Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Test and Development Zone D Security Technical Implementation Guide

V1R3 · · · Released 22 Jan 2016 · 22 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

Digest of Updates vs. V1R2 · 23 Oct 2015 −15 ✎ 1

Comparison against the immediately-prior release (V1R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Removed rules 15

  • V-14306 Medium Development is performed on platforms that are not STIG compliant and/or within a non-STIG compliant infrastructure.
  • V-14307 Medium Network infrastructure devices, such as router, switches, firewalls, etc., that support the Test/Development enclave are not STIG compliant.
  • V-14308 Medium Documentation which details the description and function of each system, the zone the system resides in, the SA of the system, applications, OS, and hardware of the system is incomplete or missing.
  • V-14309 Medium Systems in test and development zones are connected to a DoD production network without security controls, as required by the appropriate STIGs. A Connection Approval Process (CAP) has not been used prior to connection to a DoD network.
  • V-14310 Medium Test and development systems are not physically disconnected or blocked at the firewall from external networks during the installation of an operating system.
  • V-14311 Medium Development is performed in a Zone D test enclave.
  • V-14312 High Zone D systems have direct connectivity to a DoD network.
  • V-14371 High Zone D systems contain production or “live” DoD data or privacy act information and are connected to an external network.
  • V-14372 High DoD client workstations/laptops, used for DoD official business, interact or connect (to include remote access) to a Zone D system or network.
  • V-14465 Medium Non-STIG’d systems connect or communicate with STIG compliant production systems via a remote access solution.
  • V-14466 High Virtual machine guest operating systems (OS) which are used to access a T&D zone communicate with the host OS or a production OS.
  • V-14467 High In a virtual machine remote access solution, T&D client traffic is not restricted such that all network traffic can only flow to and from the T&D zone.
  • V-14468 Medium Non-production “guests” communicate with DoD networks via the LAN.
  • V-3918 Medium Test and development systems are not connected to an isolated network separated from production systems.
  • V-3919 Medium Out of band access is not utilized to access a test and development enclave remotely.

Content changes 1

  • V-39621 Medium description The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act.
Sort by
b
Network infrastructure and systems supporting the test and development environment must be documented within the organizations accreditation package.
Medium - V-39344 - SV-51202r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0010
Vuln IDs
  • V-39344
Rule IDs
  • SV-51202r1_rule
Up-to-date documentation is essential in assisting with the management, auditing, and security of the network infrastructure used to support the test and development environment. Network diagrams are important because they show the overall layout where devices are physically located within the network infrastructure. Diagrams also show the relationship and connectivity between devices where possible intrusive attacks could take place. Having up-to-date network diagrams will also help show what the security, traffic, and physical impact of adding a system will be on the network.Information Assurance OfficerInformation Assurance ManagerDCHW-1
Checks: C-46619r2_chk

Review the accreditation package documentation to verify the test and development environment is correctly documented within the network diagrams and site security plan. If the organization's accreditation package does not include the test and development infrastructure in the network diagrams and system security plan, this is a finding.

Fix: F-44359r2_fix

Document network infrastructure and systems supporting the test and development environment, then include it with the accreditation package.

b
Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider.
Medium - V-39345 - SV-51203r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0020
Vuln IDs
  • V-39345
Rule IDs
  • SV-51203r1_rule
Prior to connecting to a live operational network, such as the DISN, systems, at minimum, receive an IATO. A system without an IATO does not show adequate effort to meet IA controls and security requirements and may pose a risk to other computers or systems connecting to the operational network.Information Assurance OfficerInformation Assurance ManagerEBCR-1
Checks: C-46707r5_chk

Review the accreditation package documentation to verify the test and development environment has been granted an IATO to connect to the DISN. If an IATO has not been granted, this is a finding. If the zone environment does not have any connectivity to the DISN or commercial ISP, this requirement is not applicable.

Fix: F-44662r1_fix

Certify and accredit the test and development infrastructure and supporting systems connecting to the DISN. Keep the IATO with the organization's accreditation package.

b
Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system.
Medium - V-39433 - SV-51291r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0030
Vuln IDs
  • V-39433
Rule IDs
  • SV-51291r1_rule
An asset management system is used to send out notifications on vulnerabilities in commercial and military information infrastructures as they are discovered. If the organization's assets are not registered with an asset management system, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors, and other potentially harmful situations. Additionally, there will be no way to enter, track, or resolve findings during a review.VIVM-1
Checks: C-46812r1_chk

Determine whether all systems and network infrastructure devices supporting the test and development environment are registered in an asset management system. If any systems and network infrastructure devices supporting the test and development environment are not registered in an asset management system, this is a finding.

Fix: F-44446r2_fix

Register the network infrastructure and systems supporting the test and development environment in a DoD asset management program.

b
Network infrastructure and systems supporting the test and development environment must be managed from a management network.
Medium - V-39434 - SV-51292r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0040
Vuln IDs
  • V-39434
Rule IDs
  • SV-51292r1_rule
It is important to restrict administrative access to the supporting network infrastructure and systems in the test and development environment, as it reduces the risk of data theft or interception from an attacker on the operational network.ECSC-1
Checks: C-46708r2_chk

Review the network diagrams to determine whether a management network has been established to manage the network infrastructure and systems supporting the test and development environment. If a management network has not been established to manage the test and development environment infrastructure, this is a finding.

Fix: F-44447r2_fix

Engineer a management network solution and document it within the test and development network diagrams.

b
The organization must document impersistent connections to the test and development environment with approval by the organizations Authorizing Official.
Medium - V-39435 - SV-51293r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0050
Vuln IDs
  • V-39435
Rule IDs
  • SV-51293r1_rule
An impersistent connection is any temporary connection needed to another test and development environment or DoD operational network where testing is not feasible. As any unvetted connection or device will create additional risk and compromise the entire environment, it is up to the Authorizing Official for the organization to accept the risk of an impersistent connection.EBCR-1, ECSD-1
Checks: C-46709r3_chk

Review documentation for impersistent connections or devices to ensure the risk has been thoroughly assessed and approved by the Authorizing Official. If no documented approval is available for impersistent connections, this is a finding.

Fix: F-44448r4_fix

Create and have on file up-to-date documentation of the authorized risk approval for impersistent connections or devices.

c
Development systems must have antivirus installed and enabled with up-to-date signatures.
High - V-39437 - SV-51295r1_rule
RMF Control
Severity
H
CCI
Version
ENTD0070
Vuln IDs
  • V-39437
Rule IDs
  • SV-51295r1_rule
Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Utilizing the most current virus scan program provides the ability to detect this malicious code before extensive damage occurs. Updated virus scan data files help protect a system, as new malware is identified by the software vendors on a regular basis.ECSC-1, ECVP-1
Checks: C-46712r3_chk

Review development images to determine whether antivirus is installed and configured with current signatures. If antivirus is missing on development systems, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44450r2_fix

Install antivirus with current signatures on development systems.

b
Development systems must have HIDS or HIPS installed and configured with up-to-date signatures.
Medium - V-39438 - SV-51296r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0080
Vuln IDs
  • V-39438
Rule IDs
  • SV-51296r1_rule
A HIDS or HIPS application is a secondary line of defense behind the antivirus. The application will monitor all ports and the dynamic state of a development system. If the application detects irregularities on the system, it will block incoming traffic that may potentially compromise the development system that can lead to a DoS or data theft.ECID-1, ECSC-1
Checks: C-46713r3_chk

Review the development images to determine whether a HIDS or HIPS application is installed and configured. If a HIDS or HIPS application is not installed and configured on the development image, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44451r2_fix

Install and configure a HIDS or HIPS application on development system images.

b
Development systems must have a firewall installed, configured, and enabled.
Medium - V-39439 - SV-51297r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0090
Vuln IDs
  • V-39439
Rule IDs
  • SV-51297r1_rule
A firewall provides a line of defense against malicious attacks. To be effective, it must be enabled and properly configured.ECSC-1
Checks: C-46714r3_chk

Review the development images to determine whether the OS or a third party firewall has been installed, configured, and enabled. If a firewall is not installed, configured, and enabled, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44452r2_fix

Install, configure, and enable either the OS or a third party firewall on the development system.

b
Development systems must be part of a patch management solution.
Medium - V-39440 - SV-51298r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0100
Vuln IDs
  • V-39440
Rule IDs
  • SV-51298r1_rule
Major software vendors release security patches and hotfixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to prevent unauthorized individuals from exploiting identified vulnerabilities.ECSC-1, VIVM-1
Checks: C-46715r3_chk

Determine whether the organization has a patch management solution in place to apply security patches released by the vendor. If a patch management solution has not been implemented and is not functioning to update development systems with the latest patches, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44453r2_fix

Implement a patch management solution to keep development systems up to date with the latest security patches released by the vendor.

b
A change management policy must be implemented for application development.
Medium - V-39441 - SV-51299r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0110
Vuln IDs
  • V-39441
Rule IDs
  • SV-51299r1_rule
Change management is the formal review process that ensures that all changes made to a system or application receives formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes for applications will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.DCII-1, DCPR-1
Checks: C-46716r3_chk

Interview the ISSM/ISSO to determine whether a current Change Control Management policy has been implemented in the organization. If a change management policy has not been created and implemented for the organization, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44454r2_fix

Create a change management policy for the organization for application and system development.

b
The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks.
Medium - V-39611 - SV-51469r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0120
Vuln IDs
  • V-39611
Rule IDs
  • SV-51469r1_rule
Without the approval of the Change Control Authority, data moved from the test and development network into an operational network could pose a risk of containing malicious code or cause other unintended consequences to live operational data. Data moving into operational networks from final stage preparation must always be vetted and approved.ECSC-1, ECSD-1, ECSD-2
Checks: C-46796r3_chk

Review the change control documentation for the environment to determine whether the organization has prior approval to move data from the test and development environment to the operational network after final testing. If the organization does not keep a change control log or the log exists but is not current, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44627r2_fix

Create a policy to document all finalized projects to gain approval by the Change Control Authority prior to deploying finalized projects to a DoD operational network.

b
Application code must go through a code review prior to deployment into DoD operational networks.
Medium - V-39614 - SV-51472r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0130
Vuln IDs
  • V-39614
Rule IDs
  • SV-51472r1_rule
Prior to release of the application receiving an IATO for deployment into a DoD operational network, the application will have a thorough code review. Along with the proper testing, the code review will specify flaws causing security, compatibility, or reliability concerns that may compromise the operational network.DCSQ-1, ECSC-1, ECSD-1, ECSD-2
Checks: C-46813r2_chk

Determine whether there is a policy in place for code review prior to applications being deployed into a DoD operational network. If a code review policy has not been established, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44666r1_fix

Implement a code review policy for applications before deployment into DoD operational networks.

b
Access to source code during application development must be restricted to authorized users.
Medium - V-39619 - SV-51477r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0140
Vuln IDs
  • V-39619
Rule IDs
  • SV-51477r1_rule
Restricting access to source code and the application to authorized users will limit the risk of source code theft or other potential compromise.ECAN-1, ECCD-1, ECLP-1
Checks: C-46797r3_chk

Review the organization's site security plan and documentation to determine whether there is a list of current authorized users. If a current list of authorized users is missing from the site security plan for the test and development environment, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix: F-44630r2_fix

Document all authorized users with access to the development environment and access to source code. If the documentation exists but is not current, bring the documentation up to date.

b
The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act.
Medium - V-39621 - SV-51479r2_rule
RMF Control
Severity
M
CCI
Version
ENTD0150
Vuln IDs
  • V-39621
Rule IDs
  • SV-51479r2_rule
If DoD production data is transferred to a test and development environment and personal or sensitive information has not been sanitized from the data, personal or sensitive information could be exposed or compromised.ECSC-1
Checks: C-46799r3_chk

Determine the data type on systems within the test and development environment. Interview the ISSM or ISSO regarding the connection approval process for housing DoD live operational data or Privacy Act information on any test or development system. If the test and development environment is using live DoD data or Privacy Act information, this is a finding.

Fix: F-44637r2_fix

Create organizational policies and procedures to prohibit the use of any live operational DoD data or Privacy Act information in the test and development environment.

c
The Zone D test and development environment must be physically separate and isolated from any DoD operational network.
High - V-39659 - SV-51526r2_rule
RMF Control
Severity
H
CCI
Version
ENTD0200
Vuln IDs
  • V-39659
Rule IDs
  • SV-51526r2_rule
Systems found in the Zone D test and development environment are typically non-IA-compliant test systems that include hardware, software, or development systems. These systems typically do not follow the appropriate best security practices. Therefore, if they are connected to any operational network, it is possible to infect live data or degrade infrastructure in an operational network.ECSC-1
Checks: C-46814r3_chk

Review the organization's network diagrams for the Zone D test and development environment and work with the network reviewer to determine whether the environment is physically separate and isolated from any DoD operational network. If physical separation or isolation is not shown for the Zone D test and development environment on the network diagrams, this is a finding.

Fix: F-44667r3_fix

Physically separate and isolate the Zone D test and development environment from any DoD operational network.

b
The test and development environment must not have access to DoD operational networks.
Medium - V-39660 - SV-51527r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0210
Vuln IDs
  • V-39660
Rule IDs
  • SV-51527r1_rule
Systems or devices used for test data that do not meet minimum IA standards for accreditation are a risk to a DoD operational network if allowed to communicate between environments. Data that has not been fully tested and finalized for use in an operational network may cause unintended consequences, such as data loss or corruption. Unvetted data allowed into a DoD operational network from non-IA-compliant machines may also contain malicious code that could be used to steal or damage live data.ECSC-1
Checks: C-46815r1_chk

Determine whether there are procedures in place to prohibit non-IA-compliant systems or devices from accessing any DoD operational network. If no procedure is in place to prohibit connection to any DoD operational network by non-IA-compliant systems, this is a finding.

Fix: F-44668r1_fix

Prohibit non-IA-compliant systems or devices in the test and development environment from accessing any DoD operational network or live data.

b
Remote access VPNs must prohibit the use of split tunneling on VPN connections.
Medium - V-39669 - SV-51536r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0300
Vuln IDs
  • V-39669
Rule IDs
  • SV-51536r1_rule
The VPN software on a host can be configured in either of two modes. It can be set to encrypt all IP traffic originating from that host, and send all of that traffic to the remote IP address of the network gateway. This configuration is called “tunnel-all” mode, because all IP traffic from the host must traverse the VPN tunnel to the remote system, where it will either be processed or further forwarded to additional IP addresses after decryption. Alternately, the VPN software can be set only to encrypt traffic that is specifically addressed to an IP at the other end of the VPN tunnel. All other IP traffic bypasses the VPN encryption and routing process, and is handled by the host as if the VPN relationship did not exist. This configuration is called “split-tunnel” mode, because the IP traffic from the host is split between encrypted packets sent across the VPN tunnel and unencrypted packets sent to all other external addresses. There are security and operational implications in the decision of whether to use split-tunnel or tunnel-all mode. Placing a host in tunnel-all mode makes it appear to the rest of the world as a node on the connected logical (VPN-connected) network. It no longer has an identity to the outside world based on the local physical network. In tunnel-all mode, all traffic between the remote host and any other host can be subject to inspection and processing by the security policy devices of the remote VPN-linked network. This improves the security aspects of the connected network, since it can enforce all security policies on the VPN-connected computer.ECSC-1
Checks: C-46824r1_chk

Determine whether split tunneling is prohibited for remote access VPNs connecting to the test and development environment. If the VPN policy allows split tunneling, this is a finding.

Fix: F-44677r1_fix

Configure VPNs to prohibit split tunneling when connecting to the test and development environment.

b
Remote access into the test and development environment must originate from a non-DoD operational network segment.
Medium - V-39670 - SV-51537r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0310
Vuln IDs
  • V-39670
Rule IDs
  • SV-51537r1_rule
If remote access is needed to access the test and development environment, it must be originated from a non-DoD operational network segment. Examples of this are a virtual machine located on government-furnished equipment used for operational tasks, or a separate physical machine sitting in a separate network segment or VLAN. Keeping direct access off the DoD operational network will reduce the risk of test and development data being leaked, potentially damaging or compromising live data.ECSC-1
Checks: C-46825r1_chk

Determine whether remote access to the test and development environment from any DoD operational network segment has been prohibited. If no procedures exist to prohibit remote access to the test and development environment from any DoD operational network, this is a finding.

Fix: F-44678r1_fix

Prohibit remote access from DoD operational networks.

b
Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines.
Medium - V-39672 - SV-51539r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0330
Vuln IDs
  • V-39672
Rule IDs
  • SV-51539r1_rule
Attacks on virtual machines from other VMs through denial of service and other attacks potentially stealing sensitive data such as source code used in application development. It is imperative to keep DoD operational virtual machines on physically separate platforms from test and development virtual machines.ECSC-1
Checks: C-46827r1_chk

Review the system plan to determine whether physical hosts are sharing DoD operational and test and development virtual machines.

Fix: F-44680r2_fix

Engineer a solution to use separate physical hosts for DoD operational and T&D virtual machines.

a
The organization must have a current ISP GIG Waiver for any ISP connections to the test and development environment.
Low - V-39674 - SV-51541r1_rule
RMF Control
Severity
L
CCI
Version
ENTD0350
Vuln IDs
  • V-39674
Rule IDs
  • SV-51541r1_rule
The test and development environment is typically a closed and physically separated network with no external connectivity to the DISN or Internet. In some instances, Internet connectivity is needed for this environment due to the flexibility it provides for nonoperational systems. In this case, an ISP GIG Waiver is required, along with approval from the organization's Authorizing Official.
Checks: C-46829r1_chk

Verify the organization has an ISP GIG Waiver for any Internet connection. The documentation should be up to date and included with the accreditation package. If no ISP GIG Waiver has been obtained or is not up to date, this is a finding.

Fix: F-44682r1_fix

Obtain an ISP GIG Waiver for any Internet connection into the test and development environment.

b
Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment.
Medium - V-41494 - SV-54070r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0360
Vuln IDs
  • V-41494
Rule IDs
  • SV-54070r1_rule
It is mandatory that data from an untrusted network or website that is to be used in a testing and development environment be downloaded through a secure perimeter. Bringing data directly from an untrusted network or downloaded from a personal computer or home Internet connection must be prohibited. Scanning data is crucial to ensure the integrity of the information prior to deployment for T&D processes. While not an all-inclusive list, data in this situation includes OS patches, application updates, operating systems, development tools, and test data. In the T&D environment, there will typically be one or more IA-compliant systems accessing a secure Internet connection. If a secure Internet connection is not available, such as in Zone D, a connection in another zone can be used and the data moved by approved physical media into the zone. Scanning the data with an anti-virus program will reduce the risk of exploits and of having vulnerable systems in the T&D environment taken over. Downloading data from a single workstation for all zone environments is acceptable. Organizations with NIPRNet connections must download all data through their NIPR connection for scanning at the IAPs. Contractors or other DoD organizations without any direct NIPRNet connectivity will need to use a secure Internet connection following all applicable DoD IA policy and STIG requirements.
Checks: C-48011r6_chk

1. Verify an IA-compliant system has been deployed to scan downloaded data prior to deployment into the T&D environment. Also, review the zone diagrams to ensure the workstation is documented appropriately. 2. Determine if the organization has a NIPRNet connection. A. If the organization has a NIPRNet connection; data must be downloaded through the DoD IAP. B. If the organization does not have a NIPRNet connection, data must be downloaded through a secure, IA-compliant connection. If the organization does not download and scan the downloaded data to a dedicated IA-system and secure IA-compliant connection, this is a finding.

Fix: F-46950r4_fix

1. Deploy an IA-compliant system to download data. 2. Configure the IA-compliant system to download data through a secure, IA-compliant connection. A. If your organization has a NIPRNet or connection; data must be downloaded through the DoD IAP. B. If your organization does not have a NIPRNet or connection, data must be downloaded through a secure, IA-compliant connection.

b
The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment.
Medium - V-43317 - SV-56070r1_rule
RMF Control
Severity
M
CCI
Version
ENTD0370
Vuln IDs
  • V-43317
Rule IDs
  • SV-56070r1_rule
Without policies and procedures in place, the organization will not have the authority to hold personnel accountable for improperly handling or transporting data into the test and development environment. The documents need to include guidance for both physical and electronic data migration.
Checks: C-49290r2_chk

Review the organization's policies and procedures document to ensure proper handling of data being transported into the test and development environment. This document must include information for physical and electronic migration of data. If the organization does not have a policy and procedures document created or available for review, this is a finding.

Fix: F-48944r1_fix

Create a policy for, and document the procedure of, proper handling of data transported into the test and development environment. This document must include information for physical and electronic handling and migration of data.