The IAO will ensure, if remote access is required to a non-STIG-compliant system in Zone B, that dedicated (non-production) clients are used to access Zone B systems from a VPN or dial-up connection. No connectivity will occur from a production STIG-compliant client (e.g., STIG'd Government Furnished Equipment) to a non-STIG'd system in Zone B.

From Enclave - Zone B Checklist

Part of: Production clients used to access Zone B systems.

Associated with IA controls: ECSC-1

SV-15078r1_rule

The IAO will ensure, if remote access is required to a non-STIG-compliant system in Zone B, that dedicated (non-production) clients are used to access Zone B systems from a VPN or dial-up connection. No connectivity will occur from a production STIG-compliant client (e.g., STIG'd Government Furnished Equipment) to a non-STIG'd system in Zone B.

Vulnerability discussion

The Secure Remote Computing and the Network Infrastructure STIGs clearly define remote (not physically or logically collocated) access requirements for system administrator or user access to a DoD network. The requirements set forth in the aforementioned STIGs apply to T&D environments as well. Because there may be situations in which an SA must access a T&D environment while not located within the testing facility/lab, or while teleworking, security requirements must be in place to ensure protection of DoD data and networks. Many network administrators prefer technologies such as thin clients, Terminal Services, and virtual machine architectures, such as Citrix and VMware, to provide the necessary access to their remote user base. This solution is acceptable in T&D environments as well; however, because DoD LAN clients may use this technology, additional security requirements must be met. The following table defines the overall access requirements for T&D, and the following section details virtual machine architectures. The network connectivity employed will determine the baseline security prerequisites listed in the previous section. Network devices, such as routers and firewalls, that support this environment must be STIG compliant.

Check content

Review the connection approval documentation and the remote access policy to determine whether DoD production (LAN) client workstations are allowed to connect to non-STIG'd Zone B systems. If they are allowed, this is a finding. Zone B requires that connections to systems that are not in a secure state be made only from non-production clients.

Fix text

The IAO will ensure, if remote access is required to a non-STIG-compliant system in Zone B, that dedicated (non-production) clients are used to access Zone B systems from a VPN or dial-up connection. No connectivity will occur from a production STIG-compliant client (e.g., STIG'd Government Furnished Equipment) to a non-STIG'd system in Zone B.
