
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must implement a security stack that restricts traffic flow inbound and outbound between the IaaS and the Boundary Cloud Access Point (BCAP) or Internal Cloud Access Point (ICAP) connection.


Overview

Finding ID: V-259863
Version: SRG-NET-000205-CLD-000085
Rule ID: SV-259863r945577_rule
IA Controls: (none)
Severity: High
Description
DOD users on the internet may first connect to their assigned Defense Information Systems Network (DISN) Virtual Private Network (VPN) before accessing DOD private applications. The virtual environment may be composed of an array of cloud service offerings from a particular cloud service provider (CSP). The DISN security architecture provides the users with connectivity to the cloud service environment. The architecture mitigates potential damage to the DISN and provides the ability to detect and prevent an attack before it reaches the DISN.

Note: Off-premise CSP infrastructure having a Level 2 Provisional Authorization (PA) is directly connected to the internet. All traffic to and from a Level 2 cloud service offering (CSO) serving Level 2 missions and their mission virtual networks will connect via the internet.

CSP infrastructure (dedicated to DOD) located inside the Base, Camp, Post, and Station (B/C/P/S) "fence line" (i.e., on premise) connects via an ICAP. The architecture of ICAPs may vary and may leverage existing capabilities, such as the information assurance stack protecting a DOD data center or a Joint Regional Security Stack (JRSS). An ICAP may also have special capabilities to support specific missions, CSP types (commercial or DOD), or cloud services.

CSP infrastructure (shared with non-DOD or dedicated to the DOD) located outside the B/C/P/S fence line that connects to the DODIN/NIPRNet does so via one or more BCAPs. The BCAP terminates dedicated circuits and VPN connections originating within the CSP's network infrastructure and/or Mission Owner's virtual networks. All connections between a CSP's network infrastructure or Mission Owner's virtual networks that are accessed via or from the NIPRNet/SIPRNet must connect to the DODIN via a BCAP. For dedicated infrastructure with a DODIN connection (Levels 4–6), the Mission Owner will ensure a virtual security stack is configured in accordance with DODI 8551.
STIG: Cloud Computing Mission Owner Network Security Requirements Guide
Date: 2024-06-13

Details

Check Text (C-63594r945575_chk)
If this is an Impact Level 2 IaaS/PaaS implementation, this requirement is not applicable.

Review the architecture for the IaaS.

Verify that for dedicated infrastructure mission Impact Levels 4–5, the IaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection.

For IaaS Levels 4–5, if the IaaS does not implement a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection, this is a finding.
Fix Text (F-63501r945576_fix)
FedRAMP Moderate, High.

For dedicated infrastructure with an ICAP/BCAP connection (Levels 4–5 and on-premise Impact Level 2), ensure the IaaS/PaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection.
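As an added illustration (not part of the SRG text or any DISA tool), the following Python assessor models the intent of the check and fix text above: in the IaaS/PaaS virtual security stack, every allow rule in both directions must be scoped to the BCAP/ICAP connection and to a named port, and each direction must end in a default deny. The Rule model, the CAP prefix 10.20.0.0/16, the workload prefix 10.50.1.0/24 and both sample rule sets are constructed for the example; applicability follows the Levels 4–5 scoping of the check text plus the on-premise Impact Level 2 case named in the fix text.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed rule model: one entry of a virtual security stack's policy,
# with direction expressed relative to the IaaS/PaaS workloads.
@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    action: str     # "allow" or "deny"
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: str      # "any" or e.g. "tcp/443"

ANY = ip_network("0.0.0.0/0")

def applicable(impact_level: int, on_premise: bool) -> bool:
    """Levels 4-5 always; Level 2 only when on premise (ICAP-connected)."""
    return impact_level in (4, 5) or (impact_level == 2 and on_premise)

def assess(rules, cap_prefix: str):
    """Return a list of findings; an empty list means the stack restricts
    inbound and outbound flow between the IaaS/PaaS and the BCAP/ICAP."""
    cap = ip_network(cap_prefix)
    findings = []
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]
        # Each direction must terminate in an explicit any/any deny.
        last = chain[-1] if chain else None
        if not last or last.action != "deny" or \
                ip_network(last.src) != ANY or ip_network(last.dst) != ANY:
            findings.append(f"{direction}: no terminal default-deny rule")
        for r in chain:
            if r.action != "allow":
                continue
            # The far end of an allowed flow must lie inside the CAP prefix.
            peer = ip_network(r.src if direction == "inbound" else r.dst)
            if not peer.subnet_of(cap):
                findings.append(f"{direction}: allow {r.src}->{r.dst} "
                                f"is not scoped to the CAP connection {cap}")
            if r.ports == "any":
                findings.append(f"{direction}: allow {r.src}->{r.dst} "
                                "permits all ports")
    return findings

CAP = "10.20.0.0/16"  # constructed BCAP/ICAP-side prefix
COMPLIANT = [
    Rule("inbound", "allow", "10.20.0.0/16", "10.50.1.0/24", "tcp/443"),
    Rule("inbound", "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
    Rule("outbound", "allow", "10.50.1.0/24", "10.20.0.0/16", "tcp/443"),
    Rule("outbound", "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]
UNRESTRICTED_EGRESS = COMPLIANT[:2] + [
    Rule("outbound", "allow", "10.50.1.0/24", "0.0.0.0/0", "any"),
]
```

Running `assess(UNRESTRICTED_EGRESS, CAP)` reports the missing outbound default deny, the unscoped destination and the open port range, which is exactly the condition the check text calls a finding.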