STIGQter: STIG Summary: Test and Development Zone D Security Technical Implementation Guide, Version: 1, Release: 5, Benchmark Date: 26 Oct 2018

Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment.

DISA Rule

SV-54070r1_rule

Vulnerability Number

V-41494

Group Title

ENTD0360 - Test and development data not securely downloaded.

Rule Version

ENTD0360

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Deploy an IA-compliant system to download data.

2. Configure the IA-compliant system to download data through a secure, IA-compliant connection.
A. If your organization has a NIPRNet or connection, data must be downloaded through the DoD IAP.

B. If your organization does not have a NIPRNet or connection, data must be downloaded through a secure, IA-compliant connection.

Check Contents

1. Verify an IA-compliant system has been deployed to scan downloaded data prior to deployment into the T&D environment. Also, review the zone diagrams to ensure the workstation is documented appropriately.

2. Determine if the organization has a NIPRNet connection.
A. If the organization has a NIPRNet connection, data must be downloaded through the DoD IAP.

B. If the organization does not have a NIPRNet connection, data must be downloaded through a secure, IA-compliant connection.

If the organization does not download the data to a dedicated IA-compliant system over a secure, IA-compliant connection and scan it there, this is a finding.

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

1134

Comments