Check: SRG-NET-000205-CLD-000060
Cloud Computing Mission Owner SRG:
SRG-NET-000205-CLD-000060
(in version v1 r0.1)
Title
The Mission Owner of the PaaS/IaaS must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements. (Cat II impact)
Discussion
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.

Implement scanning using an ACAS server IAW USCYBERCOM TASKORD 13-670.
- Use an ACAS Security Center server within NIPRNet or within an associated common virtual services environment in the same CSO.
- Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center.

Impact Level 2: Applies to IaaS/PaaS CSOs where the Mission Owner has control over the environment. In this case, Mission Owners must provide their own enclave boundary protections or leverage an enterprise level application protection service (i.e., the Virtual Datacenter Security Stack [VDSS]/Virtual Datacenter Management Suite [VDMS] portion of the SCCA) instantiated within the same CSO.
Check Content
If this is a SaaS, this is not applicable. This applies to all Impact Levels. Review the configuration of the IaaS/PaaS. Verify that the IP address of an ACAS server is configured. Verify the flaw remediation data is also being communicated to the Cybersecurity Service Provider (CSSP). If the PaaS/IaaS does not implement scanning using an ACAS server or CSP provided solution that meets DOD scanning and reporting requirements, this is a finding.
Fix Text
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IP address of an ACAS server or another solution that meets DOD scanning and reporting requirements.
Additional Identifiers
Rule ID: SRG-NET-000205-CLD-000060_rule
Vulnerability ID: SRG-NET-000205-CLD-000060
Group Title: SRG-NET-000205-CLD-000060
CCIs
Number | Definition |
---|---|
CCI-001097 | The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system. |
Controls
Number | Title |
---|---|
SC-7 | Boundary Protection |