If this is an Impact Level 2 IaaS/PaaS implementation, this requirement is not applicable. Review the architecture for the IaaS. Verify that for dedicated infrastructure mission Impact Levels 4–5, the IaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection. For IaaS Levels 4–5, if the IaaS does not implement a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection, this is a finding.
FedRAMP Moderate, High. For dedicated infrastructure with an ICAP/BCAP connection (Levels 4–5 and on-premise Impact Level 2), ensure the IaaS/PaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection.
If this is a Software as a Service (SaaS), this is not a finding. If Impact Level 2, but the cloud service provider (CSP) has control over the environment, this is not a finding. Verify that virtual internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the internet. If virtual internet-facing applications permit direct access to the CSP or the internet, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure virtual internet-facing applications to traverse the CAP and VDSS prior to communicating with the internet.
If this is a Software as a Service (SaaS), this is not applicable. This applies to all Impact Levels. Review the configuration of the IaaS/PaaS. Verify that the IP address of an ACAS server is configured. Verify the flaw remediation data is also being communicated to the cybersecurity service provider (CSSP). If the PaaS/IaaS does not implement scanning using an ACAS server or CSP-provided solution that meets DOD scanning and reporting requirements, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IP address of an ACAS server or another solution that meets DOD scanning and reporting requirements.
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify the IaaS/PaaS is configured to maintain logical separation of all management and data traffic. If the IaaS/PaaS does not maintain separation of all management and data traffic, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to maintain separation of all management and data traffic.
If this is a Software as a Service (SaaS), this is not applicable. Review the Service Level Agreement and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify it is placed to monitor and protect the IaaS, PaaS, and interconnected host VMs. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CSSP responsible for the mission system/application. If the Mission Owner has not configured the IaaS or PaaS IDPS to monitor and protect the IaaS and interconnected VMs, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure a virtual IDPS to monitor and protect the DOD VMs, services, and applications.
If this is a Software as a Service (SaaS), this is not applicable. Inspect the firewall and/or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filters on the firewall inbound interfaces. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor inbound communications from external systems, other IaaS, or collocated mission applications within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications inbound to the virtual IaaS or PaaS. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices.
If this is a Software as a Service (SaaS), this is not applicable. Inspect the firewall and/or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filtering rules that filter traffic on any outbound interface from the IaaS and systems. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor outbound communications to other enclaves and systems for unusual or unauthorized activities or conditions, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications outbound from the virtual IaaS or PaaS. Configure any ACLs and filtering rules on outbound interfaces to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
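The inbound and outbound requirements above name the same five conditions the firewall/IDPS rules must detect: large file transfers, persistent connections, unusual protocols or ports, communication with unauthorized entities, and unusually high traffic from a particular segment. The following is an added illustration, not part of the STIG text, of how a reviewer can screen exported flow records for those conditions; the flow-record format, the thresholds, the allowed-port set and the authorized-peer networks are all constructed assumptions and would be replaced by the enclave's own baseline. The per-segment aggregation shows why per-flow rules alone are not enough: the last constructed flow trips no single-flow rule, but pushes its /24 over the volume limit.

```python
"""Screen flow records for the anomalous conditions an IaaS/PaaS
firewall/IDPS rule set must detect (constructed example, stdlib only)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Thresholds are hypothetical; a real deployment tunes them to its baseline.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024      # one flow moving >= 500 MiB
PERSISTENT_SECONDS = 6 * 3600                 # one connection open >= 6 h
SEGMENT_BYTES_LIMIT = 1024 ** 3               # >= 1 GiB from one /24 in the window
ALLOWED_PORTS = {("tcp", 443), ("tcp", 22), ("udp", 53)}   # expected proto/port pairs
AUTHORIZED_PEERS = [                          # peers the enclave may talk to
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Flow:
    ts: int        # epoch seconds at flow start
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow
    duration: int  # seconds the connection stayed open


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: ts src dst proto dport bytes duration."""
    ts, src, dst, proto, dport, nbytes, dur = line.split()
    return Flow(int(ts), src, dst, proto.lower(), int(dport), int(nbytes), int(dur))


def screen_flows(flows):
    """Return (kind, src, dst, detail) tuples for every condition that fires."""
    findings = []
    per_segment = defaultdict(int)
    for f in flows:
        if f.nbytes >= LARGE_TRANSFER_BYTES:
            findings.append(("large_transfer", f.src, f.dst, f.nbytes))
        if f.duration >= PERSISTENT_SECONDS:
            findings.append(("persistent_connection", f.src, f.dst, f.duration))
        if (f.proto, f.dport) not in ALLOWED_PORTS:
            findings.append(("unusual_port", f.src, f.dst, f"{f.proto}/{f.dport}"))
        dst_ip = ipaddress.ip_address(f.dst)
        if not any(dst_ip in net for net in AUTHORIZED_PEERS):
            findings.append(("unauthorized_peer", f.src, f.dst, str(dst_ip)))
        # Aggregate by source /24 so a segment that spreads a large volume
        # over many small flows is still caught.
        segment = ipaddress.ip_network(f"{f.src}/24", strict=False)
        per_segment[str(segment)] += f.nbytes
    for segment, total in per_segment.items():
        if total >= SEGMENT_BYTES_LIMIT:
            findings.append(("high_segment_volume", segment, "*", total))
    return findings


def screen_log(text: str):
    """Parse a whole constructed flow export and screen it."""
    return screen_flows(parse_flow(l) for l in text.splitlines() if l.strip())


# Constructed sample export: one normal flow, then one flow per condition,
# plus a 400 MiB flow that only matters once the segment total is summed.
SAMPLE_FLOWS = """\
1700000000 10.20.30.5 10.0.1.10 tcp 443 120000 12
1700000010 10.20.30.6 198.51.100.7 tcp 443 734003200 800
1700000020 10.20.30.7 10.0.1.10 tcp 22 4096 25200
1700000030 10.20.30.8 10.0.1.20 tcp 4444 2048 5
1700000040 10.20.30.9 203.0.113.9 tcp 443 9000 3
1700000050 10.20.31.1 10.0.1.10 udp 53 512 1
1700000060 10.20.30.10 10.0.1.10 tcp 443 419430400 600
"""

if __name__ == "__main__":
    for kind, src, dst, detail in screen_log(SAMPLE_FLOWS):
        print(f"{kind:22s} {src:>12s} -> {dst:<14s} {detail}")
```

The same screening applies on either interface: on the inbound side the source segments are external or collocated peers, on the outbound side they are the enclave's own VMs; only the threshold values and the peer allow-list differ.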
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify that certificate path validation is implemented to ensure revoked user and/or machine credentials are prohibited from establishing a user or machine session. If the cloud IaaS/PaaS is not configured to use OCSP or CRLDP to ensure revoked credentials are prohibited from establishing an allowed session, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to use OCSP or CRLDP to ensure revoked credentials are prohibited from establishing an allowed session. This requirement applies to the use of both user and machine credentials.
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify that a DOD-approved OCSP responder or CRL is used to validate certificates used for PKI-based authentication. If the cloud IaaS/PaaS is not configured to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication. Configure the system to implement the following access policy:
- Configure CAC/PKI for remote access for privileged users at all Impact Levels. CAC/PKI access is required for nonprivileged users' access to Impact Levels 4–6.
- Impact Level 6: When on-premises, use NSS PKI. Enforce the use of a physical token, referred to as the CNSS NSS Hardware Token, for the authentication of DOD Mission Owner and CSP privileged and nonprivileged end users. When implementing NSS PKI, use NSS OCSP or CRL resources for checking revocation of NSS certificates and NSS Certificate Authorities, and follow CNSS/NSA instructions for the management and protection of cryptographic keys. CNSS-issued PKI server certificates will be used to identify the CSP’s DOD customer ordering/service management portals and SaaS applications and services contracted by and dedicated to DOD use.