STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version 3, Release 17, Benchmark Date: 25 Oct 2019

Deficient user training regarding the use of non-approved applications and hardware.

DISA Rule

SV-17106r1_rule

Vulnerability Number

V-16118

Group Title

Deficient User Trng: Non Apprvd PC Comm App/Hdwr

Rule Version

VVoIP 1325 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure users are trained as follows:
- Users are made aware and trained that, even if their permissions allow, they are not to download and install IM and/or soft-phone applications on their DoD PCs that use or connect to public IM and/or IP telephony services unless directed to do so by their DoD organization for the fulfillment of an official requirement.
- Users are made aware and trained that they are not to attempt to use a stick phone on their DoD PC that associates itself with or connects to a public IM or IP telephony service unless directed to do so by their DoD organization for the fulfillment of an official requirement.
- Users are made aware and trained that they are not to attempt to use a PPG on their DoD PC that associates itself with an installed soft-phone unless directed to do so by their DoD organization for the fulfillment of an official requirement.

Additionally ensure:
- The limitations in this requirement are listed in a signed user agreement.

Check Contents

Interview the IAO to validate compliance with the following requirement:

Ensure:
- Users are made aware and trained that, even if their permissions allow, they are not to download and install IM and/or soft-phone applications on their DoD PCs that use or connect to public IM and/or IP telephony services unless directed to do so by their DoD organization for the fulfillment of an official requirement.
- Users are made aware and trained that they are not to attempt to use a stick phone on their DoD PC that associates itself with or connects to a public IM or IP telephony service unless directed to do so by their DoD organization for the fulfillment of an official requirement.
- Users are made aware and trained that they are not to attempt to use a PPG on their DoD PC that associates itself with an installed soft-phone unless directed to do so by their DoD organization for the fulfillment of an official requirement.
- The limitations in this requirement are listed in a signed user agreement.

Note: DAA approval, and possibly DISN DAA approval, is required in the event IM and/or soft-phone applications, or stick phones that associate with or connect to a public IM or IP telephony service, are to be implemented by a DoD component.

Ask the IAO if the required user training is provided and if the items in the requirement are listed in a signed user agreement.

Inspect user agreements for inclusion of the limitations and user acknowledgment.

Additionally, interview a random sample of users to determine their awareness of these limitations.

This is a finding if training is inadequate and users are unaware of the limitations and/or the limitations are not listed in signed user agreements.

Vulnerability Number

V-16118

Documentable

False

Rule Version

VVoIP 1325 (GENERAL)

Severity Override Guidance


Check Content Reference

I

Potential Impact

Compromise of the supporting PC, attached network, and/or network resources

Responsibility

Information Assurance Manager

Target Key

594

Comments