ECMT-2 Conformance Monitoring and Testing


Overview

Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled, conducted, and independently validated. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.

MAC / CONF: CLASSIFIED
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without regular conformance testing, system vulnerabilities cannot be identified and fixed in a timely manner. This implementation guide is intended to help project management schedule and perform regular conformance testing to identify threats to and vulnerabilities of the system, and to implement countermeasures that mitigate or eliminate the resulting risks.

Guidance
1. The project management shall develop a conformance testing plan that includes the following information:
  · Type of conformance testing (e.g., vulnerability assessment, security test and evaluation [ST&E], internal and/or external penetration testing)
  · Schedule of the testing either periodic (e.g., quarterly) or unannounced
  · Resources required to perform individual testing
  · Tools to be used for conformance testing (e.g., Internet Security Systems (ISS) Vulnerability Scanner, FSO Gold Disk, nmap, nessus, Retina)
  · Current Information Assurance Vulnerability Alerts (IAVA), IAV Bulletins (IAVB), and IAV Technical Advisories (IAV-TA)
  · Other vulnerability and patch information from vendors, Common Vulnerabilities & Exposures (CVE), etc.
2. The project management shall determine if the conformance testing will be performed using in-house resources or outsourced.
3. The project management shall establish a conformance test team (e.g., Test Engineer, Test Reviewer) with an adequate degree of independent review and validation.
4. The project management shall review and approve the Rules of Engagement developed by the test team.
5. The project management shall coordinate with personnel involved in the conformance testing for all activities associated with the periodic or unannounced conformance testing.
6. For penetration testing, the project management shall establish a “White Cell” to coordinate the penetration testing.
7. The test team shall install required testing resources on the workstations/laptops to be used for the testing and configure them properly.
8. The test teams shall perform the testing based on the approved rules (e.g., ST&E Plan, Rules of Engagement) and document the test results.
9. The project management shall review the results of the conformance testing and the countermeasures proposed to mitigate the identified risks.
10. The project management shall develop a Plan of Action and Milestones (POAM).
11. The project management shall implement the recommended countermeasures based on the POAM to ensure that the system’s IA capabilities provide adequate assurance against constantly evolving threats and vulnerabilities.
12. The project management shall protect the Conformance Testing Reports at the level of information contained in the reports (e.g., Classified, For Official Use Only).

References

  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DISA Windows NT Security Checklist, 10 December 2004
  • DISA Windows 2003 Checklist, 10 December 2004
  • DISA Unix STIG, Version 4, Release 4, 15 September 2003
  • DISA Solaris Security Checklist, 20 January 2004
  • DISA Unisys STIG, 22 July 2003
  • DISA Application Security Checklist, Version 2, Release 1.5, 28 January 2005
  • DISA FSO Security Readiness Scripts
  • Center for Internet Security Router Audit Tool (RAT), September 2004
  • Field Security Operations (FSO) Operating Systems Gold Disks
  • NIST - Technical Guide to Information Security Testing and Assessment