STIG ID - BACF1005: Review AC=1 Modules in APF-Authorized Libraries Required Annually

Severity: 2 - Medium
An annual review of all modules with authorization code AC=1 that reside in APF-authorized libraries must be performed. Your organization's Information System Security Officer (ISSO) is responsible for maintaining documentation that identifies the integrity and justification of vendor APF-authorized libraries. For non-vendor APF-authorized libraries, the ISSO maintains the source and documentation identifying the integrity and justification that describes the AC=1 module process. Having undocumented or unauthorized AC=1 modules poses a possible risk to the confidentiality, integrity, and availability of the system and presents a clear risk to the operating system, ACF2, and customer data.
The organization will ensure that an annual review of all AC=1 modules that reside in APF-authorized libraries is performed.
This STIG article provides guidance to ensure an annual review is performed.
Identify Audit Finding
Review the following data to determine if you should consider remediation. Follow these steps:
  1. Utilize system solutions like Auditor to generate reports identifying APF-Authorized libraries and modules with authorization code AC=1.
  2. If documentation for vendor AC=1 modules in the APF-Authorized libraries identifying the integrity and justification is maintained by the ISSO, your organization does not have an audit finding.
  3. If documentation and source code for non-vendor AC=1 modules in the APF-Authorized libraries identifying the integrity and justification are maintained by the ISSO, your organization does not have an audit finding.
  4. If no documentation or source code is maintained for AC=1 modules in APF-Authorized and non-APF-Authorized libraries, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
Follow these steps. The ISSO will work with the responsible system programmers to ensure that:
  1. Documentation or source code is recorded for AC=1 modules that reside in the APF-Authorized and non-APF-Authorized libraries.
  2. A review of APF-Authorized and non-APF-Authorized libraries is performed on an annual basis.
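The identification steps above (generate a listing of AC=1 modules, then check each against the ISSO's documentation) and the remediation steps (record documentation or source, review annually) can be automated as a cross-check. The following is an added example, not part of this STIG article and not Auditor or ACF2 code: it assumes the Auditor report has already been exported into a simple CSV with library, member, authorization code and origin columns (a constructed stand-in, not the real report format), and that the ISSO register is keyed by library and member with a justification, a source location and a last-review date. It flags three kinds of finding from the article: an AC=1 module with no register entry, a non-vendor AC=1 module without recorded source, and a module whose last review is older than the annual interval.

```python
"""Cross-check AC=1 modules against the ISSO register (added example, constructed data)."""
import csv
import io
from datetime import date, timedelta

# Constructed module listing; the column layout is an assumption, not Auditor's output.
MODULE_REPORT = """\
library,member,ac,origin
SYS1.LINKLIB,IEFBR14,0,vendor
SYS1.LINKLIB,IEEMB860,1,vendor
PROD.APF.LOAD,PAYROLL1,1,site
PROD.APF.LOAD,BATCHUTL,1,site
TEST.NONAPF.LOAD,DEBUGTOOL,1,site
"""

# Constructed APF list; in practice this comes from the same report.
APF_LIBRARIES = {"SYS1.LINKLIB", "PROD.APF.LOAD"}

# Constructed ISSO register: (library, member) -> justification, source, last review.
ISSO_REGISTER = {
    ("SYS1.LINKLIB", "IEEMB860"): {
        "justification": "Vendor-supplied component, integrity documented",
        "source": None,                       # vendor modules need documentation only
        "reviewed": date(2024, 2, 1),
    },
    ("PROD.APF.LOAD", "PAYROLL1"): {
        "justification": "Site program requiring authorized services",
        "source": "PROD.SRC(PAYROLL1)",       # non-vendor: source must be on record
        "reviewed": date(2022, 6, 15),        # more than a year ago
    },
    ("PROD.APF.LOAD", "BATCHUTL"): {
        "justification": "Site utility",
        "source": None,                       # non-vendor module with no source recorded
        "reviewed": date(2024, 3, 10),
    },
}

REVIEW_INTERVAL = timedelta(days=365)  # the article requires an annual review


def parse_report(text):
    """Parse the exported listing into dicts with an integer authorization code."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ac"] = int(row["ac"])
        rows.append(row)
    return rows


def audit(modules, register, apf_libraries, today, interval=REVIEW_INTERVAL):
    """Return one finding dict per problem; an empty list means no audit finding."""
    findings = []
    for mod in modules:
        if mod["ac"] != 1:
            continue  # only AC=1 modules are in scope
        key = (mod["library"], mod["member"])
        scope = "APF" if mod["library"] in apf_libraries else "non-APF"

        def finding(issue):
            return {"library": mod["library"], "member": mod["member"],
                    "scope": scope, "issue": issue}

        entry = register.get(key)
        if entry is None:
            # Step 4 of the article: no documentation at all for this AC=1 module.
            findings.append(finding("undocumented"))
            continue
        if mod["origin"] != "vendor" and not entry.get("source"):
            # Step 3: non-vendor modules need source code on record, not just justification.
            findings.append(finding("missing_source"))
        if today - entry["reviewed"] > interval:
            # Remediation step 2: the annual review has lapsed.
            findings.append(finding("review_overdue"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_report(MODULE_REPORT), ISSO_REGISTER, APF_LIBRARIES, date(2024, 6, 1)):
        print(f"{f['library']}({f['member']}) [{f['scope']}]: {f['issue']}")
```

With the constructed data and a review date of 2024-06-01, the run reports PAYROLL1 as review_overdue, BATCHUTL as missing_source and DEBUGTOOL as undocumented; IEEMB860 is documented and recently reviewed, and IEFBR14 is skipped because it is not AC=1. The non-APF library is deliberately still checked, because step 4 of the article and the remediation steps cover AC=1 modules in non-APF-authorized libraries as well.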
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000643, CCI-001829

CCI: CCI-000643
Published Date: 2009-09-21
Definition: The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
Type: policy
References:
NIST: NIST SP 800-53 (v3): SA-5 (1)
NIST: NIST SP 800-53A (v1): SA-5 (1).1 (i) SA-5(2).1 (i)

CCI: CCI-001829
Published Date: 2013-03-05
Definition: The organization reviews information system privileges per an organization-defined frequency.
Type: policy
Reference: NIST: NIST SP 800-53 Revision 4 (v4) CM-5 (5) (b)