The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259874	SRG-OS-000096-CLD-000060	SV-259874r958480_rule		Medium

Description
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

STIG	Date
Cloud Computing Mission Owner Operating System Security Requirements Guide	2024-06-13

Details

Check Text ( C-63605r945608_chk )
If this is an Impact Level 2 cloud service offering, this is not a finding. For dedicated infrastructure with a DOD Information Network (DODIN) connection (Levels 4–6), review the architecture diagrams. Verify the virtual firewall access control lists that restrict traffic flow inbound and outbound to/from the cloud service to the DODIN connection comply with the boundary requirements. Verify all traffic from the cloud service provider (CSP) enclave and other sources are blocked by these methods. If the cloud service offering is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments, this is a finding.

Check Text ( C-63605r945608_chk )

If this is an Impact Level 2 cloud service offering, this is not a finding.

For dedicated infrastructure with a DOD Information Network (DODIN) connection (Levels 4–6), review the architecture diagrams. Verify the virtual firewall access control lists that restrict traffic flow inbound and outbound to/from the cloud service to the DODIN connection comply with the boundary requirements. Verify all traffic from the cloud service provider (CSP) enclave and other sources are blocked by these methods.

If the cloud service offering is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments, this is a finding.

Fix Text (F-63512r945609_fix)
This applies to Impact Level 4/5/6. FedRAMP Moderate, High. For dedicated infrastructure with a DODIN connection (Levels 4–6), configure the IaaS/PaaS virtual firewall that restricts traffic flow inbound and outbound to/from the cloud service to the DODIN connection and block all traffic from all other sources. To ensure protocols and services are not blocked by the above configuration, register them along with their related UDP/TCP IP ports used by the SaaS service that will traverse the Defense Information Systems Network (DISN) in the DOD PPSM registry. This includes all user and management plane traffic for Levels 4, 5, and 6 as well as management plane traffic for Level 2 if managed/monitored from within a DOD network.

Fix Text (F-63512r945609_fix)

This applies to Impact Level 4/5/6.
FedRAMP Moderate, High.

For dedicated infrastructure with a DODIN connection (Levels 4–6), configure the IaaS/PaaS virtual firewall that restricts traffic flow inbound and outbound to/from the cloud service to the DODIN connection and block all traffic from all other sources.

To ensure protocols and services are not blocked by the above configuration, register them along with their related UDP/TCP IP ports used by the SaaS service that will traverse the Defense Information Systems Network (DISN) in the DOD PPSM registry. This includes all user and management plane traffic for Levels 4, 5, and 6 as well as management plane traffic for Level 2 if managed/monitored from within a DOD network.