
V-223007

CAT III (Low)

Hosted applications must be documented in the system security plan.

Rule ID

SV-223007r961863_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000366

Discussion

The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications. If unknown/undocumented applications are operating on the Tomcat server, these applications increase risk for the system due to not being managed, patched or monitored for unapproved activity on the system.

Check Content

Review the Tomcat server's System Security Plan (SSP)/server documentation.

Access the Tomcat server and review the $CATALINA_BASE/webapps folder.

Ensure that all webapps are documented in the SSP.

If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.
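
The comparison of the webapps folder against the SSP described in the check above can be scripted. The following is an added example, not part of the STIG text; the inventory file (one application name per line, exported from the SSP), the function names and the sample applications are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed inventory format: one webapp name per line, blank
# lines and lines starting with '#' ignored. Names may themselves contain '#'
# (Tomcat uses it in WAR file names for multi-level context paths).

# Print the unique application names deployed under a webapps folder.
# An exploded directory "app/" and an archive "app.war" are the same app.
deployed_webapps() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue          # empty folder: glob did not match
        name=${entry##*/}
        if [ -d "$entry" ]; then
            printf '%s\n' "$name"
        elif [ -f "$entry" ]; then
            case $name in *.war) printf '%s\n' "${name%.war}" ;; esac
        fi
    done | sort -u
}

# Print deployed apps that are missing from the SSP inventory file.
undocumented_webapps() {
    webapps_dir=$1 ssp_list=$2
    documented=$(mktemp) deployed=$(mktemp)
    # Trim whitespace, then drop comment lines and blank lines.
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' \
        "$ssp_list" | sort -u > "$documented"
    deployed_webapps "$webapps_dir" > "$deployed"
    comm -23 "$deployed" "$documented"       # lines only in the deployed set
    rm -f "$documented" "$deployed"
}

# Constructed fixture standing in for $CATALINA_BASE/webapps and an SSP export.
demo_undocumented() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/ROOT" "$tmp/webapps/payroll" "$tmp/webapps/examples"
    : > "$tmp/webapps/payroll.war"           # same app as payroll/
    : > "$tmp/webapps/reports.war"
    printf '%s\n' '# apps with an ATO (constructed)' 'ROOT' '  payroll ' > "$tmp/ssp.txt"
    undocumented_webapps "$tmp/webapps" "$tmp/ssp.txt"
    rm -rf "$tmp"
}

# Against a real server: undocumented_webapps "$CATALINA_BASE/webapps" ssp-webapps.txt
demo_undocumented
```

Any name the function prints is a deployed application with no SSP entry, which is the finding condition for this rule.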

Fix Text

Document the applications that have an ATO on the Tomcat server.

Retain the information in the SSP and present to the auditor in the event of a CCRI.