STIGQter: STIG Summary: Video Services Policy STIG, Version: 1, Release: 11, Benchmark Date: 24 Apr 2020

IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must sanitize non-volatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network.

DISA Rule

SV-55748r1_rule

Vulnerability Number

V-43019

Group Title

RTS-VTC 7080 [IP]

Rule Version

RTS-VTC 7080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Obtain a VTC system that has an automated sanitization capability. Implement and document a procedure that utilizes this capability to sanitize the CODEC when transitioning between networks. As a last resort, implement and document a manual sanitization / reconfiguration procedure to perform this function.

Check Contents

Verify that the VTC system has an automated configuration management system configured to sanitize and reconfigure the CODEC when transitioning between networks. If it does, review documentation to determine that this capability is being implemented. If these conditions are met, this is not a finding.
If the unit is not implementing an automated process, review documentation to determine whether a manual procedure is specified and implemented when transitioning between networks; this will result in a CAT III finding if these conditions are met and a CAT II finding if they are not.
If an automatic capability exists but is not being implemented, or an automated configuration management system is not being used, this is a CAT II finding, unless a manual procedure is specified and is being implemented, in which case this is a CAT III finding.
If the unit is not being sanitized when transitioning between networks, this is a CAT II finding.

Documentable

False

Severity Override Guidance

Verify that the VTC system has an automated configuration management system configured to sanitize and reconfigure the CODEC when transitioning between networks. If it does, review documentation to determine that this capability is being implemented. If these conditions are met, this is not a finding.
If the unit is not implementing an automated process, review documentation to determine whether a manual procedure is specified and implemented when transitioning between networks; this will result in a CAT III finding if these conditions are met and a CAT II finding if they are not.
If an automatic capability exists but is not being implemented, or an automated configuration management system is not being used, this is a CAT II finding, unless a manual procedure is specified and is being implemented, in which case this is a CAT III finding.
If the unit is not being sanitized when transitioning between networks, this is a CAT II finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1418

Comments