
V-259865

CAT II (Medium)

The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements.

Rule ID

SV-259865r945583_rule

STIG

Cloud Computing Mission Owner Network Security Requirements Guide

Version

V1R2

CCIs

CCI-001097

Discussion

Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.

Implement scanning using an ACAS server in accordance with USCYBERCOM TASKORD 13-670.

- Use an ACAS Security Center server within NIPRNet or within an associated common virtual services environment in the same cloud service offering (CSO).
- Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center.

Impact Level 2: Applies to IaaS/PaaS CSOs where the Mission Owner has control over the environment. In this case, Mission Owners must provide their own enclave boundary protections or leverage an enterprise-level application protection service instantiated within the same CSO.

Check Content

If this is a Software as a Service (SaaS), this is not applicable.

This applies to all Impact Levels.

Review the configuration of the IaaS/PaaS. Verify that the IP address of an ACAS server is configured. Verify the flaw remediation data is also being communicated to the cybersecurity service provider (CSSP).

If the PaaS/IaaS does not implement scanning using an ACAS server or CSP-provided solution that meets DOD scanning and reporting requirements, this is a finding.

Fix Text

This applies to all Impact Levels.
FedRAMP Moderate, High.

Configure the IP address of an ACAS server or another solution that meets DOD scanning and reporting requirements.