STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 11 Benchmark Date: 24 Apr 2020:

Deficient SOP or enforcement for VTC/CODEC streaming.

DISA Rule

SV-17563r2_rule

Vulnerability Number

V-16564

Group Title

RTS-VTC 2360.00 [IP]

Rule Version

RTS-VTC 2360.00

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

[IP]; If the CODEC supports streaming, Perform the following tasks:
- Develop and enforce the SOP, train users, and include the SOP in user agreements and guides.
- The SOP will address the following:
> The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
> Implementation and distribution of temporary “streaming passwords”, or other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected. A temporary, one time password is implemented during streaming enablement and configuration of the given streaming session.
> Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
> Re installation of the “blocking” configuration and password (as required below) following any given streaming session.
> Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.

Check Contents

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU/CODEC is connected to an IP based LAN, and if the CODEC supports streaming, ensure a “Streaming” policy and procedure is in place and enforced that addresses the following:
- The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
- Implementation and distribution of temporary one-time “streaming passwords”, and other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected.
- Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
- Re installation of the “blocking” configuration and password (as required below) following any given streaming session.
- Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.

Note: The details of this SOP will be included in user’s training, agreements, and guides.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.

Vulnerability Number

V-16564

Documentable

False

Rule Version

RTS-VTC 2360.00

Severity Override Guidance

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU/CODEC is connected to an IP based LAN, and if the CODEC supports streaming, ensure a “Streaming” policy and procedure is in place and enforced that addresses the following:
- The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
- Implementation and distribution of temporary one-time “streaming passwords”, and other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected.
- Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
- Re installation of the “blocking” configuration and password (as required below) following any given streaming session.
- Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.

Note: The details of this SOP will be included in user’s training, agreements, and guides.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.

Check Content Reference

I

Potential Impact

The inadvertent or improper disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Other

Target Key

1418

Comments