The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-8342 | DSN03.03 | SV-8837r1_rule | ECSC-1 | unknown |
| Description |
|---|
| Requirement: The IAO will ensure that commercially contracted (leased or procured) systems and services supporting the DSN comply with all applicable STIGs in accordance with contract requirements.STIG compliance is DoD policy and must be accomplished to the greatest extent possible so that any information system may be Certified and Accredited, operated, and connected to other systems if applicable. Placing this requirement in procurement contracts puts the vendor on notice that their product or solution must support these DoD policy requirements. The responsibility of monitoring compliance of contract requirements falls to the DAA, IAM, IAO, and/or SA responsible for operating the system in compliance with policy. Placing compliance requirements in a contract provides no assurance that they are being met if there is no validation or enforcement of the contract requirements. |
| STIG | Date |
|---|---|
| Defense Switched Network STIG | 2015-01-02 |
Details
| Check Text ( C-7650r1_chk ) |
|---|
| Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable. |
| Fix Text (F-7991r1_fix) |
|---|
| Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy. |