STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version: 3, Release: 17, Benchmark Date: 25 Oct 2019

The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation.

DISA Rule

SV-17100r1_rule

Vulnerability Number

V-16112

Group Title

Deficient Integrity: PC Comm App Digital Signature

Rule Version

VVoIP 1710 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation.

Employ only those PC voice, video, UC, or collaboration communications applications, upgrades, and patches that are digitally signed by the vendor. Perform the appropriate digital signature validation process to validate application and upgrade/patch integrity before installation.

Check Contents

Interview the IAO to validate compliance with the following requirement:

Ensure PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation.

Determine if PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Have the IAO or SA demonstrate the application and upgrade/patch integrity validation process. This is a finding if digital signatures are not validated before installation.

Documentable

False

Severity Override Guidance

Interview the IAO to validate compliance with the following requirement:

Ensure PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation.

Determine if PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Have the IAO or SA demonstrate the application and upgrade/patch integrity validation process. This is a finding if digital signatures are not validated before installation.

Check Content Reference

I

Potential Impact

Compromise of the supported communications or the supporting network

Responsibility

Information Assurance Officer

Target Key

594

Comments