Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the accreditation package documentation to verify the test and development environment is correctly documented within the network diagrams and site security plan. If the organization's accreditation package does not include the test and development infrastructure in the network diagrams and system security plan, this is a finding.
Document network infrastructure and systems supporting the test and development environment, then include it with the accreditation package.
Review the accreditation package documentation to verify the test and development environment has been granted an IATO to connect to the DISN. If an IATO has not been granted, this is a finding. If the zone environment does not have any connectivity to the DISN or commercial ISP, this requirement is not applicable.
Certify and accredit the test and development infrastructure and supporting systems connecting to the DISN. Keep the IATO with the organization's accreditation package.
Determine whether all systems and network infrastructure devices supporting the test and development environment are registered in an asset management system. If any systems and network infrastructure devices supporting the test and development environment are not registered in an asset management system, this is a finding.
Register the network infrastructure and systems supporting the test and development environment in a DoD asset management program.
Review the network diagrams to determine whether a management network has been established to manage the network infrastructure and systems supporting the test and development environment. If a management network has not been established to manage the test and development environment infrastructure, this is a finding.
Engineer a management network solution and document it within the test and development network diagrams.
Review documentation for impersistent connections or devices to ensure the risk has been thoroughly assessed and approved by the Authorizing Official. If no documented approval is available for impersistent connections, this is a finding.
Create and have on file up-to-date documentation of the authorized risk approval for impersistent connections or devices.
Review the organization's network diagrams to determine whether network segments for development have been established and outlined in the documentation. If application development occurs on DoD operational networks, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Designate network segments for applications and systems development. Document these designated network segments in the network diagrams for the T&D environment.
Review development images to determine whether antivirus is installed and configured with current signatures. If antivirus is missing on development systems, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Install antivirus with current signatures on development systems.
Review the development images to determine whether a HIDS or HIPS application is installed and configured. If a HIDS or HIPS application is not installed and configured on the development image, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Install and configure a HIDS or HIPS application on development system images.
Review the development images to determine whether the OS or a third party firewall has been installed, configured, and enabled. If a firewall is not installed, configured, and enabled, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Install, configure, and enable either the OS or a third party firewall on the development system.
Determine whether the organization has a patch management solution in place to apply security patches released by the vendor, and that all systems are up to date. If a patch management solution has not been implemented and is not functioning to update development systems with the latest patches, or all systems are not up to date, this is a finding.
Implement a patch management solution to keep development systems up to date with the latest security patches released by the vendor.
Interview the ISSM/ISSO to determine whether a current Change Control Management policy has been implemented in the organization. If a change management policy has not been created and implemented for the organization, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Create a change management policy for the organization for application and system development.
Review the change control documentation for the environment to determine whether the organization has prior approval to move data from the test and development environment to the operational network after final testing. If the organization does not keep a change control log or the log exists but is not current, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Create a policy to document all finalized projects to gain approval by the Change Control Authority prior to deploying finalized projects to a DoD operational network.
Determine whether there is a policy in place for code review prior to applications being deployed into a DoD operational network. If a code review policy has not been established, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Implement a code review policy for applications before deployment into DoD operational networks.
Review the organization's site security plan and documentation to determine whether there is a list of current authorized users. If a current list of authorized users is missing from the site security plan for the test and development environment, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Document all authorized users with access to the development environment and access to source code. If the documentation exists but is not current, bring the documentation up to date.
Determine the data type on systems within the test and development environment. Interview the ISSM or ISSO regarding the connection approval process for housing DoD live operational data or Privacy Act information on any test or development system. If the test and development environment is using live DoD data or Privacy Act information, this is a finding.
Create organizational policies and procedures to prohibit the use of any live operational DoD data or Privacy Act information in the test and development environment.
Review the network diagrams and physically check to see whether the organization has a gateway implemented for the test and development environment. If the organization has not documented or implemented a gateway for the test and development environment, this is a finding.
Install a gateway to separate the test and development environment from the DoD operational network. Document it in the test and development network diagrams.
Review the latest version of the PPS CAL for those ports, protocols, and services visible to DoD-managed components. If the organization is using ports, protocols, or services deemed not acceptable by the PPS CAL or requiring Authorization Official approval without proper documentation, this is a finding.
Configure all ports, protocols, and services visible to DoD-managed components as described in the DoDI 8551.1 PPSM policy.
Install and configure a firewall to separate DoD operational and test and development environments.
Install and configure a firewall to separate DoD operational and test and development environments.
Determine whether a deny-by-default security posture has been implemented for both ingress and egress traffic for the test and development environment. If the organization is not using a deny-by-default security posture for ingress and ingress traffic for the test and development environment, this is a finding.
Implement a deny-by-default security posture for both ingress and egress traffic between network segments in the test and development environment.
Determine whether a deny-by-default security posture has been implemented for both ingress and egress traffic between the test and development environment and DoD operational networks. If the organization is not using a deny-by-default security posture for traffic between the test and development environment and DoD operational networks, this is a finding.
Implement a deny-by-default security posture for both ingress and egress traffic between the test and development environment and DoD operational networks.
Determine whether a deny-by-default security posture has been implemented for both ingress and egress traffic between the test and development environments. If the organization is not using a deny-by-default security posture for traffic between the test and development environments, this is a finding.
Implement a deny-by-default security posture for both ingress and egress traffic between test and development environments.
Determine whether the proper encryption standard is deployed for the classification of the network where remote access is performed. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard. If the proper encryption standard is not in use for remote access, this is a finding.
Implement an approved encryption mechanism for the classification of the network for remote access. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard.
Determine whether split tunneling is prohibited for remote access VPNs connecting to the test and development environment. If the VPN policy allows split tunneling, this is a finding.
Configure VPNs to prohibit split tunneling when connecting to the test and development environment.
Determine whether the organization has a connection approval policy on the installation of operating systems within the test and development environment. The policy must include either physically disconnecting or blocking the system at the firewall in order to achieve complete isolation from any network traffic. If no connection approval policy has been developed, this is a finding.
Create a policy to ensure the test or development system is physically disconnected or blocked at the firewall from any external network during the installation of an operating system.
Review the system plan to determine whether physical hosts are sharing DoD operational and test and development virtual machines.
Engineer a solution to use separate physical hosts for DoD operational and T&D virtual machines.
1. Verify an IA-compliant system has been deployed to scan downloaded data prior to deployment into the T&D environment. Also, review the zone diagrams to ensure the workstation is documented appropriately. 2. Determine if the organization has a NIPRNet connection. A. If the organization has a NIPRNet connection; data must be downloaded through the DoD IAP. B. If the organization does not have a NIPRNet connection, data must be downloaded through a secure, IA-compliant connection. If the organization does not download and scan the downloaded data to a dedicated IA-system and secure IA-compliant connection, this is a finding.
1. Deploy an IA-compliant system to download data. 2. Configure the IA-compliant system to download data through a secure, IA-compliant connection. A. If your organization has a NIPRNet or connection; data must be downloaded through the DoD IAP. B. If your organization does not have a NIPRNet or connection, data must be downloaded through a secure, IA-compliant connection.
Review the organization's policies and procedures document to ensure proper handling of data being transported into the test and development environment. This document must include information for physical and electronic migration of data. If the organization does not have a policy and procedures document created or available for review, this is a finding.
Create a policy for, and document the procedure of, proper handling of data transported into the test and development environment. This document must include information for physical and electronic handling and migration of data.