MARADMINS : 657/13
R 132052Z DEC 13
UNCLASSIFIED/
MARADMIN 657/13
MSGID/GENADMIN/CMC WASHINGTON DC/C4//
SUBJ/REQUIREMENTS FOR NETWORK SECURITY SOURCE CODE REVIEW//
REF/A/DOD/20021024//
REF/B/DOD/20030206//
REF/C/CJCS/20110209//
REF/D/SECNAV/20051101//
REF/E/USMC/20120718//
REF/F/DISA/20130924//
NARR/REF A, DOD DIRECTIVE 8500.1, IS THE DEPARTMENT OF DEFENSE (DOD) DIRECTIVE 8500.1 ON INFORMATION ASSURANCE. REF B, DOD INSTRUCTION 8500.2, IS THE DEPARTMENT OF DEFENSE (DOD) INFORMATION ASSURANCE (IA) IMPLEMENTATION. REF C IS THE CHAIRMAN OF THE JOINT CHIEFS INSTRUCTION ON INFORMATION ASSURANCE AND SUPPORT TO COMPUTER NETWORK DEFENSE. REF D, SECNAV M-5239.1, IS THE DEPARTMENT OF THE NAVY INFORMATION ASSURANCE PROGRAM IA MANUAL. REF E, MCO 5239.2, IS THE MARINE CORPS INFORMATION ASSURANCE PROGRAM (MCIAP). REF F IS THE DISA APPLICATION SECURITY AND DEVELOPMENT STIG.//
POC/R. LETTEER/CIV/CHIEF, CY DIV/TEL: 703-693-3490/E-MAIL: RAY.LETTEER(AT)USMC.MIL//
POC/S. NICHOLSEN/LTCOL/DEPUTY, CY DIV/TEL: 703-693-3490/E-MAIL: SCOTT.NICHOLSEN(AT)USMC.MIL//
POC/J. CARRIER/CIV/C4 ASSESSMENT/TEL: 703-693-3490/E-MAIL: JASON.B.CARRIER(AT)USMC.MIL//
GENTEXT/RMKS/1. BACKGROUND. AS A RESULT OF RECENT CYBER SECURITY ASSESSMENTS CONDUCTED BY HEADQUARTERS MARINE CORPS (HQMC) COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS (C4), WHITE TEAM, MARINE CORPS OPERATIONAL TESTING EVALUATION ACTIVITY (MCOTEA), AND THE MARINE CORPS WEB RISK ASSESSMENT CELL (MCWRAC), WE HAVE IDENTIFIED THAT SYSTEM, APPLICATION AND PROGRAM OF RECORD OWNERS HAVE BEEN DEFICIENT IN MEETING THE APPLICATION SECURITY REQUIREMENTS MANDATED IN THE REFERENCES.
2. PURPOSE. THE PURPOSE OF THIS MARADMIN IS TO PROVIDE ADDITIONAL GUIDANCE ON THE SECURITY REQUIREMENTS AND SUPPORTING ARTIFACTS REQUIRED FOR ALL APPLICATIONS DEVELOPED FOR THE MCEN, TO INCLUDE GOVERNMENT OFF THE SHELF (GOTS) WHEN SUBMITTED WITH USMC CUSTOM ADDITIONS, MODIFIED COMMERCIAL OFF THE SHELF (MCOTS), AND ANY CUSTOM SOFTWARE OPERATED ON BEHALF OF THE USMC. APPLICATIONS THAT ARE SPECIFICALLY COVERED BY ANOTHER APPLICABLE DOD STIG ARE NOT SUBJECT TO THIS MARADMIN.
3. ACTION. EFFECTIVE IMMEDIATELY, PROGRAM MANAGERS (PM), PROGRAM OFFICERS (PO), INFORMATION ASSURANCE MANAGERS (IAM), INFORMATION SYSTEM SECURITY ENGINEERS (ISSE), AND USMC VALIDATORS MUST BEGIN INCLUDING AUTOMATED SOFTWARE CODE REVIEW ARTIFACTS WITH CERTIFICATION AND ACCREDITATION PACKAGES FOR ALL SOFTWARE AND APPLICATIONS INTRODUCED OR OPERATED ON THE MCEN. PM/PO SHOULD BEGIN PLANNING FOR THE PROCUREMENT OF CODE REVIEW TOOLS, SUCH AS HP FORTIFY, IBM APPSCAN, OR CODE SONAR. AUTOMATED SOURCE CODE TOOLS MUST INCLUDE THE ABILITY TO PROVIDE AUDIT REPORTS AGAINST THE CURRENT VERSION OF THE DISA APPLICATION SECURITY AND DEVELOPMENT STIG, IDENTIFY THE ROOT CAUSE OF SOFTWARE SECURITY VULNERABILITIES IN SOURCE CODE, AND GENERATE AN ACCURATE, RISK-RANKED LIST OF ISSUES WITH DETAILED GUIDANCE ON HOW TO FIX THE VULNERABILITIES AT THE LINE-OF-CODE LEVEL. BEGINNING 6 MARCH 2014, ALL APPLICATIONS WILL MEET THE SECURITY CONTROL REQUIREMENTS OUTLINED WITHIN THE REFERENCES AND THE APPLICATION SECURITY AND DEVELOPMENT SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG). AS EVIDENCE TO SUPPORT THE REQUIREMENTS OF THIS MARADMIN, APPLICATION SECURITY ARTIFACTS ARE REQUIRED TO BE SUBMITTED WITH THE DIACAP PACKAGE AND UPLOADED INTO MCCAST. THE APPLICATION SECURITY ARTIFACTS ENCOMPASS THE FOLLOWING:
(1) SYSTEM SECURITY PLAN (WILL DOCUMENT APPLICATION SECURITY APPROACH)
(2) APPLICATION CONFIGURATION GUIDE AND APPLICATION MAP
(3) STANDARDIZED ENVIRONMENT (DOCUMENT THE HOSTING REQUIREMENTS FOR THE APPLICATION)
(4) SECURITY CLASSIFICATION GUIDE (FOR DATA PROCESSED BY THE APPLICATION)
(5) SECURE CODE TRAINING ARTIFACT FOR DEVELOPERS (TO INCLUDE, AT A MINIMUM, EVIDENCE OF SECURITY AWARENESS TRAINING AND/OR TRAINING CERTIFICATE)
(6) APPLICATION THREAT MODEL
(7) AUTOMATED CODE REVIEW ARTIFACTS (REPORTS TO INCLUDE EVALUATED APPLICATION, THE METHOD AND TOOL USED FOR EVALUATION, AND IDENTIFIED ROOT CAUSES OF SOFTWARE SECURITY VULNERABILITIES IN CORRELATED AND PRIORITIZED FORMAT)
(8) CONFIGURATION MANAGEMENT PLAN
4. APPLICABILITY. THIS MARADMIN APPLIES TO ANY CUSTOM USMC SOFTWARE SUBMITTED FOR ACCREDITATION FOR DEPLOYMENT ON THE MCEN NIPRNET OR SIPRNET. ANY APPLICATION SUBMITTED FOR VALIDATION VIA THE CERTIFICATION AND ACCREDITATION PROCESS WILL BE REQUIRED TO POSSESS THE ARTIFACTS LISTED ABOVE. ANY SYSTEM, APPLICATION, OR PROGRAM OF RECORD CURRENTLY ACCREDITED OR WITHIN THE VALIDATION CYCLE FOR CERTIFICATION WILL NOT BE SUBJECT TO ADDITIONAL REQUIREMENTS UNTIL THE EXPIRATION OF ITS ACCREDITATION. ALL APPLICATIONS ARE SUBJECT TO A PENETRATION TEST PERFORMED BY THE MCWRAC.
5. THIS UPDATED GUIDANCE IS EFFECTIVE AS OF 15 DECEMBER 2013.
6. POINT OF CONTACT FOR THIS ISSUE IS MR. JASON B. CARRIER (703) 693-3490 (JASON.B.CARRIER(AT)USMC.MIL).
7. CANCELLATION. THIS BULLETIN REMAINS IN EFFECT UNTIL INCORPORATED INTO ENTERPRISE CYBERSECURITY DIRECTIVE 018 - MARINE CORPS CERTIFICATION AND ACCREDITATION PROCESS.
8. RELEASE AUTHORIZATION. RELEASE AUTHORIZED BY BGEN K. J. NALLY, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS/CHIEF INFORMATION OFFICER OF THE MARINE CORPS.//