Title

The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs. (Cat III impact)

Discussion

Requirement: The DSN PMO and/or site command/management will ensure that “compliance with all applicable STIGs” requirements and validation measures are added to specifications and contracts for commercially leased or procured telecommunications services or systems.STIG compliance is DoD policy and must be accomplished to the greatest extent possible so that any information system may be Certified and Accredited, operated, and connected to other systems if applicable. Placing this requirement in procurement contracts puts the vendor on notice that their product or solution must support these DoD policy requirements.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Additional Identifiers

Rule ID: SV-8836r1_rule

Vulnerability ID: V-8341

Group Title: “STIG Compliance” not required in contracts

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.