Rule ID
SV-234251r960759_rule
Version
V1R2
CCIs
CCI-000068
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information.
A DoD approved VPN, or gateway/proxy, must be leveraged to access StoreFront from a remote network. This VPN, or gateway, must handle user authentication and tunneling of StoreFront traffic. The VPN, or gateway, must meet the DoD encryption requirements, such as FIPS 140-2, for the environment. If no VPN, or gateway/proxy, is used for remote access to StoreFront, this is a finding. If the VPN, or gateway/proxy, does not authenticate the remote user before providing access to StoreFront, this is a finding. If the VPN, or gateway/proxy, fails to meet the DoD encryption requirements for the environment, this is a finding.
Implement a DoD approved VPN, or gateway/proxy, that will authenticate user access and tunnel/proxy traffic to StoreFront. Ensure the VPN, or gateway/proxy, is configured to authenticate the user before accessing the environment, and meets the DoD encryption requirements, such as FIPS 140-2, for the environment.