8-24-1 Ensure external interfaces have been defined |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure all external entities with which the system interfaces or interacts have been identified. Ensure that the interface requirements and/or specification for each of these has been defined. Ensure that the authorizations for each external entity have been defined, and that the interface specifications reflect requirements that enforce access control policies on the interactions. Ensure that any required limitations on data values, parameters, formats, etc. are identified. Ensure that the system specifications define what actions are taken when the defined limitations and restrictions are violated.
|
NA
|
NA
|
CNSSI No. 1253 or equivalent National Institute of Standards and Technology (NIST) SP 800-53; Defense Information Systems Agency (DISA) Network Security Technical Implementation Guides (STIGs)
|
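Added example, not from the checklist or from any of the referenced standards: what 8-24-1 asks the specification to pin down, written as enforceable code. A hypothetical telemetry ingest interface has two external entities, each authorized for specific operations; every parameter carries type, range and length limits; and the defined action on any violation is to reject the whole message and log the reason. Entity names, operation names, field names and limits are all constructed for illustration.

```python
import json
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("external-interface")


@dataclass(frozen=True)
class FieldSpec:
    """Limits on one parameter: accepted types, numeric range, max length."""
    kinds: tuple
    lo: Optional[float] = None
    hi: Optional[float] = None
    max_len: Optional[int] = None


# Hypothetical interface specification (constructed for this example):
# which operations each authorized external entity may invoke ...
AUTHORIZATIONS = {
    "ground-station-a": {"submit_telemetry", "request_status"},
    "ops-console": {"request_status"},
}
# ... and the limits on every parameter of each operation.
OPERATION_SPECS = {
    "submit_telemetry": {
        "sensor_id": FieldSpec((str,), max_len=16),
        "reading": FieldSpec((int, float), lo=-50.0, hi=150.0),
        "seq": FieldSpec((int,), lo=0, hi=2**32 - 1),
    },
    "request_status": {},
}
MAX_MESSAGE_BYTES = 1024


class InterfaceViolation(Exception):
    """Any departure from the specification; the defined action is to
    reject the whole message, never to apply it partially."""


def validate_message(entity: str, raw: bytes) -> dict:
    """Return the parsed message if it satisfies the specification for
    `entity`, otherwise raise InterfaceViolation with the reason."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise InterfaceViolation("message exceeds size limit")
    try:
        msg = json.loads(raw)
    except ValueError:
        raise InterfaceViolation("malformed JSON")
    if not isinstance(msg, dict) or not isinstance(msg.get("op"), str):
        raise InterfaceViolation("missing operation")
    allowed = AUTHORIZATIONS.get(entity)
    if allowed is None:
        raise InterfaceViolation(f"unknown external entity {entity!r}")
    op = msg["op"]
    if op not in allowed:  # authorization is checked before any parameter is parsed
        raise InterfaceViolation(f"{entity!r} is not authorized for {op!r}")
    spec = OPERATION_SPECS[op]
    params = msg.get("params", {})
    if not isinstance(params, dict):
        raise InterfaceViolation("params must be an object")
    unexpected = set(params) - set(spec)
    if unexpected:
        raise InterfaceViolation(f"unexpected parameters {sorted(unexpected)}")
    missing = set(spec) - set(params)
    if missing:
        raise InterfaceViolation(f"missing parameters {sorted(missing)}")
    for name, fs in spec.items():
        v = params[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(v, bool) or not isinstance(v, fs.kinds):
            raise InterfaceViolation(f"{name}: wrong type")
        if fs.max_len is not None and len(v) > fs.max_len:
            raise InterfaceViolation(f"{name}: exceeds length limit")
        if (fs.lo is not None and v < fs.lo) or (fs.hi is not None and v > fs.hi):
            raise InterfaceViolation(f"{name}: out of range")
    return msg


def handle(entity: str, raw: bytes) -> tuple:
    """Defined action on violation: reject, log, and report the reason.
    Returns (accepted, reason)."""
    try:
        validate_message(entity, raw)
        return True, "ok"
    except InterfaceViolation as e:
        log.warning("rejected message from %s: %s", entity, e)
        return False, str(e)
```

The point a reviewer checks against 8-24-1 is that every row of the specification (authorized entity, authorized operation, per-parameter limit, size limit) maps to a concrete check, that unknown parameters are rejected rather than ignored, and that the violation path is a single defined action rather than whatever the parser happens to do.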
8-24-2 Ensure boundary protection requirements are defined and enforced |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure all external interfaces are protected by boundary protection mechanisms (e.g., firewalls) that limit communications to only those external entities that are authorized to interface with the system. Ensure that the rule set for such devices completely and correctly allows the expected interactions, and ensure that any unauthorized communication attempts are identified and handled in accordance with the system security policies.
|
NA
|
NA
|
CNSSI No. 1253 or equivalent National Institute of Standards and Technology (NIST) SP 800-53; Defense Information Systems Agency (DISA) Network Security Technical Implementation Guides (STIGs)
|
8-24-3 Ensure Computer Network Defense (CND) requirements are defined and implemented |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure requirements for intrusion detection/prevention are defined. Ensure that, where necessary, Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are employed. Ensure that the deployment is sufficient to review, capture, monitor, and react to all communications across the system's internal network. Ensure that the IDS/IPS is capable of correlating security-related data from the various points in the network at which that data is captured and/or generated. Ensure that the CND system completely and correctly reacts to security-related events, as defined by the system security policies.
|
NA
|
NA
|
CNSSI No. 1253 or equivalent National Institute of Standards and Technology (NIST) SP 800-53; Defense Information Systems Agency (DISA) Network Security Technical Implementation Guides (STIGs)
|
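Added example serving both 8-24-2 and 8-24-3; it is not from the checklist or from any referenced standard. A default-deny rule set (only the authorized peers and the time source are allowed) is applied to constructed connection records from two hypothetical capture points, a boundary device and an internal-network sensor, and the denials are then correlated by source across both points into one alert with the reaction the policy defines. Addresses, ports, sensor names, the record format and the threshold are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One authorized interaction: source network, protocol, destination port."""
    src: ipaddress.IPv4Network
    proto: str
    dport: int


# Hypothetical rule set (constructed): the only interactions the interface
# specifications authorize. Anything not matched is denied, i.e. the
# boundary device's default policy is drop.
RULES = [
    Rule(ipaddress.ip_network("192.0.2.0/29"), "tcp", 8443),    # authorized peers
    Rule(ipaddress.ip_network("198.51.100.7/32"), "udp", 123),  # time source
]


def evaluate(src: str, proto: str, dport: int) -> str:
    """Apply the rule set to one connection attempt: 'accept' or 'deny'."""
    ip = ipaddress.ip_address(src)
    for r in RULES:
        if ip in r.src and r.proto == proto and r.dport == dport:
            return "accept"
    return "deny"


# Constructed records from two capture points, "edge-fw" (boundary device)
# and "host-ids" (sensor on the internal network).
# Fields: sensor timestamp src proto dport
SAMPLE_LOG = """\
edge-fw 100 192.0.2.3 tcp 8443
edge-fw 101 203.0.113.9 tcp 22
host-ids 102 203.0.113.9 tcp 8443
edge-fw 103 203.0.113.9 tcp 3389
edge-fw 104 198.51.100.7 udp 123
host-ids 105 192.0.2.3 tcp 8443
"""


def parse(line: str):
    sensor, ts, src, proto, dport = line.split()
    return sensor, int(ts), src, proto, int(dport)


def correlate(log_text: str, threshold: int = 2, window: int = 60):
    """Evaluate every record, then correlate denials by source across all
    capture points: one alert per source with at least `threshold` denials
    inside `window` seconds, carrying the reaction the policy defines."""
    decisions = []
    denied = defaultdict(list)
    for line in log_text.splitlines():
        sensor, ts, src, proto, dport = parse(line)
        verdict = evaluate(src, proto, dport)
        decisions.append((sensor, src, proto, dport, verdict))
        if verdict == "deny":
            denied[src].append((ts, sensor, dport))
    alerts = []
    for src, events in denied.items():
        events.sort()  # by timestamp
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({
                    "src": src,
                    "count": j - i,
                    "sensors": sorted({e[1] for e in events[i:j]}),
                    "ports": sorted({e[2] for e in events[i:j]}),
                    "action": "block source at boundary",
                })
                break  # one alert per source is enough
    return decisions, alerts
```

Two things a reviewer checks here against 8-24-2 and 8-24-3: the rule set is a positive list derived from the interface specifications with nothing accepted by default, and the correlation keys on the source across every capture point, so that the boundary device seeing port 22 and the internal sensor seeing port 8443 from the same source become one event rather than two unrelated log lines.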
8-24-4 Ensure compliance with program policies and processes for tracking and addressing security patches and notifications, including assessment for applicability to the system and off-line testing for impacts before deployment to the development or operational system. |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure program policies and processes are maintained and followed for addressing security patches and notifications, including assessment for applicability to the system and off-line testing for impacts before deployment to the development or operational system (since most systems are in some form of operational use with continuing development/upgrade).
|
NA
|
NA
|
Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance; DISA Application Security & Development Security Technical Implementation Guide (STIG)
|