Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the accreditation package documentation to verify the test and development environment is correctly documented within the network diagrams and site security plan. If the organization's accreditation package does not include the test and development infrastructure in the network diagrams and system security plan, this is a finding.
Document network infrastructure and systems supporting the test and development environment, then include it with the accreditation package.
Review the accreditation package documentation to verify the test and development environment has been granted an IATO to connect to the DISN. If an IATO has not been granted, this is a finding. If the zone environment does not have any connectivity to the DISN or commercial ISP, this requirement is not applicable.
Certify and accredit the test and development infrastructure and supporting systems connecting to the DISN. Keep the IATO with the organization's accreditation package.
Determine whether all systems and network infrastructure devices supporting the test and development environment are registered in an asset management system. If any systems and network infrastructure devices supporting the test and development environment are not registered in an asset management system, this is a finding.
Register the network infrastructure and systems supporting the test and development environment in a DoD asset management program.
Review the network diagrams to determine whether a management network has been established to manage the network infrastructure and systems supporting the test and development environment. If a management network has not been established to manage the test and development environment infrastructure, this is a finding.
Engineer a management network solution and document it within the test and development network diagrams.
Review documentation for impersistent connections or devices to ensure the risk has been thoroughly assessed and approved by the Authorizing Official. If no documented approval is available for impersistent connections, this is a finding.
Create and have on file up-to-date documentation of the authorized risk approval for impersistent connections or devices.
Review development images to determine whether antivirus is installed and configured with current signatures. If antivirus is missing on development systems, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Install antivirus with current signatures on development systems.
Review the development images to determine whether a HIDS or HIPS application is installed and configured. If a HIDS or HIPS application is not installed and configured on the development image, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Install and configure a HIDS or HIPS application on development system images.
Review the development images to determine whether the OS or a third party firewall has been installed, configured, and enabled. If a firewall is not installed, configured, and enabled, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Install, configure, and enable either the OS or a third party firewall on the development system.
Determine whether the organization has a patch management solution in place to apply security patches released by the vendor, and that all systems are up to date. If a patch management solution has not been implemented and is not functioning to update development systems with the latest patches, or all systems are not up to date, this is a finding.
Implement a patch management solution to keep development systems up to date with the latest security patches released by the vendor.
Interview the ISSM/ISSO to determine whether a current Change Control Management policy has been implemented in the organization. If a change management policy has not been created and implemented for the organization, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Create a change management policy for the organization for application and system development.
Review the change control documentation for the environment to determine whether the organization has prior approval to move data from the test and development environment to the operational network after final testing. If the organization does not keep a change control log or the log exists but is not current, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Create a policy to document all finalized projects to gain approval by the Change Control Authority prior to deploying finalized projects to a DoD operational network.
Determine whether there is a policy in place for code review prior to applications being deployed into a DoD operational network. If a code review policy has not been established, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Implement a code review policy for applications before deployment into DoD operational networks.
Review the organization's site security plan and documentation to determine whether there is a list of current authorized users. If a current list of authorized users is missing from the site security plan for the test and development environment, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.
Document all authorized users with access to the development environment and access to source code. If the documentation exists but is not current, bring the documentation up to date.
Determine the data type on systems within the test and development environment. Interview the ISSM or ISSO regarding the connection approval process for housing DoD live operational data or Privacy Act information on any test or development system. If the test and development environment is using live DoD data or Privacy Act information, this is a finding.
Create organizational policies and procedures to prohibit the use of any live operational DoD data or Privacy Act information in the test and development environment.
Determine whether there are procedures in place to prohibit non-IA-compliant systems or devices from accessing any DoD operational network. If no procedure is in place to prohibit connection to any DoD operational network by non-IA-compliant systems, this is a finding.
Prohibit non-IA-compliant systems or devices in the test and development environment from accessing any DoD operational network or live data.
Review the network diagrams to determine whether a tunnel is being used for transport across any untrusted network, such as the DISN or ISP. If a tunnel mechanism is not being used to carry information to other organizations over an untrusted network, this is a finding.
Engineer a solution to establish tunnel mechanisms interconnected between organizations over untrusted networks.
Determine whether the proper encryption standard is deployed for the classification of information being shared between interconnected organizations. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard. If the proper encryption standard is not in use for sharing information between interconnected sites, this is a finding.
Implement an approved encryption mechanism for the classification of data being shared between interconnected organizations. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard.
Verify the organization's policies and procedures to prohibit remote access to the test and development environment from external networks. If policies and procedures are not available to prohibit remote access to the test and development environment from external networks, this is a finding.
Prohibit remote access to the test and development environment from external networks.
Review the system plan to determine whether physical hosts are sharing DoD operational and test and development virtual machines.
Engineer a solution to use separate physical hosts for DoD operational and T&D virtual machines.
Verify Authorizing Official-approved MOAs, MOUs, and SLAs are up to date and included with the organization's accreditation package. If the organization does not have MOAs, MOUs, and/or SLAs with the accreditation package, this is a finding.
Create MOUs, MOAs, and/or SLAs with other interconnected organizations, and then gain approval from the organization’s Authorizing Official and add the documentation to the accreditation package.
1. Verify an IA-compliant system has been deployed to scan downloaded data prior to deployment into the T&D environment. Also, review the zone diagrams to ensure the workstation is documented appropriately. 2. Determine if the organization has a NIPRNet connection. A. If the organization has a NIPRNet connection; data must be downloaded through the DoD IAP. B. If the organization does not have a NIPRNet connection, data must be downloaded through a secure, IA-compliant connection. If the organization does not download and scan the downloaded data to a dedicated IA-system and secure IA-compliant connection, this is a finding.
1. Deploy an IA-compliant system to download data. 2. Configure the IA-compliant system to download data through a secure, IA-compliant connection. A. If your organization has a NIPRNet or connection; data must be downloaded through the DoD IAP. B. If your organization does not have a NIPRNet or connection, data must be downloaded through a secure, IA-compliant connection.
Review the organization's policies and procedures document to ensure proper handling of data being transported into the test and development environment. This document must include information for physical and electronic migration of data. If the organization does not have a policy and procedures document created or available for review, this is a finding.
Create a policy for, and document the procedure of, proper handling of data transported into the test and development environment. This document must include information for physical and electronic handling and migration of data.