Finding ID | Severity | Title | Description |
--- | --- | --- | --- |
V-39665 | High | Tunneling mechanisms must be used for data transmission between interconnected organizations. | Using tunnels prevents data shared between interconnecting sites from leaking onto untrusted networks. These mechanisms are vital for transit over an untrusted network so sensitive... |
V-39437 | High | Development systems must have antivirus installed and enabled with up-to-date signatures. | Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Utilizing the most current... |
V-39666 | Medium | Sensitive data transmitted between interconnected organizations must be encrypted using an approved mechanism for the classification level of the data transmitted. | The use of encryption at the appropriate level to secure the confidentiality and integrity of sensitive information is imperative to ensure a data breach does not occur when transiting a transport... |
V-39660 | Medium | The test and development environment must not have access to DoD operational networks. | Systems or devices used for test data that do not meet minimum IA standards for accreditation are a risk to a DoD operational network if allowed to communicate between environments. Data that has... |
V-39621 | Medium | The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act. | If DoD production data is transferred to a test and development environment and personal or sensitive information has not been sanitized from the data, personal or sensitive information could be... |
V-43317 | Medium | The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment. | Without policies and procedures in place, the organization will not have the authority to hold personnel accountable for improperly handling or transporting data into the test and development... |
V-39440 | Medium | Development systems must be part of a patch management solution. | Major software vendors release security patches and hotfixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to... |
V-39441 | Medium | A change management policy must be implemented for application development. | Change management is the formal process that ensures every change made to a system or application receives review and approval. Change management reduces impacts from proposed... |
V-39611 | Medium | The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks. | Without the approval of the Change Control Authority, data moved from the test and development network into an operational network could contain malicious code or cause other... |
V-39614 | Medium | Application code must go through a code review prior to deployment into DoD operational networks. | Before an application receives an IATO (Interim Authority to Operate) for deployment into a DoD operational network, it must undergo a thorough code review. Along with the proper testing, the code... |
V-39619 | Medium | Access to source code during application development must be restricted to authorized users. | Restricting access to source code and the application to authorized users will limit the risk of source code theft or other potential compromise. |
V-39673 | Medium | Organizations interconnecting test and development environments must have MOAs, MOUs, and SLAs properly documented. | Prior to establishing a connection with another organization, a Memorandum of Understanding (MOU), Memorandum of Agreement (MOA), and/or Service Level Agreement (SLA) must be established between... |
V-39672 | Medium | Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines. | Attacks from other VMs on the same physical host, such as denial of service and other attacks, can potentially steal sensitive data such as source code used in application development. It is imperative to... |
V-39439 | Medium | Development systems must have a firewall installed, configured, and enabled. | A firewall provides a line of defense against malicious attacks. To be effective, it must be enabled and properly configured. |
V-39438 | Medium | Development systems must have HIDS or HIPS installed and configured with up-to-date signatures. | A HIDS or HIPS application is a secondary line of defense behind the antivirus. The application will monitor all ports and the dynamic state of a development system. If the application detects... |
V-41494 | Medium | Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment. | It is mandatory that data from an untrusted network or website that is to be used in a testing and development environment be downloaded through a secure perimeter. Bringing data directly from an... |
V-39433 | Medium | Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system. | An asset management system is used to send out notifications on vulnerabilities in commercial and military information infrastructures as they are discovered. If the organization's assets are not... |
V-39345 | Medium | Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider. | Prior to connecting to a live operational network, such as the DISN, systems must, at minimum, receive an IATO. A system without an IATO does not demonstrate adequate effort to meet IA controls and security... |
V-39344 | Medium | Network infrastructure and systems supporting the test and development environment must be documented within the organization's accreditation package. | Up-to-date documentation is essential in assisting with the management, auditing, and security of the network infrastructure used to support the test and development environment. Network diagrams... |
V-39435 | Medium | The organization must document impersistent connections to the test and development environment with approval by the organization's Authorizing Official. | An impersistent connection is any temporary (non-persistent) connection needed to another test and development environment or DoD operational network where testing is not otherwise feasible. As any unvetted connection or... |
V-39434 | Medium | Network infrastructure and systems supporting the test and development environment must be managed from a management network. | It is important to restrict administrative access to the supporting network infrastructure and systems in the test and development environment, as it reduces the risk of data theft or interception... |
V-39668 | Low | The organization must prohibit remote access from external networks to the test and development environment. | Because the test and development environment is a closed network, any network or remote access from outside the designated environment boundaries is prohibited. Allowing remote access from an... |