STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 10 Benchmark Date: 26 Oct 2018: Deficient SOP or enforcement regarding the use of a software-based virtual connection between the PC and the VTC CODEC.

DISA Rule

SV-18872r2_rule

Vulnerability Number

V-17698

Group Title

RTS-VTC 2480.00 [IP]

Rule Version

RTS-VTC 2480.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP]; Perform the following tasks:
- Develop additional appropriate policy and procedures for this type of connection and add them to the required “Presentation/PC workstation display sharing” policy and procedure. These are based on the particular vendor’s solution to be implemented.
- Provide additional appropriate user training beyond the training requirement noted under RTS-VTC 2460.00.
- Perform and document an assessment of the application to be used to verify that it performs only those functions that are necessary, that the application behaves properly on the platform, and that it does not invalidate the security of the workstation.
- Perform and document a risk assessment regarding the use of the application in light of the application assessment and the defined operational policy/procedures.
- Obtain written approval from the responsible DAA for the installation of the additional software on the PC/workstation(s) required to use this method.
- Obtain written approval from the responsible DAA for the implementation and use procedures that mitigate the application’s vulnerabilities.
- Maintain the policy, procedures, assessment documentation, risk assessment, and DAA approvals for inspection by IA auditors as evidence of compliance.

Note: Assessments should be performed and DAA approvals should be obtained prior to purchase.

Check Contents

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event a software-based virtual connection between a PC/workstation and a CODEC is to be used for presentation display, file transfer, or collaboration, the IAO will ensure the following:
- Additional appropriate policy and procedures for this type of connection are added to the required “Presentation/PC workstation display sharing” policy and procedure. These are based on the particular vendor’s solution to be implemented.
- Additional appropriate user training is added to the training requirement noted under RTS-VTC 2460.00.
- An assessment of the application to be used is performed and documented to verify that it performs only those functions that are necessary, that the application behaves properly on the platform, and that it does not invalidate the security of the workstation.
- A risk assessment regarding the use of the application is performed and documented in light of the application assessment and the defined operational policy/procedures.
- The responsible DAA approves, in writing, the installation of the additional software on the PC workstation(s) required to use this method.
- The responsible DAA approves, in writing, the implementation and use procedures that mitigate the application’s vulnerabilities.

Note: Assessments should be performed and DAA approvals should be obtained prior to purchase.

Note: The IAO will maintain the policy, procedures, assessment documentation, risk assessment, and DAA approvals for inspection by IA auditors as evidence of compliance.

Verify that additional and appropriate user training has been added to the training requirement noted in RTS-VTC 2460.00 and that it addresses the additional vulnerabilities associated with presentation, application, and desktop sharing to a VTU from a PC.
AND
Verify that additional vendor-specific procedures and policies have been implemented.
AND
Verify that assessments have been performed and documented to validate that the additional VTU application(s) have not invalidated the security of the workstation. Verify with the IAO that a risk assessment has been performed and documented.
AND
Verify that the DAA has approved in writing the installation of the additional VTU software, and that the DAA is aware of and has approved the implementation and procedures used to mitigate the VTU application(s) vulnerabilities.

This is a finding if deficiencies are found. List these deficiencies in the finding details.

Vulnerability Number

V-17698

Documentable

False

Rule Version

RTS-VTC 2480.00

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Other

Target Key

1418

Comments