NIPRNet DoD DMZ Policy Requirements VV2R1

b

The DMZ systems, to include boundary IA control devices, must deny those services not expressly permitted based on the DoD Ports, Protocols, and Services (PPS) registry of Internet facing services.

Medium - V-14849 - SV-15617r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-SVC6.1

Vuln IDs

V-14849

Rule IDs

SV-15617r3_rule

If an organization cannot identify what ports and protocols are necessary for operational traffic, then there is no way to identify what ports, protocols and services should be denied at the perimeter or allowed as valid traffic flows.Information Assurance ManagerDCPP-1

Checks: C-13285r3_chk

Obtain IA device information and ensure each permitted service, port and protocol, is registered in the DoD PPS database. Review the architecture and determine if the DMZ permits only those approved services based on the DoD PPS registry. PPSM website is available for additional information: http://iase.disa.mil/ports/index.html.

Fix: F-14392r3_fix

Configure the DMZ systems (to include boundary IA control devices) to permit only approved Ports, Protocols, and Services (PPS) based on the DoD PPS registry of Internet facing services.

b

DMZ systems must support, or have the capability to utilize, an automated patch capability for all services.

Medium - V-14862 - SV-15630r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-NET3

Vuln IDs

V-14862

Rule IDs

SV-15630r3_rule

As the DoD DMZ components are critical to the protection of the private DoD data assets within the NIPRNet, it is important to ensure all systems are up-to-date with security patches and fixes. As the DoD DMZ is an enterprise system, it is necessary to ensure this is an automated approach to ensure timely distribution and installation of all security related patches and fixes. Patches and fixes to a device are necessary in maintaining the security posture of the network. If one system has been compromised or exposed to vulnerability, the entire DoD DMZ is at risk.Information Assurance ManagerVIVM-1

Checks: C-13299r3_chk

Work with the IAM to determine if there is an automated patch distribution system for security related patches for all services. Review each technology to determine if there is a fully functional automated patch distribution solution. This does not negate the need for patch testing prior to installation. Patches should not be automatically pushed to devices and servers or both, prior to testing in a non-production environment. Each asset and the DMZ system as a whole must support and utilize an automated patch capability.

Fix: F-14405r2_fix

Configure the DMZ systems to utilize an automated patch capability for all services within the DoD DMZ.

b

DoD DMZs must provide Network Operations (NetOps) reporting to the appropriate CNDSPs.

Medium - V-14864 - SV-15632r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-NET4.1

Vuln IDs

V-14864

Rule IDs

SV-15632r3_rule

Sending alert data to the appropriate personnel is critical to ascertain the extent the potential issue may be compromising DoD data or network availability. If the alert data is not sent as quickly as possible, it may be too late to take action upon the event to avoid compromise. Components within or supporting a NIPRNet DoD DMZ must provide NetOps alert and log data to the appropriate local CNDSP and Combatant Command, or Agency Network Operations Centers (NOC) in near real-time. Information Assurance ManagerECAT-1

Checks: C-13302r3_chk

Review the DMZ Concept of Operations (CONOPS) policy and procedures along with system device configuration and implementation documentation to ensure reporting requirements include providing NetOps alert and log data to the appropriate local CNDSP, and Combatant Command or Agency NOC, in near real-time without significant delay so the alert or log data does not become non-actionable. NOTE: Transmission in near real-time means the data is transmitted as it is generated or shortly thereafter. The data is not queued. NOTE: This finding can be reduced to a CAT III in the event the component is polled regularly and often so the alert or log data does not become non-actionable.

Fix: F-14407r3_fix

Provide NetOps alert and log data, for all components within or supporting a NIPRNet DoD DMZ, to the appropriate local CNDSP and COCOM, or Agency NOC in near real-time without significant delay such that the alert or log data does not become non-actionable.

c

The DoD DMZ must be designed so all Internet facing application and service data traffic traverses the existing DoD owned and controlled Internet Service Routers (ISR)/Internet Access Points (IAP) at the DoD to Internet boundary.

High - V-14873 - SV-15641r3_rule

RMF Control

Severity

H

CCI

Version

DMZ-8

Vuln IDs

V-14873

Rule IDs

SV-15641r3_rule

The DoD DMZ architecture security check-points are logically located at the Internet Access points for the DoD. The security architecture was designed to protect NIPRNet assets and DoD data by funneling all traffic inbound to the DoD network through the IAPs/ISRs. This effort would be completely undermined if the traffic flows and application data were to traverse anything other than the IAPs/ISRs. Information Assurance ManagerEBBD-1, EBBD-2, EBBD-3

Checks: C-13314r3_chk

Review the DMZ architecture to ensure all Internet facing service traffic traverses the IAPs and no other Internet connection. The intent is to avoid multiple entrance points and to ensure all traffic is visible to the sensor grid and the security devices located in the Special Purpose Extension.

Fix: F-14416r3_fix

Design the DoD DMZ so all Internet facing application and service traffic flows traverse the existing DoD ISR/IAPs at the Internet boundary. There will be no alternate connections. All data traffic must flow through DoD controlled and maintained Internet boundaries.

b

Critical and maintenance level security patches must be tested and applied within the time period specified in the sites configuration management plan or any Information Assurance Vulnerability Management (IAVM) issuances by USCYBERCOM.

Medium - V-14899 - SV-15667r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-PAT2/3

Vuln IDs

V-14899

Rule IDs

SV-15667r3_rule

As the DoD DMZ components are critical to the protection of the private DoD data assets within the NIPRNet, it is important to ensure all systems are up to date with security patches and fixes. As the DoD DMZ is an enterprise system, it is necessary to ensure timely distribution and installation of all security related patches and fixes. Patches and fixes to a device are necessary in maintaining the security posture of the network. Information Assurance ManagerVIVM-1

Checks: C-13335r3_chk

Review the DMZ CONOPS to determine if policy and procedures are in place to test and apply critical and maintenance level security related patches to all devices in the DMZ within the time frame identified in the sites configuration management plan. Devices must be in compliance with all USCYBERCOM issued IAVM notices and any critical emerging threats and vulnerabilities. Ensure all appropriate mitigations are in place until all patches can be applied to systems.

Fix: F-14442r3_fix

Test and apply all critical and maintenance level security related patches within the time period as specified in the sites configuration management plan (as part of the CONOPS).

c

Operating System (OS) and application separation must be maintained for different data types within the DoD DMZ.

High - V-14910 - SV-15678r3_rule

RMF Control

Severity

H

CCI

Version

DMZ-LPSR10

Vuln IDs

V-14910

Rule IDs

SV-15678r3_rule

Separation is required to protect private services and data from restricted and unrestricted data. The intent of the DoD DMZ initiative is to protect private data and services from those that are Internet facing, and to have situational awareness of all traffic coming in to the NIPRNet. Separation is also critical to protect Restricted data from what has been approved for public release. Data types within the DoD DMZ are Unrestricted (U) and Restricted (R). Private (P) data types are not contained within the DoD DMZ. Information Assurance ManagerECSC-1

Checks: C-13346r3_chk

1. Unrestricted (U) / Restricted (R): Verify restricted and unrestricted operating systems and services are on logically different servers. Logical application and OS separation is required, at a minimum, for separation between Unrestricted (U) and Restricted (R) data types. This can be achieved using virtualization technologies. Note: Logical separation via virtualization can be achieved; however, virtualization is only permissible when type 1 hypervisors are used. A type 1 hypervisor sits on bare metal server hardware and hosts guest operating systems. Virtualized systems follow the same rules of non-virtualized systems. Example: Unrestricted Web application or OS and Restricted Web application or OS can either be on separate physical servers (preferred) or they can be virtualized using a type 1 hypervisor (logical separation). 2. U/R and P: Physical OS and application separation must be maintained between U/R systems and Private systems. Verify U/R applications and OSs are physically separate from Private data applications and OSs. Note: Systems housing private data will not be located in the DoD DMZ. Example: Unrestricted or Restricted Web applications and OSs must be on separate physical servers from Private Web applications and OSs. Refer to the DoD DMZ Technology Overview and DoD DMZ FAQs for details and definitions of the 3 data types.

Fix: F-14453r3_fix

Configure the DMZ systems to maintain physical OS and application separation between U/R data and services and private data and services.

b

The DMZ systems must include an automated backup schema to include full, incremental, and differential backups as appropriate to meet disaster recovery requirements as defined by the DMZ CONOPS.

Medium - V-14911 - SV-15679r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-STO1

Vuln IDs

V-14911

Rule IDs

SV-15679r3_rule

Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups are not performed in accordance with the recovery requirements, the data may not be available in the event of loss or failure. Information Assurance ManagerCODB-2

Checks: C-13347r3_chk

Review the DMZ backup policy to ensure systems are backed-up via an automated process, in accordance with the defined backup and recovery process identified in the DoD DMZ CONOPS.

Fix: F-14454r3_fix

Employ an automated backup schema to include full/incremental/differential backups as appropriate to meet disaster recovery requirements as defined by the DoD DMZ CONOPS.

a

System backups must be stored on appropriate media capable of guaranteeing file integrity for a minimum of 5 years.

Low - V-14912 - SV-15680r3_rule

RMF Control

Severity

L

CCI

Version

DMZ-STO3

Vuln IDs

V-14912

Rule IDs

SV-15680r3_rule

If backups are not properly processed, protected, and stored on appropriate media, recovery of system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.Information Assurance ManagerECSC-1

Checks: C-13348r2_chk

Review the DMZ backup policy to ensure storage medium is capable of 5 year retention and retrieval and a support device capable of reading the data must be maintained.

Fix: F-14455r2_fix

Utilize appropriate media capable of guaranteeing file integrity for a minimum of 5 years for all system backups, and maintain a support device capable of reading the data.

b

DMZ backup and archive security procedures and processes must ensure unauthorized users cannot gain access.

Medium - V-14913 - SV-15681r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-STO4

Vuln IDs

V-14913

Rule IDs

SV-15681r3_rule

Protection of backup and restoral assets is essential for the successful restoral of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/or the loss of system capability resulting in failure of the customer’s mission.Information Assurance ManagerECLP-1

Checks: C-13349r3_chk

Review the backup policy to ensure permissions and procedures are in place to validate personnel for approval to access or request access to backups and archives.

Fix: F-14456r3_fix

Only those personnel with granted appropriate levels of access can request or gain access to backups and archives.

a

The DMZ system must include an automated process of verifying correct backup media has been written to and restored from.

Low - V-14914 - SV-15682r3_rule

RMF Control

Severity

L

CCI

Version

DMZ-STO6

Vuln IDs

V-14914

Rule IDs

SV-15682r3_rule

If backups are not properly processed and protected, recovery of system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.Information Assurance ManagerECSC-1

Checks: C-13350r2_chk

Review the backup process and procedures to ensure an automated means of backup media verification is present.

Fix: F-14457r2_fix

Verify correct backup media has been written to and restored from, via an automated process.

b

The DMZ system must include a process to correctly label storage media based on sensitivity level and content (unrestricted vs. restricted data).

Medium - V-14915 - SV-15683r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-STO7

Vuln IDs

V-14915

Rule IDs

SV-15683r3_rule

If storage media used for backups is not properly labeled and protected, recovery of system failure or implementation of a contingency plan would not include the information necessary to fully recover in the time required to ensure continued mission support.Information Assurance ManagerECML-1

Checks: C-13351r2_chk

Review a sampling of backup data to ensure sensitivity labeling is present to differentiate between data types. Review the CONOPS to ensure a process is documented for labeling of backup data.

Fix: F-14458r2_fix

Include processes in the CONOPs to correctly label removable storage media based on sensitivity level and content (unrestricted vs. restricted data).

b

The DMZ system must have a documented Disaster Recovery Plan (DRP).

Medium - V-14920 - SV-15688r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-STO12

Vuln IDs

V-14920

Rule IDs

SV-15688r3_rule

Failure to provide for restoration of mission and business essential functions will result in mission failure in the event of natural disaster, fire, or other catastrophic failure of the Information System.Information Assurance ManagerCODP-2

Checks: C-13356r3_chk

Review the Disaster Recovery Plan for the DoD DMZ to ensure it is in compliance with minimum restoration guidelines as established by the DMZ CONOPS. The DRP must include business recovery plans, system and facility contingency plans, and plan acceptance.

Fix: F-14463r3_fix

Develop a DRP providing for the resumption of mission, or business essential functions, within the specified period of time as defined by DMZ CONOPS. A DRP must include business recovery plans, system and facility contingency plans, and plan acceptance.

b

The DoD DMZ system must include documented procedures ensuring all critical systems, to include infrastructure devices such as routers and firewalls and their associated configurations, are backed up and stored appropriately.

Medium - V-14921 - SV-15689r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-STO13

Vuln IDs

V-14921

Rule IDs

SV-15689r3_rule

Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups of critical systems and infrastructure devices are not performed in accordance with the disaster recovery requirements, the network or critical components may not be available in the event of loss or failure.Information Assurance ManagerCOSW-1

Checks: C-13357r3_chk

Review the Disaster Recovery or Continuity of Operations Plan (COOP) to ensure process and procedures are in place for backing up and storing critical infrastructure device operating systems and configurations.

Fix: F-14464r3_fix

Develop documented procedures ensuring all critical systems, to include infrastructure devices such as routers and their associated configuration files, are backed up and copies of the operating system and other critical software are stored in a fire rated container or otherwise not collocated with the operational equipment or software.

b

The DoD DMZ system must include documented procedures ensuring data backup is performed at the frequency specified in the CONOPS, and recovery media is stored off-site at a location.

Medium - V-14922 - SV-15690r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-STO14

Vuln IDs

V-14922

Rule IDs

SV-15690r3_rule

Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups of DMZ systems and infrastructure devices are not performed daily and in accordance with the disaster recovery requirements, the network or critical components may not be available in the event of loss or failure. If backups are not properly processed and protected, recovery of system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.Information Assurance ManagerCODB-2

Checks: C-13358r2_chk

Review the Continuity of Operations Plan (COOP) to ensure processes and procedures are in place for back-up and storage of data in accordance with the frequency as defined in the DoD DMZ CONOPS.

Fix: F-14465r2_fix

Document procedures ensuring data backup is performed in accordance with the DMZ CONOPS, and recovery media is stored off-site at a location affording protection of the data in accordance the CONOPS and data availability requirements and confidentiality level.

a

Procedures must be in place to restore the logging system/program if the program goes down, or must be shut down and restarted.

Low - V-14930 - SV-15698r4_rule

RMF Control

Severity

L

CCI

Version

DMZ-SYS9.3

Vuln IDs

V-14930

Rule IDs

SV-15698r4_rule

As the logging system is a repository, and provides analysis for, alert and event data from all DoD DMZ systems it is critical to ensure the system is restored to service quickly and securely in order to maintain the data flow of security events throughout the DMZ. Without the logging service available, security relevant event data will not be captured and analyzed.Information Assurance ManagerECSC-1

Checks: C-13367r3_chk

Review the logging server documentation to ensure procedures are in place to bring the system back on-line in case of shutdown or failure.

Fix: F-14474r2_fix

Document procedures to restore the log program efficiently if the program goes down, or must be shut down.

a

The Security Information Manager (SIM) must send and process inbound event and/or alert data in near real time with no manual intervention.

Low - V-14931 - SV-15699r3_rule

RMF Control

Severity

L

CCI

Version

DMZ-SIM2.1

Vuln IDs

V-14931

Rule IDs

SV-15699r3_rule

SIM technology provides the ability to perform real-time analysis of security alerts generated by network hardware and applications. If the process of sending event and log data to the SIM is slow, or is a manual process, security relevant data may not be received quickly enough for defensive action to be taken if a live attack on a DoD host or network happens.Information Assurance ManagerECAT-2

Checks: C-13368r3_chk

Review the SIM documentation to ensure event or alert data is sent in near real time and is not using a manual process such as FTP. The devices must automatically send SIM data with no manual intervention. Near real time refers to the delay introduced, by automated data processing or network transmission, between the occurrence of an event and the use of the processed data.

Fix: F-14475r3_fix

Configure the SIM to send and process inbound event and/or alert data in near real time with no manual intervention required.

b

The Security Information Manager (SIM) must use an industry standard database.

Medium - V-14933 - SV-15701r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-SIM4.1

Vuln IDs

V-14933

Rule IDs

SV-15701r3_rule

For consistency, scalability, interoperability, security patching, and vendor support, it is important for the SIM to use industry standard applications. Information Assurance ManagerDCAS-1

Checks: C-13370r3_chk

Review the vendor documentation to ensure the SIM uses an industry standard database, not a “homegrown” database, which has been evaluated against a NIAP/NSA approved Protection Profile.

Fix: F-14477r2_fix

Employ a SIM using an industry standard database.

a

The Security Information Manager (SIM) stored database backup must be encrypted using FIPS 140-2 validated cryptography. Unrestricted and restricted database backup may be stored on the same media, yet must be encrypted so the database storing unrestricted data cannot restore data residing in the restricted database.

Low - V-14934 - SV-15702r3_rule

RMF Control

Severity

L

CCI

Version

DMZ-SIM4.6

Vuln IDs

V-14934

Rule IDs

SV-15702r3_rule

Unrestricted data is public and has been approved for public release. Restricted data requires authentication and has not been approved for public release. It is important for these two data types to be separate and not accessible to any application that may breach this separation and inadvertently provide restricted data to the public. Information Assurance ManagerECCR-2

Checks: C-13371r3_chk

Review the SIM backup procedures to ensure encryption is utilized for restricted and unrestricted backup of SIM data. The backup procedures must ensure there is segmentation between restricted and unrestricted data types. File and database access restrictions will also be in place to reduce the potential of exposure of the restricted data.

Fix: F-14478r3_fix

Encrypt all data on the SIM stored database backup, using FIPS 140-2 validated cryptography, so the unrestricted database cannot restore the restricted database when utilizing the same media.

a

The Security Information Manager (SIM) must maintain 30 days online, 1 year off-line worth of meta-data readily available to the analyst.

Low - V-14937 - SV-15705r3_rule

RMF Control

Severity

L

CCI

Version

DMZ-SIM13.5

Vuln IDs

V-14937

Rule IDs

SV-15705r3_rule

If data is not available for analytical review, security events may not be aggregated and correlated. Data must be readily available as security events may take place days/weeks apart that are seemingly unrelated; however, upon analysis, it could be determined the events are in fact related and the events can drive actions to be taken to avoid additional compromise. Information Assurance ManagerECRR-1

Checks: C-13374r3_chk

Review the back-up procedures and the on-line configuration to ensure the SIM data is stored for a minimum of 30 days online and 1 year off-line and readily available in accordance with the DoD DMZ CONOPS.

Fix: F-14481r3_fix

Configure the SIM to maintain 30 days worth of security event data online and 1 year offline, readily available to the analyst.

b

Reverse web proxy cryptographic components must be Federal Information Processing Standard (FIPS) 140-2 validated.

Medium - V-14942 - SV-15710r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-RWP7.12

Vuln IDs

V-14942

Rule IDs

SV-15710r3_rule

FIPS 140-2 validation ensures the integrity of the validated cryptographic algorithm. FIPS 140-2 is a requirement of the Federal Government and mandated by most DoD policies regarding the use of encryption within the DoD.Information Assurance ManagerECCT-1

Checks: C-13362r3_chk

Review the RWP vendor documentation and the National Institute of Standards and Technology (NIST) Validation website (http://csrc.nist.gov/cryptval/140-1/1401val.htm) to determine if the encryption components have been validated against FIPS 140-2.

Fix: F-14469r2_fix

Utilize only reverse web proxy cryptographic components that are FIPS 140-2 validated.

a

Procedures must be in place to restore the Security Information Manager (SIM) service if the application/system fails or must be shut down.

Low - V-14957 - SV-15725r3_rule

RMF Control

Severity

L

CCI

Version

DMZ-SIM11.3

Vuln IDs

V-14957

Rule IDs

SV-15725r3_rule

As the SIM is the repository, and provides analysis for, alert and event data from all DoD DMZ systems it is critical to ensure the system is restored to service quickly and securely in order to maintain the data flow of security events throughout the DMZ. Without the SIM service available, security relevant event data will not be captured and analyzed. Information Assurance ManagerECND-1

Checks: C-13373r3_chk

Review the SIM server/system documentation to ensure procedures are in place to efficiently bring the system back on-line in case of shutdown or failure. The application security event logs must continue if the SIM goes down. The recovery process and times must be in accordance with the DoD DMZ CONOPS.

Fix: F-14480r3_fix

Document and implement the procedures to restore the SIM service if the program/system fails or must be shut down.

b

Local console access, KVM, or terminal services must be provided or available for local out-of-band management within the DMZ in case of management network failure.

Medium - V-14968 - SV-15736r4_rule

RMF Control

Severity

M

CCI

Version

DMZ-OOBMGT3

Vuln IDs

V-14968

Rule IDs

SV-15736r4_rule

A local console access solution must be available for access to devices or systems in case of management network failure. If the management network fails due to a device within the infrastructure, and there is no other means of accessing the device, the availability of the DMZ system at large could be compromised. Information Assurance ManagerECSC-1

Checks: C-13391r3_chk

Review the management network architecture to determine if local console access, KVM, or terminal services are available for local management network, for failover purposes. Review the management architecture against the most current version and release of the Network Infrastructure STIGs.

Fix: F-14498r3_fix

Provide local management for devices within a DMZ via console and/or KVM or terminal server, in case of local management network failure.

b

DMZ system components utilizing PKI must request PKI certificates from a DoD approved Certificate Authority (CA).

Medium - V-14970 - SV-15738r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-PKI1.1

Vuln IDs

V-14970

Rule IDs

SV-15738r3_rule

To protect the integrity and authenticity of PKI certificates, it is critical that systems obtain their PKI certificates from an approved DoD Certificate Authority. Otherwise, there is no guarantee of proper access and authorization. Information Assurance ManagerIATS-2

Checks: C-13393r3_chk

Review the DMZ CONOPS and associated policy to determine if systems within the DMZ are required to request certificates only from a DoD approved CA. A list of DoD approved CAs can be obtained from the following URL: http://iase.disa.mil/pki/eca/index.html. Self-signing certificates are not authorized.

Fix: F-14500r3_fix

Require DMZ system components to request PKI certificates from a DoD approved CA. Self signed certificates are not authorized on DMZ components.

b

DMZ system components utilizing DoD PKI must support DoD approved PKI Certificate Revocation List (CRL) or DoD Online Certificate Status Protocol (OCSP) policy.

Medium - V-14971 - SV-15739r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-PKI1.2

Vuln IDs

V-14971

Rule IDs

SV-15739r3_rule

To protect the integrity and authenticity of PKI certificates, it is critical that systems support and use the DoD approved CRLs and OCSPs. Otherwise, there is no guarantee of trusted validation of a PKI certificate. Information Assurance ManagerIATS-1

Checks: C-13394r3_chk

Review the DMZ CONOPS and associated policy to determine if systems within the DMZ are required to support and utilize DoD approved PKI CRL policy. DoD OCSP must be supported by DMZ components and devices and is the first choice for CRL validation.

Fix: F-14501r3_fix

Configure DMZ system components to support and utilize DoD approved PKI CRL or DoD OCSP policy.

b

DoD DMZ servers (all components) must report denied traffic and application transactions to the local log aggregation/SIM capability in real time, generated automatically, not as a manual or batch process.

Medium - V-15033 - SV-15801r3_rule

RMF Control

Severity

M

CCI

Version

DMZ-NET5

Vuln IDs

V-15033

Rule IDs

SV-15801r3_rule

Denied transactions could be an indication of potential malicious activity on a system or network. Logging the denied traffic or transaction may provide analysts with information regarding attempts to gain unauthorized access. Information Assurance ManagerECAT-1

Checks: C-13462r2_chk

Review the DMZ reporting procedures to ensure denied traffic and application transactions, at any component within the DMZ, are reported to the local log aggregation/SIM capability in real time.

Fix: F-14563r3_fix

Configure the DMZ system to report denied traffic and application transactions to the appropriate local log aggregation/SIM capability in real time, generated automatically, not as a manual process or batch process.

b

The DMZ architecture must be designed so appropriate network separation is maintained for devices performing IA functions for different DMZ services.

Medium - V-15096 - SV-15864r4_rule

RMF Control

Severity

M

CCI

Version

DMZ-LPSR6

Vuln IDs

V-15096

Rule IDs

SV-15864r4_rule

Separation is required to protect private services and data from restricted and unrestricted data. The intent of the DoD DMZ initiative is to protect private data and services from those that are Internet facing, and to have situational awareness of all traffic coming in to the NIPRNet. Separation is also critical to protect restricted data from what has been approved for public release. Separating the IA devices performing functions on behalf of the different data types, helps to ensure the integrity of the architecture and protect DoD private data. Information Assurance ManagerDCPA-1

Checks: C-13537r3_chk

Verify the devices providing IA for different DMZ services include, but are not limited to email security gateway, reverse web proxy, DNS proxy, and FTP proxy are implemented at a minimum on logical, separate VLANs, or on physically different network segments. The separation is for the IA controls on a per application basis (e.g., the RWP must be logically separated from the email security gateway (EMSG)). This does not imply a load balancer function cannot reside on a Web Application Firewall. Infrastructure devices such as firewalls and IDS/IPS are not required to be separate as their functionality is to monitor all traffic, not application specific traffic types.

Fix: F-14626r3_fix

Design the DMZ architecture so logical network separation is maintained between devices performing IA functions for different IA services such as, Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP). This requirement is for singular IA function devices, not infrastructure devices such as firewalls and IDS/IPS

b

Each CC/S/A/FA operating or maintaining a DoD DMZ must develop a Concept of Operations (CONOPS). The CONOPS will be built in accordance with requirements in the DoD DMZ STIGs and DoD DMZ Engineering Plan.

Medium - V-17354 - SV-18405r2_rule

RMF Control

Severity

M

CCI

Version

DMZ-REQ

Vuln IDs

V-17354

Rule IDs

SV-18405r2_rule

Configuration management is a key component to the security architecture of the DoD DMZ. The development, maintenance, and review of the CONOPS ensures the security requirements for the implementation are being maintained and updated as necessary to protect DoD assets and data. Information Assurance ManagerDCFA-1

Checks: C-18060r2_chk

Review the DoD DMZ accreditation documentation to ensure all components comprising the DMZ and the network architecture are in compliance with the DoD NIPRNet DMZ Functional Requirements document and the DoD DMZ Engineering Plan (may be obtained from the Defense Knowledge Online (DKO) web portal). The CC/S/A/FA will develop a CONOPS in accordance with the DMZ Engineering Plan and should contain at a minimum, backup and recovery policies, configuration management plan, complete DMZ system and device details, architecture diagrams and traffic flows, operational policies, procedures, and responsibilities, and Network Operations (NetOps) tasks.

Fix: F-17258r2_fix

Develop a DoD DMZ CONOPS for any CC/S/A/FA DoD DMZ implementation. The CONOPS will be developed and maintained for each DoD DMZ instantiation which contains, at a minimum, backup and recovery policies, configuration management plan, system details, operational policies and procedures, architecture, and NetOps tasks.

c

Every device within the DoD DMZ must utilize a dedicated physical network interface for management functions via physical separation.

High - V-17355 - SV-18406r2_rule

RMF Control

Severity

H

CCI

Version

DMZ-OOBMGT1.1.1

Vuln IDs

V-17355

Rule IDs

SV-18406r2_rule

Management interfaces provide immediate access to the privileged roles and configuration of devices and therefore need to be dedicated and separate from those supporting general user or production roles. Information Assurance ManagerECSC-1

Checks: C-18061r2_chk

Review the management interfaces on the infrastructure devices to ensure they have a physical interface dedicated to the management network. Ensure IP forwarding is not allowed (disabled) on the interface OR must have an access list that only permits the management interface to communicate with the management network.

Fix: F-17259r2_fix

Configure each device within the DoD DMZ to utilize a dedicated, physical interface for management functions only. There will be no other role associated with the management interface.

c

Traffic traversing the management network must be encrypted using Federal Information Processing Standard (FIPS) 140-2 validated cryptography.

High - V-17356 - SV-18407r2_rule

RMF Control

Severity

H

CCI

Version

DMZ-OOBMGT4

Vuln IDs

V-17356

Rule IDs

SV-18407r2_rule

Management traffic consists of privileged user account information and device configuration data. Access to this sensitive information could lead to direct access to platform or system. Therefore, it requires encryption to ensure the confidentiality and integrity of the session. Information Assurance ManagerECNK-1

Checks: C-18062r2_chk

Review the infrastructure devices to ensure all management traffic is encrypted using FIPS 140-2 validated cryptography. Ensure clear text traffic services such as telnet and FTP are not enabled for the management interfaces. If the device cannot support the use of encryption for certain types of management traffic to the management server, this must be documented and approved.

Fix: F-17260r2_fix

Encrypt management traffic within a DMZ using FIPS 140-2 validated cryptography, for example, Transport Layer Security (TLS) v1, Secure Shell (SSH), etc., which are configured in accordance with the Network Infrastructure STIGs.

b

The DMZ architecture, and all associated boundary IA control devices, must deny all inbound and outbound services except those specifically implemented or permitted.

Medium - V-17357 - SV-18408r2_rule

RMF Control

Severity

M

CCI

Version

DMZ-SVC6

Vuln IDs

V-17357

Rule IDs

SV-18408r2_rule

Allowing unknown traffic into the DMZ can make all devices susceptible within the DMZ to an attack. In addition, it is the DMZ owner's responsibility to protect the NIPRNet by filtering traffic and only allowing what is specifically authorized. Information Assurance ManagerECSC-1

Checks: C-18063r2_chk

Review the ACLs on the boundary infrastructure devices such as routers and firewalls, or both, against the DMZ CONOPS and system documentation to ensure operational necessity of ports, protocols, and services is still accurate. The system documentation should have the operational statements to confirm current need for services permitted. The DMZ architecture will deny access to unnecessary or non-documented services.

Fix: F-17261r2_fix

Configure the DMZ architecture, and more specifically, the IA devices, to deny all inbound and outbound services except those specifically implemented or permitted based on documented operational necessity.

b

DoD DMZ systems must be IPv6 capable.

Medium - V-17359 - SV-18410r2_rule

RMF Control

Severity

M

CCI

Version

DMZ-GS4.3

Vuln IDs

V-17359

Rule IDs

SV-18410r2_rule

As the DoD transitions from IPv4 to IPv6 is it critical that the DoD DMZ IA devices are capable of supporting the IPv6 protocol. If the devices do not support IPv6, additional funding and time will be spent acquiring IPv6 capable systems. IPv6 traffic must be transitioned appropriately and if an IA device is not capable of supporting or detecting the protocol, malicious IPv6 traffic may infiltrate the DMZ. Information Assurance ManagerECSC-1

Checks: C-18065r2_chk

Review a sampling of system documentation to ensure the devices within the DMZ infrastructure are IPv6 capable. Review against the most current version of the Network Infrastructure and Backbone Transport STIGs, as well as the DoD Milestone Objective 3 (MO3) guidance, for additional IPv6 requirements.

Fix: F-17263r2_fix

Employ only IPv6 capable DMZ components.

c

DoD DMZ IA devices using signatures for detection must be updated at least daily.

High - V-17360 - SV-18411r2_rule

RMF Control

Severity

H

CCI

Version

DMZ-GS6

Vuln IDs

V-17360

Rule IDs

SV-18411r2_rule

Detection signatures must be updated daily to ensure zero day attacks are caught prior to propagation throughout the DMZ. Information Assurance ManagerECSC-1

Checks: C-18066r2_chk

Review a sampling of DMZ IA systems to ensure if they use a signature detection capability, (for example, a content checking mechanism), they are configured to update signatures at least daily, from a trusted source as approved by the IAM.

Fix: F-17264r2_fix

Update signatures at least daily for IA system components using signatures for detection.

c

Network separation must be maintained for different data types within the DoD DMZ.

High - V-17362 - SV-18413r2_rule

RMF Control

Severity

H

CCI

Version

DMZ-LPSR5

Vuln IDs

V-17362

Rule IDs

SV-18413r2_rule

Separation is required to protect private services and data from restricted and unrestricted data. The intent of the DoD DMZ initiative is to protect private data and services from those that are Internet facing, and to have situational awareness of all traffic coming in to the NIPRNet. Separation is also critical to protect restricted data from what has been approved for public release. This is the fundamental principle behind the DoD DMZ, to protect the private assets from the Internet. Completely isolating the traffic so anything inbound from the Internet requires separate switching infrastructure. The traffic can aggregate at the firewall.Information Assurance ManagerDCPA-1

Checks: C-18068r2_chk

1. U/R: Logical network separation is required, at a minimum, for separation between Unrestricted (U) and Restricted (R) data types. Logical separation can be achieved with the utilization of VLANS. Verify restricted and unrestricted servers are installed on separate VLANS. 2. U/R and P: Physical network separation must be maintained between U/R network components and Private network components. Verify U/R systems are physically separate from Private data systems. Systems housing private data will not be located in the DoD DMZ. Refer to the DoD DMZ Technology Overview and DoD DMZ Engineering Plan for details and definitions of the 3 data types.

Fix: F-17266r2_fix

Configure the DoD DMZ systems to maintain physical network separation between unrestricted/restricted and private data and services, and logical network separation between unrestricted and restricted data types.

c

A resource/device must not be shared for termination of encrypted private traffic and unrestricted/ restricted applications or services. Physical separation must exist between U/R and private data types.

High - V-17364 - SV-18415r2_rule

RMF Control

Severity

H

CCI

Version

DMZ-LPSR12

Vuln IDs

V-17364

Rule IDs

SV-18415r2_rule

Termination end points must not share resources for any private application. Private means services are NIPRNet only and not accessible to the Internet. Unrestricted or restricted services are accessible from the Internet. Therefore, in order to maintain separation, the types of data must not share resources. The DMZ architecture and placement forces the separation for U/R vice Private traffic. This requirement is for the termination device to not be shared between U/R traffic which will reside in the DMZ (internet facing) and Private traffic which will not reside in the DMZ and only be accessible via the NIPRNet. Although the bulk encrypted traffic riding the same circuit to point of presence, the traffic will need to be routed appropriately to the correct termination device dependent on the data type. It would require 2 different termination devices (e.g., Reverse Web Proxy (RWP)), one for Private and one for U/R.Information Assurance ManagerECSC-1

Checks: C-18070r2_chk

Verify any device (e.g., RWP) terminating encrypted traffic for a private application does not also provide any service to restricted or unrestricted applications and services. Verify upstream switch, routers, and firewalls, block the termination device from Internet access.

Fix: F-17268r2_fix

Configure the devices terminating encrypted traffic for private applications/services, so they do not also provide any service for restricted or unrestricted applications. The termination device must not be reachable from the Internet.

c

The DoD DMZ must be connected to the Internet and NIPRNet with a peering, or completely dedicated perimeter, in-line firewall that performs deep packet inspection

High - V-17866 - SV-19171r2_rule

RMF Control

Severity

H

CCI

Version

DMZ-13

Vuln IDs

V-17866

Rule IDs

SV-19171r2_rule

Basic security requires fire walling technologies to inspect and secure traffic between the DoD DMZ and the Internet or the NIPRNet. Information Assurance ManagerEBBD-1, EBBD-2, EBBD-3

Checks: C-13325r3_chk

Review the DMZ architecture to determine if a perimeter firewall, or separate firewall, configured in accordance with the Firewall STIGs, is in place and operational between the DMZ, Internet, and NIPRNet. This is a separate requirement from the General Business LAN firewall requirement in the Network Infrastructure STIGs. The Firewall STIG details the deep packet inspection requirement for firewalls.

Fix: F-14429r3_fix

Connect the DoD DMZ to the Internet and NIPRNet via peering, or completely dedicated perimeter, in-line firewall that performs deep packet inspection.

b

The DoD DMZ must have a dedicated management network for device management and security information traffic flows.

Medium - V-26837 - SV-34115r1_rule

RMF Control

Severity

M

CCI

Version

DMZ-MGMT

Vuln IDs

V-26837

Rule IDs

SV-34115r1_rule

From an architectural point of view, providing a dedicated network for the management of network systems is the best first step in any management strategy. No production traffic resides on a management network. The biggest advantage to implementation of a management network is providing support and maintenance to the network that has become degraded or compromised. During an outage or degradation period the in-band management link may not be available. The consequences of loss of availability of a MAC I system is unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures. Maintenance support for key IT assets must be available to respond 24x7 immediately upon failure.Information Assurance ManagerECSC-1

Checks: C-34551r1_chk

Review the DoD DMZ architecture to ensure there is a separate, dedicated management network for all privileged level device access and all IA related traffic flows.

Fix: F-30128r1_fix

Engineer the management network so all security related traffic, privileged level access to devices, etc., will traverse a dedicated management network.

b

The DoD DMZ must contain an RWP for all http/https traffic flows.

Medium - V-26872 - SV-34152r1_rule

RMF Control

Severity

M

CCI

Version

DMZ-RWP

Vuln IDs

V-26872

Rule IDs

SV-34152r1_rule

An integral component within the DoD DMZ architecture is the utilization of a RWP for application traffic flows. The RWP brokers the HTTP/HTTPS connection so there is not a direct connection between the DoD host and the Internet. A direct connection to the Internet provides a direct avenue for attack against DoD hosting systems.Information Assurance ManagerEBBD-1, EBBD-2

Checks: C-34556r1_chk

Review the DMZ architecture to ensure all http/https traffic flows through a reverse web proxy and all http/https connections are brokered by the RWP. The RWP will employ, at a minimum, logical separation between Unrestricted data and Restricted data with separate VLANs at the subnets.

Fix: F-30058r1_fix

Employ a RWP as part of the DMZ architecture and require all HTTP/HTTPS connections to be brokered by the RWP.

b

The DoD DMZ Reverse Web Proxy (RWP) must support the use of TLSv1 and SSLv3.

Medium - V-26874 - SV-34154r1_rule

RMF Control

Severity

M

CCI

Version

DMZ-RWP1

Vuln IDs

V-26874

Rule IDs

SV-34154r1_rule

As DoD policy, to include the STIGs, requires the use of newer encryption standards such as SSLv3 and TLSv1, it is important to ensure all information assurance devices, such as the RWP, support the newer standards.Information Assurance ManagerECSC-1

Checks: C-34559r1_chk

Review the RWP vendor documentation to ensure the RWP supports the use of TLSv1 and SSLv3.

Fix: F-30060r1_fix

Ensure the reverse web proxy supports the use of TLSv1 and SSLv3.

b

The DoD DMZ must contain a Security Information Manager (SIM) providing real-time analysis of security alerts generated by DoD DMZ components, to include the supporting network infrastructure.

Medium - V-26880 - SV-34160r1_rule

RMF Control

Severity

M

CCI

Version

DMZ-SIM

Vuln IDs

V-26880

Rule IDs

SV-34160r1_rule

As the SIM is the repository for alert and event data from all DoD DMZ systems, it is a critical security component of the DoD DMZ architecture. The SIM provides the capability to process inbound event and/or alert data with business logic in near real time and to capture security relevant event data and logs which is used by security analysts to detect anomalies throughout the network and connected systems.Information Assurance ManagerECSC-1

Checks: C-34564r1_chk

Review the DMZ architecture to ensure a SIM is located within the DMZ to capture and process security relevant event data.

Fix: F-30062r1_fix

Deploy a SIM within the DoD DMZ providing real-time analysis of security alerts generated by DoD DMZ network hardware and applications.

b

A syslog server must be deployed in the management network.

Medium - V-27203 - SV-34502r1_rule

RMF Control

Severity

M

CCI

Version

DMZ-SYSLOG

Vuln IDs

V-27203

Rule IDs

SV-34502r1_rule

Logging is a critical security function and sending log data to a central repository such as a syslog server provides the information for further analysis. Information Assurance ManagerECAT-1

Checks: C-34736r1_chk

Review the DMZ architecture to ensure a syslog server in deployed and operational within the management network to send log data from DMZ devices.

Fix: F-30134r1_fix

Deploy a syslog server within the DoD DMZ management network architecture.

Checks: C-13285r3_chk

Fix: F-14392r3_fix

Generate Mitigation Statement:

Checks: C-13299r3_chk

Fix: F-14405r2_fix

Generate Mitigation Statement:

Checks: C-13302r3_chk

Fix: F-14407r3_fix

Generate Mitigation Statement:

Checks: C-13314r3_chk

Fix: F-14416r3_fix

Generate Mitigation Statement:

Checks: C-13335r3_chk

Fix: F-14442r3_fix

Generate Mitigation Statement:

Checks: C-13346r3_chk

Fix: F-14453r3_fix

Generate Mitigation Statement:

Checks: C-13347r3_chk

Fix: F-14454r3_fix

Generate Mitigation Statement:

Checks: C-13348r2_chk

Fix: F-14455r2_fix

Generate Mitigation Statement:

Checks: C-13349r3_chk

Fix: F-14456r3_fix

Generate Mitigation Statement:

Checks: C-13350r2_chk

Fix: F-14457r2_fix

Generate Mitigation Statement:

Checks: C-13351r2_chk

Fix: F-14458r2_fix

Generate Mitigation Statement:

Checks: C-13356r3_chk

Fix: F-14463r3_fix

Generate Mitigation Statement:

Checks: C-13357r3_chk

Fix: F-14464r3_fix

Generate Mitigation Statement:

Checks: C-13358r2_chk

Fix: F-14465r2_fix

Generate Mitigation Statement:

Checks: C-13367r3_chk

Fix: F-14474r2_fix

Generate Mitigation Statement:

Checks: C-13368r3_chk

Fix: F-14475r3_fix

Generate Mitigation Statement:

Checks: C-13370r3_chk

Fix: F-14477r2_fix

Generate Mitigation Statement:

Checks: C-13371r3_chk

Fix: F-14478r3_fix

Generate Mitigation Statement:

Checks: C-13374r3_chk

Fix: F-14481r3_fix

Generate Mitigation Statement:

Checks: C-13362r3_chk

Fix: F-14469r2_fix

Generate Mitigation Statement:

Checks: C-13373r3_chk

Fix: F-14480r3_fix

Generate Mitigation Statement:

Checks: C-13391r3_chk

Fix: F-14498r3_fix

Generate Mitigation Statement:

Checks: C-13393r3_chk

Fix: F-14500r3_fix

Generate Mitigation Statement:

Checks: C-13394r3_chk

Fix: F-14501r3_fix

Generate Mitigation Statement:

Checks: C-13462r2_chk

Fix: F-14563r3_fix

Generate Mitigation Statement:

Checks: C-13537r3_chk

Fix: F-14626r3_fix

Generate Mitigation Statement:

Checks: C-18060r2_chk

Fix: F-17258r2_fix