STIGQter: STIG Summary: Test and Development Zone D Security Technical Implementation Guide Version: 1 Release: 5 Benchmark Date: 26 Oct 2018:

The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act.

DISA Rule

SV-51479r2_rule

Vulnerability Number

V-39621

Group Title

ENTD0150 - Operational data is not sanitized prior to testing.

Rule Version

ENTD0150

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Create organizational policies and procedures to prohibit the use of any live operational DoD data or Privacy Act information in the test and development environment.

Check Contents

Determine the data type on systems within the test and development environment. Interview the ISSM or ISSO regarding the connection approval process for housing DoD live operational data or Privacy Act information on any test or development system. If the test and development environment is using live DoD data or Privacy Act information, this is a finding.

Vulnerability Number

V-39621

Documentable

False

Rule Version

ENTD0150

Severity Override Guidance

Determine the data type on systems within the test and development environment. Interview the ISSM or ISSO regarding the connection approval process for housing DoD live operational data or Privacy Act information on any test or development system. If the test and development environment is using live DoD data or Privacy Act information, this is a finding.

Check Content Reference

M

Target Key

1134

Comments