STIGQter: STIG Summary: Video Services Policy STIG, Version: 1, Release: 11, Benchmark Date: 24 Apr 2020

Deficient SOP or enforcement of the SOP for manual password management.

DISA Rule

SV-18866r1_rule

Vulnerability Number

V-17692

Group Title

RTS-VTC 2040.00 [IP][ISDN]

Rule Version

RTS-VTC 2040.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP][ISDN]; Perform the following tasks:
Define and enforce policy and procedure that addresses password/PIN and account management that includes the following:
- Strong passwords/PINs will be used to the extent supported by the system/device. Each access point and password will be addressed separately.
- Password/PIN reuse will be limited and will be in compliance with policy and INFOCON requirements.
- Password/PIN change intervals will be defined for each access point based upon policy, INFOCON levels, and operational requirements.
- Passwords/PINs will be changed when compromised or when personnel (users or administrators) leave the organization.
- Passwords/PINs that are no longer needed will be removed in a timely manner. A periodic review will be performed as scheduled by the SOP.
- SNMP community strings will be managed like passwords/PINs.
- A password/PIN change/removal log will be maintained and stored in a secure, access-controlled manner (such as in a safe or encrypted file on an access-controlled server or workstation) for each device, noting each access point, its password, and the date the password was changed. Such a log will aid in such things as SOP enforcement, password history compliance, and password recovery.

Provide user training regarding this SOP and include it in user agreements and user guides.

Check Contents

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

In the event a system/device does not support all DoD IA requirements for password/PIN and account management or logon requirements, ensure a policy and procedure is in place and enforced that minimally addresses the following:
- Strong passwords/PINs will be used to the extent supported by the system/device. Each access point and password will be addressed separately.
- Password/PIN reuse will be limited and will be in compliance with policy and INFOCON requirements.
- Password/PIN change intervals will be defined for each access point based upon policy, INFOCON levels, and operational requirements.
- Passwords/PINs will be changed when compromised or when personnel (users or administrators) leave the organization.
- Passwords/PINs that are no longer needed will be removed in a timely manner. A periodic review will be performed as scheduled by the SOP.
- SNMP community strings will be managed like passwords/PINs.
- A password/PIN change/removal log will be maintained and stored in a secure, access-controlled manner (such as in a safe or encrypted file on an access-controlled server or workstation) for each device, noting each access point, its password, and the date the password was changed. Such a log will aid in such things as SOP enforcement, password history compliance, and password recovery.

Note: If and when VTC systems provide support for user and administrator accounts, this SOP is extended or modified to cover account management as necessary to manage non-automated functions.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.

Vulnerability Number

V-17692

Documentable

False

Rule Version

RTS-VTC 2040.00

Severity Override Guidance

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

In the event a system/device does not support all DoD IA requirements for password/PIN and account management or logon requirements, ensure a policy and procedure is in place and enforced that minimally addresses the following:
- Strong passwords/PINs will be used to the extent supported by the system/device. Each access point and password will be addressed separately.
- Password/PIN reuse will be limited and will be in compliance with policy and INFOCON requirements.
- Password/PIN change intervals will be defined for each access point based upon policy, INFOCON levels, and operational requirements.
- Passwords/PINs will be changed when compromised or when personnel (users or administrators) leave the organization.
- Passwords/PINs that are no longer needed will be removed in a timely manner. A periodic review will be performed as scheduled by the SOP.
- SNMP community strings will be managed like passwords/PINs.
- A password/PIN change/removal log will be maintained and stored in a secure, access-controlled manner (such as in a safe or encrypted file on an access-controlled server or workstation) for each device, noting each access point, its password, and the date the password was changed. Such a log will aid in such things as SOP enforcement, password history compliance, and password recovery.

Note: If and when VTC systems provide support for user and administrator accounts, this SOP is extended or modified to cover account management as necessary to manage non-automated functions.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.

Check Content Reference

I

Potential Impact

Access to the VTU by unauthorized individuals possibly leading to the disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Information Assurance Manager

Target Key

1418

Comments