acceptedTest and Development Zone B Security Technical Implementation GuideThe Test & Development Zone A STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 26 Oct 20181I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>ENTD0010 - The test and development infrastructure is not properly documented.<GroupDescription></GroupDescription>ENTD0010Network infrastructure and systems supporting the test and development environment must be documented within the organizations accreditation package.<VulnDiscussion>Up-to-date documentation is essential in assisting with the management, auditing, and security of the network infrastructure used to support the test and development environment. Network diagrams are important because they show the overall layout where devices are physically located within the network infrastructure. Diagrams also show the relationship and connectivity between devices where possible intrusive attacks could take place. 
Having up-to-date network diagrams will also help show what the security, traffic, and physical impact of adding a system will be on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>Information Assurance Manager</Responsibility><IAControls>DCHW-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Document network infrastructure and systems supporting the test and development environment, then include it with the accreditation package.Review the accreditation package documentation to verify the test and development environment is correctly documented within the network diagrams and site security plan. If the organization's accreditation package does not include the test and development infrastructure in the network diagrams and system security plan, this is a finding.ENTD0020 - The test and development infrastructure does not follow a CAP.<GroupDescription></GroupDescription>ENTD0020Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider.<VulnDiscussion>Prior to connecting to a live operational network, such as the DISN, systems, at minimum, receive an IATO. 
A system without an IATO does not show adequate effort to meet IA controls and security requirements and may pose a risk to other computers or systems connecting to the operational network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>Information Assurance Manager</Responsibility><IAControls>EBCR-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Certify and accredit the test and development infrastructure and supporting systems connecting to the DISN. Keep the IATO with the organization's accreditation package.Review the accreditation package documentation to verify the test and development environment has been granted an IATO to connect to the DISN. If an IATO has not been granted, this is a finding.
If the zone environment does not have any connectivity to the DISN or commercial ISP, this requirement is not applicable.ENTD0030 - The test and development infrastructure registered in DoD asset management program.<GroupDescription></GroupDescription>ENTD0030Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system.<VulnDiscussion>An asset management system is used to send out notifications on vulnerabilities in commercial and military information infrastructures as they are discovered. If the organization's assets are not registered with an asset management system, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors, and other potentially harmful situations. Additionally, there will be no way to enter, track, or resolve findings during a review.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>VIVM-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Register the network infrastructure and systems supporting the test and development environment in a DoD asset management program.Determine whether all systems and network infrastructure devices supporting the test and development environment are registered in an asset management system. 
If any systems and network infrastructure devices supporting the test and development environment are not registered in an asset management system, this is a finding.ENTD0040 - The test and development infrastructure is not managed through management network.<GroupDescription></GroupDescription>ENTD0040Network infrastructure and systems supporting the test and development environment must be managed from a management network.<VulnDiscussion>It is important to restrict administrative access to the supporting network infrastructure and systems in the test and development environment, as it reduces the risk of data theft or interception from an attacker on the operational network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Engineer a management network solution and document it within the test and development network diagrams.Review the network diagrams to determine whether a management network has been established to manage the network infrastructure and systems supporting the test and development environment. If a management network has not been established to manage the test and development environment infrastructure, this is a finding.ENTD0050 - Impersistent connections do not have approval.<GroupDescription></GroupDescription>ENTD0050The organization must document impersistent connections to the test and development environment with approval by the organizations Authorizing Official.<VulnDiscussion>An impersistent connection is any temporary connection needed to another test and development environment or DoD operational network where testing is not feasible. 
As any unvetted connection or device will create additional risk and compromise the entire environment, it is up to the Authorizing Official for the organization to accept the risk of an impersistent connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>EBCR-1, ECSD-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Create and have on file up-to-date documentation of the authorized risk approval for impersistent connections or devices.Review documentation for impersistent connections or devices to ensure the risk has been thoroughly assessed and approved by the Authorizing Official. If no documented approval is available for impersistent connections, this is a finding.ENTD0060 - Development on operational network segments.<GroupDescription></GroupDescription>ENTD0060Application development must not occur on DoD operational network segments.<VulnDiscussion>To reduce the risk of compromise of DoD operational networks and data, application and system development needs to be limited to systems within a network segment designated for development only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Designate network segments for applications and systems development. 
Document these designated network segments in the network diagrams for the T&D environment.Review the organization's network diagrams to determine whether network segments for development have been established and outlined in the documentation. If application development occurs on DoD operational networks, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0070 - Antivirus not installed on development systems.<GroupDescription></GroupDescription>ENTD0070Development systems must have antivirus installed and enabled with up-to-date signatures.<VulnDiscussion>Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Utilizing the most current virus scan program provides the ability to detect this malicious code before extensive damage occurs. Updated virus scan data files help protect a system, as new malware is identified by the software vendors on a regular basis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1, ECVP-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Install antivirus with current signatures on development systems.Review development images to determine whether antivirus is installed and configured with current signatures. If antivirus is missing on development systems, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0080 - HIDS or HIPS not installed on development system.<GroupDescription></GroupDescription>ENTD0080Development systems must have HIDS or HIPS installed and configured with up-to-date signatures.<VulnDiscussion>A HIDS or HIPS application is a secondary line of defense behind the antivirus. The application will monitor all ports and the dynamic state of a development system. If the application detects irregularities on the system, it will block incoming traffic that may potentially compromise the development system that can lead to a DoS or data theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECID-1, ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Install and configure a HIDS or HIPS application on development system images.Review the development images to determine whether a HIDS or HIPS application is installed and configured. If a HIDS or HIPS application is not installed and configured on the development image, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0090 - A firewall is not present on the development system.<GroupDescription></GroupDescription>ENTD0090Development systems must have a firewall installed, configured, and enabled.<VulnDiscussion>A firewall provides a line of defense against malicious attacks. To be effective, it must be enabled and properly configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Install, configure, and enable either the OS or a third party firewall on the development system.Review the development images to determine whether the OS or a third party firewall has been installed, configured, and enabled. If a firewall is not installed, configured, and enabled, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0100 - A patch management solution is not implemented for development systems.<GroupDescription></GroupDescription>ENTD0100Development systems must be part of a patch management solution.<VulnDiscussion>Major software vendors release security patches and hotfixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to prevent unauthorized individuals from exploiting identified vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1, VIVM-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Implement a patch management solution to keep development systems up to date with the latest security patches released by the vendor.Determine whether the organization has a patch management solution in place to apply security patches released by the vendor. If a patch management solution has not been implemented and is not functioning to update development systems with the latest patches, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0110 - A change management policy is not implemented.<GroupDescription></GroupDescription>ENTD0110A change management policy must be implemented for application development.<VulnDiscussion>Change management is the formal review process that ensures that all changes made to a system or application receives formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes for applications will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCII-1, DCPR-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Create a change management policy for the organization for application and system development.Interview the ISSM/ISSO to determine whether a current Change Control Management policy has been implemented in the organization. If a change management policy has not been created and implemented for the organization, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0120 - Applications moving to operational networks not approved.<GroupDescription></GroupDescription>ENTD0120The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks.<VulnDiscussion>Without the approval of the Change Control Authority, data moved from the test and development network into an operational network could pose a risk of containing malicious code or cause other unintended consequences to live operational data. Data moving into operational networks from final stage preparation must always be vetted and approved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1, ECSD-1, ECSD-2</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Create a policy to document all finalized projects to gain approval by the Change Control Authority prior to deploying finalized projects to a DoD operational network.Review the change control documentation for the environment to determine whether the organization has prior approval to move data from the test and development environment to the operational network after final testing. If the organization does not keep a change control log or the log exists but is not current, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0130 - Code review not completed prior to application deployment.<GroupDescription></GroupDescription>ENTD0130Application code must go through a code review prior to deployment into DoD operational networks.<VulnDiscussion>Prior to release of the application receiving an IATO for deployment into a DoD operational network, the application will have a thorough code review. Along with the proper testing, the code review will specify flaws causing security, compatibility, or reliability concerns that may compromise the operational network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSQ-1, ECSC-1, ECSD-1, ECSD-2</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Implement a code review policy for applications before deployment into DoD operational networks.Determine whether there is a policy in place for code review prior to applications being deployed into a DoD operational network. If a code review policy has not been established, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0140 - Source code not restricted to authorized individuals.<GroupDescription></GroupDescription>ENTD0140Access to source code during application development must be restricted to authorized users.<VulnDiscussion>Restricting access to source code and the application to authorized users will limit the risk of source code theft or other potential compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAN-1, ECCD-1, ECLP-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Document all authorized users with access to the development environment and access to source code. If the documentation exists but is not current, bring the documentation up to date.Review the organization's site security plan and documentation to determine whether there is a list of current authorized users. If a current list of authorized users is missing from the site security plan for the test and development environment, this is a finding.
If there isn't any application development occurring in the zone environment, this requirement is not applicable.ENTD0150 - Operational data is not sanitized prior to testing.<GroupDescription></GroupDescription>ENTD0150The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act.<VulnDiscussion>If DoD production data is transferred to a test and development environment and personal or sensitive information has not been sanitized from the data, personal or sensitive information could be exposed or compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Create organizational policies and procedures to prohibit the use of any live operational DoD data or Privacy Act information in the test and development environment.Determine the data type on systems within the test and development environment. Interview the ISSM or ISSO regarding the connection approval process for housing DoD live operational data or Privacy Act information on any test or development system. 
If the test and development environment is using live DoD data or Privacy Act information, this is a finding.ENTD0160 - The test and development environment does have a gateway.<GroupDescription></GroupDescription>ENTD0160The test and development infrastructure must use a gateway to separate access to DoD operational networks.<VulnDiscussion>Acting as the first hop into a test and development environment, the gateway can implement proper routing and provide a first layer of defense against attacks and other unintentional compromise or spillage of sensitive information into the operational network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSP-1, ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Install a gateway to separate the test and development environment from the DoD operational network. Document it in the test and development network diagrams.Review the network diagrams and physically check to see whether the organization has a gateway implemented for the test and development environment. If the organization has not documented or implemented a gateway for the test and development environment, this is a finding.ENTD0170 - PPS does not following the DoDI 8551.1.<GroupDescription></GroupDescription>ENTD0170Ports, protocols, and services visible to DoD operational networks or ISPs must follow DoDI 8551.1 policy.<VulnDiscussion>In accordance with the DoD 8551.1 policy, the test and development environment may require external access to live operational data to perform final stage testing. 
All network connections for the test and development environment must make use of the PPS CAL at the appropriate boundaries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCPP-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Configure all ports, protocols, and services visible to DoD-managed components as described in the DoDI 8551.1 PPSM policy.Review the latest version of the PPS CAL for those ports, protocols, and services visible to DoD-managed components. If the organization is using ports, protocols, or services deemed not acceptable by the PPS CAL or requiring Authorization Official approval without proper documentation, this is a finding. ENTD0180 - A firewall has not been installed to protect the test and development environment.<GroupDescription></GroupDescription>ENTD0180The test and development infrastructure must use a firewall for traffic inspection to and from DoD operational networks.<VulnDiscussion>A firewall is necessary to inspect traffic as it flows into and out of the test and development environment. 
Without a firewall present, traffic could flow freely between the operational network and test and development environment, allowing malicious or other unintended traffic and unauthorized access, compromising a system or environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSP-1, EBBD-1, EBBD-2, EBBD-3, ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Install and configure a firewall to separate DoD operational and test and development environments.Install and configure a firewall to separate DoD operational and test and development environments.ENTD0190 - Data is not transported through a DMZ.<GroupDescription></GroupDescription>ENTD0190The test and development infrastructure must use a DMZ to import and export data between test and development environments and DoD operational networks.<VulnDiscussion>Most systems that reside in the test and development environment require external access using a DoD network as the transport mechanism. Logical access control mechanisms, such as strictly controlled ACLs for both ingress and egress traffic, must be utilized at the environment boundary. The permissible activities for test and development environments include, but are not limited to, user functional acceptance of a product, final stage testing, and development. 
Downloading software from the Internet is acceptable for the environment; however, establish a DMZ for such purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSP-1, EBBD-1, EBBD-2, EBBD-3, ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Configure and implement a DMZ for traffic entering and leaving the test and development environment.Determine whether there is a DMZ properly configured for traffic entering and leaving the test and development environment. If a DMZ for traffic entering and leaving the test and development environment is not implemented, this is a finding.ENTD0220 - No logical separation between network segments.<GroupDescription></GroupDescription>ENTD0220Logical separation must occur between testing and development network segments within the same test and development environment.<VulnDiscussion>Logical network segmentation is a way to restrict access between test and development systems to reduce the chance of code becoming victim to compromise. Since test and development segments may not have the same level of IA assurance, logical separation is required. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSP-1, ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Establish logical separation between test and development network segments in the environment. 
Document the logical separation on the network diagrams.Determine whether logical separation is present between test and development network segments. Review the test and development network diagrams to ensure they have been properly documented. If logical separation has not been established and documented between test and development network segments in the environment, this is a finding.ENTD0230 - Access control lists not in deny-by-default posture.<GroupDescription></GroupDescription>ENTD0230Access control lists between development and testing network segments within a test and development environment must be in a deny-by-default posture.<VulnDiscussion>To prevent malicious or accidental leakage of information between test and development environments, organizations must implement a deny-by-default security posture. All traffic not explicitly permitted must be denied. Such rule sets prevent many malicious exploits or accidental leakage by regulating the ports, protocols, or services necessary between network segments within the test and development environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Implement a deny-by-default security posture for both ingress and egress traffic between network segments in the test and development environment.Determine whether a deny-by-default security posture has been implemented for both ingress and egress traffic for the test and development environment. 
If the organization is not using a deny-by-default security posture for ingress and egress traffic for the test and development environment, this is a finding.

ENTD0240 - Access control lists not in deny-by-default security posture.<GroupDescription></GroupDescription>ENTD0240Access control lists between the test and development environment and DoD operational networks must be in a deny-by-default posture.<VulnDiscussion>To prevent malicious or accidental leakage of traffic between test and development environments and operational networks, organizations must implement a deny-by-default security posture. Perimeter routers, boundary controllers, or firewalls must deny incoming and outgoing traffic not expressly permitted. Such rule sets prevent many malicious exploits or accidental leakage by regulating the ports, protocols, or services necessary to the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Implement a deny-by-default security posture for both ingress and egress traffic between the test and development environment and DoD operational networks.
Determine whether a deny-by-default security posture has been implemented for both ingress and egress traffic between the test and development environment and DoD operational networks. 
If the organization is not using a deny-by-default security posture for traffic between the test and development environment and DoD operational networks, this is a finding.

ENTD0250 - Access control lists not in deny-by-default security posture.<GroupDescription></GroupDescription>ENTD0250Access control lists between the test and development environments must be in a deny-by-default posture.<VulnDiscussion>To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture between test and development environments. All ingress and egress traffic not explicitly permitted between test and development environments must be denied. Such rule sets prevent many malicious exploits or accidental leakage by regulating the ports, protocols, or services necessary to each environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Implement a deny-by-default security posture for both ingress and egress traffic between test and development environments.
Determine whether a deny-by-default security posture has been implemented for both ingress and egress traffic between the test and development environments. 
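The deny-by-default checks in ENTD0230, ENTD0240 and ENTD0250 all ask the same question of a boundary ACL: does each direction end in an explicit catch-all deny, with nothing broader permitted before it? The following audit script is an added example, not part of the STIG; the one-rule-per-line ACL syntax, the first-match semantics and the sample rule set are constructed for illustration and do not correspond to any vendor's configuration format.

```python
# Added example (not part of the STIG): audit a segment-boundary ACL for the
# deny-by-default posture required by ENTD0230/0240/0250, for both ingress
# and egress. Constructed rule syntax, one rule per line, first match wins:
#   <in|out> <permit|deny> <proto> <src> <dst> <port>   ("any" is a wildcard)
from collections import namedtuple

Rule = namedtuple("Rule", "direction action proto src dst port")

def parse_acl(text):
    """Parse the constructed ACL text into Rule tuples, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError("malformed rule: %r" % raw)
        rules.append(Rule(*fields))
    return rules

def catches_everything(r):
    return (r.proto, r.src, r.dst, r.port) == ("any", "any", "any", "any")

def audit_direction(rules, direction):
    """Findings for one direction ("in" or "out"); empty list = compliant."""
    findings = []
    chain = [r for r in rules if r.direction == direction]
    if not chain:
        return ["%s: no rules present; posture rests on an unverified implicit default" % direction]
    for r in chain:
        if catches_everything(r):
            if r.action == "permit":
                findings.append("%s: catch-all 'permit any' makes the posture permit-by-default" % direction)
            break  # first catch-all ends evaluation; anything after it is unreachable
        if r.action == "permit" and r.proto == "any" and r.port == "any":
            # Permitted, but not regulated by port/protocol as the STIG expects.
            findings.append("%s: permit %s -> %s is not scoped to a protocol or port" % (direction, r.src, r.dst))
    else:
        findings.append("%s: no explicit final 'deny any any any any' rule" % direction)
    return findings

def audit_acl(text):
    """Audit ingress and egress together; the finding list is the check result."""
    rules = parse_acl(text)
    return audit_direction(rules, "in") + audit_direction(rules, "out")

# Constructed sample: ACL on the boundary between a development segment
# (10.10.1.0/24) and a test segment (10.10.2.0/24). Ingress is compliant;
# egress has an unscoped permit and a catch-all permit instead of a deny.
SAMPLE_ACL = """
in  permit tcp 10.10.1.0/24 10.10.2.0/24 22     # jump host to test segment
in  permit tcp 10.10.1.0/24 10.10.2.0/24 443
in  deny   any any any any
out permit any 10.10.2.0/24 10.10.1.0/24 any    # too broad: any proto, any port
out permit any any any any                       # permit-by-default egress
"""
```

Running `audit_acl(SAMPLE_ACL)` reports two egress findings and none for ingress; a rule set is in the required posture only when the list comes back empty for both directions.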
If the organization is not using a deny-by-default security posture for traffic between the test and development environments, this is a finding.

ENTD0280 - An approved encryption mechanism is not used for remote access.<GroupDescription></GroupDescription>ENTD0280Remote access into the test and development environment must use an encryption mechanism approved for the classification level of the network.<VulnDiscussion>Remote access to the environment using an unapproved encryption mechanism is inherently dangerous because anyone with a packet sniffer and access to the network can acquire the device's account and password information. With this intercepted information, a malicious user could gain access to the device, cause denial of service attacks, intercept sensitive information, or perform other destructive actions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>EBRU-1, ECCT-1, ECCT-2</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Implement an approved encryption mechanism for the classification of the network for remote access. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard.
Determine whether the proper encryption standard is deployed for the classification of the network where remote access is performed. Unclassified/FOUO or any need-to-know data will need to use a FIPS 140-2 validated cryptographic module. Classified traffic must use an NSA approved encryption standard. 
If the proper encryption standard is not in use for remote access, this is a finding.

ENTD0300 - Remote access VPN policies do not disable split tunneling.<GroupDescription></GroupDescription>ENTD0300Remote access VPNs must prohibit the use of split tunneling on VPN connections.<VulnDiscussion>The VPN software on a host can be configured in either of two modes. It can be set to encrypt all IP traffic originating from that host, and send all of that traffic to the remote IP address of the network gateway. This configuration is called “tunnel-all” mode, because all IP traffic from the host must traverse the VPN tunnel to the remote system, where it will either be processed or further forwarded to additional IP addresses after decryption. Alternately, the VPN software can be set only to encrypt traffic that is specifically addressed to an IP at the other end of the VPN tunnel. All other IP traffic bypasses the VPN encryption and routing process, and is handled by the host as if the VPN relationship did not exist. This configuration is called “split-tunnel” mode, because the IP traffic from the host is split between encrypted packets sent across the VPN tunnel and unencrypted packets sent to all other external addresses. There are security and operational implications in the decision of whether to use split-tunnel or tunnel-all mode. Placing a host in tunnel-all mode makes it appear to the rest of the world as a node on the connected logical (VPN-connected) network. It no longer has an identity to the outside world based on the local physical network. In tunnel-all mode, all traffic between the remote host and any other host can be subject to inspection and processing by the security policy devices of the remote VPN-linked network. 
This improves the security aspects of the connected network, since it can enforce all security policies on the VPN-connected computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Configure VPNs to prohibit split tunneling when connecting to the test and development environment.
Determine whether split tunneling is prohibited for remote access VPNs connecting to the test and development environment. If the VPN policy allows split tunneling, this is a finding.

ENTD0330 - Operational and test and development VMs share the same host.<GroupDescription></GroupDescription>ENTD0330Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines.<VulnDiscussion>Virtual machines can be attacked from other VMs on the same host through denial of service and other attacks, potentially exposing sensitive data such as source code used in application development. 
It is imperative to keep DoD operational virtual machines on physically separate platforms from test and development virtual machines.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Engineer a solution to use separate physical hosts for DoD operational and T&D virtual machines.
Review the system plan to determine whether physical hosts are sharing DoD operational and test and development virtual machines.

ENTD0360 - Test and development data not securely downloaded.<GroupDescription></GroupDescription>ENTD0360Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment.<VulnDiscussion>It is mandatory that data from an untrusted network or website that is to be used in a testing and development environment be downloaded through a secure perimeter. Bringing data directly from an untrusted network or downloaded from a personal computer or home Internet connection must be prohibited. Scanning data is crucial to ensure the integrity of the information prior to deployment for T&D processes. While not an all-inclusive list, data in this situation includes OS patches, application updates, operating systems, development tools, and test data. In the T&D environment, there will typically be one or more IA-compliant systems accessing a secure Internet connection. If a secure Internet connection is not available, such as in Zone D, a connection in another zone can be used and the data moved by approved physical media into the zone. 
Scanning the data with an anti-virus program will reduce the risk of exploits and of having vulnerable systems in the T&D environment taken over. Downloading data from a single workstation for all zone environments is acceptable. Organizations with NIPRNet connections must download all data through their NIPR connection for scanning at the IAPs. Contractors or other DoD organizations without any direct NIPRNet connectivity will need to use a secure Internet connection following all applicable DoD IA policy and STIG requirements. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132
1. Deploy an IA-compliant system to download data.
2. Configure the IA-compliant system to download data through a secure, IA-compliant connection.
A. If your organization has a NIPRNet connection, data must be downloaded through the DoD IAP.
B. If your organization does not have a NIPRNet connection, data must be downloaded through a secure, IA-compliant connection.
1. Verify an IA-compliant system has been deployed to scan downloaded data prior to deployment into the T&D environment. Also, review the zone diagrams to ensure the workstation is documented appropriately.
2. Determine if the organization has a NIPRNet connection.
A. If the organization has a NIPRNet connection, data must be downloaded through the DoD IAP.
B. If the organization does not have a NIPRNet connection, data must be downloaded through a secure, IA-compliant connection.
If the organization does not download and scan the downloaded data on a dedicated IA-compliant system over a secure, IA-compliant connection, this is a finding.

ENTD0370 - Policy and procedures document not created for proper data handling.<GroupDescription></GroupDescription>ENTD0370The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment.<VulnDiscussion>Without policies and procedures in place, the organization will not have the authority to hold personnel accountable for improperly handling or transporting data into the test and development environment. The documents need to include guidance for both physical and electronic data migration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Test Enclave - Zone BDISADPMS TargetTest Enclave - Zone B1132Create a policy for, and document the procedure of, proper handling of data transported into the test and development environment. This document must include information for physical and electronic handling and migration of data.
Review the organization's policies and procedures document to ensure proper handling of data being transported into the test and development environment. This document must include information for physical and electronic migration of data.
If the organization does not have a policy and procedures document created or available for review, this is a finding.