If the DoD account owners are required to use the CSP’s IdAM system to administer user accounts and service configurations, this is not a finding. Review the site's approval documentation to ensure an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration. If the cloud Mission Owner Authorizing Official has not configured the cloud service offering for access using PKI, this is a finding.
Have the Mission Owner's AO appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals using PKI to access and configure services and virtual instances.
Verify the Mission Owner has implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform. If the Mission Owner has not implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform, this is a finding.
Implement a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.
If this is an Impact Level 2, off-premise implementation, this requirement is not applicable. Review the architecture for the virtual enclave/platform. Verify that for dedicated infrastructure at mission Impact Levels 4-6 and on-premise Impact Level 2, the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection. For virtual enclave Impact Level 4-6 or on-premise Impact Level 2 implementations, if the virtual enclave does not implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection, this is a finding.
For dedicated infrastructure with an ICAP/BCAP connection (Impact Levels 4-6 and on-premise Impact Level 2), ensure that the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.
If this is Impact Level 2, this is not a finding. Review the configuration of the virtual enclave router. Verify that virtual Internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the Internet. If virtual Internet-facing applications permit direct access to the CSP or the Internet, this is a finding.
Configure virtual Internet-facing applications to traverse the CAP and VDSS prior to communicating with the Internet.
Review the configuration of the virtual enclave. Verify that the IP address of an ACAS server is configured. Verify the ACAS data is also being communicated to the CNDSP. If the virtual enclave does not implement scanning using an ACAS server, this is a finding.
Configure scanning using an ACAS server by configuring the IP address of the selected server.
Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable. If the cloud IaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable, this is a finding.
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.
If the CSP's infrastructure is used, this is not applicable. Verify the virtual enclave/platform is configured to maintain logical separation of all management, user, and data traffic using encryption. If the virtual enclave/platform does not maintain separation of all management, user, and data traffic, this is a finding.
Configure the virtual enclave/platform/OS to maintain separation of all management, user, and data traffic.
If the implementation is categorized as Impact Level 4-6, this is not applicable. Review the approval documentation. Verify that the cloud service offering is listed in either the FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. If Unclassified, public-releasable DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in either the FedRAMP or DISA PA DoD Cloud Catalog, this is a finding.
Select and configure a cloud service offering listed in FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
If the implementation is categorized as Impact Level 2 or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the cloud service offering is listed in the DISA PA DoD Cloud Catalog. Verify the offering is listed as Impact Level 4 or higher. If sensitive but unclassified information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 4 or higher, this is a finding.
Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 4 or higher. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
If the implementation is categorized as Impact Level 2-5, this is not a finding. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog. Verify the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information. If Classified DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 6 or higher, this is a finding.
Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 6 when hosting Classified DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
Request the cloud service approval documentation. Verify the virtual enclave/platform/software service/application is registered with the DoD whitelist for both inbound and outbound traffic. If the Mission Owner has configured/used ports and protocols that have not been registered with the DoD whitelist, this is a finding.
Register the virtual enclave/platform/software service/application with the DoD whitelist for both inbound and outbound traffic. Configure the DoD whitelist with the ports and protocols needed to support applications and services used in the cloud environment.
Verify the CSP’s cloud service offering is registered in SNAP for the connection approval and it is the one being used in the cloud management portal. If the cloud service is not registered in SNAP, this is a finding. If the IP address that is registered in SNAP is not configured for use with the approved cloud environment, this is a finding.
Register the virtual enclave/platform/software CSP’s cloud service offering in SNAP for the connection approval. Configure the IP address that is registered in SNAP for use by the cloud service offering using the cloud management portal.
If cloud services are managed by the CSP, verify separation requirements are addressed in the SLA. Verify the virtual enclave/virtual platform is configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. If the virtual enclave/virtual platform has not been configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements, this is a finding.
Configure the virtual enclave/virtual platform to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. Cloud services are added, removed, and updated by the cloud service portal management entity via the management plane.
If this is a Level 2 cloud, this is not a finding. For dedicated infrastructure with a DODIN connection (Levels 4-6), review the architecture diagrams. Verify that the virtual firewall ACLs, IPS rules, and/or routing tables that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection comply with the boundary requirements of DoDI 8551. Verify all traffic from the CSP enclave and other sources is blocked by these methods. If the cloud IaaS/PaaS is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, this is a finding.
For dedicated infrastructure with a DODIN connection (Levels 4-6), configure the IaaS/PaaS virtual firewall, IPS, and/or routing methods that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection IAW DoDI 8551 and block all traffic from all other sources.
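The boundary checks above (the BCAP/ICAP security stack for dedicated infrastructure, and the DODIN-connection firewall/routing rules that must follow DoDI 8551 and the PPSM CAL) are written as reviewer steps. The following audit script is an added example, not part of the STIG or of any CSP tooling, showing how a reviewer could mechanically test an exported rule set for the three properties the checks name: every permit rule's far end lies inside the approved CAP/DODIN connection prefix, every permitted protocol/port is on the PPSM allowlist, and the rule set ends in an explicit deny-any. The `Rule` layout, the CAP prefix `10.200.0.0/16`, and the PPSM entries are constructed assumptions for the example; substitute the values from the site's approval documentation.

```python
"""Audit an exported enclave boundary rule set against the CAP/DODIN-only rule.

Added example (not STIG or vendor code). Assumptions: rules are represented by
the Rule dataclass below, the CAP/DODIN prefix and the PPSM allowlist are the
constructed sample values, and inbound/outbound rules are merged into one list
(real firewalls keep them in separate ACLs; run the audit once per ACL).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp", "udp", "icmp" or "any"
    remote: str           # CIDR of the far end: source for inbound, destination for outbound
    port: Optional[int]   # destination port; None means "any"

# Constructed: prefix of the DODIN connection (BCAP/ICAP side) assigned to this enclave.
CAP_PREFIX = ip_network("10.200.0.0/16")

# Constructed stand-in for the PPSM CAL entries approved for this mission.
PPSM_ALLOWED = {("tcp", 443), ("tcp", 22), ("udp", 514)}

def audit_rules(rules: List[Rule], cap_prefix=CAP_PREFIX, ppsm_allowed=PPSM_ALLOWED) -> List[str]:
    """Return a list of finding strings; an empty list means the rule set passes."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        remote = ip_network(r.remote, strict=False)
        # 1. The only permitted far end is the CAP/DODIN connection; anything
        #    wider (including 0.0.0.0/0) exposes the enclave to other sources.
        if not remote.subnet_of(cap_prefix):
            findings.append(f"rule {i}: permits {r.direction} traffic to/from {r.remote}, "
                            f"outside CAP prefix {cap_prefix}")
        # 2. Ports/protocols must be explicit and on the PPSM allowlist.
        if r.protocol == "any" or r.port is None:
            findings.append(f"rule {i}: permits unrestricted protocol/port ({r.protocol}/{r.port})")
        elif (r.protocol, r.port) not in ppsm_allowed:
            findings.append(f"rule {i}: {r.protocol}/{r.port} is not in the PPSM allowlist")
    # 3. Traffic from the CSP enclave and all other sources must be dropped by
    #    an explicit final deny, not left to implicit behaviour.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.protocol != "any" or last.remote != "0.0.0.0/0":
        findings.append("rule set does not end with an explicit deny-any")
    return findings

# Constructed sample rule sets for the two outcomes.
COMPLIANT = [
    Rule("permit", "inbound", "tcp", "10.200.0.0/16", 443),
    Rule("permit", "outbound", "udp", "10.200.5.0/24", 514),
    Rule("deny", "inbound", "any", "0.0.0.0/0", None),
]
NONCOMPLIANT = [
    Rule("permit", "inbound", "tcp", "10.200.0.0/16", 443),
    Rule("permit", "inbound", "tcp", "0.0.0.0/0", 8080),      # any source, non-PPSM port
    Rule("permit", "outbound", "any", "10.200.0.0/16", None), # unrestricted protocol
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, "->", audit_rules(rules) or "no findings")
```

Each string returned by `audit_rules` maps directly to a finding in the check text: a far end outside the CAP prefix is traffic from "other sources" that is not blocked, and an unlisted protocol/port is a PPSM CAL violation.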
Verify the virtual enclave/platform is configured to use an identity provider. If the virtual enclave/virtual platform has not implemented an identity provider, this is a finding.
Configure the virtual enclave/platform to use an identity provider. Mission Owners may choose to use the CSP's CAC services (based on level), use a DoD federated offering, or install a virtual AD.
Review the configuration of the virtual enclave/platform. Verify that the IP address of an HBSS agent control server on NIPRNet is configured. Verify that a FIPS 140-2 compliant communication protocol is configured for communication with the server. Verify the HBSS data is also being communicated to the CNDSP. If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the HBSS agents and their control server, this is a finding.
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the virtual OS's HBSS agents and their control server. Configure visibility by the Mission Owner’s CNDSP.
Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the ACAS server and its assigned ACAS Security Center. If the cloud IaaS does not implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center, this is a finding.
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the ACAS server and its assigned ACAS Security Center.
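The three "FIPS 140-2 compliant communication protocol" checks (OCSP responders, HBSS agent to control server, ACAS server to Security Center) all come down to the same question: is the channel TLS 1.2 or later, negotiated with approved algorithms? The snippet below is an added example, not part of the STIG or of the HBSS/ACAS products, showing the two halves of that verification in Python's standard `ssl` module: a client context that refuses anything below TLS 1.2 and restricts the TLS 1.2 suite list to AES-GCM with (EC)DHE key exchange, and a post-handshake check of the negotiated cipher, which is needed because the Python `ssl` API cannot restrict the TLS 1.3 suite list, so a non-approved suite such as ChaCha20-Poly1305 could still be negotiated. The approved-suite sets are a constructed subset chosen for the example; a FIPS 140-2 compliant path additionally requires a validated cryptographic module underneath the library, which no cipher string can provide.

```python
"""Configure and verify a TLS channel against a FIPS-style algorithm policy.

Added example (not STIG, HBSS or ACAS code). The suite sets below are a
constructed subset of approved algorithms used for illustration.
"""
import ssl

# TLS 1.2 suites accepted by this policy: AES-GCM, SHA-2, (EC)DHE key exchange.
FIPS_TLS12_SUITES = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
}
# TLS 1.3 suites accepted by this policy (ChaCha20-Poly1305 deliberately absent).
FIPS_TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}

def make_fips_client_context(cafile=None):
    """Client context: TLS >= 1.2, certificate and hostname verification on,
    TLS 1.2 suite list limited to the approved set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 and SSL
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)          # e.g. the DoD root CA bundle (path is site-specific)
    else:
        ctx.load_default_certs()
    # OpenSSL keeps TLS 1.3 suites in a separate list that this string does not touch.
    ctx.set_ciphers(":".join(sorted(FIPS_TLS12_SUITES)))
    return ctx

def negotiated_is_fips(cipher_name, protocol):
    """Evaluate what was actually negotiated (as reported by SSLSocket.cipher())."""
    if protocol == "TLSv1.3":
        return cipher_name in FIPS_TLS13_SUITES
    if protocol == "TLSv1.2":
        return cipher_name in FIPS_TLS12_SUITES
    return False   # TLS 1.1 and below never pass

def check_socket(tls_sock):
    """Post-handshake check for an established ssl.SSLSocket."""
    name, protocol, _bits = tls_sock.cipher()
    return negotiated_is_fips(name, protocol)

if __name__ == "__main__":
    ctx = make_fips_client_context()
    print("min version:", ctx.minimum_version)
    print("TLS 1.2 suites offered:", sorted(c["name"] for c in ctx.get_ciphers()
                                            if not c["name"].startswith("TLS_")))
```

In practice the context is passed to `ctx.wrap_socket(sock, server_hostname=...)` for the OCSP, HBSS or ACAS connection, and `check_socket` is run on the result before any data is sent; a `False` result is the "not implementing a secure (encrypted) connection" condition the checks describe.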
Verify the virtual platform employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If the cloud IaaS/PaaS does not employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP, this is a finding.
Configure the virtual platform to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP.
If this is an on-premise or Level 2 implementation, this requirement is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the virtual enclave, platform, and interconnected host VMs. Inspect the virtual IDPS configuration. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CNDSP responsible for the mission system/application. If the Mission Owner has not configured the virtual enclave or platform IDPS to monitor and protect the virtual enclave(s) and interconnected VMs, this is a finding.
Configure a virtual IDPS to monitor and protect Mission Owner enclaves and applications hosted in an off-premise cloud.
If this is an on-premise or Level 2 implementation, this requirement is not applicable. Inspect the ACLs for inbound interfaces from other enclaves for the firewalls. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor inbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Configure the firewall and IDPS for continuous monitoring of all communications inbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
If this is an on-premise or Level 2 implementation, this requirement is not applicable. Inspect the ACLs for outbound interfaces to other enclaves for the firewalls. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor outbound communications to other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Configure the firewall and IDPS for continuous monitoring of all communications outbound from the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
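The inbound and outbound monitoring requirements list the same five conditions (large file transfers, persistent connections, unusual protocols and ports, communication with unauthorized entities, unusually high traffic from a segment) without saying how a rule set would express them. The following detection pass is an added example, not part of the STIG or of any firewall or IDPS product, that applies those five rules to flow records from an enclave boundary in both directions. The record layout, the thresholds, the authorized-peer prefix and the flow samples are constructed assumptions; real deployments would take thresholds from an observed baseline and feed alerts to the CNDSP.

```python
"""Screen boundary flow records for the five conditions named in the STIG checks.

Added example (not STIG, firewall or IDPS code). Assumptions: flow records are
tuples (direction, local_ip, remote_ip, proto, dst_port, bytes, duration_s),
thresholds and the authorized-peer prefix are the constructed values below, and
a "segment" is the /24 containing the local host.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

AUTHORIZED_PEERS = [ip_network("10.200.0.0/16")]          # constructed: the CAP-side prefix
PERMITTED = {("tcp", 443), ("tcp", 22), ("udp", 514)}      # constructed PPSM-style allowlist
LARGE_TRANSFER_BYTES = 1_000_000_000                       # 1 GB in one flow
PERSISTENT_SECONDS = 24 * 3600                             # connection open for a day
SEGMENT_BYTES = 1_000_000_000                              # 1 GB from one /24 in the window

def segment_of(ip, prefixlen=24):
    return ip_network(f"{ip}/{prefixlen}", strict=False)

def screen_flows(flows, authorized=AUTHORIZED_PEERS, permitted=PERMITTED):
    """Return alert tuples (kind, local, remote, detail) for every matching condition."""
    alerts = []
    per_segment = defaultdict(int)
    for direction, local, remote, proto, port, nbytes, duration in flows:
        if nbytes >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_transfer", local, remote, nbytes))
        if duration >= PERSISTENT_SECONDS:
            alerts.append(("persistent_connection", local, remote, duration))
        if (proto, port) not in permitted:
            alerts.append(("unusual_port_protocol", local, remote, f"{proto}/{port}"))
        # The far end is the source for inbound flows and the destination for
        # outbound flows; either way it must be inside an authorized prefix.
        if not any(ip_address(remote) in net for net in authorized):
            alerts.append(("unauthorized_peer", local, remote, direction))
        per_segment[segment_of(local)] += nbytes
    for seg, total in per_segment.items():
        if total >= SEGMENT_BYTES:
            alerts.append(("high_volume_segment", str(seg), None, total))
    return alerts

# Constructed sample window: four single-flow anomalies plus one chatty /24.
FLOWS = [
    ("outbound", "10.50.1.10", "10.200.3.5", "tcp", 443, 120_000, 12),            # normal
    ("outbound", "10.50.1.11", "10.200.3.5", "tcp", 443, 2_500_000_000, 40),      # large transfer
    ("inbound",  "10.50.2.20", "10.200.3.9", "tcp", 22, 8_000, 90_000),           # persistent
    ("inbound",  "10.50.2.21", "10.200.3.9", "udp", 6881, 3_000, 5),              # unusual port
    ("outbound", "10.50.1.12", "198.51.100.7", "tcp", 443, 50_000, 3),            # unauthorized peer
] + [("outbound", f"10.50.3.{i}", "10.200.3.5", "tcp", 443, 30_000_000, 10)
     for i in range(1, 41)]                                                       # 40 x 30 MB from one /24

if __name__ == "__main__":
    for alert in screen_flows(FLOWS):
        print(alert)
```

Note that the 2.5 GB transfer also pushes its own /24 over the segment threshold, so the sample window produces two `high_volume_segment` alerts; overlapping rules firing on one event is normal and the CNDSP correlation layer is where they are merged.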
If this is Impact Level 2, this is not applicable. Verify the virtual platform is configured to use encryption to protect all DoD files housed in the virtual storage service. If the virtual platform is not configured to use encryption to protect all DoD files housed in the virtual storage service, this is a finding.
Configure the cloud instance to use encryption to protect all DoD files housed in the virtual storage service.