| Checked | Name | Title |
|---|
| ☐ | SV-8532r3_rule | Network topology diagrams for the enclave must be maintained and up to date at all times. |
| ☐ | SV-8533r3_rule | All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements. |
| ☐ | SV-8534r4_rule | External connections to the network must be reviewed and the documentation updated semi-annually. |
| ☐ | SV-8535r3_rule | The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment. |
| ☐ | SV-8537r4_rule | Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.). |
| ☐ | SV-8538r4_rule | External network connections must not bypass the enclaves perimeter security. |
| ☐ | SV-8540r3_rule | All network infrastructure devices must be located in a secure room with limited access. |
| ☐ | SV-8546r2_rule | A centralized syslog server must be deployed in the management network. |
| ☐ | SV-8547r2_rule | Current and previous network element configurations must be stored in a secured location. |
| ☐ | SV-8552r3_rule | When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ). |
| ☐ | SV-8564r3_rule | The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data. |
| ☐ | SV-8566r2_rule | The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor. |
| ☐ | SV-8567r3_rule | The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked. |
| ☐ | SV-8585r3_rule | Dynamic Host Configuration Protocol (DHCP) audit and event logs must record hostnames and MAC addresses to be stored online for thirty days and offline for one year. |
| ☐ | SV-8586r3_rule | Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days. |
| ☐ | SV-8758r3_rule | An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave. |
| ☐ | SV-12294r5_rule | A deny-by-default security posture must be implemented for traffic entering and leaving the enclave. |
| ☐ | SV-12654r2_rule | All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA). |
| ☐ | SV-12655r2_rule | Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments. |
| ☐ | SV-15259r4_rule | If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router. |
| ☐ | SV-15263r4_rule | All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ). |
| ☐ | SV-15265r4_rule | All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension. |
| ☐ | SV-15268r6_rule | The organization must implement a deep packet inspection solution when protecting perimeter boundaries. |
| ☐ | SV-15442r2_rule | An Out-of-Band (OOB) management network must be deployed for MAC I systems or 24x7 personnel must have console access for device management. |
| ☐ | SV-15473r2_rule | Two-factor authentication must be implemented to restrict access to all network elements. |
| ☐ | SV-15493r6_rule | Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network. |
| ☐ | SV-15494r3_rule | Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation. |
| ☐ | SV-15496r2_rule | DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure. |
| ☐ | SV-15497r2_rule | Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility. |
| ☐ | SV-15498r2_rule | Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation. |
| ☐ | SV-15499r2_rule | Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15. |
| ☐ | SV-15501r2_rule | VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information. |
| ☐ | SV-18981r2_rule | A dedicated management network must be implemented. |
| ☐ | SV-19152r2_rule | Two Network Time Protocol (NTP) servers must be deployed in the management network. |
| ☐ | SV-20025r2_rule | An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers. |
| ☐ | SV-20027r2_rule | An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers. |
| ☐ | SV-20028r2_rule | An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers. |
| ☐ | SV-20031r2_rule | Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations. |
| ☐ | SV-20032r2_rule | Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic. |
| ☐ | SV-20039r2_rule | Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly. |
| ☐ | SV-20041r2_rule | If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed. |
| ☐ | SV-20042r2_rule | If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors. |
| ☐ | SV-20045r2_rule | The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration. |
| ☐ | SV-20046r2_rule | The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files. |
| ☐ | SV-28616r3_rule | The organization must encrypt all network device configurations while stored offline. |
| ☐ | SV-41919r3_rule | All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC). |
| ☐ | SV-41924r7_rule | Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave. |
| ☐ | SV-44284r2_rule | A policy must be implemented to keep Bogon/Martian rulesets up to date. |
| ☐ | SV-80839r1_rule | Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established. |
| ☐ | SV-80841r1_rule | Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year. |
| ☐ | SV-80843r1_rule | Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available. |
| ☐ | SV-80845r1_rule | Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers. |
| ☐ | SV-80847r1_rule | Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. |
| ☐ | SV-80851r1_rule | Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches. |
| ☐ | SV-80853r1_rule | A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic. |
| ☐ | SV-80855r1_rule | Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing. |
| ☐ | SV-80857r1_rule | A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic. |
| ☐ | SV-80859r1_rule | The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge. |
| ☐ | SV-80861r1_rule | The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge. |
| ☐ | SV-80863r1_rule | Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups. |
| ☐ | SV-80865r1_rule | Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups. |
| ☐ | SV-80869r1_rule | Multicast register messages must be rate limited per each source-group (S, G) entry. |
| ☐ | SV-80871r1_rule | Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization. |
| ☐ | SV-80879r1_rule | The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited. |
| ☐ | SV-80881r1_rule | The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed. |
| ☐ | SV-80883r1_rule | Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer. |
| ☐ | SV-80887r2_rule | First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize. |
STIGQter: STIG Summary: