UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).


Overview

Finding ID Version Rule ID IA Controls Severity
V-8051 NET0160 SV-8537r3_rule High
Description
Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect internal network resources from cyber attacks originating from external Internet sources by protective environments.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2017-03-02

Details

Check Text ( C-7432r7_chk )
Any connection to an internet service provider (ISP) must be approved by the Office of the DoD CIO before a connection is made to the ISP. Based on the use cases below, verify written approval has been obtained from the Office of the DoD CIO or verify a renewal request has been appropriately submitted. There are three basic use cases for an ISP connection.

Use case (1): An ISP connection that originates from an approved DISN infrastructure source (includes IAP connections at the DECCs). A DoDIN Waiver is required for a CC/S/A to connect the unclassified DISN to an ISP. These connection requests must come to the Waiver Panel with a Component CIO endorsement of the requirement. These connections should not be provisioned and put into use until waived. Expired waivers pending renewal from the OSD DoDIN Waiver Panel may be downgraded to a Severity 3 category, if proof of a requested renewal can be verified. A DISN enclave that cannot prove DoDIN Waiver approval for the ISP connection is a Severity 1 category. Note: If discovered during a CCRI assessment, the review team lead will immediately report the unapproved ISP connection to the USCYBERCOM and the Connection Approval Office. USCYBERCOM will direct the connection be immediately disconnected.

Use Case (2): An ISP connection to a Stand Alone Enclave (physically and logically separated from any DISN connection) requires DoDIN Waiver approval prior to connection. The Stand Alone Enclave must have an AO issued ATO and the connection must be logically and physically separated from the DISN. An unapproved ISP connection in this use case will be assigned a Severity 3 category.

Use Case (3): An ISP connection to a non-DoD network (such as a contractor-owned infrastructure) co-located on the same premises as the DoD network. The non-DoD network is physically and logically separated from any DoD IP network. Furthermore, it is not connected to any DoD IP network. The non-DoD network infrastructure is not DoD funded nor is it operated or administered by DoD military or civilian personnel. In addition, the non-DoD network with the ISP connection is not storing, processing, or transmitting any DoD data. For such a network as defined herein, a DoDIN Waiver approval is not required for deploying a connection to an ISP. However, the AO must perform and have on file a risk assessment endorsed by the facility or installation command.

If any of the above use cases that are applicable and written approval has been not been obtained from the Office of the DoD CIO or if a renewal request has not been submitted, this is a finding.
Fix Text (F-7626r4_fix)
Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).