Check: SRG-NET-000205-CLD-000040
Cloud Computing Mission Owner SRG:
SRG-NET-000205-CLD-000040
(in version v1 r0.1)
Title
The Mission Owner's internet-facing applications must be configured to traverse the CAP and VDSS prior to communicating with the internet. (Cat I impact)
Discussion
The Cloud Access Point (CAP) and Virtual Datacenter Security Stack (VDSS) architectures mitigate potential damage to the DISN and provide the ability to detect and prevent an attack before it reaches the DISN. All traffic bound for the internet will traverse the Boundary CAP (BCAP) or Internal CAP (ICAP) and the Internet Access Point (IAP). Mission applications may be internet-facing; internet-facing applications can be non-restricted or restricted (requiring CAC authentication). DOD users on the internet may first connect into their assigned DISN Virtual Private Network (VPN) before accessing Mission Owner enclave or private applications.
Check Content
If the service is SaaS, this is not a finding. If the service is Impact Level 2 and the CSP controls the environment, this is not a finding. Otherwise, verify that virtual internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the internet. If virtual internet-facing applications permit direct access to the CSP or the internet, bypassing the CAP and VDSS, this is a finding.
Fix Text
This applies to all Impact Levels and to the FedRAMP Moderate and High baselines. Configure virtual internet-facing applications to traverse the CAP and VDSS prior to communicating with the internet.
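One way to operationalize the check above for an IaaS deployment, as an added example that is not part of the SRG: audit the route tables attached to the application subnets and flag every route for an external destination whose next hop is not the VDSS entry point. A default route to an internet gateway or NAT gateway is the obvious case, but a more-specific public route alongside a compliant default route bypasses the VDSS just as effectively, so the audit looks at every external-bound route rather than only 0.0.0.0/0. The record layout mirrors AWS EC2 DescribeRouteTables output; the sample tables, subnet IDs and the VDSS next-hop IDs are constructed for this example, and the assumption that the VDSS is reached through a Transit Gateway or Gateway Load Balancer endpoint is the example's, not the SRG's.

```python
"""Audit route tables for internet egress that bypasses the CAP/VDSS.

Added example for the SRG check; not part of the SRG text. Data is shaped
like AWS EC2 DescribeRouteTables output but constructed inline so it runs
offline. Assumption (not from the SRG): the VDSS is reached through the
next hops listed in VDSS_TARGETS (hypothetical IDs).
"""
import ipaddress

# Hypothetical next-hop IDs that lead into the VDSS (assumption, not from the SRG).
VDSS_TARGETS = {"tgw-0a1b2c3d4e5f60001", "vpce-0f1e2d3c4b5a60002"}
# Next hops that hand traffic straight to the internet: internet gateway,
# NAT gateway, egress-only internet gateway.
DIRECT_INTERNET_PREFIXES = ("igw-", "nat-", "eigw-")
# Destinations treated as internal; a default route or anything else is external.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Route attributes that can carry the next hop in DescribeRouteTables output.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId", "VpcEndpointId",
               "NetworkInterfaceId", "InstanceId", "VpcPeeringConnectionId",
               "EgressOnlyInternetGatewayId")


def is_external_destination(cidr):
    """True for a default route or any destination outside the private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)


def route_target(route):
    """Return the route's next-hop ID, whichever attribute carries it."""
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return None


def audit_route_tables(route_tables, vdss_targets=VDSS_TARGETS):
    """Return one record per external-bound route that does not enter the VDSS.

    status is "finding" for a direct internet path and "review" for any other
    next hop not registered as a VDSS entry point (e.g. a peering connection).
    """
    results = []
    for table in route_tables:
        subnets = [a["SubnetId"] for a in table.get("Associations", []) if "SubnetId" in a]
        for route in table.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if not dest or route.get("State") == "blackhole":
                continue
            target = route_target(route)
            if target == "local" or not is_external_destination(dest):
                continue
            if target in vdss_targets:
                continue  # external traffic is steered into the VDSS: compliant
            if target is not None and target.startswith(DIRECT_INTERNET_PREFIXES):
                status, reason = "finding", "direct internet egress bypasses CAP/VDSS"
            else:
                status, reason = "review", "external route to a next hop not registered as VDSS"
            results.append({"RouteTableId": table["RouteTableId"], "Subnets": subnets,
                            "Destination": dest, "Target": target,
                            "status": status, "reason": reason})
    return results


# Constructed sample tables (IDs are made up); comments state the expected verdict.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-app-direct", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},  # finding
    {"RouteTableId": "rtb-app-vdss", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0a1b2c3d4e5f60001"},
                {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0123456789abcdef0"}]},  # finding: specific route bypasses VDSS
    {"RouteTableId": "rtb-app-nat", "Associations": [{"SubnetId": "subnet-app-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-0a1b2c3d4e5f60001"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210"}]},  # finding: NAT is still direct
    {"RouteTableId": "rtb-app-v6", "Associations": [{"SubnetId": "subnet-app-d"}],
     "Routes": [{"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-00000000000000001"}]},  # finding
    {"RouteTableId": "rtb-app-peered", "Associations": [{"SubnetId": "subnet-app-e"}],
     "Routes": [{"DestinationCidrBlock": "198.18.0.0/15", "VpcPeeringConnectionId": "pcx-0abc0abc0abc0abc0"}]},  # review
    {"RouteTableId": "rtb-app-isolated", "Associations": [{"SubnetId": "subnet-app-f"}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"}]},  # nothing to report
]

if __name__ == "__main__":
    for r in audit_route_tables(SAMPLE_ROUTE_TABLES):
        print(f"{r['status'].upper():7} {r['RouteTableId']:16} {r['Destination']:16} "
              f"-> {r['Target']}: {r['reason']}")
```

The audit covers only the egress path the check names; inbound exposure (public IPs, load balancers, security groups or NSGs that admit internet sources) needs a separate review. In a live assessment, replace SAMPLE_ROUTE_TABLES with the `RouteTables` list returned by `ec2.describe_route_tables()` from boto3 and keep only the tables whose associations cover the application subnets.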
Additional Identifiers
Rule ID: SRG-NET-000205-CLD-000040_rule
Vulnerability ID: SRG-NET-000205-CLD-000040
Group Title: SRG-NET-000205-CLD-000040
CCIs
Number | Definition |
---|---|
CCI-001097 | The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system. |
Controls
Number | Title |
---|---|
SC-7 | Boundary Protection |