The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services.

An XCCDF Rule

Description

Vulnerability Discussion: To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Documentable: false

ID: SV-259874r958480_rule

Severity: Medium

Remediation - Manual Procedure

This applies to Impact Level 4/5/6.
FedRAMP Moderate, High.

For dedicated infrastructure with a DODIN connection (Levels 4–6), configure the IaaS/PaaS virtual firewall so that it restricts inbound and outbound traffic to/from the cloud service to the DODIN connection only, and blocks all traffic from all other sources.

To ensure required protocols and services are not blocked by the above configuration, register them, along with the related UDP/TCP IP ports used by the SaaS service, in the DOD PPSM registry when they will traverse the Defense Information Systems Network (DISN). This includes all user and management plane traffic for Levels 4, 5, and 6, as well as management plane traffic for Level 2 if it is managed/monitored from within a DOD network.
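The two requirements of this procedure (allow traffic only to/from the DODIN connection with everything else blocked, and permit only protocols/ports that are registered in PPSM) can be checked mechanically against an exported virtual-firewall rule set. The following audit script is an added example, not part of the STIG text and not tied to any particular cloud provider's API; the DODIN address range, the rule fields, the PPSM entries and the sample rules are all constructed placeholders that a Mission Owner would replace with their own exported values.

```python
"""
Added example: audit a constructed set of IaaS/PaaS virtual-firewall rules against
two requirements: (1) only the DODIN connection may be a remote endpoint of an allow
rule and each direction ends in a catch-all deny, and (2) every allowed protocol/port
appears in a PPSM-style registration list. All values below are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Placeholder for the DODIN connection's address range (TEST-NET-3, constructed).
DODIN_CONNECTION = ipaddress.ip_network("203.0.113.0/24")

# Constructed PPSM-style registry: (protocol, port) pairs approved to traverse the DISN.
PPSM_REGISTRY = {("tcp", 443), ("tcp", 22), ("udp", 53)}


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str        # "inbound" or "outbound"
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # None means every port
    remote: str           # CIDR on the far side: source for inbound, destination for outbound


def check_allow_rule(rule: FirewallRule) -> List[str]:
    """Return findings for one allow rule; an empty list means the rule complies."""
    findings = []
    remote = ipaddress.ip_network(rule.remote, strict=False)
    # subnet_of() raises on mixed IP versions, so compare versions first.
    if remote.version != DODIN_CONNECTION.version or not remote.subnet_of(DODIN_CONNECTION):
        findings.append(
            f"{rule.name}: permits {rule.direction} traffic with {rule.remote}, "
            f"which is outside the DODIN connection {DODIN_CONNECTION}"
        )
    if rule.port is None or rule.protocol == "any":
        findings.append(f"{rule.name}: wildcard protocol/port cannot be matched to a PPSM registration")
    elif (rule.protocol, rule.port) not in PPSM_REGISTRY:
        findings.append(f"{rule.name}: {rule.protocol}/{rule.port} is not registered in PPSM")
    return findings


def has_default_deny(rules: List[FirewallRule], direction: str) -> bool:
    """True if the direction ends in a deny rule matching any protocol, any port, any address."""
    return any(
        r.action == "deny"
        and r.direction == direction
        and r.protocol == "any"
        and r.port is None
        and ipaddress.ip_network(r.remote, strict=False).prefixlen == 0
        for r in rules
    )


def audit(rules: List[FirewallRule]) -> List[str]:
    """Collect every finding for the rule set; an empty list means it passes."""
    findings = []
    for rule in rules:
        if rule.action == "allow":
            findings.extend(check_allow_rule(rule))
    for direction in ("inbound", "outbound"):
        if not has_default_deny(rules, direction):
            findings.append(f"no catch-all deny rule for {direction} traffic")
    return findings


# Constructed sample rule sets.
COMPLIANT_RULES = [
    FirewallRule("allow-https-in", "inbound", "allow", "tcp", 443, "203.0.113.0/24"),
    FirewallRule("allow-dns-out", "outbound", "allow", "udp", 53, "203.0.113.10/32"),
    FirewallRule("deny-all-in", "inbound", "deny", "any", None, "0.0.0.0/0"),
    FirewallRule("deny-all-out", "outbound", "deny", "any", None, "0.0.0.0/0"),
]

NONCOMPLIANT_RULES = COMPLIANT_RULES + [
    # Remote range outside the DODIN connection and a port not in the registry: two findings.
    FirewallRule("allow-rdp-in", "inbound", "allow", "tcp", 3389, "198.51.100.0/24"),
    # Right remote range but a wildcard that PPSM registration cannot cover: one finding.
    FirewallRule("allow-any-in", "inbound", "allow", "any", None, "203.0.113.0/24"),
]

if __name__ == "__main__":
    for label, rules in (("compliant", COMPLIANT_RULES), ("noncompliant", NONCOMPLIANT_RULES)):
        print(f"{label}: {len(audit(rules))} finding(s)")
        for line in audit(rules):
            print("  -", line)
```

Running the script reports no findings for the compliant set and three for the noncompliant one. A rule set that lacks the catch-all deny in either direction is also reported, since an allowlist without a terminal deny does not "block all traffic from all other sources" as the procedure requires.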