Requirement:

The cybersecurity requirements for external web applications must include at least the following:

Sub-Controls:

2-15-3-1:
Requirement:
Use of web application firewall.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Web applications must be identified, including:
    • Purchased external applications
    • Internally developed applications
  • If there are web applications purchased and operated by a third party, the following must be done:
    • Ensure the supplier's compliance with cybersecurity policies and standard controls including the use of a web application firewall system
  • If there are internally developed applications or external applications purchased from a third-party that are operated by the organization, the following must be done:
    • Identify the firewall technologies that the organization wishes to acquire, including but not limited to:
      • A firewall with pre-defined rules that are managed by the system itself
      • A firewall with the option for the organization to customize the rules
    • Identify and evaluate several web application firewall systems that offer the technologies the organization requires, documenting the advantages and disadvantages of each system separately
    • Select and assign a specific firewall system to be used for the organization's external web applications
    • Implement and install the firewall system for all web applications operated by the organization
  • Include the deployment of the web application firewall in the application development lifecycle to ensure the protection of future applications
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • Documents indicating the identification and documentation of the requirements of this ECC in the policies or procedures of the organization approved by the representative (e.g., electronic copy or official hard copy)
  • Screenshot of web application firewall used by the organization
2-15-3-2:
Requirement:
Adoption of the multi-tier architecture principle.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Web applications must be identified, including:
    • Purchased external applications
    • Internally developed applications
  • Current web applications used in the organization must be identified
  • If there are web applications purchased and operated by a third party, the following must be done:
    • Ensure the supplier's compliance with cybersecurity policies and standard controls including the use of multi-tier architecture principle
  • If there are internally developed applications or external applications purchased from a third-party that are operated by the organization, the following must be done:
    • Determine the tiers of the architecture principle appropriate to the nature of the web application, which must not be less than three tiers:
      • Database Tier
      • Business Tier
      • Presentation/Client Tier
    • Identify relevant departments to implement the multi-tiered architecture principle
    • Apply the principle of multi-tier architecture, which must not be less than three tiers for all web applications of the organization
  • Include and use the multi-tier architecture principle in the application development life cycle to ensure the protection of future applications
Expected Deliverables:
  • An approved policy document indicating the identification and documentation of the requirements related to this control
  • An approved procedure document indicating the identification and documentation of the requirements related to this control
  • Sample of web application designs that demonstrate the use of a multi-tier architecture principle for the organization's web application
  • Sample of web application designs that demonstrate the use of a multi-tier architecture principle for the organization's web application purchased from a third party
2-15-3-3:
Requirement:
Use of secure protocols (e.g., HTTPS).
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Web applications must be identified, including:
    • Purchased external applications
    • Internally developed applications
  • Current web applications used in the organization must be identified
  • If there are web applications purchased and operated by a third party, the following must be done:
    • Ensure the supplier's compliance with cybersecurity policies and standard controls including the use of secure protocols
  • If there are internally developed applications or external applications purchased from a third-party that are operated by the organization, the following must be done:
    • Define the secure communication protocol to be applied to the organization's web applications, including but not limited to:
      • Hypertext Transfer Protocol Secure (HTTPS)
      • Secure File Transfer Protocol (SFTP)
      • Transport Layer Security (TLS)
    • Implement and enable the secure communication protocols on the organization's external web applications to protect them
  • Include the use of secure communication protocols in the application development lifecycle to ensure the protection of future applications
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • Screenshot from a web application showing the use of HTTPS in its link
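Worked example, added here and not part of the control text: a small Python check that turns "use of HTTPS" into verifiable evidence for one external web application, evaluating what an evidence collector would record (final URL scheme, HTTP-to-HTTPS redirect, negotiated TLS version, HSTS header). The hostnames, the TLSv1.2 floor and the one-year HSTS minimum are assumptions, not values from the page.

```python
from dataclasses import dataclass, field

MIN_TLS = "TLSv1.2"       # assumption: the organisation's minimum TLS version
MIN_HSTS_AGE = 31536000   # assumption: one year, as in common HSTS guidance
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class Observation:
    """What an evidence collector recorded for one external web app."""
    app: str
    final_scheme: str            # scheme of the URL after following redirects
    http_status: int             # status returned for the plain-HTTP URL
    http_location: str           # Location header of that response ("" if none)
    tls_version: str             # protocol negotiated with the HTTPS endpoint
    headers: dict = field(default_factory=dict)

def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security header; None if absent."""
    for directive in (value or "").split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None

def assess(obs):
    """Return findings for one app; an empty list means it meets the control."""
    findings = []
    if obs.final_scheme != "https":
        findings.append("final URL is not served over HTTPS")
    # 'Use of HTTPS' in practice means plain HTTP must redirect to HTTPS.
    if not (obs.http_status in (301, 302, 307, 308)
            and obs.http_location.startswith("https://")):
        findings.append("plain HTTP is not redirected to HTTPS")
    if (obs.tls_version not in TLS_ORDER
            or TLS_ORDER.index(obs.tls_version) < TLS_ORDER.index(MIN_TLS)):
        findings.append(f"negotiated {obs.tls_version}, below {MIN_TLS}")
    age = hsts_max_age(obs.headers.get("Strict-Transport-Security"))
    if age is None or age < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age below policy")
    return findings

# Constructed sample observations for two hypothetical applications.
SAMPLE = [
    Observation("portal.example.com", "https", 301, "https://portal.example.com/",
                "TLSv1.3", {"Strict-Transport-Security": "max-age=63072000"}),
    Observation("legacy.example.com", "http", 200, "", "TLSv1"),
]
```

Running `assess` over each entry in `SAMPLE` gives an empty list for the first application and four findings for the second, which is the kind of record that backs the screenshot deliverable above.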
2-15-3-4:
Requirement:
Clarification of the secure usage policy for users.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Document the secure use policy for the organization's web applications for users
  • Ensure that the secure use policy is shared on the organization's web applications through the external network (extranet) and not the intranet
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • Secure Use of Web Application Users Policy
  • Screenshot from the organization's website indicating the publication of the secure usage policy for users
2-15-3-5:
Requirement:
User authentication based on defined number and factors of authentication, as a result of impact assessment of authentication failure and bypass for users' access.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Apply multi-factor authentication to user access to web applications, whether the applications are purchased and operated by a third party, developed internally, or purchased from a third party but operated by the organization
  • Include the requirement to implement multi-factor authentication in the application development lifecycle to ensure the protection of future applications
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • Multiple screenshots showing the login process, including the MFA step