STIGQter STIGQter: STIG Summary: Video Services Policy STIG

Version: 1

Release: 10 Benchmark Date: 26 Oct 2018

CheckedNameTitle
SV-17061r2_ruleDeficient Policy or SOP for VTC and PC camera operations regarding their ability to pickup and transmit sensitive or classified information in visual form.
SV-17063r2_ruleVTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.
SV-17064r1_ruleDeficient Policy or SOP regarding PC communications video display positioning.
SV-17065r1_ruleDeficient SOP or enforcement regarding presentation and application sharing via a PC or VTC.
SV-17556r1_ruleAdministrative sessions with the VTU do not timeout within a maximum of 15 minutes.
SV-17559r1_ruleUse of media streaming is not documented properly or is not configured securely.
SV-17561r1_ruleNo indicator is displayed on the VTU screen when CODEC streaming is activated.
SV-17563r2_ruleDeficient SOP or enforcement for VTC/CODEC streaming.
SV-18715r2_ruleThe VTC endpoints and system components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-18718r1_ruleDeficient SOP or enforcement regarding how to power-off the VTU when it is not actively participating in a conference.
SV-18719r1_ruleDeficient SOP or enforcement for microphone and camera disablement when the VTU is required to be powered and inactive (in standby).
SV-18720r1_ruleDeficient VTU sleep mode configuration or operation.
SV-18721r1_ruleInadequate display of an incoming call notification such that the VTU user can make an informed decision to answer the call or not.
SV-18722r1_ruleAuto-answer feature is not administratively disabled.
SV-18723r1_ruleDeficient SOP for, enforcement, usage, or configuration of the auto-answer feature.
SV-18725r1_ruleDeficient SOP or enforcement regarding handling of incoming calls while in a conference.
SV-18726r1_ruleRemote monitoring is not disabled while connected to an IP Network.
SV-18727r1_ruleInadequate “operator/facilitator/administrator” access control for remote monitoring of a VTU connected to an IP network.
SV-18854r1_ruleInadequate notification to conference participants (manual or automatic) of monitoring activity by someone that is not a direct participant in a VTC session/conference.
SV-18855r1_ruleInsufficient security clearance held by an “operator/facilitator/administrator” performing remote monitoring activities during a VTC session/conference.
SV-18856r1_ruleFar end camera control is not disabled.
SV-18857r2_ruleVTC data in transit must be encrypted.
SV-18858r2_ruleThe VTU must use FIPS 140-2 validated encryption module.
SV-18859r1_ruleVTU encryption indicator is not enabled.
SV-18860r1_ruleDeficient SOP or enforcement for user validation that encryption is on when required
SV-18861r2_ruleThe VTC system and components must not have default or factory passwords.
SV-18862r3_ruleThe VTC system and components must not display passwords in clear text.
SV-18863r4_ruleThe Videoconferencing system and components passwords must meet complexity and strength policy.
SV-18864r4_ruleA VTU password must be used for each VTU function.
SV-18865r2_ruleClassified videoconferencing systems must authenticate with a unique user logon prior to performing functions and services.
SV-18866r1_ruleDeficient SOP or enforcement of the SOP for manual password management.
SV-18867r1_ruleDeficient SOP or enforcement of One Time Use local meeting password
SV-18868r1_ruleDeficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming
SV-18869r1_ruleCODEC streaming is not disabled when it is not required.
SV-18870r1_ruleVTU/CODEC is not properly configured to support streaming.
SV-18871r1_ruleinadequate user training for pc presentation sharing that could lead to compromise of other information on the presenting PC
SV-18872r2_ruleDeficient SOP or enforcement regarding the use of software based virtual connection between the PC and the VTC CODEC.
SV-18873r3_ruleA CODECs local Application Programmers Interface (API) must prevent unrestricted access to user or administrator configuration settings and CODEC controls without a password.
SV-18874r2_ruleCODEC control / configuration messages received via the local Application Programmers Interface (API) are not encrypted or authenticated.
SV-18875r2_ruleSecure protocols must be implemented for CODEC remote control and management.
SV-18876r1_ruleUnnecessary/unused remote control/management/configuration protocols are not disabled.
SV-18877r1_ruleSNMP is not being used in accordance with the Network Infrastructure STIG.
SV-18878r2_ruleRemote management access and SNMP access and reporting are not restricted by IP address and/or subnet.
SV-18879r2_ruleVTC systems and devices must run the latest DoD-approved patches/firmware/software from the system/device vendor.
SV-18880r2_ruleVideo Teleconferencing system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.
SV-18881r1_ruleAll VTC system management systems/servers are not configured in compliance with all applicable STIGs
SV-18882r2_ruleDeficient SOP or enforcement regarding the approval and deployment of VTC capabilities.
SV-18883r3_ruleA VTC management system or endpoint must have risk approval and acceptance in writing by the responsible Authorizing Official (AO).
SV-18884r2_ruleVTC system and endpoint users, administrators, and helpdesk representatives must receive cybersecurity training.
SV-18885r2_ruleVTC system and endpoint users must sign a user agreement when accepting an endpoint or obtaining approval to use an endpoint.
SV-18886r2_ruleUser Guides and documentation packages must be developed and distributed to users operating VTC endpoints.
SV-18887r3_ruleVTC systems must be logically or physically segregated on the LAN from data systems, other non-integrated voice communication (VoIP) systems, and by VTC system type.
SV-18888r1_ruleVTC endpoint connectivity is established via an unapproved DoD Wireless LAN infrastructure
SV-18889r2_ruleA VTC endpoint must not bridge a wired LAN and a wireless LAN.
SV-18890r1_ruleA VTU endpoint does not have the wireless LAN capability disabled.
SV-18891r2_ruleA VTU or conference room implemented using wireless components must be protected from external control or compromise.
SV-18892r1_ruleVTC ports and protocols cross DoD/Enclave boundaries without prior registration in the DoD Ports and Protocols Database.
SV-18893r2_ruleAccess control measures must be implemented for all conferences hosted on a centralized MCU appliance.
SV-18894r2_ruleAccess control measures must be implemented for all conferences hosted on a centralized MCU appliance.
SV-55744r1_ruleAn IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next.
SV-55745r1_ruleAn IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by connecting the CODEC to one network at a time, matching the classification level of the session to the classification level of the network.
SV-55746r2_ruleIP-based VTC systems must not connect to ISDN lines when connected to a classified network.
SV-55747r1_ruleAn IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing sanitization by purging/clearing volatile memory within the CODEC by powering the CODEC off for a minimum of 60 seconds.
SV-55748r1_ruleIP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must sanitize non-volatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network.
SV-55749r1_ruleThe A/B, A/B/C, or A/B/C/D switch within an IP-based VTC system supporting conferences on multiple networks having different classification levels must be based on optical technologies to maintain electrical isolation between the various networks to which it connects.
SV-55750r1_ruleAn IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels must be implemented in a manner such that configuration information for a network having a higher classification level is not disclosed to a network having a lower classification level.
SV-55751r1_ruleThe A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must be Common Criteria certified.
SV-55752r2_ruleThe A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must be TEMPEST certified.
SV-55753r1_ruleAn IP-based VTC system implementing a single set of input/output devices (cameras, microphones, speakers, control system), an A/V switcher, and multiple CODECs connected to multiple IP networks having different classification levels must provide automatic mutually exclusive power control for the CODECs or their network connections such that only one CODEC is powered on or one CODEC is connected to any network at any given time.
SV-55754r2_ruleThe implementation of an IP-based VTC system supporting conferences on multiple networks having different classification levels must maintain isolation between the networks to which it connects by implementing separation of equipment and cabling between the various networks having differing classification levels in accordance with CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance.
SV-55756r1_ruleAn enclave supporting an IP-based VTC system that must communicate across an IP WAN must implement a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution at its boundary with the WAN.
SV-55757r1_ruleAn IDS/IPS must protect the IP-based VTC system within the enclave.
SV-55759r1_ruleThe IP-based VTC system must authenticate to an H.323 Gatekeeper or VVoIP session/call controller.
SV-55764r1_ruleThe IP-based VTC system must use H.235-based signaling encryption.
SV-55767r1_ruleThe operator of an ISDN-based VTC system utilizing a Type 1 encryptor for classified sessions must ensure any removable Keying Material (KEYMAT) (e.g., Cryptographic Ignition Key (CIK)) for the encryptor is secured in an appropriate secure facility or GSA-approved container when the system is not in use.
SV-55769r1_ruleAn ISDN-based or IP-based VTC system supporting conferences on multiple networks having different classification levels must utilize approved automatically controlled signage to indicate the secure/non-secure status or classification level of the conference/session. Such signage will be placed within the conference room and outside each entrance.
SV-55770r1_ruleAn ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences must utilize an approved pair of EIA-530 A/B switches operated in tandem or a dual A/B switch to switch the Type 1 encryptor in/out of the circuit between the CODEC and IMUX.
SV-55772r1_ruleAn ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences while implementing dialing capability from the CODEC must utilize an approved EIA-366-A dial isolator that disconnects the dialing channel between the CODEC and IMUX when the IMUX signals it is connected to another IMUX (i.e., the session is connected).
SV-55774r2_ruleAn ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences must be cabled to maintain a minimum of 5 or 15 centimeters RED/BLACK separation on either side of any Type 1 encryptor and any dial isolator (depending on the TEMPEST zone).
SV-55778r1_ruleISDN-based VTC equipment supporting secure (classified) and non-secure (unclassified) conferences which implement dial isolators and A/B switches must meet minimum port-to-port isolation standards.
SV-68941r1_ruleVideo teleconferencing system components Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
SV-93757r2_ruleVideo conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over non-secure systems.