Zero Trust Workload Identity Manager / SPIRE-82 Threat Model Findings / SPIRE-90

T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components


    • Sub-task
    • Resolution: Unresolved
    • Major
    • OAPE Sprint 277
    • 1

      Provide details on how to validate the version of your software and clearly indicate for which versions of the software guidance is written.

      Provide guidance on:

      1) How to implement and operate the software securely.

      • Detailed instructions on how to configure all available security options and parameters of the software.
      • Information on user account requirements and recommendations associated with the use of the product.
      • Where the software utilizes other systems for maintenance of tracking data, such as a log server, provide clear and sufficient guidance on the correct and complete setup and/or integration of the software with the log storage system.
      • Where third-party or execution-environment features are relied upon for the security of the transmitted data, ensure that clear and sufficient guidance on how to configure such features is included in the software implementation guidance made available to stakeholders.
      • Where cryptographic methods provided by third-party software or aspects of the execution environment or platform on which the application is run are relied upon for the protection of sensitive data, provide clear and sufficient detail for correctly configuring these methods during the installation, initialization, or first use of the software in the implementation guidance.

      2) How to set configuration options of the execution environment and system components.

      • Clear and sufficient guidance for enabling any software security controls, features, or functions where user input or interaction is required to be mapped to this control correctly.
      • Clear and sufficient guidance for disabling or changing any authentication credentials or keys for built-in accounts where user input or interaction is required.
      • Clear and sufficient guidance for the process of configuring the retention period of sensitive data (transient and persistent) where user input or interaction is required.
      • Clear and sufficient guidance on the process of configuring protection methods where user input or interaction is required.
      • When any mitigation relies on features of the execution environment, provide guidance to the software users to enable those settings as part of the install process.
      • Clear and sufficient guidance for configuring authentication mechanisms where the software recommends, suggests, relies on, or otherwise facilitates the use of additional mechanisms (such as third-party VPNs, remote desktop features, and so on) to facilitate secure non-console access to the system on which the software is executed or directly to the software itself.

      3) How to implement security updates.

      • Inform users of the software updates, and provide clear and sufficient guidance on how they may be obtained and installed.

      4) How and where to report security issues.

      This guidance is necessary even when the specific setting either:

      • Cannot be controlled by the software once the software is installed by the customer.
      • Is the responsibility of the customer and not the software vendor.
        - Specifically outline that identification and authentication parameters must not be shared between individuals, programs, or in any way that prevents the unique identification of each access to a critical asset.
        

      5) Does not instruct the user to disable security settings or parameters within the installed environment, such as anti-malware software or firewall or other network-level protection systems.

      6) Does not instruct the user to execute the software in a privileged mode higher than what is required by the software.

      7) The security defence-in-depth strategy for the product to support installation, operation and maintenance.

      • This includes the security capabilities implemented by the product and their role in the defence-in-depth strategy, the threats addressed by the defence-in-depth strategy, product user mitigation strategies for known security risks associated with the product (including risks associated with legacy code), and the security defence-in-depth measures expected to be provided by the external environment in which the product is to be used.

      FedRAMP / Moderate Baseline

      CM-6: Configuration Management | Configuration Settings
      The organization:

      a. Establishes and documents configuration settings for information technology products employed within the information system using [United States Government Configuration Baseline (USGCB)] that reflect the most restrictive mode consistent with operational requirements;

      b. Implements the configuration settings;

      c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

      d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

      CM-6 (a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establish its own configuration settings if USGCB is not available.

      CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

      CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

      SA-5: System And Services Acquisition | Information System Documentation
      The organization:

      a. Obtains administrator documentation for the information system, system component, or information system service that describes:

      1. Secure configuration, installation, and operation of the system, component, or service;
      2. Effective use and maintenance of security functions/mechanisms; and
      3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

      b. Obtains user documentation for the information system, system component, or information system service that describes:

      1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
      2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
      3. User responsibilities in maintaining the security of the system, component, or service;

      c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;

      d. Protects documentation as required, in accordance with the risk management strategy; and
      e. Distributes documentation to [Assignment: organization-defined personnel or roles].

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-3-supporting-and-tooling-offering/openshift-zero-trust-workload-identity-manager/tasks/phase/specifications/311-T1376/

      Training Modules

      Opsec Fundamentals
      PCI SSF Compliance
      PCI Secure Software Lifecycle
      Secure Software Design

              rh-ee-aagnihot Anirudh Agnihotri
              sdelements Jira-SD-Elements-Integration Bot