Mozilla Firefox STIG Version 6, Release 6 Checklist Details
SCAP 1.3 Content:
- Download SCAP 1.3 Content - Mozilla Firefox for Linux STIG SCAP Benchmark - Ver 6, Rel 6
  - Author: Defense Information Systems Agency
- Download SCAP 1.3 Content - Mozilla Firefox for Windows STIG SCAP Benchmark - Ver 6, Rel 7
  - Author: Defense Information Systems Agency
Supporting Resources:
- Download Standalone XCCDF 1.1.4 - Mozilla Firefox STIG - Ver 6, Rel 7
  - Defense Information Systems Agency
- Download Intune Policies - Intune Policy - April 2026
  - Defense Information Systems Agency
- Download GPOs - Group Policy Objects (GPOs) - April 2026
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 Windows
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 RHEL 7/Oracle Linux 7/SLES12/SLES 15 x86 64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 RHEL 8/Oracle Linux 8 Aarch64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 RHEL 8/Oracle Linux 8 x86 64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 RHEL 9/Oracle Linux 9 Aarch64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 RHEL 9/Oracle Linux 9 x86 64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 Ubuntu 18/20 AMD64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 Ubuntu 20/Raspios-bullseye Aarch64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 Ubuntu 22/24 AMD64
  - Defense Information Systems Agency
- Download Automated Content - SCC 5.14.1 Ubuntu 22/24 ARM64
  - Defense Information Systems Agency
Target:
| Target | CPE Name |
|---|---|
| Mozilla Firefox | cpe:/a:mozilla:firefox |
Checklist Highlights
- Checklist Name: Mozilla Firefox STIG
- Checklist ID: 356
- Version: Version 6, Release 6
- Type: Compliance
- Review Status: Final
- Authority: Governmental Authority: Defense Information Systems Agency
- Original Publication Date: 04/28/2017
Checklist Summary:
This Mozilla Firefox Technology Overview provides the technical security policies, requirements, and implementation details for applying security concepts to Commercial-Off-The-Shelf (COTS) applications. The nearly universal presence of systems on the desktops of all levels of staff provides tremendous opportunities for office automation, communication, data sharing, and collaboration. Unfortunately, this presence also brings about dependence and vulnerabilities. Malicious and mischievous forces have attempted to take advantage of the vulnerabilities and dependencies to disrupt the work processes of the Government. Compounding this problem is the fact that the vendors of software applications have not expended sufficient effort to provide strong security in their applications. Where applications do offer security options, the default settings typically do not provide a strong security posture.
Checklist Role:
- Web Browser
Known Issues:
Not provided.
Target Audience:
Not provided.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Although there are a few different operating system platforms for desktop environments, this document addresses applications running on Microsoft Windows platforms. This document does not include specific guidance for UNIX or Linux or Apple desktop environments at this time. The security requirements detailed in this document apply to applications installed on Microsoft Windows Server platforms as well as Microsoft Windows Workstation platforms. On server platforms, the security configuration parameters will be set to at least as restrictive values as those listed in this document. It must be noted that the guidelines specified should be evaluated in a local, representative test environment before implementation within large user populations. The extensive variety of environments makes it impossible to test these guidelines for all potential software configurations. For some environments, failure to test before implementation may lead to a loss of required functionality.
Regulatory Compliance:
DoD Instruction (DoDI) 8500.01
Comments/Warnings/Miscellaneous:
NOTE - Resource fails validation for XCCDF 1.1.4 content. Workaround - Edit the XCCDF file and change the ID element within the XML, replacing the " " (space values) with an "_" (underscore). Example: id="Mozilla Firefox STIG" would become id="Mozilla_Firefox_STIG".
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
Sponsor:
DoD
Licensing:
DoD has clarified policy on the use of open source software (OSS) to take advantage of the capabilities available in the Open Source community as long as certain prerequisites are met. DoD no longer requires that operating system software be obtained through a valid vendor channel and have a formal support path, if the source code for the operating system is publicly available for review.

From the DoD Chief Information Officer (CIO) memo, Open Source Software (OSS) in Department of Defense (DoD), 28 May 2003: DoD Components acquiring, using or developing OSS must ensure that the OSS complies with the same DoD policies that govern Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) software. This includes, but is not limited to, the requirements that all information assurance (IA) or IA-enabled IT hardware, firmware and software components or products incorporated into DoD information systems whether acquired or originated within DoD: Comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy Number 11 and be configured in accordance with DoD approved security and configuration guidelines at http://iase.disa.mil/ and http://www.nsa.gov/

OSS takes several forms and may be acceptable or unacceptable depending on the form:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates OSS is acceptable because the commercial vendor provides a warranty.
3. Vendor supported OSS is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

The DoDD 8500.1 states: Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA.
