Title

The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks. (Cat II impact)

Discussion

Without the approval of the Change Control Authority, data moved from the test and development network into an operational network could pose a risk of containing malicious code or cause other unintended consequences to live operational data. Data moving into operational networks from final stage preparation must always be vetted and approved.

Check Content

Review the change control documentation for the environment to determine whether the organization has prior approval to move data from the test and development environment to the operational network after final testing. If the organization does not keep a change control log or the log exists but is not current, this is a finding. If there isn't any application development occurring in the zone environment, this requirement is not applicable.

Fix Text

Create a policy to document all finalized projects to gain approval by the Change Control Authority prior to deploying finalized projects to a DoD operational network.

Additional Identifiers

Rule ID: SV-51469r1_rule

Vulnerability ID: V-39611

Group Title: ENTD0120 - Applications moving to operational networks not approved.

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.