
V-222627

CAT II (Medium)

The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.

Rule ID

SV-222627r961863_rule

STIG

Application Security and Development Security Technical Implementation Guide

Version

V6R4

CCIs

CCI-000363

Discussion

Not all COTS products are covered by a STIG. Products not covered by a STIG should follow commercially accepted best practices, independent testing results, and vendor lock down guides and recommendations, if they are available.

Check Content

Review the application documentation to identify application name, features and version.

Identify if a DoD STIG or NSA guide is available.

If no STIG is available for the product, the application and application components must be configured according to the following, as available:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.

If the application and application components do not have DoD STIG or NSA guidance available and are not configured according to:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides,

this is a finding.

Fix Text

Configure the application according to the product STIG or, when a STIG is not available, utilize:

- commercially accepted practices,
- independent testing results, or
- vendor literature and lock down guides.