The Mission Owner of the Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) must continuously monitor and protect inbound communications from external systems, other IaaS within the same cloud service environment, or collocated mission applications for unusual or unauthorized activities or conditions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259868	SRG-NET-000390-CLD-000110	SV-259868r945592_rule		Medium

Description
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. This function may be deployed within the cloud service environment cloud access point or supporting Core Data Center (CDC).

Description

Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. This function may be deployed within the cloud service environment cloud access point or supporting Core Data Center (CDC).

STIG	Date
Cloud Computing Mission Owner Network Security Requirements Guide	2024-06-13

Details

Check Text ( C-63599r945590_chk )
If this is a Software as a Service (SaaS), this is not applicable. Inspect the firewall and/or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filters on the firewall inbound interfaces. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor inbound communications from external systems, other IaaS, or collocated mission applications within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.

Check Text ( C-63599r945590_chk )

If this is a Software as a Service (SaaS), this is not applicable.

Inspect the firewall and/or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filters on the firewall inbound interfaces.

Verify these rules are configured for continuous monitoring.

Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices.

If the IaaS/PaaS does not continuously monitor inbound communications from external systems, other IaaS, or collocated mission applications within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.

Fix Text (F-63506r945591_fix)
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications inbound to the virtual IaaS or PaaS. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices.

Fix Text (F-63506r945591_fix)

This applies to all Impact Levels.
FedRAMP Moderate, High.

Configure the firewall and/or IDPS for continuous monitoring of all communications inbound to the virtual IaaS or PaaS.

Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices.