The ALG that is part of a CDS, when transferring information between different security domains, must implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-204973 | SRG-NET-000283-ALG-000072 | SV-204973r987743_rule | CCI-000366 | medium |
| Description | ||||
| Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include: 1) Encoding formats for character sets (e.g., Universal Character Set Transformation Formats) 2) American Standard Code for Information Interchange (ASCII) 3) Restricting character data fields to only contain alpha-numeric characters 4) Prohibiting special characters 5) Validating schema structures Organization-defined security policy filters which require format restrictions depend on the environment, data, and security boundaries. Organizations implementing CDS must follow the DoD-required process of testing, baselining, and risk assessment to ensure the rigor and accuracy necessary to rely upon a CDS for cross domain security. | ||||
| STIG | Date | |||
| Application Layer Gateway Security Requirements Guide | 2024-12-04 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-204973r987743_chk)
If the ALG is not part of a CDS, this is not applicable.
Verify the ALG, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
If the ALG when transferring information between different security domains does not implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content, this is a finding.
Fix Text (F-5241r396053_fix)
If the ALG is part of a CDS, configure the ALG to implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content when transferring information between different security domains.