Test and Development Zone B Security Technical Implementation Guide


Overview

Date: 2018-09-17
Finding Count (28): CAT I (High): 3, CAT II (Med): 24, CAT III (Low): 1

STIG Description
The Test & Development Zone A STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-39663 High Access control lists between the test and development environment and DoD operational networks must be in a deny-by-default posture.
V-39636 High The test and development infrastructure must use a firewall for traffic inspection to and from DoD operational networks.
V-39437 High Development systems must have antivirus installed and enabled with up-to-date signatures.
V-39667 Medium Remote access into the test and development environment must use an encryption mechanism approved for the classification level of the network.
V-39664 Medium Access control lists between the test and development environments must be in a deny-by-default posture.
V-39629 Medium Ports, protocols, and services visible to DoD operational networks or ISPs must follow DoDI 8551.1 policy.
V-39661 Medium Logical separation must occur between testing and development network segments within the same test and development environment.
V-39621 Medium The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act.
V-39627 Medium The test and development infrastructure must use a gateway to separate access to DoD operational networks.
V-39669 Medium Remote access VPNs must prohibit the use of split tunneling on VPN connections.
V-43317 Medium The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment.
V-39440 Medium Development systems must be part of a patch management solution.
V-39441 Medium A change management policy must be implemented for application development.
V-39611 Medium The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks.
V-39614 Medium Application code must go through a code review prior to deployment into DoD operational networks.
V-39619 Medium Access to source code during application development must be restricted to authorized users.
V-39658 Medium The test and development infrastructure must use a DMZ to import and export data between test and development environments and DoD operational networks.
V-39672 Medium Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines.
V-39344 Medium Network infrastructure and systems supporting the test and development environment must be documented within the organization's accreditation package.
V-39439 Medium Development systems must have a firewall installed, configured, and enabled.
V-39438 Medium Development systems must have HIDS or HIPS installed and configured with up-to-date signatures.
V-41494 Medium Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment.
V-39433 Medium Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system.
V-39345 Medium Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider.
V-39436 Medium Application development must not occur on DoD operational network segments.
V-39435 Medium The organization must document impersistent connections to the test and development environment with approval by the organization's Authorizing Official.
V-39434 Medium Network infrastructure and systems supporting the test and development environment must be managed from a management network.
V-39662 Low Access control lists between development and testing network segments within a test and development environment must be in a deny-by-default posture.