STIGQter: STIG Summary:

Test and Development Zone C Security Technical Implementation Guide

Version: 1

Release: 5

Benchmark Date: 26 Oct 2018

Name | Title
SV-51202r1_rule | Network infrastructure and systems supporting the test and development environment must be documented within the organizations accreditation package.
SV-51203r1_rule | Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider.
SV-51291r1_rule | Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system.
SV-51292r1_rule | Network infrastructure and systems supporting the test and development environment must be managed from a management network.
SV-51293r1_rule | The organization must document impersistent connections to the test and development environment with approval by the organizations Authorizing Official.
SV-51295r1_rule | Development systems must have antivirus installed and enabled with up-to-date signatures.
SV-51296r1_rule | Development systems must have HIDS or HIPS installed and configured with up-to-date signatures.
SV-51297r1_rule | Development systems must have a firewall installed, configured, and enabled.
SV-51298r1_rule | Development systems must be part of a patch management solution.
SV-51299r1_rule | A change management policy must be implemented for application development.
SV-51469r1_rule | The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks.
SV-51472r1_rule | Application code must go through a code review prior to deployment into DoD operational networks.
SV-51477r1_rule | Access to source code during application development must be restricted to authorized users.
SV-51479r2_rule | The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act.
SV-51527r1_rule | The test and development environment must not have access to DoD operational networks.
SV-51532r1_rule | Tunneling mechanisms must be used for data transmission between interconnected organizations.
SV-51533r1_rule | Sensitive data transmitted between interconnected organizations must be encrypted using an approved mechanism for the classification level of the data transmitted.
SV-51535r1_rule | The organization must prohibit remote access from external networks to the test and development environment.
SV-51539r1_rule | Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines.
SV-51540r1_rule | Organizations interconnecting test and development environments must have MOAs, MOUs, and SLAs properly documented.
SV-54070r1_rule | Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment.
SV-56070r1_rule | The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment.