:id"
For example:
WARNING_FILTER += allow categories:"DISA-4r3:V-70363"
To enable checks for several rule numbers, include several WARNING_FILTER lines of this form.
To enable a single warning class check, follow the instructions in the documentation for the corresponding warning class. Warning class documentation links are provided above.
To report problems with this documentation, please visit https://support.codesecure.com/.