
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.


Overview

Finding ID: V-259880
Version: SRG-OS-000370-CLD-000050
Rule ID: SV-259880r958808_rule
IA Controls: (none listed)
Severity: Medium
Description
Register the service/application with the DOD DMZ/IAP allowlist for both inbound and outbound traffic if traffic will cross the internet access points (IAPs). Using an allowlist provides a configuration management method for allowing the execution of only authorized software, ports, protocols, and guest virtual machines (VMs). Using only authorized software decreases risk by limiting the number of potential vulnerabilities and preventing the execution of malware. Cloud approval documentation should include the approved ports and protocols for communications, including allowlisted mission application traffic and services access from the internet via the Defense Information Systems Network (DISN) IAP. If all or a portion of the mission owner's cloud-based Level 4/5 systems/applications connected through the BCAP are to be internet accessible, traffic is required to traverse the DISN IAPs. The system's/application's URLs/IP addresses must be registered with the DOD DMZ allowlist. Traffic that will typically traverse the IAP is management traffic for Level 2 off-premises systems/applications and user plane traffic to/from Level 4/5 systems/applications that are internet-facing. Such traffic and IP addresses may be blocked if not registered in the allowlist.
STIG: Cloud Computing Mission Owner Operating System Security Requirements Guide
Date: 2024-06-13

Details

Check Text (C-63611r945626_chk)
Request the cloud service Provisional Authorization (PA) and registration documentation.

Verify the IaaS/PaaS/SaaS service/application is registered with the DOD DMZ/IAP allowlist for both inbound and outbound traffic when traffic will cross the IAPs.

If the system/service/application is not registered with the DOD DMZ/IAP allowlist for both inbound and outbound internet-facing traffic, this is a finding.
Fix Text (F-63518r945627_fix)
This applies to all Impact Levels.
FedRAMP Moderate, High.

Coordinate with the cybersecurity service provider (CSSP) during cloud architecture development to ensure required security-relevant data will be accessible via the cloud service provider/cloud service offering, third-party security service subscription, and/or native application programming interface capability.

Register the IaaS/PaaS/SaaS service/application with the DOD allowlist for both inbound and outbound traffic. Configure the DOD allowlist with the ports and protocols needed to support applications and services used in the cloud environment.