U IIS6 Tech Overview V6R13
-
Upload
nggillian123 -
Category
Documents
-
view
229 -
download
0
Transcript of U IIS6 Tech Overview V6R13
-
8/3/2019 U IIS6 Tech Overview V6R13
1/21
UNCLASSIFIED
UNCLASSIFIED
Internet Information Services (IIS) 6
Technology Overview
Version 6, Release 13
28 October 2011
Developed by DISA for the DoD
-
8/3/2019 U IIS6 Tech Overview V6R13
2/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIEDii
This page is intentionally left blank.
-
8/3/2019 U IIS6 Tech Overview V6R13
3/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED iii
TABLE OF CONTENTS
Page
1. INTRODUCTION................................................................................................................. 11.1 Background ..........................................................................................................................11.2 Authority ..............................................................................................................................11.3 Scope ....................................................................................................................................11.4 Vulnerability Severity Code Definitions ..............................................................................31.5
STIG Distribution .................................................................................................................5
1.6 Document Revisions ............................................................................................................5
2. WEB SERVER AND SITE REQUIREMENTS ................................................................ 72.1 Web Server and Site Definition ...........................................................................................72.2 Web Policy Applicable to All Web Servers and Sites ......................................................72.3 Web Server and Site Topology ............................................................................................72.4 Clarification of Terms ..........................................................................................................8
2.4.1 Private vs. Public Web Server .......................................................................................82.4.2 Roles ..............................................................................................................................9
VMS PROCEDURES ................................................................................................................. 102.5 VMS Process Guide for Reviewers ....................................................................................102.6 VMS Process Guide for System Administrators ................................................................12
APPENDIX A. RELATED PUBLICATIONS ........................................................................ 15Government Publications ...........................................................................................................15Technical Publications ...............................................................................................................15Government and Technical Web Sites .......................................................................................15
APPENDIX B. ACRONYMS ..................................................................................................... 17
-
8/3/2019 U IIS6 Tech Overview V6R13
4/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIEDiv
The page is intentionally left blank.
-
8/3/2019 U IIS6 Tech Overview V6R13
5/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 1
1. INTRODUCTION1.1 BackgroundMicrosoft Internet Information Server (IIS) is a web server currently licensed and distributed to
the DoD by the Microsoft Corporation. This STIG covers IIS version 6.0 running on Windows
Server 2003. The web server must be configured to protect classified, unclassified, and/or
restricted data, such as Personally Identifiable Information (PII), as well as data approved for
public release. Immediate risks inherent to this role are external attacks and accidental exposure.
Although security controls and infrastructure devices (such as, firewalls, intrusion detection
systems, and baseline integrity checking tools) offer some defense against malicious activity,
security for web servers is best achieved through implementing a comprehensive defense-in-
depth strategy. This strategy should include, but is not limited to, a server configuration to
prevent system compromise; operational procedures for posting data to avoid accidental
exposure; proper placement of the server within the network infrastructure; and the allowance or
denial of Ports, Protocols, and Services (PPS) used to access the web server.
1.2 AuthorityDoD Directive 8500.1 requires all IA and IA-enabled IT products incorporated into DoD
information systems shall be configured in accordance with DoD-approved security
configuration guidelines and tasks DISA to develop and provide security configuration
guidance for IA and IA-enabled IT products in coordination with Director, NSA. This
document is provided under the authority of DoDD 8500.1.
Although the use of the principles and guidelines in this document provide an environment that
contributes to the security requirements of DoD systems operating at Mission AssuranceCategory I through III, applicable DoD Instruction 8500.2 Information Assurance (IA) controls
need to be applied to all systems and architectures.
The Information Operations Condition for the DoD recommends actions during periods when a
heightened defensive posture is required to protect DoD computer networks from attack. The
Information Assurance Officer (IAO) will ensure compliance with the security requirements of
the current INFOCON level and will modify security requirements to comply with this guidance.
1.3 ScopeThis document is a requirement for all DoD-owned information systems and DoD-controlledinformation systems operated by a contractor and/or other entity on behalf of the DoD that
receive, process, store, display, or transmit DoD information, regardless of classification and/or
sensitivity. These requirements are designed to assist Security Managers (SMs), Information
Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System
Administrators (SAs) with configuring and maintaining security controls. This guidance
supports DoD information system design, development, implementation, certification and
-
8/3/2019 U IIS6 Tech Overview V6R13
6/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED2
accreditation efforts, but is restricted to policies and configurations specific to web servers and
sites.
Guidance for the configuration of Operating Systems (OSs) will be governed by the specific OS
STIG provided by DISA. Guidance for the use and configuration of technologies, such as mobile
code and Common Gateway Interface (CGI) scripts utilized by hosted applications, will begoverned by the Application Security and Development STIG and mobile code guidance
provided by DISA. Enclave requirements will be governed by the Enclave STIG provided by
DISA. All STIGs are available on the Information Assurance Support Environment (IASE) web
site: http://iase.disa.mil/.
-
8/3/2019 U IIS6 Tech Overview V6R13
7/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 3
1.4 Vulnerability Severity Code DefinitionsSeverity Category Code (CAT) is a measure of risk used to assess a facility or system security
posture. Each security policy specified in this document is assigned a severity code of CAT I, II,
or III. Each policy is evaluated based on the probability of a realized threat occurring and the
expected loss associated with an attack exploiting the resulting vulnerability. Table 1-1 providesthe severity code definitions.
Table 1-1. Vulnerability Severity Category Code Definitions
DISA/DIACAP Category Code
Guidelines
Examples of DISA/DIACAP Category Code
Guidelines
CAT
I
Any vulnerability, the exploitation of
which will, directly and immediately
result in loss of Confidentiality,
Availability or Integrity. An ATO will
not be granted while CAT I weaknessesare present.
Note: The exploitation of vulnerabilities
must be evaluated at the level of the
system or component being reviewed. A
workstation for example, is a stand alone
device for some purposes and part of a
larger system for others. Risks to the
device are first considered, then risks to
the device in its environment, then risks
presented by the device to theenvironment. All risk factors must be
considered when developing mitigation
strategies at the device and system level.
Includes BUT NOT LIMITED to the
following examples of direct and immediate
loss:
1.
May result in loss of life, loss of facilities,or equipment, which would result in
mission failure.
2. Allows unauthorized access to security oradministrator level resources or privileges.
3. Allows unauthorized disclosure of, oraccess to, classified data or materials.
4. Allows unauthorized access to classifiedfacilities.
5. Allows denial of service or denial ofaccess, which will result in mission
failure.6. Prevents auditing or monitoring of cyber
or physical environments.
7. Operation of a system/capability which hasnot been approved by the appropriate
Designated Accrediting Authority (DAA).
8. Unsupported software where there is nodocumented acceptance of DAA risk.
CAT
II
Any vulnerability, the exploitation of
which, has a potential to result in loss of
Confidentiality, Availability or Integrity.
CAT II findings that have been
satisfactorily mitigated will not prevent
an ATO from being granted.
Note: The exploitation of vulnerabilities
must be evaluated at the level of the
system or component being reviewed. A
workstation for example, is a stand alone
Includes BUT NOT LIMITED to the
following examples that have a potential to
result in loss:
1. Allows access to information that couldlead to a CAT I vulnerability.
2. Could result in personal injury, damage tofacilities, or equipment which would
degrade the mission.
3. Allows unauthorized access to user orapplication level system resources.
-
8/3/2019 U IIS6 Tech Overview V6R13
8/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED4
DISA/DIACAP Category Code
Guidelines
Examples of DISA/DIACAP Category Code
Guidelines
device for some purposes and part of a
larger system for others. Risks to the
device are first considered, then risks to
the device in its environment, then riskspresented by the device to the
environment. All risk factors must be
considered when developing mitigation
strategies at the device and system level.
4. Could result in the loss or compromise ofsensitive information.
5. Allows unauthorized access toGovernment or Contractor owned orleased facilities.
6. May result in the disruption of system ornetwork resources that degrades the ability
to perform the mission.
7. Prevents a timely recovery from an attackor system outage.
8. Provides unauthorized disclosure of oraccess to unclassified sensitive, personally
identifiable information (PII), or other data
or materials.
CAT
III
Any vulnerability, the existence of which
degrades measures to protect against loss
of Confidentiality, Availability or
Integrity. Assigned findings that may
impact IA posture but are not required to
be mitigated or corrected in order for an
ATO to be granted.
Note: The exploitation of vulnerabilities
must be evaluated at the level of the
system or component being reviewed. A
workstation for example, is a stand alone
device for some purposes and part of a
larger system for others. Risks to the
device are first considered, then risks to
the device in its environment, then risks
presented by the device to the
environment. All risk factors must be
considered when developing mitigation
strategies at the device and system level.
Includes BUT NOT LIMITED to the
following examples that provide information
which could potentially result in degradation
of system information assurance measures or
loss of data:
1. Allows access to information that couldlead to a CAT II vulnerability.
2. Has the potential to affect the accuracy orreliability of data pertaining to personnel,
resources, operations, or other sensitive
information.3. Allows the running of any applications,
services or protocols that do not support
mission functions.
4. Degrades a defense in depth systemssecurity architecture.
5. Degrades the timely recovery from anattack or system outage.
6. Indicates inadequate securityadministration.
7. System not documented in the sites C&APackage/System Security Plan (SSP).
8. Lack of document retention by theInformation Assurance Manager (IAM)
(i.e., completed user agreement forms).For web server installations and sites, policies are classified as CAT I if failure to comply may
lead to an exploitation which has a high probability of occurring, does not require specialized
-
8/3/2019 U IIS6 Tech Overview V6R13
9/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 5
expertise or resources, and leads to unauthorized access to sensitive information (e.g., classified).
Exploitation of CAT I vulnerabilities allows an attacker physical or logical access to a protected
asset, privileged access, bypass the access control system, or access to high value assets (e.g.,
classified).
Exploitation of CAT II vulnerabilities also leads to unauthorized access to high valueinformation; however, additional sophistication, information, or multiple exploitations are
needed. Exploitation of CAT II vulnerabilities provides information with a high potential of
allowing access to an intruder but requires one or more of the following: Exploitation of
additional vulnerabilities, exceptional sophistication or expertise, or does not provide direct or
indirect access to high value information (e.g., classified).
A policy with a CAT III severity code requires unusual expertise, additional information,
multiple exploitations, and does not directly or indirectly result in access to high value
information. Exploitation of CAT III vulnerabilities provides information potentially leading to a
compromise. It requires additional information or multiple exploitations to be effective but does
not provide direct access to high value information.
1.5 STIG DistributionParties within the DoD and Federal Government's computing environments can obtain the
applicable STIG from the IASE web site: http://iase.disa.mil/. This site contains the latest
copies of any STIGs, scripts, and other related security information.
1.6 Document RevisionsComments or proposed revisions to this document should be sent via e-mail to the following
address: [email protected]. DISA Field Security Operations (FSO) will coordinate all changerequests with the relevant DoD organizations before inclusion in this document.
-
8/3/2019 U IIS6 Tech Overview V6R13
10/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED6
This page is intentionally left blank.
-
8/3/2019 U IIS6 Tech Overview V6R13
11/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 7
2. WEB SERVER AND SITE REQUIREMENTS2.1 Web Server and Site DefinitionA web server is an automated information system managing one or more web sites by passing or
serving up web pages to an Internet browser, such as, Mozilla Firefox or Microsoft InternetExplorer. This document is only applicable to web servers and sites.
2.2 Web Policy Applicable to All Web Servers and SitesWeb Policy requirements are applicable to all web servers and sites. Review Web Policy checks
for all web servers or sites (classified or unclassified) used to process, transmit, store, or connect
to DoD information or enclave resources. These checks should be reviewed before web server
and web site specific technology checks are implemented. These policies are listed in the
Vulnerability Management System (VMS) under the Non-Computing assets, Web Policy asset
posture. The reviewer should create one non-computing asset for policy checks, one computing
asset for a web server review, and one computing asset for each web site hosted on the reviewedweb server.
2.3 Web Server and Site TopologyWeb server and sites operating within an enclave use segregation as a hardening technique. This
approach is intended to quarantine and protect public-facing applications. Additionally,
protections are built into the architecture to segregate restricted and unrestricted applications
from private applications. Figure 2-1 below provides a visual representation of a typical Enclave.
-
8/3/2019 U IIS6 Tech Overview V6R13
12/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED8
Figure 2-1. Typical Enclave Network
2.4 Clarification of Terms2.4.1 Private vs. Public Web ServerA DoD private web server as defined by the Department of Defense Instruction 8520.2 is:
E2.1.12. DoD Private Web Server. For unclassified networks, a DoD private web server is any
DoD-owned, operated, or controlled web server providing access to sensitive information thathas not been reviewed and approved for release in accordance with DoD Directive 5230.9
(reference (q)) and DoD Instruction 5230.29 (reference (r)). For Secret Internet Protocol Router
Network and other classified networks that are not accessible to the public, a DoD private web
server is any server that provides access to information that requires need-to-know control or
compartmentation.
-
8/3/2019 U IIS6 Tech Overview V6R13
13/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 9
A DoD public web server is any DoD-owned, operated, or controlled web server providing
access to information that has been reviewed and approved for release in accordance with DoD
Directive 5230.9 and DoD Instruction 5230.29. Given the DoD definition of a private web
server, a public web server may reside on the SIPRNet provided the information published does
not require need-to-know control or compartmentalization.
While posting appropriate data to a properly protected public or private web server is necessary
to facilitate operations, all personnel and other content providers must exercise extreme caution
to ensure they do not post inappropriate material. Current examples of such material include
classified data, data covered by the Privacy Act, unclassified but sensitive data (such as, Health
Insurance Portability and Accountability Act (HIPAA) related information), contract
(procurement) sensitive information, proprietary data, or For Official Use Only (FOUO)
information.
2.4.2 RolesThe roles of the SA, web administrator, or web master are generally understood but the terms are
often used interchangeably. The SA is responsible for the OS, while the web administrator or
web master usually manages the web site or sites. In some cases, the SA is also the web
administrator/web master which is why guidance tends to be written in a certain fashion. The
application development group should refer to the supporting organization for the application,
when application issues arise from meeting IIS STIG requirements. This guidance does not cover
every unique application and configuration.
-
8/3/2019 U IIS6 Tech Overview V6R13
14/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED10
VMS PROCEDURES
2.5 VMS Process Guide for Reviewers1. For each host system supporting a web server at least one occurrence of a web server
installation and one occurrence of a web site of the same type and version (IIS6) must be
defined. Further, one occurrence of web policy (non-computing) must also be defined. See
the asset creation instructions for the host asset to create the host asset. Asset
verification/creation must be completed before entering review results for the web server.
Multiple IP and MAC addresses may exist for an asset. Tool results may be imported as long
as those addresses found by the tool are matched in the asset identification. The scripts will
capture only one of each type of address. The engine/instance name is the unique name given
to a specific engine/instance provided by the SA. The site name is the unique name given to
a specific site provided by the SA. The reviewer must choose an engine/instance to associate
with the site using a pull down menu.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Expand Computing- Expand Must Review- Click the Asset which data is to be imported- Click the Asset Identification tab to confirm:
o I.P. Addresso MAC Address
- Click the Asset Posture tab to confirm:o Applicationo Web Servero Web Server Vendoro Web Server Instance name must match the import file.
First XML IDENTIFIER input tag:
151
IIS Installation 6
IIS-Installation1
o Web Server Site name must match the import file.Second XML IDENTIFIER input tag:
154
-
8/3/2019 U IIS6 Tech Overview V6R13
15/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 11
IIS Site 6
www.sitename.com
2. If the asset is not registered, create asset.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Click the yellow folder icon located at the right of Computing- Input data on General tab- Click the Asset Identification tab
o Enter I.P. Address, which must match the import file.o Click Addo Enter MAC Address, which must match the import file.o Click Add
- Click the Asset Posture tabo Expand Computingo Expand Applicationo Expand Web Servero Expand the Appropriate Vendor, Instance and Siteo Ensure Instance and Site match the import file.o Once site is entered choose Instance to be associated from pull down menuo Click >>o Click Save
3. Conduct the review using the Gold Disk and save the xml file, which should bevms6x.xml. It can be changed to a name that makes sense for the system being
reviewed.
For example: iis-installation1.xml
4. Import the xml file into VMS.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Click the blue XML arrow icon located at the right of Computing
-
8/3/2019 U IIS6 Tech Overview V6R13
16/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED12
- Click the Browse button- Click the import file- Click the Open button- Click the Submit button
5. If necessary, manually key results into VMS.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Expand Computing- Expand Must Review- Expand the correct asset- Expand correct WEB vendor/instance or site- Click the vulnerability to be modified
o Edit desired datao Click Saveo (Repeat as necessary)o
2.6 VMS Process Guide for System Administrators1. Ensure the asset is registered in VMS under the correct organization. Ensure the asset has
been assigned an OS. If the OS is Microsoft Windows the OS must also be assigned a role
(Domain Controller, Member Server, etc.). The asset must have at least a web server
installation, one web site, and one web policy instance defined. The engine/instance name is
the unique name given to a specific engine/instance provided by the SA. The site name is the
unique name given to a specific site provided by the SA. The reviewer must choose an
engine/instance to associate with the site using a pull down menu. The asset must also have
the IP and MAC address assigned. The engine/instance, site, IP address, MAC address, and
Asset Name must be identical to their associated XML tags in the vms6x.xml output file.
These descriptions are captured during the execution of the Gold Disk.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Expand Computing- Click the Asset which data is to be imported- Click the Asset Identification tab to confirm:
-
8/3/2019 U IIS6 Tech Overview V6R13
17/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 13
o I.P. Addresso MAC Address
- Click the Asset Posture tab to confirm:o Applicationo Web Servero Web Server Vendoro Web Server Instance name must match the import file.
First XML IDENTIFIER input tag:
151
Apache Instance 2.x
IIS-Installation1
o Web Server Site name must match the import file.Second XML IDENTIFIER input tag:
154
IIS Site 6www.sitename.com
2. If the asset is not registered, create asset.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Click the yellow folder icon located at the right of Computing- Input data on General tab- Click the Asset Identification tab
o Enter I.P. Address, which must match the import file.o Click Addo Enter MAC Address, which must match the import file.o Click Add
- Click the Asset Posture tabo Expand Computingo Expand Applicationo Expand Web Servero Expand the Appropriate Vendor, Instance and Siteo Ensure Instance and Site match the import file.o Once site is entered choose Instance to be associated from pull down menuo Click >>o Click Save
-
8/3/2019 U IIS6 Tech Overview V6R13
18/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED14
3. Conduct the review using the Gold Disk and save the xml file, which should bevms6x.xml.
For example: iis-installation1.xml
4. Import the xml file into VMS. Access VMS 6.0 Web Application
- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Click the blue XML arrow icon located at the right of Computing- Click the Browse button- Click the import file- Click the Open button- Click the Submit button
5. If necessary, manually key results into VMS.
Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Expand Computing- Expand the correct asset- Expand correct WEB vendor/instance or site- Click the vulnerability to be modified
o Edit desired datao Click Saveo (Repeat as necessary)
-
8/3/2019 U IIS6 Tech Overview V6R13
19/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED 15
APPENDIX A. RELATED PUBLICATIONS
Government Publications
Department of Defense, DoD Directive (DoDD) 8500.1, Information Assurance, 24 October
2002.
Department of Defense, DoD Instruction (DoDI) 8500.2, Information Assurance IA
Implementation, 6 February 2003.
Department of Defense, DoD Instruction (DoDI) 8520.2 Public Key Infrastructure (PKI) and
Public Key (PK) Enabling, April 2004.
Department of Defense, DoD Instruction (DoDI) 8551.1, "Ports, Protocols, and Services
Management (PPSM)," 13 August 2004.
Chairman of the Joint Chiefs of Staff (CJCS) Manual 6510.01A, " Information Assurance (IA)and Computer Network Defense (CND) Volume I (Incident Handling Program)," 24 June 2009.
Department of Defense, DoD Instruction (DoDI) 8510.01 DoD Information Assurance
Certification and Accreditation Process,April 2004.
National Institute of Standards and Technology (NIST), Guidelines on Securing Public Web
Servers, Special Publication 800-44.
Web Server Security Technical Implementation Guide (STIG) V7R1, 20 September 2010.
Technical Publications
Center for Internet Security Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP, and
Server 2003, version 1.0.0, 15 August 2007
Government and Technical Web Sites
http://iase.disa.mil Defense Information Systems Agency
http://www.disa.mil/handbook/toc.html DISA Web Handbook
http://www.cert.org A Focal point for the computer security
concerns of Internet users
http://csrc.nist.gov/publications National Institute of Standards andTechnology's Computer Security
Resource Clearinghouse
http://www.defenselink.mil/Webmasters DoD Web Site Administration Policy
http://www.w3.org/ Information and Resources on
everything Web
-
8/3/2019 U IIS6 Tech Overview V6R13
20/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
UNCLASSIFIED16
http://www.owasp.org Foundation dedicated to improving web
security
http://cisecurity.org/en-us/?route=default& Center for Internet Security.
-
8/3/2019 U IIS6 Tech Overview V6R13
21/21
IIS6 Technology Overview, V6R13 DISA Field Security Operations
28 October - 2011 Developed by DISA for the DoD
APPENDIX B. ACRONYMS
ATO Authority To Operate
C&A Certification and Accreditation
CAT Category Codes (for Mission Assurance Category)
CIO Chief Information Officer
CNDSP Computer Network Defense Service Provider
COTS Commercial Off The Shelf
CTO Communication Tasking Order
DAA Designated Accrediting Authority
DIACAP Department of Defense (DoD) Information Assurance
Certification and Accreditation (C&A) Process
DISA Defense Information Systems Agency
DMZ Demilitarized Zone
DoD Department of Defense
DoDD DoD DirectiveDoDI DoD Instruction
FSO Field Security Operations
GOTS Government Off The Shelf
IA Information Assurance
IAM Information Assurance Manager
IAO Information Assurance Officer
IASE Information Assurance Support Environment
IAVM Information Assurance Vulnerability Management
INFOCON Information Operations Condition
JTF-GNO Joint Task Force - Global Network Operations
MAC Mission Assurance CategoryNIPRNet Non-classified Internet Protocol Router Network
OS Operating System
PII Personally Identifiable Information
PPS Ports, Protocols, and Services
SA System Administrator
SM Security Manager
SSP System Security Plan
STIG Security Technical Implementation Guide
URL Uniform Resource Locator