Test and Development Zone A Security Technical Implementation Guide



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-39663 High Access control lists between the test and development environment and DoD operational networks must be in a deny-by-default posture.
V-39636 High The test and development infrastructure must use a firewall for traffic inspection to and from DoD operational networks.
V-39437 High Development systems must have antivirus installed and enabled with up-to-date signatures.
V-39667 Medium Remote access into the test and development environment must use an encryption mechanism approved for the classification level of the network.
V-39664 Medium Access control lists between the test and development environments must be in a deny-by-default posture.
V-39629 Medium Ports, protocols, and services visible to DoD operational networks or ISPs must follow DoDI 8551.1 policy.
V-39627 Medium The test and development infrastructure must use a gateway to separate access to DoD operational networks.
V-39669 Medium Remote access VPNs must prohibit the use of split tunneling on VPN connections.
V-43317 Medium The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment.
V-39440 Medium Development systems must be part of a patch management solution.
V-39441 Medium A change management policy must be implemented for application development.
V-39611 Medium The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks.
V-39614 Medium Application code must go through a code review prior to deployment into DoD operational networks.
V-39619 Medium Access to source code during application development must be restricted to authorized users.
V-39672 Medium Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines.
V-39344 Medium Network infrastructure and systems supporting the test and development environment must be documented within the organization's accreditation package.
V-39439 Medium Development systems must have a firewall installed, configured, and enabled.
V-39438 Medium Development systems must have HIDS or HIPS installed and configured with up-to-date signatures.
V-41494 Medium Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment.
V-39433 Medium Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system.
V-39345 Medium Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider.
V-39436 Medium Application development must not occur on DoD operational network segments.
V-39435 Medium The organization must document impersistent connections to the test and development environment with approval by the organization's Authorizing Official.
V-39434 Medium Network infrastructure and systems supporting the test and development environment must be managed from a management network.
V-39662 Low Access control lists between development and testing network segments within a test and development environment must be in a deny-by-default posture.
V-39671 Low Installation of operating systems on systems and devices in the test and development environment must be logically separated to prohibit access to any operational network.