Rule ID
SV-259874r1132412_rule
Version
V1R3
CCIs
CCI-000382
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
For dedicated infrastructure with a DOD Information Network (DODIN) connection, review the architecture diagrams. This includes all user and management plane traffic for Impact Levels 4, 5, and 6, as well as management plane traffic for Impact Level 2 if managed/monitored from within a DOD network. Verify that the virtual firewall access control lists that restrict traffic flow inbound and outbound to/from the cloud service to the DODIN connection comply with the boundary requirements. Verify that all traffic from the cloud service provider (CSP) enclave and other sources are blocked by these methods. If the cloud service offering is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. For dedicated infrastructure with a DODIN connection (Impact Levels 2–6), configure the IaaS/PaaS virtual firewall that restricts traffic flow inbound and outbound to/from the cloud service to the DODIN connection and block all traffic from all other sources. To ensure protocols and services are not blocked by the above configuration, register them along with their related UDP/TCP IP ports used by the SaaS service that will traverse the Defense Information Systems Network (DISN) in the DOD PPSM registry. This includes all user and management plane traffic for Impact Levels 4, 5, and 6, as well as management plane traffic for Impact Level 2 if managed/monitored from within a DOD network.