Check: SRG-NET-000370-CLD-000120
Cloud Computing Mission Owner SRG:
SRG-NET-000370-CLD-000120
(in version v1 r0.1)
Title
The IaaS/PaaS/SaaS must register the service/application with the DOD allowlist for both internet-facing, inbound and outbound traffic. (Cat II impact)
Discussion
Register the service/application with the DOD DMZ allowlist for both inbound and outbound traffic if that traffic will cross the IAPs. Utilizing an allowlist provides a configuration management method for permitting the execution of only authorized software, ports, protocols, and guest VMs. Using only authorized software decreases risk by limiting the number of potential vulnerabilities and by preventing the execution of malware.

Cloud approval documentation should include the approved ports and protocols, including allowlisted mission application traffic and service access from the Internet via the DISN Internet Access Point (IAP). If all or a portion of the mission owner's cloud-based Level 4/5 systems/applications connected through the BCAP are to be internet accessible, that traffic is required to traverse the DISN IAPs, and the system's/application's URLs/IP addresses must be registered with the DOD DMZ allowlist. Traffic that will typically traverse the IAP is management traffic for Level 2 off-premises systems/applications and user-plane traffic to/from internet-facing Level 4/5 systems/applications. Such traffic and IP addresses may be blocked at the IAP if they are not registered in the allowlist.
Check Content
Request the cloud service Provisional Authorization (PA) and registration documentation. Verify the IaaS/PaaS/SaaS service/application is registered with the DOD allowlist for both inbound and outbound traffic when that traffic will cross the IAPs. If the system/service/application is not registered with the DOD allowlist for both inbound and outbound internet-facing traffic, this is a finding.
Fix Text
This applies to all Impact Levels and to FedRAMP Moderate and High. Coordinate with the CSSP during cloud architecture development to ensure required security-relevant data will be accessible via the CSP/CSO, a third-party security service subscription, and/or native API capability. Register the IaaS/PaaS/SaaS service/application with the DOD allowlist for both inbound and outbound traffic. Configure the DOD allowlist with only the ports and protocols needed to support the applications and services used in the cloud environment.
Additional Identifiers
Rule ID: SRG-NET-000370-CLD-000120_rule
Vulnerability ID: SRG-NET-000370-CLD-000120
Group Title: SRG-NET-000370-CLD-000120
CCIs
Number | Definition
---|---
CCI-001774 | The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.
Controls
Number | Title
---|---
CM-7 (5) | Authorized Software / Whitelisting