Application & Workload
Organizations must ensure that all commercial off-the-shelf (COTS) and internally built applications are kept up to date and secure. This includes all the applications, systems, and services running in an infrastructure, either locally on-premises, externally in the cloud, or both in the case of hybrid environments.
User access should be based off of authentication to each specific application not their network. It is imperative to have a complete understanding of all application components and libraries, including 3rd party and open source to identify new vulnerabilities and patches. Security patches and software updates should be applied immediately to eliminate newly developed vulnerabilities. Software development teams must follow secure application development best practices and application vetting tools applied to validate code.
Maintain an accurate and up to date list of internal and commercial off-the-shelf (COTS) applications in use across your organization. Ensure that applications are continuously updated to the latest versions with current security patches and identify common vulnerabilities and exposures (CVEs) impacting your corporate applications.
Software Bill of Materials
Identify all third party components, open source libraries and propriety code utilized within each individual application so that your organization can respond quickly to any vulnerabilities within the application code.
Comply with the Continuous Monitoring Annex of the Mobile Access Capability Package to collect, aggregate, correlate and analyze security event data from commercial solutions for classified (CSfC) components within your network.