Date: 2025-04-14

STIG ID Description

APSC-DV-000060 The application must clear temporary storage and cookies when the session is terminated.

APSC-DV-000170 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

APSC-DV-000500 The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

APSC-DV-000510 The application must execute without excessive account permissions.

APSC-DV-000530 The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

APSC-DV-000580 The application must display the time and date of the user's last successful logon.

APSC-DV-000590 The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

APSC-DV-000650 The application must not write sensitive data into the application logs.

APSC-DV-000670 The application must record a time stamp indicating when the event occurred.

APSC-DV-000700 The application must record the username or user ID of the user associated with the event.

APSC-DV-000940 The application must log application shutdown events.

APSC-DV-000950 The application must log destination IP addresses.

APSC-DV-000960 The application must log user actions involving access to data.

APSC-DV-000970 The application must log user actions involving changes to data.

APSC-DV-001120 The application must shut down by default upon audit failure (unless availability is an overriding concern).

APSC-DV-001280 The application must protect audit information from any type of unauthorized read access.

APSC-DV-001290 The application must protect audit information from unauthorized modification.

APSC-DV-001300 The application must protect audit information from unauthorized deletion.

APSC-DV-001350 The application must use cryptographic mechanisms to protect the integrity of audit information.

APSC-DV-001360 Application audit tools must be cryptographically hashed.

APSC-DV-001370 The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value.

APSC-DV-001390 The application must prohibit user installation of software without explicit privileged status.

APSC-DV-001550 The application must use multifactor (Alt. Token) authentication for network access to privileged accounts.

APSC-DV-001580 The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.

APSC-DV-001590 The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.

APSC-DV-001600 The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts.

APSC-DV-001650 The application must authenticate all network connected endpoint devices before establishing any connection.

APSC-DV-001660 Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.

APSC-DV-001680 The application must enforce a minimum 15-character password length.

APSC-DV-001690 The application must enforce password complexity by requiring that at least one upper-case character be used.

APSC-DV-001700 The application must enforce password complexity by requiring that at least one lower-case character be used.

APSC-DV-001710 The application must enforce password complexity by requiring that at least one numeric character be used.

APSC-DV-001720 The application must enforce password complexity by requiring that at least one special character be used.

APSC-DV-001740 The application must only store cryptographic representations of passwords.

APSC-DV-001750 The application must transmit only cryptographically-protected passwords.

APSC-DV-001770 The application must enforce a 60-day maximum password lifetime restriction.

APSC-DV-001795 The application password must not be changeable by users other than the administrator or the user with which the password is associated.

APSC-DV-001810 The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

APSC-DV-001820 The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

APSC-DV-001830 The application must map the authenticated identity to the individual user or group account for PKI-based authentication.

APSC-DV-001840 The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

APSC-DV-001850 The application must not display passwords/PINs as clear text.

APSC-DV-001970 The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

APSC-DV-001995 The application must not be vulnerable to race conditions.

APSC-DV-002000 The application must terminate all network connections associated with a communications session at the end of the session.

APSC-DV-002220 The application must set the secure flag on session cookies.

APSC-DV-002230 The application must not expose session IDs.

APSC-DV-002240 The application must destroy the session ID value and/or cookie on logoff or browser close.

APSC-DV-002250 Applications must use system-generated session identifiers that protect against session fixation.

APSC-DV-002260 Applications must validate session identifiers.

APSC-DV-002280 The application must not re-use or recycle session IDs.

APSC-DV-002300 The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.

APSC-DV-002310 The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

APSC-DV-002370 The application must maintain a separate execution domain for each executing process.

APSC-DV-002380 Applications must prevent unauthorized and unintended information transfer via shared system resources.

APSC-DV-002390 XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.

APSC-DV-002400 The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.

APSC-DV-002440 The application must protect the confidentiality and integrity of transmitted information.

APSC-DV-002460 The application must maintain the confidentiality and integrity of information during preparation for transmission.

APSC-DV-002470 The application must maintain the confidentiality and integrity of information during reception.

APSC-DV-002480 The application must not disclose unnecessary information to users.

APSC-DV-002485 The application must not store sensitive information in hidden fields.

APSC-DV-002490 The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

APSC-DV-002500 The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.

APSC-DV-002510 The application must protect from command injection.

APSC-DV-002520 The application must protect from canonical representation vulnerabilities.

APSC-DV-002530 The application must validate all input.

APSC-DV-002540 The application must not be vulnerable to SQL Injection.

APSC-DV-002550 The application must not be vulnerable to XML-oriented attacks.

APSC-DV-002560 The application must not be subject to input handling vulnerabilities.

APSC-DV-002570 The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

APSC-DV-002590 The application must not be vulnerable to overflow attacks.

APSC-DV-003100 The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.

APSC-DV-003110 The application must not contain embedded authentication data.

APSC-DV-003235 The application must not be subject to error handling vulnerabilities.

APSC-DV-003300 The designer must ensure uncategorized or emerging mobile code is not used in applications.