STIGQter: STIG Summary: Test and Development Zone A Security Technical Implementation Guide

Version: 1

Release: 5

Benchmark Date: 26 Oct 2018

| Name | Title |
| --- | --- |
| SV-51202r1_rule | Network infrastructure and systems supporting the test and development environment must be documented within the organization's accreditation package. |
| SV-51203r1_rule | Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider. |
| SV-51291r1_rule | Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system. |
| SV-51292r1_rule | Network infrastructure and systems supporting the test and development environment must be managed from a management network. |
| SV-51293r1_rule | The organization must document impersistent connections to the test and development environment with approval by the organization's Authorizing Official. |
| SV-51294r1_rule | Application development must not occur on DoD operational network segments. |
| SV-51295r1_rule | Development systems must have antivirus installed and enabled with up-to-date signatures. |
| SV-51296r1_rule | Development systems must have HIDS or HIPS installed and configured with up-to-date signatures. |
| SV-51297r1_rule | Development systems must have a firewall installed, configured, and enabled. |
| SV-51298r1_rule | Development systems must be part of a patch management solution. |
| SV-51299r1_rule | A change management policy must be implemented for application development. |
| SV-51469r1_rule | The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks. |
| SV-51472r1_rule | Application code must go through a code review prior to deployment into DoD operational networks. |
| SV-51477r1_rule | Access to source code during application development must be restricted to authorized users. |
| SV-51479r2_rule | The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act. |
| SV-51485r1_rule | The test and development infrastructure must use a gateway to separate access to DoD operational networks. |
| SV-51487r1_rule | Ports, protocols, and services visible to DoD operational networks or ISPs must follow DoDI 8551.1 policy. |
| SV-51494r1_rule | The test and development infrastructure must use a firewall for traffic inspection to and from DoD operational networks. |
| SV-51529r1_rule | Access control lists between development and testing network segments within a test and development environment must be in a deny-by-default posture. |
| SV-51530r1_rule | Access control lists between the test and development environment and DoD operational networks must be in a deny-by-default posture. |
| SV-51531r1_rule | Access control lists between the test and development environments must be in a deny-by-default posture. |
| SV-51534r1_rule | Remote access into the test and development environment must use an encryption mechanism approved for the classification level of the network. |
| SV-51536r1_rule | Remote access VPNs must prohibit the use of split tunneling on VPN connections. |
| SV-51538r1_rule | Installation of operating systems on systems and devices in the test and development environment must be logically separated to prohibit access to any operational network. |
| SV-51539r1_rule | Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines. |
| SV-54070r1_rule | Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment. |
| SV-56070r1_rule | The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment. |