| Finding ID |
Severity |
Title |
Description |
|
V-259871
|
High |
The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) Cloud Service to use DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication. |
To provide assurances that certificates are validated by the correct responders, the Mission Owner must ensure they are using a valid DOD OCSP responder for remote system DOD Common Access Card (CAC) two-factor authentication of DOD privileged users to systems instantiated within the cloud service environment.
When a Mission Owner... |
|
V-259870
|
High |
The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform to use certificate path validation to ensure revoked user credentials are prohibited from establishing a user or machine session. |
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.
Certification path validation includes checks such as certificate issuer trust,... |
|
V-259867
|
High |
For Infrastructure as a Service (IaaS)/Platform as a Service (PaaS), the Mission Owner must configure an intrusion detection and prevention system (IDPS) to protect DOD virtual machines (VMs), services, and applications. |
Network environments and applications installed using an IaaS/PaaS cloud service offering where the Mission Owner has control over the environment must comply with DOD network infrastructure and host policies. Putting an application in the cloud does not take care of all security responsibilities.
Without coordinated reporting between cloud service environments... |
|
V-259864
|
High |
The Mission Owner's internet-facing applications must be configured to traverse the Cloud Access Point (CAP) and Virtual Datacenter Security Stack (VDSS) prior to communicating with the internet. |
The CAP and VDSS architectures mitigate potential damages to the Defense Information Systems Network (DISN) and provide the ability to detect and prevent an attack before it reaches the DISN.
All traffic bound for the internet will traverse the BCAP/ICAP and IAP. Mission applications may be internet facing; internet-facing applications... |
|
V-259863
|
High |
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must implement a security stack that restricts traffic flow inbound and outbound between the IaaS and the Boundary Cloud Access Point (BCAP) or Internal Cloud Access Point (ICAP) connection. |
DOD users on the internet may first connect to their assigned Defense Information Systems Network (DISN) Virtual Private Network (VPN) before accessing DOD private applications. The virtual environment may be composed of an array of cloud service offerings from a particular cloud service provider (CSP). The DISN security architecture provides... |
|
V-259869
|
Medium |
The Mission Owner of the Infrastructure as a Service (IaaS) must continuously monitor outbound communications to other systems and enclaves for unusual or unauthorized activities or conditions. |
Evidence of malicious code is used to identify potentially compromised information systems or information system components.
Unusual/unauthorized activities or conditions related to outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of... |
|
V-259868
|
Medium |
The Mission Owner of the Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) must continuously monitor and protect inbound communications from external systems, other IaaS within the same cloud service environment, or collocated mission applications for unusual or unauthorized activities or conditions. |
Evidence of malicious code is used to identify potentially compromised information systems or information system components.
Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized... |
|
V-259866
|
Medium |
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must be configured to maintain separation of all management and data traffic. |
The Virtual Datacenter Management system provides a management plane for privileged access and communications. Separation of management and user traffic, including access to the customer service portal, is provided to the DOD Mission Owner by the cloud service provider (CSP) to provision and configure cloud service offerings.
Additionally, service endpoints... |
|
V-259865
|
Medium |
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements. |
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
Implement scanning using an ACAS server in accordance with USCYBERCOM TASKORD 13-670.
- Use an... |
