As part of the 10.1.8 release, the following Apache Tomcat STIGs have been addressed in NCM.

V-222932 : Cookies must have secure flag set.
Note: This is not implemented for the ncm-as service.

V-222933 : Cookies must have http-only flag set.

V-222949 : Tomcat user UMASK must be set to 0027.

V-222951 : The shutdown port must be disabled.

V-222961 : Applications in privileged mode must be approved by the ISSO.

V-222973 : Tomcat must be configured to limit data exposure between applications.

V-222986 : $CATALINA_HOME folder must be owned by the root user, group tomcat.

V-222987 : $CATALINA_BASE/conf/ folder must be owned by root, group tomcat.

V-222988 : $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.

V-222989 : $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.

V-222991 : $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.
Note: The permissions of NCM services and directories are set to the minimum required privileges; therefore, the permissions requested in V-222986, V-222987, V-222988, V-222989, and V-222991 are not required.

V-222993 : Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

V-223002 : STRICT_SERVLET_COMPLIANCE must be set to true.
Note: This is not implemented for the NCMSmartsAdapter and tomcat services.

V-223003 : RECYCLE_FACADES must be set to true.

V-223005 : ENFORCE_ENCODING_IN_GET_WRITER must be set to true.