Vuln ID Severity Group Title Rule ID STIG ID Rule Title Discussion IA Controls Check Content Fix Text False Positives False Negatives Documentable Mitigations Potential Impact Third Party Tools Mitigation Control Responsibility Severity Override Guidance Check Content Reference Classification STIG VMS Asset Posture CCI NIST SP 800-53 Revision 4 References Legacy Prisma Cloud Compute Response

V-69249

low

SRG-APP-000297

SV-83871r1_rule

APSC-DV-000100

The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.

If a user is not explicitly notified that their application session has been terminated, they cannot be certain that their session did not remain open. Applications with a user access interface must provide an explicit logoff message to the user upon successful termination of the user session.

If the application does not provide an interface for interactive user access, this is not applicable.

Log on to the application with a valid user account. Examine the user interface. Identify the command or link that provides the logoff function.

Activate the user logoff function.

If the application does not provide an explicit logoff message indicating the user session has been terminated, this is a finding.

Design and configure the application to provide an explicit logoff message to users indicating a successful logoff has occurred upon user session termination.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-002364 The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. NIST SP 800-53 Revision 4 :: AC-12 (1)

AC-12 (1)

Upon logoff the user’s browser session is returned to the logon page.

V-69301

low

SRG-APP-000025

SV-83923r1_rule

APSC-DV-000320

The application must automatically disable accounts after a 35 day period of account inactivity.

Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local logon administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations.

Examine the application documentation or interview the application representative to identify how the application users are managed.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory (AD) for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

If the application handles the management tasks for user accounts, access the application's user management utility.

Navigate to the screen where user accounts are configured to be disabled after 35 days of inactivity.

Confirm this setting is active.

If the application is not set to expire inactive accounts after 35 days, or if the application has no ability to expire accounts after 35 days of inactivity, this is a finding.

Design and configure the application to expire user accounts after 35 days of inactivity.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-000017 The information system automatically disables inactive accounts after an organization-defined time period. NIST SP 800-53 :: AC-2 (3) NIST SP 800-53A :: AC-2 (3).1 (ii) NIST SP 800-53 Revision 4 :: AC-2 (3)

AC-2 (3)

Local username/password credentials do not expire based upon inactivity. It is recommended to disable username/password authentication; authentication can instead be provided by a third-party authentication source (e.g., LDAP, SAML, X.509) if this functionality is required. Direct X.509 (DoD CAC) authentication is supported.

V-69313

low

SRG-APP-000291

SV-83935r1_rule

APSC-DV-000380

The application must notify System Administrators and Information System Security Officers when accounts are created.

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Review the application and system documentation.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

Ensure the application is configured to notify system administrators when new accounts are created by identifying the system administrators who will be notified when new accounts are created, creating a test account, and checking with a system administrator to verify the notification was received.

If system administrators and ISSOs are not notified when accounts are created, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are created.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001683 The information system notifies organization-defined personnel or roles for account creation actions. NIST SP 800-53 :: AC-2 (4) NIST SP 800-53A :: AC-2 (4).1 (i&ii) NIST SP 800-53 Revision 4 :: AC-2 (4)

AC-2 (4)

Local user account creation generates an audit event. Syslog integration is supported to raise the event external to Prisma Cloud Compute. https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/audit/logging.html

V-69315

low

SRG-APP-000292

SV-83937r1_rule

APSC-DV-000390

The application must notify System Administrators and Information System Security Officers when accounts are modified.

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Review the application and system documentation.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

Ensure the application is configured to notify system administrators when accounts are modified by identifying system administrators who will be notified when accounts are modified.

Modify a test account and check with a system administrator to verify notification was received.

If system administrators and ISSOs are not notified when accounts are modified, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are modified.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001684 The information system notifies organization-defined personnel or roles for account modification actions. NIST SP 800-53 :: AC-2 (4) NIST SP 800-53A :: AC-2 (4).1 (i&ii) NIST SP 800-53 Revision 4 :: AC-2 (4)

AC-2 (4)

Local user account modification generates an audit event. Syslog integration is supported to raise the event external to Prisma Cloud Compute. https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/audit/logging.html

V-69317

low

SRG-APP-000293

SV-83939r1_rule

APSC-DV-000400

The application must notify System Administrators and Information System Security Officers of account disabling actions.

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Review the application and system documentation.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

Ensure the application is configured to notify system administrators when accounts are disabled by identifying the system administrators who will be notified when accounts are disabled.

Disable a test account and check with a system administrator to verify notification was received.

If system administrators and ISSOs are not notified when accounts are disabled, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are disabled.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001685 The information system notifies organization-defined personnel or roles for account disabling actions. NIST SP 800-53 :: AC-2 (4) NIST SP 800-53A :: AC-2 (4).1 (i&ii) NIST SP 800-53 Revision 4 :: AC-2 (4)

AC-2 (4)

Local user accounts cannot be disabled, only removed.

V-69319

low

SRG-APP-000294

SV-83941r1_rule

APSC-DV-000410

The application must notify System Administrators and Information System Security Officers of account removal actions.

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Review the application and system documentation.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

Ensure the application is configured to notify system administrators when accounts are removed by identifying the system administrators who will be notified when accounts are removed.

Remove a test account and check with a system administrator to verify notification was received.

If system administrators and ISSOs are not notified when accounts are removed, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are removed.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001686 The information system notifies organization-defined personnel or roles for account removal actions. NIST SP 800-53 :: AC-2 (4) NIST SP 800-53A :: AC-2 (4).1 (i&ii) NIST SP 800-53 Revision 4 :: AC-2 (4)

AC-2 (4)

Local user account deletion generates an audit event. Syslog integration is supported to raise the event external to Prisma Cloud Compute. https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/audit/logging.html

V-69323

low

SRG-APP-000320

SV-83945r1_rule

APSC-DV-000430

The application must notify System Administrators and Information System Security Officers of account enabling actions.

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable an existing account that has been previously disabled. Notification when account enabling actions occur is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the enabling of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Review the application and system documentation.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

Ensure the application is configured to notify system administrators when accounts are enabled by identifying the system administrators who will be notified when accounts are enabled.

Disable and then enable a test account and check with a system administrator to verify a notification was received indicating the account was enabled.

If system administrators and ISSOs are not notified when accounts are enabled, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are enabled.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-002132 The information system notifies organization-defined personnel or roles for account enabling actions. NIST SP 800-53 Revision 4 :: AC-2 (4)

AC-2 (4)

Local user accounts cannot be enabled, only created.

V-69349

low

SRG-APP-000068

SV-83971r2_rule

APSC-DV-000550

The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:

"I’ve read & consent to terms in IS user agreem’t."

If the application has no interactive user interface, this requirement is not applicable.

Log on to the application as a user.

Observe the screen and ensure the DoD-approved banner is displayed prior to obtaining access to the application. Refer to the vulnerability discussion for the approved text.

If the only way to access the application is through the OS console, e.g., a fat client application installed on a GFE desktop or laptop, and that GFE is configured to display the DoD banner, an additional banner is not required at the application level.

If the standard DoD-approved banner is not displayed prior to obtaining access, this is a finding.

Configure the application to present the standard DoD-approved banner prior to granting access to the application.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-000048 The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. NIST SP 800-53 :: AC-8 a NIST SP 800-53A :: AC-8.1 (ii) NIST SP 800-53 Revision 4 :: AC-8 a

AC-8 a

A custom logon notification banner is not supported at this time (v20_04_177).

V-69351

low

SRG-APP-000069

SV-83973r2_rule

APSC-DV-000560

The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.

To establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

If the application has no interactive user interface, this requirement is not applicable.

If the user interface is only available via the OS console, e.g., a fat client application installed on a GFE desktop or laptop, and that GFE is configured to display the DoD banner, this requirement is not applicable.

Access the application and authenticate if necessary. Verify the banner is displayed and action must be taken to accept terms of use.

If the banner is not displayed or no action must be taken to accept terms of use, this is a finding.

Configure the application to retain the standard DoD-approved banner until the user accepts the usage conditions prior to granting access to the application.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-000050 The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access. NIST SP 800-53 :: AC-8 b NIST SP 800-53A :: AC-8.1 (iii) NIST SP 800-53 Revision 4 :: AC-8 b

AC-8 b

Custom logon notification banner consent is not supported at this time (v20_04_177).

V-69353

low

SRG-APP-000070

SV-83975r1_rule

APSC-DV-000570

The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:

"I’ve read & consent to terms in IS user agreem’t."

This requirement only applies to publicly accessible applications. If the application is not publicly accessible, this requirement is not applicable.

Access the application and observe the screen to ensure the DoD-approved banner is displayed prior to obtaining full access to the application. Refer to the vulnerability discussion for the approved banner text.

If the standard DoD-approved banner is not displayed prior to obtaining access, this is a finding.

Configure the application to present the standard DoD-approved banner prior to granting access to the application.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001384 The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access. NIST SP 800-53 :: AC-8 c NIST SP 800-53A :: AC-8.2 (i) NIST SP 800-53 Revision 4 :: AC-8 c 1

CCI-001385 The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities. NIST SP 800-53 :: AC-8 c NIST SP 800-53A :: AC-8.2 (ii) NIST SP 800-53 Revision 4 :: AC-8 c 2

CCI-001386 The information system for publicly accessible systems displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities. NIST SP 800-53 :: AC-8 c NIST SP 800-53A :: AC-8.2 (ii) NIST SP 800-53 Revision 4 :: AC-8 c 2

CCI-001387 The information system for publicly accessible systems displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities. NIST SP 800-53 :: AC-8 c NIST SP 800-53A :: AC-8.2 (ii) NIST SP 800-53 Revision 4 :: AC-8 c 2

CCI-001388 The information system, for publicly accessible systems, includes a description of the authorized uses of the system. NIST SP 800-53 :: AC-8 c NIST SP 800-53A :: AC-8.2 (iii) NIST SP 800-53 Revision 4 :: AC-8 c 3

AC-8 c 1;AC-8 c 2;AC-8 c 3

Custom logon notification banner consent is not supported at this time (v20_04_177). Prisma Cloud Compute does not have to be accessible from the Internet.

V-69355

low

APSC-DV-000580

SV-83977r1_rule

APSC-DV-000580

The application must display the time and date of the user's last successful logon.

Providing a last successful logon date and time stamp notification to the user when they authenticate and access the application allows the user to determine if their application account has been used without their knowledge.

Armed with that information, the user can notify the application administrator and initiate a forensics investigation to identify root cause. Without providing this information to the user, a potential compromise of user accounts could go unnoticed.

Review the application documentation and interview the application administrator.

If the application does not provide a user interface, this requirement is not applicable.

Log on to the application as a test user and verify successful authentication by creating test data, navigating the application functionality, or otherwise utilizing the application.

Note the date and time access was granted.

Log out of the application.

Re-authenticate to the application as the same user.

Validate the last logon date and time is displayed in the user interface.

If the date and time the user account was last granted access to the application is not displayed in the user interface, this is a finding.

Design and configure the application to display the date and time when the user was last successfully granted access to the application.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-000052 The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). NIST SP 800-53 :: AC-9 NIST SP 800-53A :: AC-9.1 NIST SP 800-53 Revision 4 :: AC-9

AC-9

Not supported

V-70173

low

ASDV-PL-000310

SV-84795r1_rule

APSC-DV-000310

The application must have a process, feature or function that prevents removal or disabling of emergency accounts.

Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes.

If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.

Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account which is created for use by vendors or system maintainers.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Review the application documentation and interview the application administrator. Identify if emergency accounts are ever used.

If emergency accounts are not used, this requirement is not applicable.

If emergency accounts are used, validate a procedure, process, feature or function exists that will prevent the emergency account from being deleted or disabled during a crisis situation.

Examples include but are not limited to adding a flag to the account to ensure it is not deleted during a specified emergency period or placing the account in a designated group that is monitored and controlled in accordance with the crisis.

If a process, procedure, function or feature designed to prevent emergency accounts from being deleted or disabled during a crisis situation is not available, this is a finding.

Identify accounts that are created in an emergency situation and ensure procedures or processes are in place to prevent disabling or deleting the account while the emergency is underway.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-000011 The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions. NIST SP 800-53 :: AC-2 e NIST SP 800-53A :: AC-2.1 (i) NIST SP 800-53 Revision 4 :: AC-2 f

AC-2 f

Local administrative account password can be recovered in an emergency situation. https://docs.twistlock.com/docs/troubleshooting/troubleshooting/console/forgot_console_passwd.html

V-70287

low

SRG-APP-000275

SV-84909r1_rule

APSC-DV-002780

The application must notify the ISSO and ISSM of failed security verification tests.

If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain.

Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.

This requirement applies to applications performing security functions and the applications performing security function verification/testing.

Review the application documentation and interview the system administrator to determine if the application performs security function testing.

If the application is not designed or intended to perform security function testing, the requirement is not applicable.

Access the application design documents or have the system administrator provide proof the application is designed to verify the correct operation of security functions.

Review application logs and take note of log entries that indicate security function testing is being performed and verified on startup, restart, or on command by an authorized user.

Review logs to identify if the application has sent notifications to ISSO and ISSM when security verification tests fail.

Review application features and functions to identify areas of the management interfaces that specify where failed security verification tests are to be sent and validate the ISSO and ISSM are configured as recipients.

If the application is designed to perform security function testing and does not notify the ISSO and ISSM of failed verification tests, this is a finding.

Configure the application to send notices to the ISSO and ISSM indicating the application failed a verification test.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001294 The information system notifies organization-defined personnel or roles of failed security verification tests. NIST SP 800-53 :: SI-6 (1) NIST SP 800-53A :: SI-6 (1).1 NIST SP 800-53 Revision 4 :: SI-6 c

SI-6 c

Prisma Cloud Compute Console and Defender images/container are continually monitored for vulnerabilities, configuration compliance and runtime behaviors changes. Audit events are generated upon any deviation from the defined policies. Alerts can be created to notify specific stakeholders (e.g. ISSO & ISSM).

V-70367

low

ASDV-PL-003130

SV-84989r1_rule

APSC-DV-003130

Prior to each release of the application, update to the system, or application of patches, test plans and procedures must be created and executed.

Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components.

This requirement is meant to apply to developers or organizations that are doing development work when releasing a version update or a patch to the application.

If the review is not being done with the developer of the application, this requirement is not applicable.

Ask the application representative to provide test plans, procedures, and results to ensure they are updated for each application release or update to system patches.

If test plans, procedures, and results do not exist, or are not updated for each application release, this is a finding.

Execute test plans prior to release or patch update.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-003004 The organization implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner. NIST SP 800-53 Revision 4 :: PM-14 a 2

PM-14 a 2

Every release’s new features, improvements, fixes, enhancements and breaking changes are documented: https://docs.twistlock.com/docs/releases/release-information/latest.html

V-70373

low

ASDV-PL-003160

SV-84995r1_rule

APSC-DV-003160

Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.

Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown, and aborts.

Review the process documentation and interview the admin staff.

Identify if testing procedures exist and if they include annual testing to ensure the application remains in a secure state on initialization, shutdown, and aborts.

Checks should include, at a minimum, attempts to access the application and application configuration settings without credentials or with improper credentials, both locally and remotely.

Dates should be noted as to the last date of testing.

If annual testing procedures do not exist, or if administrators are unable to provide testing dates that indicate the tests were conducted within the last year, this is a finding.

Create test procedures to test the security state of the application and exercise test procedures annually.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-003182 The organization requires the developer of the information system, system component, or information system service to perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis. NIST SP 800-53 Revision 4 :: SA-11 (2)

SA-11 (2)

All releases must pass the stabilization phase before publication.

V-70377

low

ASDV-PL-003180

SV-84999r1_rule

APSC-DV-003180

Code coverage statistics must be maintained for each release of the application.

This requirement is meant to apply to developers or organizations that are doing application development work.

Code coverage statistics describe the overall functionality provided by the application and how much of the source code has been tested during the release cycle.

To avoid the potential for testing the same pieces of code over and over again, code coverage statistics are used to track which aspects or modules of the application are tested.

Some applications are so large that it is not feasible to test every last bit of the application code in one release cycle. In those instances, it is acceptable to prioritize and identify the modules that are critical to the application's security posture and test those first, rolling over to test other modules later as resources permit, e.g., testing functionality that performs authentication and authorization before testing printing capabilities.

Application developers should keep statistics that show all of the modules of the application and identify which modules were tested and when. This will help testers to keep track of what has been tested and help to verify all functionality is tested.

The developer makes sure that flaws are documented in a defect tracking system.

If the application is smaller in nature and all aspects of the application can be tested, the code coverage statistics would be 100%.

If the organization does not do or manage the application development work for the application, this requirement is not applicable.

Ask the application representative to provide code coverage statistics maintained for the application.

If these code coverage statistics do not exist, this is a finding.

Track application testing and maintain statistics that show how much of the application function was tested.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-003188 The organization defines the specific code that requires the developer of the information system, system component, or information system service to perform a manual code review against using organization-defined process, procedures, and/or techniques. NIST SP 800-53 Revision 4 :: SA-11 (4)

SA-11 (4)

Every release’s new features, improvements, fixes, enhancements and breaking changes are documented: https://docs.twistlock.com/docs/releases/release-information/latest.html

V-70385

low

ASDV-PL-003215

SV-85007r1_rule

APSC-DV-003215

The application development team must follow a set of coding standards.

Coding standards are guidelines established by the development team or individual developers that recommend programming style, practices and methods. The coding standards employed will vary based upon the programming language that is being used to develop the application and the development team.

Coding standards often cover the use of white space characters, variable naming conventions, function naming conventions, and comment styles. Implementing coding standards provides many benefits to the development process. These benefits include code readability, coding consistency among both individual and teams of developers as well as ease of code integration.

The following are examples of what will typically be in a coding standards document. This list is an example of what one can expect to find in typical coding standard documents and is not a comprehensive list:

- Indent style conventions
- Naming conventions
- Line length conventions
- Comment conventions
- Programming best practices
- Programming style conventions

Coding standards allow developers to quickly adapt to code which has been developed by various members of a development team. Coding standards are useful in the code review process as well as in situations where a team member leaves and duties must then be assigned to another team member.

Code conforming to a standard format is easier to read, especially if someone other than the original developer is examining the code. In addition, formatted code can be debugged and corrected faster than unformatted code.

Introducing coding standards can help increase the consistency, reliability, and security of the application by ensuring common programming structures and tasks are handled by similar methods, as well as, reducing the occurrence of common logic errors.

This requirement is meant to apply to developers or organizations that are doing application development work. If the organization operating the application under review is not doing the development or managing the development of the application, the requirement is not applicable.

Ask the application representative about their coding standards. Ask for a coding standards document, review the document and ask the developers if they are aware of and if they use the coding standards. Make a determination if the application developers follow the coding standard.

If the developers do not follow a coding standard, or if a coding standard document does not exist, this is a finding.

Create and maintain a coding standard process and documentation for developers to follow.

Include programming best practices based on the languages being used for application development. Include items that should be standardized across the team that deal with how developers write their application code.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-003233 The organization requires the developer of the information system, system component, or information system service to follow a documented development process. NIST SP 800-53 Revision 4 :: SA-15

SA-15

Prisma Cloud Compute development team adheres to the Palo Alto Networks Systems Development Lifecycle’s policies and procedures.

V-70387

low

ASDV-PL-003220

SV-85009r1_rule

APSC-DV-003220

The designer must create and update the Design Document for each release of the application.

This requirement is meant to apply to developers or organizations that are doing application development work.

The application design document or configuration guide includes configuration settings, recommendations and best practices that pertain to the secure deployment of the application.

It also contains the detailed functional architecture as well as any changes to the application architecture corresponding to a new version release and must be documented to ensure all risks are assessed and mitigated to the maximum extent practical.

Failure to do so may result in unexposed risk, and failure to mitigate the risk leading to failure or compromise of the system.

This requirement is meant to apply to developers or organizations that are doing application development work. If the organization operating the application is not doing the development or managing the development of the application, the requirement is not applicable.

Ask the application representative for the design document for the application. Review the design document.

Examine the design document and/or the threat model for the application and verify the following information is documented:

- All external interfaces.
- The nature of information being exchanged
- Any protections on the external interface
- User roles required for access control and the access privileges assigned to each role
- Unique security requirements (e.g., encryption of key data elements at rest)
- Categories of sensitive information processed by the application and their specific protection plans (e.g., PII, HIPAA).
- Restoration priority of subsystems, processes, or information
- Verify the organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail
- Application incident response plan that provides details on how to provide the development team with application vulnerability or bug information.

If the design document is incomplete, this is a finding.

Create and maintain the Design Document for each release of the application and identify the following:

- All external interfaces (from the threat model)
- The nature of information being exchanged
- Categories of sensitive information processed or stored and their specific protection plans
- The protection mechanisms associated with each interface
- User roles required for access control
- Access privileges assigned to each role
- Unique application security requirements
- Categories of sensitive information processed or stored and specific protection plans (e.g., Privacy Act, HIPAA, etc.)
- Restoration priority of subsystems, processes, or information.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-003233 The organization requires the developer of the information system, system component, or information system service to follow a documented development process. NIST SP 800-53 Revision 4 :: SA-15

SA-15

Every release’s new features, improvements, fixes, enhancements and breaking changes are documented: https://docs.twistlock.com/docs/releases/release-information/latest.html

V-70399

low

ASDV-PL-003260

SV-85021r1_rule

APSC-DV-003260

Procedures must be in place to notify users when an application is decommissioned.

When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application support staff should maintain procedures for decommissioning. The decommissioning process should include notifying users of the pending decommissioning event. If the users are not informed of the decommissioning event, attackers may be able to stand up a similar-looking system and fool users into attempting to log on to a duplicate system. This can be as simple as a banner informing users.

This risk is primarily geared towards insider threat scenarios and externally accessible applications that provide access to publicly releasable data but should also be applied to internal systems as a best practice.

Interview the application representative to determine if provisions are in place to notify users when an application is decommissioned.

If provisions are not in place to notify users when an application is decommissioned, this is a finding.

Create and establish procedures to notify users when an application is decommissioned.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-003374 The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs. NIST SP 800-53 Revision 4 :: SA-22 b

SA-22 b

Prisma Cloud Compute Support Lifecycle https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome/support_lifecycle.html

V-70417

low

ASDV-PL-003340

SV-85039r1_rule

APSC-DV-003340

At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available.

Administrators should register for updates to all COTS and custom-developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be applied.

Admin personnel should be registered to receive updates to all components of the application, such as Web Server, Application Servers, and Database Servers. Also, if update notifications are provided for any custom-developed software, libraries or third-party tools, deployment personnel must also register for these updates.

Review the components of the application.

Ask the application representative to demonstrate that deployment personnel are registered to receive update notifications for all of the application components, including custom-developed software, libraries and third-party tools.

If no deployment personnel are registered to receive the alerts, this is a finding.

Register administrators to receive update notifications so they can patch and update applications and application components.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001285 The organization receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis. NIST SP 800-53 :: SI-5 a NIST SP 800-53A :: SI-5.1 (i) NIST SP 800-53 Revision 4 :: SI-5 a

SI-5 a

Palo Alto Networks license registration includes point of contact information. Release notifications can be requested.

V-70419

low

ASDV-PL-003345

SV-85041r1_rule

APSC-DV-003345

The application must provide notifications or alerts when product update and security related patches are available.

An application vulnerability management and update process must be in place to notify and provide users and administrators with a means of obtaining security patches and updates for the application.

An important part of the maintenance phase of an application is managing vulnerabilities for updated versions of the application after the application is released. When a security flaw is discovered in an application deployed in a production environment, notification to the user community must take place as quickly as possible.

This notification should be planned for in the design phase of the application. This notification should be a warning of any potential risks to the application or data. A notification mechanism will be established to notify users of the vulnerability and the potential risks, the availability of a solution, and/or potential mitigations reducing risks to the application.

Review the components of the application. Interview the application administrator.

Have the application administrator demonstrate the application notification process that occurs when a security patch or product update is available.

The process must include a brief description of the issue and any potential risks related to the issue.

The process must also include information regarding the availability of the patch or update and how it can be obtained as well as any potential mitigations that can be utilized in the interim.

If there is no application security patch or update notification process, this is a finding.

If the application notification process does not include a brief description, information on risks, how to obtain the patch or update and any potential mitigations, this is a finding.

Provide a distribution mechanism for obtaining updates to the application.

Include a description of the issue, a summary of risk as well as potential mitigations and how to obtain the update.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-001286 The organization generates internal security alerts, advisories, and directives as deemed necessary. NIST SP 800-53 :: SI-5 b NIST SP 800-53A :: SI-5.1 (ii) NIST SP 800-53 Revision 4 :: SI-5 b

SI-5 b

The Prisma Cloud Compute bell icon in the upper right-hand corner of the user interface will display a notification when a new release is available. https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome/releases.html

V-70423

low

SRG-APP-000506

SV-85045r1_rule

APSC-DV-003360

The application must generate audit records when concurrent logons from different workstations occur.

When an application provides users with the ability to log on concurrently, an event must be recorded that indicates the user has logged on from different workstations. It is important to ensure that audit logs differentiate between the two sessions.

The event data must include the user ID, the workstation information and application session information that provides the details necessary to determine which application session executed what action on the system.

Review the application documentation and interview the application administrator to identify where log records are stored.

Access the log records, then log on to the application as a regular user from one workstation. Take note of the workstation IP address and confirm the address as the source workstation.

Have the application administrator log on to the application from another workstation using the same account.

Validate the IP address of the second workstation is recorded in the logs.

If the application does not create an audit record when concurrent logons occur from different workstations, this is a finding.

Configure the application to log concurrent logons from different workstations.

false

M

Unclass

Application Security and Development Security Technical Implementation Guide :: Version 4, Release: 11 Benchmark Date: 24 Jul 2020

3009

CCI-000172 The information system generates audit records for the events defined in AU-2 d with the content defined in AU-3. NIST SP 800-53 :: AU-12 c NIST SP 800-53A :: AU-12.1 (iv) NIST SP 800-53 Revision 4 :: AU-12 c

AU-12 c

All logon events are audited. To determine concurrent connections, the administrator will have to review the Console’s logs.
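The review of logon records that this requirement calls for (user ID, workstation address and session identifier, with a distinct record whenever the same account is already active from a different workstation) can be automated over exported log entries. The following is an added example and is not part of the STIG or of Prisma Cloud Compute; the line format, the field names (`user`, `src`, `session`) and the sample records are constructed for illustration, not taken from any product's log output.

```python
"""Flag concurrent logons by one account from different workstations.

Added example (not STIG or Prisma Cloud Compute code). The log line format,
field names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample logon/logoff records, not real product output.
SAMPLE_LOG = """\
2020-07-24T09:00:05Z LOGON  user=jdoe   src=10.1.1.15 session=s-1001
2020-07-24T09:04:10Z LOGON  user=asmith src=10.1.1.20 session=s-1002
2020-07-24T09:06:30Z LOGON  user=jdoe   src=10.1.1.99 session=s-1003
2020-07-24T09:10:00Z LOGOFF user=jdoe   src=10.1.1.15 session=s-1001
2020-07-24T09:12:45Z LOGON  user=jdoe   src=10.1.1.99 session=s-1004
2020-07-24T09:30:00Z LOGOFF user=asmith src=10.1.1.20 session=s-1002
"""


@dataclass
class Event:
    ts: datetime
    kind: str       # "LOGON" or "LOGOFF"
    user: str
    src: str        # workstation address the session came from
    session: str    # application session identifier


def parse_line(line: str) -> Event:
    """Parse one 'timestamp KIND key=value ...' record (constructed format)."""
    ts_text, kind, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), kind,
                 fields["user"], fields["src"], fields["session"])


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def concurrent_logons(events: List[Event]) -> List[dict]:
    """Return one audit record per LOGON that happens while the same user
    still holds an open session from a different source address.

    A second logon from the *same* workstation is not reported, so the
    output distinguishes 'different workstations' from plain re-logons.
    """
    events = sorted(events, key=lambda e: e.ts)
    # user -> {session id -> its LOGON event}, for sessions not yet logged off
    open_sessions: Dict[str, Dict[str, Event]] = {}
    findings: List[dict] = []
    for ev in events:
        user_sessions = open_sessions.setdefault(ev.user, {})
        if ev.kind == "LOGOFF":
            user_sessions.pop(ev.session, None)   # tolerate unknown sessions
            continue
        others = [s for s in user_sessions.values() if s.src != ev.src]
        if others:
            findings.append({
                "event": "CONCURRENT_LOGON",
                "user": ev.user,
                "time": ev.ts.isoformat(),
                "new_session": ev.session,
                "new_src": ev.src,
                "existing_sessions": [(s.session, s.src) for s in others],
            })
        user_sessions[ev.session] = ev
    return findings


if __name__ == "__main__":
    for record in concurrent_logons(parse_log(SAMPLE_LOG)):
        print(record)
```

Each finding carries both session identifiers and both source addresses, which is the detail the check content asks to see in the logs: which session, from which workstation, performed a given action. In the sample data the user `jdoe` is flagged once (second workstation while the first session is still open); the later logon from the same second workstation is not flagged because no other-address session remains open.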