
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements.


Overview

Finding ID: V-259865
Version: SRG-NET-000205-CLD-000095
Rule ID: SV-259865r945583_rule
IA Controls:
Severity: Medium
Description
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.

Implement scanning using an ACAS server in accordance with USCYBERCOM TASKORD 13-670.
- Use an ACAS Security Center server within NIPRNet or within an associated common virtual services environment in the same cloud service offering (CSO).
- Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center.

Impact Level 2: Applies to IaaS/PaaS CSOs where the Mission Owner has control over the environment. In this case, Mission Owners must provide their own enclave boundary protections or leverage an enterprise-level application protection service instantiated within the same CSO.

STIG: Cloud Computing Mission Owner Network Security Requirements Guide
Date: 2024-06-13

Details

Check Text (C-63596r945581_chk)
If this is a Software as a Service (SaaS), this is not applicable.

This applies to all Impact Levels.

Review the configuration of the IaaS/PaaS. Verify that the IP address of an ACAS server is configured. Verify the flaw remediation data is also being communicated to the cybersecurity service provider (CSSP).

If the PaaS/IaaS does not implement scanning using an ACAS server or CSP-provided solution that meets DOD scanning and reporting requirements, this is a finding.
Fix Text (F-63503r945582_fix)
This applies to all Impact Levels.
FedRAMP Moderate, High.

Configure the IP address of an ACAS server or another solution that meets DOD scanning and reporting requirements.