SAF‐CLI Security Control Responses
| Associated NIST SP 800-53 Revision 5 Security Control Reference ID | General Security Control Requirement | General Security Control Implementation | SAF-CLI Security Control Response | WIP | Update | Associated Application Security & Development STIG Vulnerability ID |
|---|---|---|---|---|---|---|
| AC-02 f | Ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. | Establish an account management process. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222619 | |
| AC-02 (01) | The application must provide automated mechanisms for supporting account management functions. | Use automated processes and mechanisms for account management functions. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222407 | |
| AC-02 (02) | The application must automatically remove or disable temporary user accounts 72 hours after account creation. | Configure temporary accounts to be automatically removed or disabled after 72 hours after account creation. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222409 | |
| AC-02 (03) (d) | The application must automatically disable accounts after a 35 day period of account inactivity. | Design and configure the application to expire user accounts after 35 days of inactivity. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222411 | |
| AC-02 (03) (d) | Unnecessary application accounts must be disabled, or deleted. | Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222412 | |
| AC-02 (04) | The application must automatically audit account creation. | Configure the application to write a log entry when a new user account is created. At a minimum, ensure account name, date and time of the event are recorded. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222413 | |
| AC-02 (04) | The application must automatically audit account modification. | Configure the application to write a log entry when a user account is modified. At a minimum, ensure account name, date and time of the event are recorded. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222414 | |
| AC-02 (04) | The application must automatically audit account disabling actions. | Configure the application to write a log entry when a user account is disabled. At a minimum, ensure account name, date and time of the event are recorded. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222415 | |
| AC-02 (04) | The application must automatically audit account removal actions. | Configure the application to write a log entry when a user account is removed. At a minimum, ensure account name, date and time of the event are recorded. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222416 | |
| AC-02 (04) | The application must notify System Administrators and Information System Security Officers when accounts are created. | Configure the application to notify the system administrator and the ISSO when application accounts are created. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222417 | |
| AC-02 (04) | The application must notify System Administrators and Information System Security Officers when accounts are modified. | Configure the application to notify the system administrator and the ISSO when application accounts are modified. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222418 | |
| AC-02 (04) | The application must notify System Administrators and Information System Security Officers of account disabling actions. | Configure the application to notify the system administrator and the ISSO when application accounts are disabled. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222419 | |
| AC-02 (04) | The application must notify System Administrators and Information System Security Officers of account removal actions. | Configure the application to notify the system administrator and the ISSO when application accounts are removed. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222420 | |
| AC-02 (04) | The application must automatically audit account enabling actions. | Configure the application to write a log entry when a user account is enabled. At a minimum, ensure account name, date and time of the event are recorded. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222421 | |
| AC-02 (04) | The application must notify System Administrators and Information System Security Officers of account enabling actions. | Configure the application to notify the system administrator and the ISSO when application accounts are enabled. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222422 | |
| AC-02 (10) | Shared/group account credentials must be terminated when members leave the group. | Create a procedure for deleting either member accounts or the entire group account when members leave the group. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222408 | |
| AC-03 | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Design or configure the application to enforce access to application resources. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222425 | |
| AC-03 (04) | The application must enforce organization-defined discretionary access control policies over defined subjects and objects. | Design and configure the application to enforce discretionary access control policies. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222426 | |
| AC-04 | The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. | Configure the application to enforce data flow control in accordance with data flow control policies. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222427 | |
| AC-04 | The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | Configure the application to enforce data flow control in accordance with data flow control policies. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222428 | |
| AC-06 (04) | Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the organization DMZ. | Separate web server from other application tiers and place it on a separate network segment apart from the application and database servers in accordance with organization DMZ data access controls requirements. | The SAF-CLI is a command-line application with no database, therefore this requirement is not applicable. | 10/28/2024 | V-222620 | |
| AC-06 (08) | The application must execute without excessive account permissions. | Configure the application accounts with minimalist privileges. Do not allow the application to operate with admin credentials. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222430 | |
| AC-06 (09) | The application must audit the execution of privileged functions. | Configure the application to write log entries when privileged functions are executed. At a minimum, ensure the specific action taken, date and time of event are recorded. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222431 | |
| AC-06 (10) | The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Modify the application to limit access and prevent the disabling or circumvention of security safeguards. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222429 | |
| AC-07 a | The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. | Configure the application to enforce an account lock after 3 failed logon attempts occurring within a 15-minute window. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222432 | |
| AC-07 b | The application administrator must follow an approved process to unlock locked user accounts. | Create a standard approved process for unlocking locked application accounts which includes validating user identity prior to unlocking the account. Use that process when unlocking application user accounts. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222433 | |
| AC-08 a | The application must display an approved organization banner before granting access to the application. | Configure the application to present the approved organization banner prior to granting access to the application. | The organization is responsible for managing warning notifications on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222434 | |
| AC-08 b | The application must retain the approved organization banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | Configure the application to retain the approved organization banner until the user accepts the usage conditions prior to granting access to the application. | The organization is responsible for managing warning notifications on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222435 | |
| AC-08 c 1;AC-08 c 2;AC-08 c 3 | The publicly accessible application must display an approved organization banner before granting access to the application. | Configure the application to present the approved organization banner prior to granting access to the application. | The organization is responsible for managing warning notifications on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222436 | |
| AC-09 | The application must display the time and date of the users last successful logon. | Design and configure the application to display the date and time when the user was last successfully granted access to the application. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222437 | |
| AC-10 | The application must provide a capability to limit the number of logon sessions per user. | Design and configure the application to specify the number of logon sessions that are allowed per user. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222387 | |
| AC-12 | The application must clear temporary storage and cookies when the session is terminated. | Design and configure the application to clear sensitive data from cookies and local storage when the user logs out of the application. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222388 | |
| AC-12 | The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed. | Design and configure the application to terminate the non-privileged users session after 15 minutes of inactivity. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222389 | |
| AC-12 | The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. | Design and configure the application to terminate the admin users session after 10 minutes of inactivity. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222390 | |
| AC-12 (01) | Applications requiring user access authentication must provide a logoff capability for user initiated communication session. | Design and configure the application to provide all users with the capability to manually terminate their application session. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222391 | |
| AC-12 (02) | The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. | Design and configure the application to provide an explicit logoff message to users indicating a successful logoff has occurred upon user session termination. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222392 | |
| AC-16 a | The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. | Design and configure the application to assign data marking and ensure the marking is retained when the data is stored. | The organization is responsible for applying any organization-defined data markings as needed to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222393 | |
| AC-16 a | The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. | Design and configure the application to retain the data marking when processing data. | The organization is responsible for applying any organization-defined data markings as needed to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222394 | |
| AC-16 a | The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. | Design and configure the application to retain the data marking when transmitting data. | The organization is responsible for applying any organization-defined data markings as needed to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222395 | |
| AC-17 (02) | The application must implement organization-approved encryption to protect the confidentiality of remote access sessions. | Design and configure applications to use TLS encryption to protect the confidentiality of remote access sessions. | The organization is responsible for managing security of remote sessions to the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222396 | |
| AC-17 (02) | The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | Design and configure applications to use TLS encryption to protect the integrity of remote access sessions. | The organization is responsible for managing security of remote sessions to the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222397 | |
| AC-23 | Application data protection requirements must be identified and documented. | Identify and document the application data elements and the data protection requirements. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222423 | |
| AC-23 | The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. | Utilize and implement data mining protections when requirements specify it. | Achieved by employing the organization's data loss prevention tools to monitor for data mining activities. | 10/28/2024 | V-222424 | |
| AT-03 (03) | The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. | Provide application development/operational related security specific annual training for managers, designers, developers, and testers. | All training requirements are established and tracked by the organization. | 10/28/2024 | V-222673 | |
| AU-03 a | The application must log application shutdown events. | Configure the application or application server to record application shutdown events in the event logs. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222469 | |
| AU-03 a | The application must log destination IP addresses. | Configure the application to record the destination IP address of the remote system. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222470 | |
| AU-03 a | The application must log user actions involving access to data. | Identify the specific data elements requiring protection and audit access to the data. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222471 | |
| AU-03 a | The application must log user actions involving changes to data. | Configure the application to log all changes to application data. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222472 | |
| AU-03 b | The application must produce audit records containing information to establish when (date and time) the events occurred. | Configure the application or application server to include the date and the time of the event in the audit logs. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222473 | |
| AU-03 c | The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. | Configure the application to log which component, feature or functionality of the application triggered the event. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222474 | |
| AU-03 d | When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | Configure the application logs or the centralized log storage facility so the application name and the hosts hosting the application are uniquely identified in the logs. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222475 | |
| AU-03 e | The application must produce audit records that contain information to establish the outcome of the events. | Configure the application to include the outcome of application functions or events. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222476 | |
| AU-03 f | The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. | Configure the application to log the identity of the user and/or the process associated with the event. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222477 | |
| AU-03 (01) | The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | Configure the application to log the full text recording of privileged commands or the individual identities of group users. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222478 | |
| AU-03 (01) | The application must implement transaction recovery logs when transaction based. | Configure the application database to utilize transactional logging. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222479 | |
| AU-03 (02) | The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | Configure the application to utilize a centralized log management system that provides the capability to configure the content of audit records. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222480 | |
| AU-04 (01) | The application must off-load audit records onto a different system or media than the system being audited. | Configure the application to off-load audit records onto a different system as per approved schedule. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222481 | |
| AU-04 (01) | The application must be configured to write application logs to a centralized log repository. | Configure the application to utilize a centralized log repository and ensure the logs are off-loaded from the application system as quickly as possible. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222482 | |
| AU-05 a | The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Configure the application to send an alarm in the event the audit system has failed or is failing. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222485 | |
| AU-05 b | The application must shut down by default upon audit failure (unless availability is an overriding concern). | Configure the application to cease processing if the audit system fails or configure the application to continue logging in a manner that compensates for the audit failure. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222486 | |
| AU-05 (01) | The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | Configure the application to send an immediate alarm to the application admin/SA and the ISSO when the allocated log storage capacity exceeds 75% of usage or exceeds the capacity value the SA and ISSO have determined will provide adequate time to plan for capacity expansion. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222483 | |
| AU-05 (02) | Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. | Configure the log alerts to send an alarm when the audit system is in danger of failing or has failed. Configure the log alerts to be immediately sent to the application admin/SA and ISSO. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222484 | |
| AU-06 b | The ISSO must report all suspected violations of security policies in accordance with organization procedures. | Create and maintain a policy to report security violations. | Achieved by leveraging or adapting your organization's policies for reporting security violations. | 10/28/2024 | V-222623 | |
| AU-06 (04) | The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | Configure the application so all of the applications logs are available for review from one centralized location. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222487 | |
| AU-06 (10) | The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. | Establish a scheduled process for reviewing logs. Maintain a log or records of dates and times audit logs are reviewed. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222622 | |
| AU-07 a | The application must provide an audit reduction capability that supports on-demand audit review and analysis. | Configure the application to log to a centralized auditing capability that provides on-demand reports based on the filtered audit event data or design or configure the application to meet the requirement. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222490 | |
| AU-07 a | The application must provide an audit reduction capability that supports on-demand reporting requirements. | Configure the application to generate soft copy, hard copy and/or screen-based reports based on the selected filtered event data. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222489 | |
| AU-07 a | The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. | Configure the application to provide an audit reduction capability that supports forensic investigations. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222491 | |
| AU-07 a | The application must provide a report generation capability that supports on-demand audit review and analysis. | Design or configure the application to provide an immediate audit review capability or utilize a centralized utility designed for the purpose of on-demand log management and reporting. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222492 | |
| AU-07 a | The application must provide a report generation capability that supports on-demand reporting requirements. | Design or configure the application to provide an on-demand report generation capability or utilize a centralized utility designed for the purpose of on-demand log management and reporting. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222493 | |
| AU-07 a | The application must provide a report generation capability that supports after-the-fact investigations of security incidents. | Design or configure the application to provide after-the-fact report generation capability or utilize a centralized utility designed for the purpose of log management and reporting. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222494 | |
| AU-07 b | The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. | Configure the application to not alter original log content or time ordering of audit records. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222495 | |
| AU-07 b | The application must provide a report generation capability that does not alter original content or time ordering of audit records. | Configure and design the application to not modify source logs when filtering events. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222496 | |
| AU-07 (01) | The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. | Configure the application filters to search event logs based on defined criteria. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222488 | |
| AU-08 a | The applications must use internal system clocks to generate time stamps for audit records. | Configure the application to use the hosting systems internal clock for audit record generation. | This requirement is inherited from underlying operating system time functions. | 10/28/2024 | V-222497 | |
| AU-08 b | The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | Configure the application to leverage the underlying operating system as the time source when recording time stamps or design the application to ensure granularity of 1 second as the minimum degree of precision. | This requirement is inherited from underlying operating system time functions. | 10/28/2024 | V-222499 | |
| AU-08 b | The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | Configure the application to use the underlying system clock that maps to relevant UTC or GMT timezone. | This requirement is inherited from underlying operating system time functions. | 10/28/2024 | V-222498 | |
| AU-09 | The application must protect audit tools from unauthorized modification. | Configure the application to protect audit tools from unauthorized modifications. Limit users to roles that are assigned the rights to edit or update audit tools and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222504 | |
| AU-09 | The application must protect audit tools from unauthorized deletion. | Configure the application to protect audit tools from unauthorized deletions. Limit users to roles that are assigned the rights to edit or delete audit tools and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222505 | |
| AU-09 a | The application must protect audit information from any type of unauthorized read access. | Configure the application to protect audit data from unauthorized access. Limit users to roles that are assigned the rights to view, edit or copy audit data, and establish permissions that control access to the audit logs and audit configuration settings. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222500 | |
| AU-09 a | The application must protect audit information from unauthorized modification. | Configure the application to protect audit data from unauthorized modification and changes. Limit users to roles that are assigned the rights to edit audit data and establish permissions that control access to the audit logs and audit configuration settings. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222501 | |
| AU-09 a | The application must protect audit information from unauthorized deletion. | Configure the application to protect audit data from unauthorized deletion. Limit users to roles that are assigned the rights to delete audit data and establish permissions that control access to the audit logs and audit configuration settings. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222502 | |
| AU-09 a | The application must protect audit tools from unauthorized access. | Configure the application to protect audit data from unauthorized access. Limit users to roles that are assigned the rights to view, edit or copy audit data, and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222503 | |
| AU-09 (02) | The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | Configure application backup settings to backup application audit logs every 7 days. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222506 | |
| AU-09 (03) | The application must use cryptographic mechanisms to protect the integrity of audit information. | Configure the application to create an integrity check consisting of a cryptographic hash or one-way digest that can be used to establish the integrity when storing log files. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222507 | |
| AU-09 (03) | Application audit tools must be cryptographically hashed. | Cryptographically hash the audit tool files used by the application. Store and protect the generated hash values for future reference. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222508 | |
| AU-09 (03) | The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. | Establish a process to periodically check the audit tool cryptographic hashes to ensure the audit tools have not been tampered with. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222509 | |
| AU-10 | The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Configure the application to provide users with a non-repudiation function in the form of digital signatures when it is required by the organization or by the application design and architecture. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222438 | |
| AU-11 | The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. | Retain application audit log files for one year and five years for sources and methods intelligence data. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222621 | |
| AU-12 a | The application must provide audit record generation capability for the creation of session IDs. | Enable session ID creation event auditing. | The organization is responsible for managing shell sessions on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222441 | |
| AU-12 a | The application must provide audit record generation capability for the destruction of session IDs. | Enable session ID destruction event auditing. | The organization is responsible for managing shell sessions on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222442 | |
| AU-12 a | The application must provide audit record generation capability for the renewal of session IDs. | Design or reconfigure the application to log session renewal events on those application events that provide changes in the users privileges or permissions to the application. | The organization is responsible for managing shell sessions on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222443 | |
| AU-12 a | The application must not write sensitive data into the application logs. | Design or reconfigure the application to not write sensitive data to the logs. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222444 | |
| AU-12 a | The application must provide audit record generation capability for session timeouts. | Configure the application to record session timeout events in the logs. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222445 | |
| AU-12 a | The application must record a time stamp indicating when the event occurred. | Configure the application to record the time the event occurred when recording the event. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222446 | |
| AU-12 a | The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. | Configure the web application and/or the web server to log HTTP headers. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222447 | |
| AU-12 a | The application must provide audit record generation capability for connecting system IP addresses. | Configure the application or application server to log all connecting IP address information | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222448 | |
| AU-12 a | The application must record the username or user ID of the user associated with the event. | Configure the application to record the user ID of the user responsible for the log event entry. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222449 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to grant privileges occur. | Configure the application to audit successful and unsuccessful attempts to grant privileges. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222450 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to access security objects occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to access security objects. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222451 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to access security levels occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to access security levels. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222452 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to access protected categories of information. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222453 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. | Configure the application to audit successful and unsuccessful attempts to modify privileges. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222454 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to modify security objects. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222455 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to modify security levels. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222456 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to modify protected categories of information. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222457 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. | Configure the application to audit successful and unsuccessful attempts to delete privileges. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222458 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to delete security levels. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222459 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to delete database security objects. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222460 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | Configure the application to create an audit record for both successful and unsuccessful attempts to delete protected categories of information. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222461 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful logon attempts occur. | Configure the application or application server to write a log entry when successful and unsuccessful logon events occur. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222462 | |
| AU-12 c | The application must generate audit records for privileged activities or other system-level access. | Configure the application to write a log entry when privileged activities or other system-level events occur. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222463 | |
| AU-12 c | The application must generate audit records showing starting and ending time for user access to the system. | Configure the application or application server to record the start and end time of user session activity. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222464 | |
| AU-12 c | The application must generate audit records when successful/unsuccessful accesses to objects occur. | Configure the application to log successful and unsuccessful access to application objects. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222465 | |
| AU-12 c | The application must generate audit records for all direct access to the underlying hosting operating system. | Configure the application to log all direct access to the underlying hosting operating system. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222466 | |
| AU-12 c | The application must generate audit records for all account creations, modifications, disabling, and termination events. | Configure the application to log user account creation, modification, disabling, and termination events. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222467 | |
| AU-12 c | The application must generate audit records when concurrent logons from different workstations occur. | Configure the application to log concurrent logons from different workstations. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222672 | |
| AU-12 (01) | For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. | Configure the application to correlate time stamps when aggregating audit records. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222439 | |
| AU-14 (01) | The application must initiate session auditing upon startup. | Configure the application to begin logging application events as soon as the application starts up. | All SAF-CLI activity is simply reported to the 'standard out' of the shell environment from which it is invoked. The organization can choose how to locally store and copy this data to the organization's centralized logging system to retain, protect, search, report and review user and application account activities. | 10/28/2024 | V-222468 | |
| CA-02 (02) | The ISSO must ensure active vulnerability testing is performed. | Perform active vulnerability and fuzz testing of the application. Verify the vulnerability scanning tool is configured to test all application components and functionality. Address discovered vulnerabilities. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning. https://github.com/mitre/saf/security | 10/28/2024 | V-222624 | |
| CM-04 (02) | Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | Develop web services to account for deadlock issues. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222625 | |
| CM-05 | The designer must ensure the application does not store configuration and control files in the same directory as user data. | Separate the application user data into a different directory than the application code and user file permissions to restrict user access to application configuration settings. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222626 | |
| CM-05 (01) | The application must audit who makes configuration changes to the application. | Configure the application to create log entries that can be used to identify the user accounts that make application configuration changes. | There are no SAF-CLI components for the purposes of initiating changes, including upgrades and modifications. The only way to modify the configuration is through the code development process via Github. | 10/28/2024 | V-222512 | |
| CM-05 (01) (a) | The application must enforce access restrictions associated with changes to application configuration. | Configure the application to limit access to configuration settings to only authorized users. | There are no SAF-CLI components for the purposes of initiating changes, including upgrades and modifications. The only way to modify the configuration is through the code development process via Github. | 10/28/2024 | V-222511 | |
| CM-05 (03) | The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. | Design and configure the application to have the capability to prevent unsigned patches and packages from being installed. Provide a cryptographic hash value that can be verified by a system administrator prior to installation. | There are no SAF-CLI components for the purposes of initiating changes, including upgrades and modifications. The only way to modify the configuration is through the code development process via Github. | 10/28/2024 | V-222513 | |
| CM-05 (06) | The applications must limit privileges to change the software resident within software libraries. | Configure the application OS file permissions to restrict access to software libraries and configure the application to restrict user access regarding software library update functionality to only authorized users or processes. | SAF-CLI does not provide user roles access to change software components of the application. | 10/28/2024 | V-222514 | |
| CM-06 a | The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. | Configure the application according to the product STIG or when a STIG is not available, utilize: - commercially accepted practices, - independent testing results, or - vendor literature and lock down guides. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning. https://github.com/mitre/saf/security Additionally, the application is following applicable Application Security and Development STIG requirements and vendor best practices. | 10/28/2024 | V-222627 | |
| CM-06 b | The application must have a process, feature or function that prevents removal or disabling of emergency accounts. | Identify accounts that are created in an emergency situation and ensure procedures or processes are in place to prevent disabling or deleting the account while the emergency is underway. | The organization is responsible for managing accounts, access rights, and auditing on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222410 | |
| CM-06 b | An application vulnerability assessment must be conducted. | Configure the application vulnerability scanners to test all components of the application, conduct vulnerability scans on a regular basis and remediate identified issues. Retain scan results for compliance verification. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning. https://github.com/mitre/saf/security | 10/28/2024 | V-222515 | |
| CM-07 a | The application must be configured to disable non-essential capabilities. | Disable extraneous application functionality that is not required in order to fulfill the application's mission. | SAF-CLI is configured with minimum components required for functionality. | 10/28/2024 | V-222518 | |
| CM-07 b | The application must be configured to use only functions, ports, and protocols permitted to it in the organization. | Configure the application to utilize application ports approved by the organization. | SAF-CLI uses only those services, ports and protocols required for secure functionality. | 10/28/2024 | V-222519 | |
| CM-07 (02) | The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | Restrict application execution in accordance with the policy, terms, and conditions specified. | SAF-CLI uses only those services, ports and protocols required for secure functionality. | 10/28/2024 | V-222516 | |
| CM-07 (03) | New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization. | Verify the accreditation documentation lists all interfaces and the ports, protocols, and services used. Verify that all ports, protocols, and services are used in accordance with organizational policy. | SAF-CLI uses only those services, ports and protocols required for secure functionality. | 10/28/2024 | V-222628 | |
| CM-07 (03) | The application's ports and protocols must be registered with the organization's approval process. | Register the application ports and protocols with the organization's approval process. | SAF-CLI uses only those services, ports and protocols required for secure functionality. | 10/28/2024 | V-222629 | |
| CM-07 (05) (b) | The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. | Configure the application to utilize a deny-all, permit-by-exception policy when allowing the execution of authorized software. | SAF-CLI uses only those services, ports and protocols required for secure functionality. | 10/28/2024 | V-222517 | |
| CM-09 b | Access privileges to the Configuration Management (CM) repository must be reviewed every three months. | Review access privileges to the CM repository at least every three months. | Access controls to the SAF-CLI master GitHub repository are maintained. Access controls to forks or clones of this repository are the responsibility of the organization maintaining the copy. | 10/28/2024 | V-222631 | |
| CM-09 b | A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established. | Setup and maintain a Configuration Control Board. | The CCB of the SAF-CLI master GitHub repository is established. The CCB of forks or clones of this repository are the responsibility of the organization maintaining the copy. | 10/28/2024 | V-222633 | |
| CM-09 b | The Configuration Management (CM) repository must be properly patched and STIG compliant. | Patch the CM system when new security patches are made available and apply the relevant STIGs. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. The application is following this Application Security & Development STIG and using vendor best practices. At- and post-deployment, it is the responsibility of the organization to update it to the latest release of SAF-CLI code, as well as apply patches to the underlying operating system and database. | 10/28/2024 | V-222630 | |
| CM-09 b | A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. | Create and update a SCM plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization. Configure CMR to comply. | The SCM of the SAF-CLI master GitHub repository is maintained. The SCM of forks or clones of this repository are the responsibility of the organization maintaining the copy. | 10/28/2024 | V-222632 | |
| CM-11 (02) | The application must prohibit user installation of software without explicit privileged status. | Configure the application to prohibit user installation of software without explicit permission. | SAF-CLI does not provide the ability to install software components, modules, plugins, or extensions, hence this requirement is not applicable. | 10/28/2024 | V-222510 | |
| CP-02 a 1 | A disaster recovery/continuity plan must exist in accordance with organization policy based on the applications availability requirements. | Create and maintain the disaster recovery/continuity plan. | Inherited as it is the responsibility of the deploying organization/user to ensure compliance with this requirement. | 10/28/2024 | V-222636 | |
| CP-02 a 2 | Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery. | Create and maintain a disaster recovery plan. | Inherited as it is the responsibility of the deploying organization/user to ensure compliance with this requirement. | 10/28/2024 | V-222637 | |
| CP-02 (08) | The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO. | Deploy mission critical applications on servers that are not shared by other less critical applications. | Inherited as it is the responsibility of the deploying organization/user to ensure compliance with this requirement. | 10/28/2024 | V-222635 | |
| CP-09 (b) | Data backup must be performed at required intervals in accordance with organization policy. | Develop and implement backup procedures based on risk level of the system and in accordance with organization policy. | Inherited as it is the responsibility of the deploying organization/user to ensure compliance with this requirement. | 10/28/2024 | V-222638 | |
| CP-09 (d) | Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite). | Store a back-up copy of the application software and source code in a fire-rated container or store it separately (offsite) from their respective environments. | Inherited as it is the responsibility of the deploying organization/user to ensure compliance with this requirement. | 10/28/2024 | V-222639 | |
| CP-09 (d) | Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. | Develop and implement procedures to insure that backup and restoration assets are properly protected and stored in an area/location where it is unlikely they would be affected by an event that would affect the primary assets. | Inherited as it is the responsibility of the deploying organization/user to ensure compliance with this requirement. | 10/28/2024 | V-222640 | |
| IA-02 | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Configure the application to uniquely identify and authenticate users and user processes. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222522 | |
| IA-02 (01) | The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | Configure the application to use an Alt. Token when providing network access to privileged application accounts. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222523 | |
| IA-02 (02) | The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | Configure the application to require CAC or Alt. Token authentication for non-privileged network access to non-privileged accounts. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222526 | |
| IA-02 (03) | The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | Configure the application to only use Alt. Tokens when locally accessing privileged application accounts. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222527 | |
| IA-02 (04) | The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts. | Configure the application to require CAC or Alt. Token authentication for non-privileged network access. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222528 | |
| IA-02 (05) | The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | Design and configure the application to individually authenticate group account members prior to allowing access. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222529 | |
| IA-02 (08) | The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. | Design and configure the application to utilize replay-resistant mechanisms when authenticating privileged accounts. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222530 | |
| IA-02 (09) | The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | Design and configure the application to utilize replay-resistant mechanisms when authenticating non-privileged accounts. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222531 | |
| IA-02 (12) | The application must accept Personal Identity Verification (PIV) credentials. | Configure the application to require CAC authentication. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222524 | |
| IA-02 (12) | The application must electronically verify Personal Identity Verification (PIV) credentials. | Configure the application to require CAC authentication. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222525 | |
| IA-03 | The application must utilize mutual authentication when endpoint device non-repudiation protections are required by organization policy or by the data owner. | Configure the application to utilize mutual authentication when specified by data protection requirements. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222532 | |
| IA-03 | The application must authenticate all network connected endpoint devices before establishing any connection. | Configure the application to authenticate all network connected endpoint devices/service consumers before establishing connections. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222533 | |
| IA-03 (01) | Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. | Configure the application to utilize mutual authentication when the application is processing non-releasable data. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222534 | |
| IA-04 e | The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. | Configure the application to disable device accounts after 35 days of inactivity or to utilize DoD PKI certificates that provide an expiration date. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222535 | |
| IA-05 h | The application password must not be changeable by users other than the administrator or the user with which the password is associated. | Ensure users are only allowed to change their own passwords. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222548 | |
| IA-05 (01) (a) | The application must enforce password complexity by requiring that at least one upper-case character be used. | Configure the application to require at least one upper-case character in the password. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222537 | |
| IA-05 (01) (a) | The application must enforce password complexity by requiring that at least one lower-case character be used. | Configure the application to require at least one lower-case character in the password. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222538 | |
| IA-05 (01) (a) | The application must enforce password complexity by requiring that at least one numeric character be used. | Configure the application to require at least one numeric character in the password. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222539 | |
| IA-05 (01) (a) | The application must enforce a minimum 15-character password length. | Configure the application to require 15 characters in the password. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222536 | |
| IA-05 (01) (a) | The application must enforce password complexity by requiring that at least one special character be used. | Configure the application to require at least one special character in the password. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222540 | |
| IA-05 (01) (b) | The application must require the change of at least 8 of the total number of characters when passwords are changed. | Configure the application to require the change of at least 8 characters in the password when passwords are changed. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222541 | |
| IA-05 (01) (c) | The application must only store cryptographic representations of passwords. | Use strong cryptographic hash functions when creating password hash values. Utilize random salt values when creating the password hash. Ensure strong access control permissions on data files containing authentication data. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222542 | |
| IA-05 (01) (c) | The application must transmit only cryptographically-protected passwords. | Configure the application to encrypt passwords when they are being transmitted. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222543 | |
| IA-05 (01) (d) | The application must enforce 24 hours/1 day as the minimum password lifetime. | Configure the application to have a minimum password lifetime of 24 hours. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222544 | |
| IA-05 (01) (d) | The application must enforce a 60-day maximum password lifetime restriction. | Configure the application to have a maximum password lifetime of 60 days. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222545 | |
| IA-05 (01) (e) | The application must prohibit password reuse for a minimum of five generations. | Configure the application to prohibit password reuse for up to 5 passwords. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222546 | |
| IA-05 (01) (f) | The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. | Configure the application to specify when a password is temporary and change the temporary password on the first use. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222547 | |
| IA-05 (02) (a) (01) | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Configure the application or relevant access control mechanism to enforce authorized access to the application private key(s). | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222551 | |
| IA-05 (02) (a) (02) | The application must map the authenticated identity to the individual user or group account for PKI-based authentication. | Configure the application to map certificate information to individual users or group accounts or create a process for automatically determining the individual user or group based on certificate information provided in the logs. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222552 | |
| IA-05 (02) (b) (01) | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Design the application to construct a certification path to an accepted trust anchor when using PKI-based authentication. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222550 | |
| IA-05 (02) (d) | The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Implement a Certificate Revocation List (CRL) import process and configure the application to check the CRL if OCSP is not available. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222553 | |
| IA-05 (06) | The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | Use encryption for key exchange. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222641 | |
| IA-05 (07) | The application must not contain embedded authentication data. | Remove embedded authentication data stored in code, configuration files, scripts, HTML file, or any ASCII files. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222642 | |
| IA-05 (13) | The application must terminate existing user sessions upon account deletion. | Configure the application to terminate existing sessions of users whose accounts are deleted. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222549 | |
| IA-06 | The application must not display passwords/PINs as clear text. | Configure the application to obfuscate passwords and PINs when they are being entered so they cannot be read. Design the application so obfuscated passwords cannot be copied and then pasted as clear text. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222554 | |
| IA-07 | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Use FIPS-approved cryptographic modules. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222555 | |
| IA-08 | The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Configure the application to identify and authenticate all non-organizational users. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222556 | |
| IA-08 (01) | The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. | Configure the application to accept PIV credentials when utilizing authentication provided by Federal (Non-DoD) agencies. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222557 | |
| IA-08 (01) | The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. | Configure the application to verify the PIV credentials presented when utilizing authentication provided by Federal (Non-DoD) agencies. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222558 | |
| IA-08 (02) | The application must accept FICAM-approved third-party credentials. | Configure applications intended to be accessible to non-federal government agencies to use FICAM-approved third-party credentials. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222559 | |
| IA-08 (04) | The application must conform to FICAM-issued profiles. | Configure the application to conform to FICAM-issued technical profiles when providing services that rely on external (Federal Government) identity providers. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222560 | |
| IA-11 | The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Configure the application to require reauthentication before user privilege is escalated and user roles are changed. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222520 | |
| IA-11 | The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. | Configure the application to require reauthentication periodically. | The organization is responsible for managing identifying and authenticating organizational users and processes acting on before of organizational users on the operating system on which the SAF-CLI is installed. The organization is also responsible for restricting how users must maintain their authentication credentials. The SAF-CLI does not perform this function. | 10/28/2024 | V-222521 | |
| MA-04 c | The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | Configure the application to use strong authentication when accessing the application for maintenance purposes. | SAF-CLI does not provide any non-local maintenance and diagnostic capability, this requirement is not applicable. | 10/28/2024 | V-222565 | |
| MA-04 e | The application must terminate all sessions and network connections when non-local maintenance is completed. | Configure the application to expire idle user sessions after 10 minutes of inactivity for admin users and after 15 minutes of inactivity for regular users. | SAF-CLI does not provide any non-local maintenance and diagnostic capability, this requirement is not applicable. | 10/28/2024 | V-222566 | |
| MA-04 (01) (a) | Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. | Configure the application to log when application maintenance functionality is executed remotely. | SAF-CLI does not provide any non-local maintenance and diagnostic capability, this requirement is not applicable. | 10/28/2024 | V-222561 | |
| MA-04 (06) | Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. | Configure the application to encrypt remote application maintenance sessions. | SAF-CLI does not provide any non-local maintenance and diagnostic capability, this requirement is not applicable. | 10/28/2024 | V-222562 | |
| MA-04 (06) | Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. | Configure the application to encrypt remote application maintenance sessions. | SAF-CLI does not provide any non-local maintenance and diagnostic capability, this requirement is not applicable. | 10/28/2024 | V-222563 | |
| MA-04 (07) | Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. | Configure the application to verify termination of remote maintenance sessions. | SAF-CLI does not provide any non-local maintenance and diagnostic capability, this requirement is not applicable. | 10/28/2024 | V-222564 | |
| MP-03 a | The application must have the capability to mark sensitive/classified output when required. | Enable the application to adequately mark sensitive/classified output. | The organization is responsible for managing classification and warning banners on the operating system on which the SAF-CLI is installed. The SAF-CLI does not perform this function. | 10/28/2024 | V-222643 | |
| PM-14 a 2 | Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed. | Execute tests plans prior to release or patch update. | Automated unit, functional, and integration testing occurs before and after each release. See .GitHub/workflow folder within the source code for related job definitions | 10/28/2024 | V-222644 | |
| SA-04 (05) (a) | Default passwords must be changed. | Configure the application to use strong authenticators instead of passwords when possible. Otherwise, change default passwords to a DoD-approved strength password and follow all guidance for passwords. | SAF-CLI does not implement default passwords | 10/28/2024 | V-222662 | |
| SA-04 (05) (a) | Unnecessary built-in application accounts must be disabled. | Disable unnecessary built-in userids, use other strong authentication when possible and use strong passwords if accounts are necessary for application operation. | SAF-CLI does not implement built-in userids | 10/28/2024 | V-222661 | |
| SA-05 a 1 | If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. | Create and maintain a security classification guide. | This requirement is the responsibility of the organization deploying instances of SAF-CLI. | 10/28/2024 | V-222664 | |
| SA-05 a 1 | An Application Configuration Guide must be created and included with the application. | Create the application configuration guide in accordance with configuration examples provided in the vulnerability discussion and check. Verify the application configuration guide is distributed along with the application. | Documentation for configuration and deployment is provided at the primary GitHub repository for SAF-CLI. | 10/28/2024 | V-222663 | |
| SA-10 (01) | Application files must be cryptographically hashed prior to deploying to organization operational networks. | Developers/release managers create cryptographic hash values of application files and/or application packages prior to transitioning the application from test to a production environment. They protect cryptographic hash information so it cannot be altered and make a read copy of the hash information available to application Admins so they can validate application packages and files after they download the files. Application Admins validate cryptographic hashes prior to deploying the application to production. | Organization is responsible for cryptographically hashing application files prior to deploying on organization networks. | 10/28/2024 | V-222645 | |
| SA-11 b | The changes to the application must be assessed for IA and accreditation impact prior to implementation. | Review IA impact to the system prior to implementing changes. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222651 | |
| SA-11 e | The application must not be vulnerable to race conditions. | Be aware of potential timing issues related to application programming calls when designing and building the application. Validate that variable values do not change while a switch event is occurring. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning. https://github.com/mitre/saf/security | 10/28/2024 | V-222567 | |
| SA-11 e | Security flaws must be fixed or addressed in the project plan. | Address security flaws within a project plan to ensure they are tracked and addressed by management. | Users are encouraged to submit security issues to the application developers [email protected] as well as submit issues on GitHub | 10/28/2024 | V-222652 | |
| SA-11 (02) | At least one tester must be designated to test for security flaws in addition to functional testing. | Designate personnel to conduct security testing on the applications. | Automated unit, functional, and integration testing occurs before and after each release. | 10/28/2024 | V-222646 | |
| SA-11 (02) | Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. | Create test procedures to test the security state of the application and exercise test procedures annually. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222647 | |
| SA-11 (04) | An application code review must be performed on the application. | Conduct and document code reviews on the application during development and identify and remediate all known and potential security vulnerabilities prior to releasing the application. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222648 | |
| SA-11 (04) | Code coverage statistics must be maintained for each release of the application. | Track application testing and maintain statistics that show how much of the application function was tested. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222649 | |
| SA-11 (08) | Flaws found during a code review must be tracked in a defect tracking system. | Track software defects in a defect tracking system. | All issues found during code review of primary SAF-CLI repository are logged as issues in GitHub. The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222650 | |
| SA-15 a | The application development team must follow a set of coding standards. | Create and maintain a coding standard process and documentation for developers to follow. Include programming best practices based on the languages being used for application development. Include items that should be standardized across the team that that deal with how developers write their application code. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222653 | |
| SA-15 (04) | Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. | Establish and maintain threat models and review for each application release and when new threats are discovered. Identify potential mitigations to identified threats. Verify mitigations are implemented to threats based on their risk analysis. | Threat model documentation and implementation of mitigations is the responsibility of the deploying organization. | 10/28/2024 | V-222655 | |
| SA-15 (05) | The application must not be subject to error handling vulnerabilities. | Ensure proper return code and exception handling is implemented throughout the application. | SAF-CLI has automated testing, code reviews, and vulnerability testing to ensure proper return code and exception handling is implemented. | 10/28/2024 | V-222656 | |
| SA-15 (10) | The application development team must provide an application incident response plan. | The development team creates an application incident response plan documenting and establishing a process that at a minimum: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues. | All issues found during code review of primary SAF-CLI repository are logged as issues in GitHub. The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. Manual code review is also accomplished via peer review, as well as paired programming throughout code development. | 10/28/2024 | V-222657 | |
| SA-22 a | All products must be supported by the vendor or the development team. | Remove or decommission all unsupported software products in the application. | SAF-CLI is supported by the development team at the primary GitHub repository. | 10/28/2024 | V-222658 | |
| SA-22 a | The application must be decommissioned when maintenance or support is no longer available. | Ensure there is maintenance for the application. | SAF-CLI is supported by the development team at the primary GitHub repository. | 10/28/2024 | V-222659 | |
| SA-22 b | Procedures must be in place to notify users when an application is decommissioned. | Create and establish procedures to notify users when an application is decommissioned. | SAF-CLI maintains a list of supported versions on GitHub | 10/28/2024 | V-222660 | |
| SC-02 | The application user interface must be either physically or logically separated from data storage and management interfaces. | Configure the application so user interface to the application and management interface to the application is separated. | The SAF-CLI is a command-line application with no separate management interface, therefore this requirement is not applicable. | 10/28/2024 | V-222574 | |
| SC-03 | The application must isolate security functions from non-security functions. | Implement controls within the application that limits access to security configuration functionality and isolates regular application function from security-oriented function. | The SAF-CLI is a command-line application with no separate security functions, therefore this requirement is not applicable. | 10/28/2024 | V-222590 | |
| SC-04 | Applications must prevent unauthorized and unintended information transfer via shared system resources. | Configure or design the application to utilize a security control that will implement a boundary that will prevent unauthorized and unintended information transfer via shared system resources. | SAF-CLI does not share information resources via file sharing protocol, nor does it include configuration settings that provide access to data files on the hard drive. | 10/28/2024 | V-222592 | |
| SC-05 | Protections against DoS attacks must be implemented. | Implement mitigations from the threat model for DOS attacks. | Threat model documentation and implementation of mitigations is the responsibility of the deploying organization. | 10/28/2024 | V-222667 | |
| SC-05 (01) | The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | Design and deploy the application to utilize controls that will prevent the application from being affected by DoS attacks or being used to attack other systems. This includes but is not limited to utilizing throttling techniques for application traffic such as QoS or implementing logic controls within the application code itself that prevents application use that results in network or system capabilities being exceeded. | DoS protection is dependent on the user-configuration of network protections within their organization. | 10/28/2024 | V-222594 | |
| SC-05 (02) | The web service design must include redundancy mechanisms when used with high-availability systems. | Build the application to address issues that are found in a redundant environment and utilize redundancy mechanisms to provide high availability. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222595 | |
| SC-07 (13) | Connections between the organization enclave and the Internet or other public or commercial wide area networks must require a DMZ. | Setup a DMZ between organization and public networks. | DMZ configuration is the responsibility of the deploying organization. | 10/28/2024 | V-222671 | |
| SC-08 | The application must protect the confidentiality and integrity of transmitted information. | Configure all of the application systems to require TLS encryption in accordance with data protection requirements. | When the SAF-CLI is used to access APIs to retrieve data for conversion, the user must ensure they provide a secure URL to the API. | 10/28/2024 | V-222596 | |
| SC-08 (01) | The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | Configure the application to use cryptographic protections to prevent unauthorized disclosure of application data based upon the application architecture. | When the SAF-CLI is used to access APIs to retrieve data for conversion, the user must ensure they provide a secure URL to the API. | 10/28/2024 | V-222597 | |
| SC-08 (02) | The application must maintain the confidentiality and integrity of information during preparation for transmission. | Configure all of the application systems to require TLS encryption. | When the SAF-CLI is used to access APIs to retrieve data for conversion, the user must ensure they provide a secure URL to the API. | 10/28/2024 | V-222598 | |
| SC-08 (02) | The application must not disclose unnecessary information to users. | Configure the application to not display technical details about the application architecture on error events. | The error handlers for users is set to only pass along relevant information. | 10/28/2024 | V-222600 | |
| SC-08 (02) | The application must not store sensitive information in hidden fields. | Design and configure the application to not store sensitive information in hidden fields. | Sensitive information is not stored in hidden fields. | 10/28/2024 | V-222601 | |
| SC-08 (02) | The application must maintain the confidentiality and integrity of information during reception. | Configure all of the application systems to require TLS encryption. | When the SAF-CLI is used to access APIs to retrieve data for conversion, the user must ensure they provide a secure URL to the API. | 10/28/2024 | V-222599 | |
| SC-10 | The application must terminate all network connections associated with a communications session at the end of the session. | Configure or design the application to terminate application network sessions at the end of the session. | There are no open connections to and from other systems as part of the SAF-CLI design and function. | 10/28/2024 | V-222568 | |
| SC-13 b | The application must utilize FIPS-validated cryptographic modules when signing application components. | Utilize FIPS-validated algorithms when signing application components. | At this time, it is unclear if all packages created via Github Actions at the primary SAF-CLI repository are signed using FIPS 140-2 validated cryptographic modules. | 10/28/2024 | V-222570 | |
| SC-13 b | The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | Configure the application to use a FIPS-validated hashing algorithm when creating a cryptographic hash. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222571 | |
| SC-13 b | The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. | Configure the application to use a FIPS-validated cryptographic module. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222572 | |
| SC-13 b | The application must implement organization-approved cryptography to protect sensitive organization information. | Configure application to encrypt stored sensitive mission information | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-254803 | |
| SC-18 (01) | Unsigned Category 1A mobile code must not be used in the application. | Configure the application so Category 1A mobile code is signed. | SAF-CLI does not use mobile code. | 10/28/2024 | V-222618 | |
| SC-18 (02) | The designer must ensure uncategorized or emerging mobile code is not used in applications. | Remove uncategorized or emerging mobile code from the application or obtain a waiver and risk acceptance to operate. | SAF-CLI does not contain any uncategorized mobile code. | 10/28/2024 | V-222665 | |
| SC-23 | The application must set the HTTPOnly flag on session cookies. | Configure the application to set the HTTPOnly flag on session cookies. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222575 | |
| SC-23 | The application must set the secure flag on session cookies. | Configure the application to ensure the secure flag is set on session cookies. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222576 | |
| SC-23 | The application must not expose session IDs. | Configure the application to protect session IDs from interception or from manipulation. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222577 | |
| SC-23 (01) | The application must destroy the session ID value and/or cookie on logoff or browser close. | Configure the application to destroy session ID cookies once the application session has terminated. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222578 | |
| SC-23 (03) | The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. | Configure the application to use FIPS 140-2-validated cryptographic modules when the application implements encryption, key exchange, digital signatures, random number generators, and hash functionality. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222583 | |
| SC-23 (03) | Applications must use system-generated session identifiers that protect against session fixation. | Design the application to generate new session IDs with unique values when authenticating user sessions. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222579 | |
| SC-23 (03) | Applications must validate session identifiers. | Configure the application to configure user session identifiers. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222580 | |
| SC-23 (03) | Applications must not use URL embedded session IDs. | Configure the application to transmit session ID information via cookies. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222581 | |
| SC-23 (03) | The application must not re-use or recycle session IDs. | Design the application to not re-use session IDs. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222582 | |
| SC-23 (05) | The application must only allow the use of organization-approved certificate authorities for verification of the establishment of protected sessions. | Configure the application to utilize organization-approved PKI established CAs when verifying organization-signed certificates. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222584 | |
| SC-24 | The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Fix any vulnerability found when the application is an insecure state (initialization, shutdown and aborts). | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222585 | |
| SC-24 | In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | Create operational configuration documentation that identifies information needed for the application to return back into service or specify no such data is required, and retain data required to determine root cause of application failures. | The SAF-CLI will report to 'standard out' any errors that lead to a crash. | 10/28/2024 | V-222586 | |
| SC-28 | The application must protect the confidentiality and integrity of stored information when required organization policy or the information owner. | Identify data elements that require protection. Document the data types and specify protection requirements and methods used. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222587 | |
| SC-28 (01) | The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | Identify data elements that require protection. Document the data types and specify encryption requirements. Encrypt data according to DoD policy or data owner requirements. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222588 | |
| SC-28 (01) | The application must use appropriate cryptography in order to protect stored organization information when required by the information owner or organization policy. | Identify data elements that require protection. Document the data types and specify encryption requirements. Encrypt organization data using organization-approved encryption solutions. | The organization is responsible for identifying and documenting protection requirements for input data, command-line arguments provided to the SAF-CLI and to the data produced by the SAF-CLI. The SAF-CLI does not perform this function. | 10/28/2024 | V-222589 | |
| SC-28 (02) | Production database exports must have database administration credentials and sensitive data removed before releasing the export. | Remove sensitive data from production database exports. | The SAF-CLI is a command-line application with no database, therefore this requirement is not applicable. | 10/28/2024 | V-222666 | |
| SC-39 | The application must maintain a separate execution domain for each executing process. | Design and configure applications to maintain a separate execution domain for each executing process. | The SAF-CLI is a command-line application with no web application and/or web server, therefore this requirement is not applicable. | 10/28/2024 | V-222591 | |
| SI-02 c | Security-relevant software updates and patches must be kept up to date. | Check for application updates at least weekly and apply patches immediately or in accordance with POA&Ms, IAVMs, CTOs, DTMs or other authoritative patching guidelines or sources. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. The application is following this Application Security & Development STIG and using vendor best practices. At- and post-deployment, it is the responsibility of the organization to update it to the latest release of SAF-CLI code, as well as apply patches to the underlying operating system. | 10/28/2024 | V-222614 | |
| SI-02 (06) | The application must remove organization-defined software components after updated versions have been installed. | Configure or design the application to remove old components when updating. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. The application is following this Application Security & Development STIG and using vendor best practices. At- and post-deployment, it is the responsibility of the organization to update it to the latest release of SAF-CLI code, as well as apply patches to the underlying operating system. | 10/28/2024 | V-222613 | |
| SI-04 (12) | The system must alert an administrator when low resource conditions are encountered. | Implement mechanisms to alert system administrators about a low resource condition. | Management of low resource conditions are the responsibility of the deploying organization. | 10/28/2024 | V-222668 | |
| SI-05 a | At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. | Register administrators to receive update notifications so they can patch and update applications and application components. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. The application is following this Application Security & Development STIG and using vendor best practices. At- and post-deployment, it is the responsibility of the organization to update it to the latest release of SAF-CLI code, as well as apply patches to the underlying operating system and database. Personnel responsible for receipt/review of patch notifications and GitHub releases are assigned by the organization deploying their SAF-CLI instance. | 10/28/2024 | V-222669 | |
| SI-05 b | The application must provide notifications or alerts when product update and security related patches are available. | Provide a distribution mechanism for obtaining updates to the application. Include a description of the issue, a summary of risk as well as potential mitigations and how to obtain the update. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. The application is following this Application Security & Development STIG and using vendor best practices. At- and post-deployment, it is the responsibility of the organization to update it to the latest release of SAF-CLI code, as well as apply patches to the underlying operating system. | 10/28/2024 | V-222670 | |
| SI-06 a | The application performing organization-defined security functions must verify correct operation of security functions. | Design the application to verify the correct operation of security functions. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222615 | |
| SI-06 b | The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. | Design the application to verify the correct operation of security functions on command and on application startup and restart. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222616 | |
| SI-06 c | The application must notify the ISSO and ISSM of failed security verification tests. | Configure the application to send notices to the ISSO and ISSM indicating the application failed a verification test. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. ISSOs and ISSMs can sign up for alerts from these automated tests. | 10/28/2024 | V-222617 | |
| SI-10 | The application must protect from Cross-Site Scripting (XSS) vulnerabilities. | Verify user input is validated and encode or escape user input to prevent embedded script code from executing. Develop your application using a web template system or a web application development framework that provides auto escaping features rather than building your own escape logic. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222602 | |
| SI-10 | The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. | Configure the application to use unpredictable challenge tokens and check the HTTP referrer to ensure the request was issued from the site itself. Implement mitigating controls as required such as using web reputation services. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222603 | |
| SI-10 | The application must protect from command injection. | Modify the application so as to escape/sanitize special character input or configure the system to protect against command injection attacks based on application architecture. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222604 | |
| SI-10 | The application must protect from canonical representation vulnerabilities. | A suitable canonical form should be chosen and all user input canonicalized into that form before any authorization decisions are performed. Security checks should be carried out after decoding is completed. Moreover, it is recommended to check that the encoding method chosen is a valid canonical encoding for the symbol it represents. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222605 | |
| SI-10 | The application must validate all input. | Design and configure the application to validate input prior to executing commands. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222606 | |
| SI-10 | The application must not be vulnerable to SQL Injection. | Modify the application and remove SQL injection vulnerabilities. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222607 | |
| SI-10 | The application must not be vulnerable to XML-oriented attacks. | Design the application to utilize components that are not vulnerable to XML attacks. Patch the application components when vulnerabilities are discovered. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222608 | |
| SI-10 (03) | The application must not be subject to input handling vulnerabilities. | Follow best practice when accepting user input and verify that all input is validated before the application processes the input. Remediate identified vulnerabilities and obtain documented risk acceptance for those issues that cannot be remediated immediately. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222609 | |
| SI-11 a | The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Configure the server to not send error messages containing system information or sensitive data to users. Use generic error messages. | The SAF-CLI will report to 'standard out' any errors during execution. | 10/28/2024 | V-222610 | |
| SI-11 b | The application must reveal error messages only to the ISSO, ISSM, or SA. | Configure the server to only send error messages containing system information or sensitive data to privileged users. Use generic error messages for non-privileged users. | The SAF-CLI will report to 'standard out' any errors during execution. | 10/28/2024 | V-222611 | |
| SI-16 | The application must not be vulnerable to overflow attacks. | Design the application to use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Use compiler-based canary mechanisms such as StackGuard, ProPolice, and the Microsoft Visual Studio/GS flag. Use OS-level preventative functionality and control user input validation. Patch applications when overflows are identified in vendor products. | The SAF-CLI GitHub repository undergoes continuous automated dependency, static, and secrets scanning, and each release is secured/patched accordingly. Unit tests are performed via GitHub Actions at every commit, including to validate security functionality. | 10/28/2024 | V-222612 |
- Home
- How to create a release
- Splunk Configuration
- Supplement HDF Configuration
- Validation with Thresholds
- SAF CLI Delta Process
- Mapper Creation Guide for HDF Converters
- How to create a SAF CLI
- How to recommend development of a mapper
- Use unreleased version of a package from the Heimdall monorepo in the SAF CLI
- Troubleshooting