The Mission Owner must configure the customer service portal credentials for least privilege.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259872	SRG-OS-000001-CLD-000010	SV-259872r958362_rule		High

Description
The Mission Owner must appoint specific individuals or entities to establish plans and policies for the control of privileged user access (including root account credentials) used to establish, configure, and control a Mission Owner's Virtual Private Cloud (VPC) configuration once connected to the DISA Information Systems Network (DISN). These individuals or entities establish and manage accounts and credentials used by privileged DOD users and systems to administer and control DOD cloud service offering configurations. This role is intended to operate at all DOD information Impact Levels. However, it may not apply to some Software-as-a-Service (SaaS) solutions where DOD account owners are not required to use the cloud service provider's (CSP's) Identity and Access Management (IdAM) system to administer user accounts and service configurations.

Description

The Mission Owner must appoint specific individuals or entities to establish plans and policies for the control of privileged user access (including root account credentials) used to establish, configure, and control a Mission Owner's Virtual Private Cloud (VPC) configuration once connected to the DISA Information Systems Network (DISN). These individuals or entities establish and manage accounts and credentials used by privileged DOD users and systems to administer and control DOD cloud service offering configurations. This role is intended to operate at all DOD information Impact Levels. However, it may not apply to some Software-as-a-Service (SaaS) solutions where DOD account owners are not required to use the cloud service provider's (CSP's) Identity and Access Management (IdAM) system to administer user accounts and service configurations.

STIG	Date
Cloud Computing Mission Owner Operating System Security Requirements Guide	2024-06-13

Details

Check Text ( C-63603r945602_chk )
Review the site's approval documentation to verify that an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration. If the Mission Owner has not configured the customer service portal credentials and the Mission Owner application/system privileged accounts for least privilege, this is a finding.

Check Text ( C-63603r945602_chk )

Review the site's approval documentation to verify that an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration.

If the Mission Owner has not configured the customer service portal credentials and the Mission Owner application/system privileged accounts for least privilege, this is a finding.

Fix Text (F-63510r945603_fix)
This applies to all Impact Levels. FedRAMP Moderate, High. Appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals to access and configure services and virtual instances.