For each application integrated with Okta, network zones must be defined in its authentication policy.

Severity: medium
Group ID: V-279693
Group Title: SRG-APP-000039
Version: OKTA-APP-003244
Rule ID: SV-279693r1155078_rule
Date: 2025-11-19
STIG Version: 1
Description
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data.

Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services, or that provide a message filtering capability based on message content (e.g., implementing keyword searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.

Each application in Okta should have a well-defined access control policy that takes the end user's network into account. This should be documented in the Access Control policy for each application. As an example, access to an application may be restricted to a specific location by policy. In this case, a network zone describing that location should be created and referenced in the application's authentication policy rules.
ℹ️ Check
For each application integrated into Okta:

1. From the Admin console, open the "Security" menu, and then select "Networks".
2. Verify the list of networks includes all allow or block zones that the application's Access Control policy requires.
3. Confirm the application's authentication policy rules reference those zones (Applications > the application > "Sign On" tab > "View Policy Details") rather than matching any network.

If any application is not configured with network zones, this is a finding.
✔️ Fix
For each application, starting at the admin console:

1. Open the "Applications" group from the menu, and then click the "Applications" menu item.
2. Click the application name.
3. Click the "Sign On" tab.
4. Scroll to the "User Authentication" section, and then click "Edit".
5. Select the appropriate authentication policy from the pull-down, and then click "Save".
6. Click "View Policy Details".
7. For each nondefault rule:
   a. Select "Edit" from the Actions menu.
   b. In the "IF" section, verify that the "User is" setting has the appropriate allow or deny network range selected, based on the Access Control policy for the application.
   c. Scroll to the bottom and click "Save".
8. For the Catch-All rule:
   a. Select "Edit" from the Actions menu.
   b. Scroll down to the "Then" section.
   c. For the "Access is" setting, select "Denied", and then click "Save".
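The Check and Fix above are manual console steps. The Python below is an added example, not part of this STIG or of Okta's tooling: it applies the same test to rule sets in the shape the Okta Policy API returns (GET /api/v1/policies/{policyId}/rules for an ACCESS_POLICY policy, and GET /api/v1/zones), flagging any nondefault rule that matches any network or references an unknown or inactive zone, and a catch-all rule whose access is not DENY. The application labels, zone IDs and rule contents are constructed sample data; fetch_json and its SSWS token header are assumptions for a live run and are not exercised by the sample.

```python
import json
import urllib.request

# Constructed sample zones (not from a real tenant), shaped like GET /api/v1/zones.
SAMPLE_ZONES = [
    {"id": "nzo_hq", "name": "HQ Egress", "type": "IP",
     "status": "ACTIVE", "usage": "POLICY"},
    {"id": "nzo_blocked", "name": "Blocked Countries", "type": "DYNAMIC",
     "status": "ACTIVE", "usage": "BLOCKLIST"},
]

# Constructed sample rule sets, one per application, shaped like
# GET /api/v1/policies/{policyId}/rules for an authentication (ACCESS_POLICY) policy.
SAMPLE_POLICIES = {
    "Payroll": [  # compliant: zone-scoped allow, catch-all denies
        {"name": "HQ only", "system": False, "status": "ACTIVE",
         "conditions": {"network": {"connection": "ZONE", "include": ["nzo_hq"], "exclude": []}},
         "actions": {"appSignOn": {"access": "ALLOW"}}},
        {"name": "Catch-all Rule", "system": True, "status": "ACTIVE",
         "conditions": {"network": {"connection": "ANYWHERE"}},
         "actions": {"appSignOn": {"access": "DENY"}}},
    ],
    "Wiki": [  # non-compliant on three counts
        {"name": "Everyone", "system": False, "status": "ACTIVE",
         "conditions": {"network": {"connection": "ANYWHERE"}},
         "actions": {"appSignOn": {"access": "ALLOW"}}},
        {"name": "Stale zone", "system": False, "status": "ACTIVE",
         "conditions": {"network": {"connection": "ZONE", "include": ["nzo_old"], "exclude": []}},
         "actions": {"appSignOn": {"access": "ALLOW"}}},
        {"name": "Catch-all Rule", "system": True, "status": "ACTIVE",
         "conditions": {"network": {"connection": "ANYWHERE"}},
         "actions": {"appSignOn": {"access": "ALLOW"}}},
    ],
}


def network_condition(rule):
    """The rule's network condition, or an empty dict when none is set."""
    return rule.get("conditions", {}).get("network") or {}


def is_catch_all(rule):
    """Okta marks the default rule as system; the name is a fallback."""
    return bool(rule.get("system")) or rule.get("name") == "Catch-all Rule"


def audit_rules(app_label, rules, zones):
    """Return a list of finding strings for one application's active policy rules."""
    active_zone_ids = {z["id"] for z in zones if z.get("status") == "ACTIVE"}
    findings = []
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue  # inactive rules never match a sign-on, so they are not scored
        name = rule.get("name")
        net = network_condition(rule)
        access = rule.get("actions", {}).get("appSignOn", {}).get("access")
        if is_catch_all(rule):
            # Fix step 8: the catch-all must deny, so only zone-scoped rules grant access.
            if access != "DENY":
                findings.append(f"{app_label}: catch-all rule '{name}' access is {access}, expected DENY")
            continue
        # Fix step 7b: every nondefault rule must be scoped by a network zone.
        if net.get("connection") != "ZONE":
            findings.append(f"{app_label}: rule '{name}' matches any network (no zone condition)")
            continue
        referenced = set(net.get("include", [])) | set(net.get("exclude", []))
        if not referenced:
            findings.append(f"{app_label}: rule '{name}' has a ZONE condition but lists no zones")
        # Check step 2: the zones the rule relies on must actually exist and be active.
        for zone_id in sorted(referenced - active_zone_ids):
            findings.append(f"{app_label}: rule '{name}' references unknown or inactive zone {zone_id}")
    return findings


def audit_all(policies, zones):
    """Map each application label to its list of findings (empty list means compliant)."""
    return {app: audit_rules(app, rules, zones) for app, rules in policies.items()}


def fetch_json(org_url, api_token, path):
    """Assumed live fetch with an SSWS API token; not called by the sample run."""
    req = urllib.request.Request(org_url.rstrip("/") + path,
                                 headers={"Authorization": f"SSWS {api_token}",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for app, findings in audit_all(SAMPLE_POLICIES, SAMPLE_ZONES).items():
        print(app, "OK" if not findings else "FINDINGS")
        for finding in findings:
            print("  ", finding)
```

For a live tenant, pass audit_rules the rules of the authentication policy attached to each application (the policy referenced from the application object's `_links.accessPolicy` href, an assumption about the Apps API response) together with the zone list; the sample does not handle Okta's Link-header pagination, which a full audit must. A rule that denies within a block-list zone also counts as zone-scoped here, matching the "allow or deny range" wording of the Fix.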