STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version 3, Release 17, Benchmark Date: 25 Oct 2019

The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation.

DISA Rule

SV-21541r1_rule

Vulnerability Number

V-19482

Group Title

Deficient Integrity: Vendor’s App, Upgrade, Patch

Rule Version

VVoIP 1201 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure VVoIP system applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation.

Employ only those VVoIP system applications, upgrades, and patches that are digitally signed by the vendor. Perform the appropriate digital signature validation process to validate application and upgrade/patch integrity before installation.
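The STIG does not prescribe a signature format, and vendors differ (GPG detached signatures, signed RPM/DEB packages, vendor-specific tooling). The following Go program is an added illustration, not part of the STIG or of any vendor's tooling, of the one property the requirement demands: installation is gated on a successful signature check against a vendor public key obtained out of band, and a package whose signature fails is rejected before anything is installed. It assumes Ed25519 detached signatures from Go's standard library; the package name, payload and the `install` callback are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is a vendor-delivered application, upgrade or patch together
// with the detached signature the vendor published for it.
type SignedPackage struct {
	Name      string
	Contents  []byte // the bytes that would be installed
	Signature []byte // Ed25519 signature over Contents
}

// ErrBadSignature means the package must not be installed.
var ErrBadSignature = errors.New("vendor signature did not verify: package rejected")

// VerifyPackage checks the detached signature against the vendor's public key.
// The key must come from a trusted out-of-band source, never from the package.
func VerifyPackage(vendorKey ed25519.PublicKey, pkg SignedPackage) error {
	if len(vendorKey) != ed25519.PublicKeySize {
		return errors.New("vendor public key has the wrong length")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(vendorKey, pkg.Contents, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// InstallGate is the enforcement point: the install step runs only after
// VerifyPackage succeeds. It reports whether installation took place.
func InstallGate(vendorKey ed25519.PublicKey, pkg SignedPackage, install func(SignedPackage) error) (bool, error) {
	if err := VerifyPackage(vendorKey, pkg); err != nil {
		return false, fmt.Errorf("%s: %w", pkg.Name, err)
	}
	if err := install(pkg); err != nil {
		return false, err
	}
	return true, nil
}

// Digest returns the SHA-256 of the package for the install record. A hash
// alone proves nothing about origin; it only documents what was verified.
func Digest(pkg SignedPackage) string {
	sum := sha256.Sum256(pkg.Contents)
	return hex.EncodeToString(sum[:])
}

// SignPackage stands in for the vendor's release process. Only the vendor
// holds the private key in practice; it is generated here so the demo runs.
func SignPackage(vendorPriv ed25519.PrivateKey, name string, contents []byte) SignedPackage {
	return SignedPackage{Name: name, Contents: contents, Signature: ed25519.Sign(vendorPriv, contents)}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	patch := SignPackage(vendorPriv, "vvoip-patch-demo.bin", []byte("constructed patch payload"))

	installed := 0
	record := func(p SignedPackage) error { installed++; return nil } // hypothetical installer

	ok, err := InstallGate(vendorPub, patch, record)
	fmt.Println("genuine patch installed:", ok, err, Digest(patch))

	// Flip one byte of the payload: the vendor signature no longer matches.
	tampered := patch
	tampered.Contents = append([]byte{}, patch.Contents...)
	tampered.Contents[0] ^= 0x01
	ok, err = InstallGate(vendorPub, tampered, record)
	fmt.Println("tampered patch installed:", ok, err, "install calls:", installed)
}
```

The design point an IAO or SA should be able to demonstrate is the same regardless of tooling: the verification key is pinned independently of the download, the check fails closed, and the result (name, digest, outcome) is recorded so the process can be shown during a review.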

Check Contents

Interview the IAO to validate compliance with the following requirement:

Ensure VVoIP system applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation.

Determine if VVoIP system applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Have the IAO or SA demonstrate the application and upgrade/patch integrity validation process. This is a finding if digital signatures are not validated before installation.

NOTE: This requirement addresses applications, upgrades, and patches for the overall VVoIP system infrastructure. PC-based applications, upgrades, and patches are addressed separately.

Severity Override Guidance

Check Content Reference

I

Potential Impact

Compromise of the supported communications or the supporting infrastructure

Responsibility

Information Assurance Officer

Target Key

594

Comments