2.3.12 - Cyber Security

2.3.12-7 Level 2 Tasks

| Task | Applicable Mission Phases | Description | SFWC | Artifacts | References |
|---|---|---|---|---|---|
| 2.3.12-7-1 Ensure Information Assurance (IA) and IA-enabled products are National Information Assurance Partnership (NIAP) evaluated | Phase B, Phase C, Phase D1 | Ensure IA and IA-enabled products are NSA or NIAP evaluated to satisfy the DoDI 8500.2 IA controls and the NIST SP 800-53 controls. | NA | NA | Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for Operating Systems, including UNIX, Windows, etc. |
| 2.3.12-7-2 Ensure the secure configuration of the operating system is documented and agreed to by the Information Assurance & Cyber team, the Application Developers, and the Operating System Administrators before development begins | Phase B, Phase C, Phase D1 | Ensure the hardening criteria in the relevant DISA STIGs are shared with Development and System Administrators, and that a documented consensus configuration is agreed to, so that the application software conforms to it as closely and efficiently as possible. | NA | NA | Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for Operating Systems, including UNIX, Windows, etc. |
| 2.3.12-7-3 Ensure the system is configured according to the constraints of the applicable DISA STIG, or equivalent | Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Ensure the system is configured per the constraints of the applicable DISA STIG. It is insufficient to harden the OS after development and test are complete: the hardening criteria in the relevant DISA STIGs must be shared with Development and System Administrators, and a documented consensus configuration agreed to, so that the application software conforms to it as closely and efficiently as possible. | NA | NA | Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for Operating Systems, including UNIX, Windows, etc. |
| 2.3.12-7-4 Ensure there is a documented and implemented process for addressing security patches and notifications, including assessment of applicability to the system and off-line testing for impacts before deployment to the development or operational system | Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Ensure there is a documented and implemented process for addressing security patches and notifications, including assessment of applicability to the system and off-line testing for impacts before deployment to the development or operational system (since most of the systems are in some form of operational use with continuing development/upgrade). | NA | NA | Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, System and Services Acquisition (SA) family of controls; TOR-2013-00742 Secure Software Assurance Coding Guidance; DISA Application Security & Development Security Technical Implementation Guide (STIG) |