All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-251365 | NET0348 | SV-251365r806050_rule | CCI-000366 | medium |
| Description | ||||
| Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information. | ||||
| STIG | Date | |||
| Network Infrastructure Policy Security Technical Implementation Guide | 2024-08-02 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V10R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V10R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V10R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V10R7 · disa_xccdf · related
Details
Check Text (C-251365r806050_chk)
Review the network topology diagram and interview the ISSO to verify that all Internet-facing applications are hosted in a DoD DMZ Extension.
If there are any Internet-facing applications hosted in the enclave's DMZ or private network, this is a finding.
Fix Text (F-54753r806049_fix)
Implement and move internet facing applications logically to a DoD DMZ Extension.