STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

V-259880

CAT II (Medium)

The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.

Rule ID

SV-259880r958808_rule

STIG

Cloud Computing Mission Owner Operating System Security Requirements Guide

Version

V1R3

CCIs

CCI-001774

Discussion

Register the service/application with the DOD DMZ/IAP allowlist for both inbound and outbound traffic if traffic will cross the internet access points (IAPs). Using an allowlist provides a configuration management method for allowing the execution of only authorized software, ports, protocols, and guest virtual machines (VMs). Using only authorized software decreases risk by limiting the number of potential vulnerabilities and preventing the execution of malware. Cloud approval documentation should include the approved ports and protocols for communications, including allowlisted mission application traffic and services accessed from the internet via the Defense Information Systems Network (DISN) IAP. If all or a portion of the mission owner's cloud-based Level 4/5 systems/applications connected through the BCAP are to be internet accessible, traffic is required to traverse the DISN IAPs. The system's/application's URLs/IP addresses must be registered with the DOD DMZ allowlist. Traffic that will typically traverse the IAP is management traffic for Level 2 off-premises systems/applications and user plane traffic to/from Level 4/5 systems/applications that are internet-facing. Such traffic and IP addresses may be blocked if not registered in the allowlist.

Check Content

Request the cloud service Provisional Authorization (PA) and registration documentation.

Verify the IaaS/PaaS/SaaS service/application is registered with the DOD DMZ/IAP allowlist for both inbound and outbound traffic when traffic will cross the IAPs.

If the system/service/application is not registered with the DOD DMZ/IAP allowlist for both inbound and outbound internet-facing traffic, this is a finding.
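One way to turn the discussion and check above into a repeatable reconciliation: list the mission system's endpoints, decide from impact level and traffic type which ones cross the DISN IAP, and report any that are not registered for both directions. This is an added example, not STIGhub's or DISA's code; the data shapes, helper names, and the sample records are assumptions constructed for illustration.

```python
"""Reconcile a mission system's endpoints against DOD DMZ/IAP allowlist
registration records, following the check in V-259880. Added example, not part
of STIGhub or the SRG; data shapes and helper names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    address: str       # URL or IP address as it must appear in the allowlist
    port: int
    protocol: str
    impact_level: int  # DOD CC SRG Impact Level: 2, 4 or 5
    traffic: str       # "management" or "user" (user plane)
    internet_facing: bool


def traverses_iap(ep: Endpoint) -> bool:
    """Encodes the rule's discussion of what typically crosses the DISN IAP:
    management traffic for Level 2 off-premises systems, and user plane traffic
    to/from internet-facing Level 4/5 systems."""
    if ep.impact_level == 2 and ep.traffic == "management":
        return True
    return ep.impact_level in (4, 5) and ep.traffic == "user" and ep.internet_facing


def findings(endpoints, allowlist):
    """allowlist: set of (address, port, protocol, direction) tuples taken from
    the registration documentation. Each IAP-crossing endpoint must be
    registered for BOTH directions; every missing direction is one finding."""
    out = []
    for ep in endpoints:
        if not traverses_iap(ep):
            continue
        for direction in ("inbound", "outbound"):
            if (ep.address, ep.port, ep.protocol, direction) not in allowlist:
                out.append(f"{ep.name}: {direction} {ep.protocol}/{ep.port} "
                           f"{ep.address} not on DOD DMZ/IAP allowlist")
    return out


# Constructed sample data: a Level 4 internet-facing app, a Level 2 management
# endpoint, and a Level 5 internal service that never crosses the IAP.
ENDPOINTS = [
    Endpoint("portal", "portal.example.com", 443, "tcp", 4, "user", True),
    Endpoint("mgmt-api", "203.0.113.10", 443, "tcp", 2, "management", False),
    Endpoint("db", "10.0.5.20", 5432, "tcp", 5, "user", False),
]
ALLOWLIST = {
    ("portal.example.com", 443, "tcp", "inbound"),   # outbound never registered
    ("203.0.113.10", 443, "tcp", "inbound"),
    ("203.0.113.10", 443, "tcp", "outbound"),
}
```

Running `findings(ENDPOINTS, ALLOWLIST)` on the sample data reports only the portal's unregistered outbound path, which is exactly the condition the check text calls a finding.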

Fix Text

This applies to all Impact Levels.
FedRAMP Moderate, High.

Coordinate with the cybersecurity service provider (CSSP) during cloud architecture development to ensure required security-relevant data will be accessible via the cloud service provider/cloud service offering, third-party security service subscription, and/or native application programming interface capability.

Register the IaaS/PaaS/SaaS service/application with the DOD allowlist for both inbound and outbound traffic. Configure the DOD allowlist with the ports and protocols needed to support applications and services used in the cloud environment.