Configuration of Software to Have Secure Settings by Default, v1.1

Specifies requirements in accordance with NIST Secure Software Development Framework (SSDF), version 1.1, Practice PW.9: Configuration of Software to Have Secure Settings by Default. Requires the organization to make the software secure as installed, so that it is less likely to be deployed with weak security settings that put it at greater risk of compromise.

Assessment Steps (2)

1
Determination of Secure Software Baseline Configuration (DeterminationofSecureSoftwareBaselineConfiguration)
Does the organization define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
2
Implementation and Documentation of Default Software Configuration Settings (ImplementationandDocumentationofDefaultSoftwareConfigurationSettings)
Does the organization implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

Conformance Criteria (2)

Determination of Secure Software Baseline Configuration
The organization must define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.
Citation
SSDF
Task PW.9.1
Implementation and Documentation of Default Software Configuration Settings
The organization must implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.
Citation
SSDF
Task PW.9.2
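The two tasks above (define a secure baseline for every security-related setting, then ship those defaults and document each one for administrators) can be expressed directly in a settings module. The following is an added example, not code from the SSDF or from any assessed organization; the service settings (tls_min_version, require_auth, debug_mode, admin_bind_address, password_min_length) are hypothetical. Each setting carries its secure default, its administrator-facing documentation, and a predicate that says whether a given value still satisfies the baseline, so an override that weakens security is caught before it is applied rather than discovered after deployment.

```python
# Added example (not from the original page): a settings baseline where every
# security-relevant setting ships with a secure default, documents its effect for
# administrators, and is checked so overrides cannot silently weaken it.
# All setting names and values below are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Setting:
    """One security-related setting in the baseline."""
    name: str
    default: Any
    doc: str                          # text shown to administrators (PW.9.2)
    is_secure: Callable[[Any], bool]  # True if a value keeps the baseline's guarantee


def _loopback(addr: Any) -> bool:
    """Accept only loopback addresses (IPv4 or IPv6)."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


# The secure baseline (PW.9.1): each default is secure as shipped.
BASELINE: Dict[str, Setting] = {s.name: s for s in (
    Setting("tls_min_version", "1.2",
            "Lowest TLS version accepted; 1.0 and 1.1 are deprecated.",
            lambda v: v in ("1.2", "1.3")),
    Setting("require_auth", True,
            "Reject unauthenticated requests on every endpoint.",
            lambda v: v is True),
    Setting("debug_mode", False,
            "Expose stack traces and internal state in responses.",
            lambda v: v is False),
    Setting("admin_bind_address", "127.0.0.1",
            "Interface the admin API listens on; keep it on loopback.",
            _loopback),
    Setting("password_min_length", 12,
            "Minimum length of local account passwords.",
            lambda v: isinstance(v, int) and v >= 12),
)}


def default_config() -> Dict[str, Any]:
    """Configuration as installed: the secure defaults and nothing else."""
    return {name: s.default for name, s in BASELINE.items()}


def render_admin_doc() -> str:
    """Per-setting documentation for software administrators (PW.9.2)."""
    lines = [f"{s.name} (default: {s.default!r})\n    {s.doc}" for s in BASELINE.values()]
    return "\n".join(lines)


def audit(config: Dict[str, Any]) -> List[str]:
    """One finding per setting that weakens the baseline or is not in it."""
    findings = []
    for name, value in config.items():
        s = BASELINE.get(name)
        if s is None:
            findings.append(f"{name}: not in baseline, refusing to apply")
        elif not s.is_secure(value):
            findings.append(f"{name}={value!r} weakens baseline (default {s.default!r})")
    return findings


def effective_config(overrides: Dict[str, Any]) -> Dict[str, Any]:
    """Defaults plus administrator overrides; refuses any override that weakens security."""
    findings = audit(overrides)
    if findings:
        raise ValueError("; ".join(findings))
    cfg = default_config()
    cfg.update(overrides)
    return cfg


if __name__ == "__main__":
    print(render_admin_doc())
    # Constructed override set: two weakening changes and one unknown key.
    print(audit({"tls_min_version": "1.0", "debug_mode": True, "color": "blue"}))
```

Overrides that are stronger than the baseline (a longer minimum password, an IPv6 loopback bind) pass the audit, so the check constrains administrators only in the insecure direction. Keeping the documentation string on the Setting itself means the administrator guide is generated from the same object that enforces the default, so the two cannot drift apart.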