8-23-1 Ensure Cybersecurity enabled products are National Information Assurance Partnership evaluated |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure Cybersecurity enabled products are NSA or National Information Assurance Partnership (NIAP) evaluated to satisfy the DoDI 8500.2 IA controls and the NIST SP 800-53 controls.
|
NA
|
NA
|
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for Operating Systems, including UNIX, Windows, etc.
|
8-23-2 Ensure agreed-to secure configuration of operating system is maintained and implemented. |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure that documented agreements between the Cybersecurity team, Application Developers, and Operating System Administrators are continuously maintained and properly implemented. Ensure the hardening criteria in the relevant Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), or other applicable standards and guides, are shared with Development and System Administrators and that a documented consensus configuration is agreed to, so that the application software conforms as closely and efficiently as possible.
|
NA
|
NA
|
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for Operating Systems, including UNIX, Windows, etc.
|
8-23-3 Ensure the System is configured according to the constraints of the applicable Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG), or equivalent |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure that the constraints of the applicable Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) are implemented. It is insufficient to harden the OS after development and test are complete. The hardening criteria in the relevant Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) must be shared with Development and System Administrators, and a documented consensus configuration should be agreed to, so that the application software conforms as closely and efficiently as possible.
|
NA
|
NA
|
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for Operating Systems, including UNIX, Windows, etc.
|
8-23-4 Ensure compliance with program policies and processes for tracking and addressing security patches and notifications, including assessment for applicability to the system and off-line testing for impacts before deployment to the development or operational system. |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure program policies and processes are maintained and followed for addressing security patches and notifications, including assessment for applicability to the system and off-line testing for impacts before deployment to the development or operational system (since most of the systems are in some form of operational use with continuing development/upgrade).
|
NA
|
NA
|
Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance; DISA Application Security & Development Security Technical Implementation Guide (STIG)
|