Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that:
- Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s).
- Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection (e.g., a proper cover).
- Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it.

NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. The best practice is to not display it in view of the camera at all.

NOTE: Vulnerability awareness and operational training will be provided to users of video/collaboration communications related camera(s) regarding these requirements.

NOTE: This requirement is relevant no matter what the classification level of the session. In an IP environment the classification of PC communications is dependent upon the classification of the network to which the PC is attached, and the classification of the facility in which it is located. While classified communications can occur at the same level of classification as the network and facility, communications having a lower classification or no classification (e.g., unclassified or FOUO) may also occur in the same environment. As such, sensitive or classified information that is not part of the communications session might be improperly disclosed without proper controls in place.

Inspect the applicable SOP. Inspect a random sampling of workspaces and conference rooms to determine compliance. Look for potentially sensitive information posted on the walls in view of the camera(s). Interview the IAO to determine how the SOP is enforced. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information. Do not post potentially sensitive information on the walls in view of the camera(s). Produce an SOP that addresses the operation of video/collaboration communications related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that:
- Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s).
- Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection (e.g., a proper cover).
- Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it.

NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. Best practice is to not display it in view of the camera at all.

Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
Interview the ISSO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures are included in user training and guides.

NOTE: This SOP should take into account the classification of the area where the Video Teleconferencing Unit (VTU) or PC supporting PC based voice, video, UC, and collaboration communications applications is installed, as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Along with those mentioned above, measures should be included such as closing office or conference room doors; muting microphones before and after conference sessions and during conference breaks; volume levels in open offices; and muting the microphone when not speaking.

Inspect the applicable SOP. Such an SOP should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It should also address the potential for the pickup of non-session related conversations in the work area. This requirement should also discuss Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If the SOP or training is deficient, this is a finding.
Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides.

Produce an SOP that addresses the operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Such an SOP should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It should also address the potential for the pickup of non-session related conversations in the work area. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Operational policy and procedures must be included in user training and guides.

If video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications are used to display sensitive or classified information, interview the IAO and inspect the applicable SOP. The SOP should address the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Inspect a random sampling of workspaces and conference rooms to determine compliance. Look for displays that are viewable through a window or are viewable from common walkways or areas where non-participants can view the information. The lack of partitions or the use of short partitions separating workspaces can be an issue depending upon the sensitivity of the displayed information. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information.

This is a finding if video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications that are used to display sensitive or classified information are easily viewable from locations outside the immediate user’s work area. This is also a finding if the SOP or training is deficient.

NOTE: During an SRR, the review of this check may be coordinated with a traditional security reviewer if one is available so that duplication of effort is minimized. However, the similar/related traditional security check primarily addresses displays that are attached to classified systems which are displaying classified information, and not sensitive but unclassified information or privacy information.
Ensure a policy and procedure is in place and enforced that addresses the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to such information. Operational policy and procedures must be included in user training and guides.

Interview the IAO and inspect the applicable SOP. The SOP should address the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to such information. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. This is a finding if the SOP or training is deficient.
Ensure a policy and procedure is in place and enforced that addresses the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to such information. Operational policy and procedures must be included in user training and guides.

Produce an SOP that addresses the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to such information. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure a configurable “idle/inactive session timeout/logout feature” is available and used to disconnect idle/inactive management connections or sessions. The idle timer is set to a maximum of 15 minutes. Longer time periods are documented and approved by the responsible DAA. This requirement applies to all types of physical and logical management connections and all management session protocols.

NOTE 1: This is not a finding in the event an approved management connection/session must be established for permanent full time monitoring of a system/device or the production traffic it processes.

NOTE 2: This is not a finding during management operations where the disconnection of the connection/session due to idle session timeout would inhibit the successful completion of a management task. An SOP must be established and enforced, or an automated process used, to ensure the idle/inactive session timeout feature is re-enabled and reset following such activity.

NOTE 3: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

> Determine if a configurable “idle/inactive session timeout/logout feature” is available and used to disconnect idle/inactive management connections or sessions.
> Determine if the timeout is set to a maximum of 15 minutes.
> If the timeout is set to a longer period, determine if the extended time period is documented and approved by the responsible DAA and an SOP is in place and enforced that will ensure that the idle/inactive session timeout feature is re-enabled and reset following monitoring/testing activity.
[IP][ISDN]; Perform the following tasks:
> Implement a VTU with a configurable “idle/inactive session timeout/logout feature” for management sessions.
> Configure/set the idle timer to a maximum of 15 minutes.
> If longer periods are necessary, obtain approval from the responsible DAA. Document approval for inspection by auditors. Develop and enforce an SOP that will ensure that the idle/inactive session timeout feature is re-enabled and reset following monitoring/testing activity. Include this SOP in administrator training, agreements, and guides.
[IP]; Interview the IAO to validate compliance with the following requirement: Ensure the following regarding VTC streaming:
- Streaming of VTC content will not be implemented unless required to fulfill a specific, validated, authorized, and documented mission requirement.
- Streaming from a VTU/CODEC is to the unicast addresses of a streaming/recording server only, not to an IP multicast or broadcast address, due to the lack of user/recipient access control.
- A streaming server is used that provides the streaming service via an authenticated and audited client to server (unicast) session or authenticated and audited access to an .sdp file.
- Streaming server access control will use DoD PKI.
- The streaming server to client connection is encrypted for confidentiality of the streamed media.
- If approved, and IP multicast must be used, the media stream must be encrypted and a secure key exchange process employed.

Determine if VTC media streaming is being used. If not, this is not a finding. If so, additionally determine the following:
- Inspect the documentation regarding the validated and authorized/approved mission requirement. This is a finding if the documentation or approval is deficient or non-existent.
- Determine if IP multicast or IP broadcast is being used as the distribution method. If so, this is a finding unless the use is approved (inspect DAA approval documentation) and the media stream is encrypted and a secure key exchange process employed.
- If streaming from a CODEC is being used, this is a finding if the media stream is not limited to the single IP address of a streaming/recording server.
- If a streaming server is being used, this is a finding if the stream is not delivered via an authenticated and audited client to server (unicast) session or authenticated and audited access to an .sdp file; and/or streaming server access control does not use DoD PKI; and/or the server to client connection is not encrypted.
[IP]; Perform the following tasks:
- Discontinue the use of VTC media streaming OR obtain approval for the validated mission requirement and the distribution method, and fully document the requirement, distribution method, and the approval.
- If streaming from a CODEC is approved, configure the CODEC for a unicast connection such that the media stream is limited to the single IP address of a streaming/recording server.
- If IP multicast or IP broadcast is approved as the distribution method, configure the streaming server/CODEC to encrypt the media stream and use a secure key exchange process.
- If streaming from a streaming/recording server is approved, configure the server to provide the streaming service via an authenticated and audited client to server (unicast) session or authenticated and audited access to an .sdp file; additionally configure the server to use DoD PKI for access control; and to provide an encrypted client server connection or encryption of the media stream.
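The decision steps of the streaming check above, worked as an added example (not part of the STIG and not any vendor's tooling): a reviewer's helper that classifies each stream destination as unicast, multicast or broadcast and lists the findings the check text would produce. The configuration fields, the site's streaming server inventory and the sample values are all constructed for illustration.

```python
# Added example (not part of the STIG text or any vendor's tooling): evaluate a
# VTC streaming configuration record against the streaming requirement above.
# The configuration fields and the sample values are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class StreamingConfig:
    """Constructed representation of how a VTU/CODEC or streaming server is set up."""
    streaming_enabled: bool
    mission_requirement_documented: bool     # validated, authorized, documented requirement
    source: str                              # "codec" or "server"
    destinations: List[str]                  # IP addresses the media stream is sent to
    streaming_server_ips: Set[str] = field(default_factory=set)  # assumed site inventory
    local_subnet: Optional[str] = None       # e.g. "10.1.2.0/24", to spot directed broadcast
    multicast_approved_by_daa: bool = False
    media_stream_encrypted: bool = False
    secure_key_exchange: bool = False
    client_session_authenticated_audited: bool = False
    sdp_access_authenticated_audited: bool = False
    access_control_dod_pki: bool = False
    client_connection_encrypted: bool = False


def classify_destination(addr: str, local_subnet: Optional[str] = None) -> str:
    """Return "unicast", "multicast" or "broadcast" for a destination address.

    Multicast covers IPv4 224.0.0.0/4 and IPv6 ff00::/8.  Broadcast is an IPv4
    concept only: the limited broadcast address and, when the local subnet is
    known, that subnet's directed broadcast address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            return "broadcast"
        if local_subnet is not None:
            net = ipaddress.ip_network(local_subnet, strict=False)
            if net.version == 4 and ip == net.broadcast_address:
                return "broadcast"
    return "unicast"


def evaluate_streaming(cfg: StreamingConfig) -> List[str]:
    """Apply the decision steps of the check text; return one string per finding."""
    findings: List[str] = []
    if not cfg.streaming_enabled:
        return findings  # streaming not in use: not a finding

    if not cfg.mission_requirement_documented:
        findings.append("no validated, authorized, and documented mission requirement")

    kinds = {d: classify_destination(d, cfg.local_subnet) for d in cfg.destinations}
    group_dests = [d for d, k in kinds.items() if k != "unicast"]
    if group_dests:
        # Multicast/broadcast lacks recipient access control; it is only acceptable
        # when the DAA approved it AND the stream is encrypted with secure key exchange.
        if not (cfg.multicast_approved_by_daa and cfg.media_stream_encrypted
                and cfg.secure_key_exchange):
            findings.append(
                "multicast/broadcast distribution without DAA approval, encryption, "
                "and secure key exchange: " + ", ".join(group_dests))

    if cfg.source == "codec":
        unicast_dests = [d for d, k in kinds.items() if k == "unicast"]
        # A CODEC may only stream to the single unicast address of a streaming server.
        if len(unicast_dests) != 1 or unicast_dests[0] not in cfg.streaming_server_ips:
            findings.append(
                "CODEC stream is not limited to the single IP address of a "
                "streaming/recording server: " + ", ".join(cfg.destinations))
    elif cfg.source == "server":
        if not (cfg.client_session_authenticated_audited
                or cfg.sdp_access_authenticated_audited):
            findings.append("server does not require an authenticated and audited "
                            "client session or .sdp access")
        if not cfg.access_control_dod_pki:
            findings.append("streaming server access control does not use DoD PKI")
        if not cfg.client_connection_encrypted:
            findings.append("server-to-client connection is not encrypted")
    else:
        findings.append("unknown streaming source: " + cfg.source)
    return findings


# Constructed sample: a CODEC pointed at a multicast group with no approval.
SAMPLE_NONCOMPLIANT = StreamingConfig(
    streaming_enabled=True, mission_requirement_documented=True, source="codec",
    destinations=["239.1.1.10"], streaming_server_ips={"10.1.2.50"})

# Constructed sample: a CODEC streaming only to the inventoried unicast server.
SAMPLE_COMPLIANT = StreamingConfig(
    streaming_enabled=True, mission_requirement_documented=True, source="codec",
    destinations=["10.1.2.50"], streaming_server_ips={"10.1.2.50"},
    local_subnet="10.1.2.0/24")

if __name__ == "__main__":
    for name, cfg in (("noncompliant", SAMPLE_NONCOMPLIANT), ("compliant", SAMPLE_COMPLIANT)):
        print(name, evaluate_streaming(cfg) or ["not a finding"])
```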
[IP]; Validate compliance with the following requirement: Ensure an on-screen indicator is displayed when the VTU/CODEC is actively streaming. Include awareness of the indicator and its meaning in user training and user guides.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Note: During APL testing, this is a finding in the event this requirement is not supported by the CODEC.

This is a finding if an on-screen indicator is not displayed when the VTU/CODEC is actively streaming. Validate compliance via inspection of the device manuals, or activate streaming and look for the on-screen indicator. Activating the streaming feature may require applying a streaming configuration. If so, be sure to remove/disable the configuration following the indicator test.
[IP]; Perform the following tasks:
- Purchase VTC equipment that either does not support streaming from the CODEC or provides an indicator that the CODEC is actively streaming.
AND/OR
- Configure the CODEC to provide the required on-screen indicator in the event such display does not occur by default.
AND
- Include awareness of the indicator and its meaning in user training and user guides.
[IP]; Interview the IAO to validate compliance with the following requirement: In the event the VTU/CODEC is connected to an IP based LAN, and if the CODEC supports streaming, ensure a “Streaming” policy and procedure is in place and enforced that addresses the following:
- The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
- Implementation and distribution of temporary one-time “streaming passwords”, and other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected.
- Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
- Reinstallation of the “blocking” configuration and password (as required below) following any given streaming session.
- Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.

Note: The details of this SOP will be included in user’s training, agreements, and guides.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
[IP]; If the CODEC supports streaming, perform the following tasks:
- Develop and enforce the SOP, train users, and include the SOP in user agreements and guides.
- The SOP will address the following:
> The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
> Implementation and distribution of temporary “streaming passwords”, or other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected. A temporary, one time password is implemented during streaming enablement and configuration of the given streaming session.
> Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
> Reinstallation of the “blocking” configuration and password (as required below) following any given streaming session.
> Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.
Review the VTC system architecture and ensure the VTC endpoints and system components are configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Ensure all VTC endpoints and system components comply with the following NIST 800-53 (Rev. 4) IA controls:
- Account Management (AC-2)
- Individual ID & Password (IA-5)
- Lockout on logon failure (AC-7)
- Warning Banner (AC-8)
- Roles (privileged access) (AC-1)
- Least Privilege (AC-6, SA-17)
- Security audit (AU-2)
- Audit Content (AU-3)
- Audit Trail Protection (AU-12)

If the VTC endpoints and system components are not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, this is a finding.
Procure and implement VTC endpoints and system components configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Encourage vendors to develop VTC systems and devices that provide robust IA features that support compliance with DoD policies for all devices.
[IP][ISDN] Interview the IAO to validate compliance with the following requirement: In the event the VTU is connected to an IP network and/or if auto-answer is on while connected to an ISDN network, ensure a policy and procedure is in place and enforced that requires users to power-off the VTU when it is not actively participating in a conference unless it is required to be powered-on to meet validated, approved, and documented mission requirements.

Note: While this requirement can be deemed N/A or “Not a Finding” in the event there are validated, approved, and documented mission requirements, the VTU is still subject to RTS-VTC 1025.00. An example of a mission requirement needing validation, approval, and documentation would be a requirement for nightly testing of the VTU from a central location or a need to regularly answer incoming calls.

Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system.

Note: This is not a requirement (i.e., N/A) if the VTU is located in a conference room that is only used for VTC conferences; the room is empty when not preparing for or participating in a VTC; the room contains no sensitive or classified information when not in use; no other meetings are held there; and no other work or activities occur there.

Note: Sleep mode does not fully mitigate the vulnerability addressed here unless it can be invoked by the user. Typically a VTU would go to sleep after a period of time. During this period, the vulnerability still exists and may exist in sleep mode depending upon what is required to wake the VTU. Sleep mode should be able to be initiated by the user. Exiting sleep mode should be initiated by user action and not an automated process. This functionality needs to be explored further and specific requirements defined.

Note: This requirement must be stated in user’s guides and training because the user is the one that must implement these mitigations.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the requirement is adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. Have a sampling of users demonstrate how to power-off the VTU when it is not actively participating in a conference. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
[IP][ISDN]; Perform the following tasks: Define and enforce a policy and procedure requiring that, when a VTU is connected to an IP network and/or auto-answer is on while connected to an ISDN network, the user powers off the VTU (and knows how to do so) when it is not actively participating in a conference, unless it is required to be powered-on to meet validated, approved, and documented mission requirements. Provide user training regarding this SOP and include it in user agreements and user guides.
[IP][ISDN] Interview the IAO to validate compliance with the following requirement: In the event the VTU is connected to an IP network and/or if auto-answer is on while connected to an ISDN network, AND the VTU is required to be powered-on to meet validated, approved, and documented mission requirements (that is, RTS-VTC 1025.00 is “not a finding”), ensure a policy and procedure is in place and enforced that requires users to perform the following when the VTU is not actively participating in a conference:
- Mute the microphone.
AND
- Disable the capability of the camera to view activities within the room as follows:
> Cover the camera(s) if its/their position/aim is fixed or able to be remotely controlled.
OR
> Aim the camera(s) at a nearby corner where it/they cannot see room activities if the camera position/aim is movable but cannot be remotely controlled.

Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approvals are obtained from the DAA or IAM responsible for the VTU(s) or system. This documentation and validated mission requirements are the same documentation that renders RTS-VTC 1020.00 N/A or “Not a Finding”.

Note: This finding can be reduced to a CAT III in the event the camera(s) can be remote controlled but are aimed at the wall (e.g., a corner) where it/they cannot see room activities if the camera supports aiming or being moved. While the practice of aiming the camera at the side or back wall of the room where there is nothing to see and muting the microphone can mitigate normal operational issues, this measure is not a mitigation if the camera can be remotely controlled via auto-answer and Far End Camera Control (FECC) and/or the CODEC remote control/configuration feature is not configured properly, is compromised, or can be accessed by an administrator with the remote access password.

Note: This is not a finding in the event sleep mode provides the necessary disablement functions and is invoked by the user when the VTU is powered on or leaves the active state. This finding can be reduced to a CAT III finding in the event sleep mode provides the necessary disablement functions and the VTU enters sleep automatically within 15 minutes of when the VTU entered standby. This is still a finding because the vulnerability exists during the standby period.

Note: This is not a requirement (i.e., N/A) if the VTU is located in a conference room that is only used for VTC conferences; the room is empty when not preparing for or participating in a VTC; the room contains no sensitive or classified information when not in use; no other meetings are held there; and no other work or activities occur there.

Note: A camera cover should be provided by the camera vendor and attached in such a manner that it is not easily detachable so that it cannot be easily lost. Alternately, the cover can be as simple as an opaque cloth of appropriate size or sewn such that it won’t fall off easily. If the cover is detachable such that it can be easily lost, a supply of replacement covers should be readily available.

Note: This requirement must be stated in site user’s guides and training because the user is the one that must implement these mitigations.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details. This is a finding if the VTU is found to be powered-on when inactive and the microphone and/or camera are not disabled.

This is a finding if there is no documented requirement that the VTU be powered-on or there are no approvals. Inspect the documentation relating to the DAA approvals for the validated, approved, and documented mission requirements that require the VTU to be powered-on while inactive. This is a finding if there is no SOP regarding the disablement of the VTU microphone and camera when the VTU is not actively participating in a conference. Interview the IAO to determine if this requirement is covered in an SOP and user training/agreements. Interview a sampling of users to determine their awareness and implementation of the requirement.
[IP][ISDN]; Perform the following tasks: Define and enforce a policy and procedure requiring that, when a VTU is connected to an IP network and/or auto-answer is on while connected to an ISDN network AND the VTU is required to be powered-on to meet validated, approved, and documented mission requirements, the user disables the VTU microphone and camera (and knows how to do so) when the VTU is not actively participating in a conference. Provide user training regarding this SOP and include it in user agreements and user guides.
[IP][ISDN]; Interview the IAO to validate for CODEC compliance with the following requirement: In the event sleep mode is to be used to mitigate standby vulnerabilities, ensure that sleep mode provides and/or is configured to provide the following functionality: - The CODEC’s audio and video pickup/transmission capability should be disabled as follows: > Disable the microphone’s audio pickup capability. > Disable the camera’s image capture capability. > Disable remote activation/control capabilities of the camera and microphone. - Auto-answer capabilities are disabled. - Local user action is required to exit sleep mode such as pressing some button or key to activate the wakeup function. - If a wake-on-incoming-call feature is available, it must not fully wake the VTU and may only provide an indication that there is an incoming call along with meeting the incoming call display requirement below so that the user can make an informed decision to wake the system and answer the call or not. - In the event the VTU can be remotely accessed or managed during sleep mode, the following controls must be in place: > The VTU must limit access to specific authorized IP addresses. > Remote access must not permit the activation of the microphone and camera unless this functionality is required to meet validated, approved, and documented mission requirements. Note: If the VTU meets the user activation/authentication and banner requirements stated later, these functions must be invoked when the VTU wakes. Note: If the VTU has a sleep mode, in addition to the required capabilities noted above, it should have configurable settings that permit immediate user activation via a button press and an automatic activation with a configurable time frame that could be as short as 15 seconds or as long as several hours, or never. This would permit the sleep mode to be used as partial or full mitigation for the vulnerabilities addressed by the above two requirements.
The various configurable settings could be used when the VTU is in different locations. For example, the short duration and/or user activation could be used in a classified environment. APL Testing: This is a finding in the event this requirement is not supported by the VTU. Have the IAO or SA demonstrate the configuration setting required to meet the individual features of this requirement. Place the VTU in standby/sleep mode, place a call to the VTU, and view its responses.
[IP][ISDN]; Perform the following tasks: Configure the VTU to provide the following functionality: - The CODEC’s audio and video pickup/transmission capability must be disabled as follows: > Disable the microphone’s audio pickup capability. > Disable the camera’s image capture capability. > Disable remote activation/control capabilities of the camera and microphone. - Auto-answer capabilities are disabled. - Local user action is required to exit sleep mode such as pressing some button or key to activate the wakeup function. - If a wake-on-incoming-call feature is available, it must not fully wake the VTU and may only provide an indication that there is an incoming call along with meeting the incoming call display requirement below so that the user can make an informed decision to wake the system and answer the call or not. - In the event the VTU can be remotely accessed or managed during sleep mode, the following controls must be in place: > The VTU must limit access to specific authorized IP addresses. > Remote access must not permit the activation of the microphone and camera unless this functionality is required to meet validated, approved, and documented mission requirements. Note: If the VTU meets the user activation/authentication and banner requirements stated later, these functions must be invoked when the VTU wakes. Note: If the VTU has a sleep mode, in addition to the required capabilities noted above, it should have configurable settings that permit immediate user activation via a button press and an automatic activation with a configurable time frame that could be as short as 15 seconds or as long as several hours, or never. This would permit the sleep mode to be used as partial or full mitigation for the vulnerabilities addressed by the above two requirements. The various configurable settings could be used when the VTU is in different locations. For example, the short duration and/or user activation could be used in a classified environment.
[IP][ISDN] Interview the IAO to validate for compliance with the following requirement: If the VTU is capable of receiving incoming calls while inactive or while active, ensure the following: - The VTU displays the source of the incoming call and to the extent possible, the identity of the caller, such that the user can make an informed decision to answer the call or not. - Directories are maintained with current information regarding user information related to other VTUs with which the VTU is expected to communicate unless calling VTUs provide the caller information along with the source information. - Users are trained to not answer incoming calls from unknown sources in the event doing so could disclose sensitive or classified information in the area of the VTU. - Users are trained to not answer incoming calls from unknown sources or sources that may not have appropriate clearance or a need-to-know during a conference since doing so could improperly disclose sensitive or classified information to the caller. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. Interview the IAO and have him/her demonstrate on a sampling of the VTUs in the system
[IP][ISDN]; Perform the following tasks: - Configure the VTU to display the source of the incoming call and to the extent possible, the identity of the caller, such that the user can make an informed decision to answer the call or not. - Maintain directories with current information regarding user information related to other VTUs with which the VTU is expected to communicate unless calling VTUs provide the caller information along with the source information. - Train users to not answer incoming calls from unknown sources in the event doing so could disclose sensitive or classified information in the area of the VTU. - Train users to not answer incoming calls from unknown sources or sources that may not have appropriate clearance or a need-to-know during a conference since doing so could improperly disclose sensitive or classified information to the caller.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: If a VTC endpoint auto-answer feature is available, ensure it is administratively disabled, thus ensuring the feature is not selectable by the user, unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval will be obtained from the DAA or IAM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. Verify that if the auto-answer feature is available on the VTU endpoint that it is administratively disabled. If auto-answer is a mission requirement, verify that the IAO has evidence/documentation that the DAA or IAM responsible has given written approval for its use.
[IP][ISDN]; Perform the following tasks: Administratively disable the auto-answer function on the VTU unless required to fulfill validated and approved mission requirements. If auto-answer is required to fulfill validated and approved mission requirements, obtain written approval for the use of this function from the DAA or IAM and maintain documentation on the validated requirement and approval. Train users in the proper use of auto-answer and the vulnerabilities associated with it.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: In the event the auto-answer feature is available and/or used, ensure a policy and procedure is in place and enforced such that, all of the following occurs: - The auto-answer feature is configured to answer with the microphone muted. - The camera is covered or otherwise disabled while waiting for a call. - The VTU provides a visual indication that a call has been answered. - The user will ensure the ringer or audible notification volume is set to an easily audible level or the VTU will automatically satisfy this requirement. - The user(s) to which the feature is available is trained in its proper use as reflected in the SOP and in the vulnerabilities it presents. Note: During APL testing, this is a finding in the event “auto-answer with microphone muted” is not configurable on the VTU. It is also desirable that this setting will ensure the audible notification is at a level to be easily heard. Determine if this requirement is covered in a SOP and user training/agreements. Interview a sampling of users to determine their awareness and implementation of the requirement. Verify that, if supported, the VTU auto-answer feature is configured to answer with microphone muted.
[IP][ISDN]; Perform the following tasks: In the event the auto-answer feature is approved for use, perform the following tasks: - Maintain full documentation on the validation of the mission requirement and the DAA approval to use the auto-answer feature - Develop and enforce a SOP regarding the proper use of the auto-answer feature. - Configure the auto-answer feature to answer with the microphone muted. - Ensure the camera is covered by the user or otherwise disabled automatically while waiting for a call. - Ensure the VTU provides a visual indication that a call has been answered. - Train users to ensure the ringer or audible notification volume is set and maintained at an easily audible level or the VTU automatically satisfies this requirement. - Train the user(s) to which the feature is available in its proper use as reflected in the SOP and in the vulnerabilities it presents.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure the following regarding incoming calls while the VTU is engaged in a conference: - The VTU automatically rejects incoming calls, is administratively configured to return a “busy signal”, or optionally does so through the use of a user selected “do-not-disturb” feature. OR - The VTU is configured to not automatically answer an incoming call and join it to an active conference (in progress) without user intervention. (i.e., the user must decide to answer the call or not based on the required source and caller information display. Answering the call effects the join.) OR - A password, entered by the caller, is required to access the VTU’s integrated MCU. This password must be unique among all other passwords used by the system. This capability must not be functional at all times, i.e., it is only to be functional when the capability is required to be used. Note: In the event the VTU supports the “call-in/join via local meeting password” feature for the integrated MCU, the VTU should also have an administrative setting that disables this capability thereby forcing host action. In effect this setting would invoke an automatic “do-not-disturb” or return of a “busy” signal while the VTU is active. The various VTC vendors implement VTU integrated MCU access control differently. Examples are as follows: Tandberg – Dial out and dial in with host action only – no local meeting password option. Polycom – Dial-out and Dial-in w/ “meeting password” which is required to join a multipoint call or streamed meeting. This is a memory location used to set the local MCU or streamed media access or join password for access to the VTU and to set the endpoint password given to another MCU when calling into it. “This field can also be used to store a password required by another system that this system calls.” Note: This pre-configurable “meeting password” violates unique and scripted password policies. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU as an administrator configurable option and/or as a default condition. The desired capability is to block incoming calls during a VTC session by default without requiring the user to set the condition since the user may forget to do so. The user may have the capability to set the condition that temporarily turns off the “do-not-disturb” feature such that the call can be answered externally to the conference and then manually joined. Interview the IAO to determine if this requirement is covered in a SOP and user training/agreements. Interview a sampling of users to determine their awareness and implementation of the requirement. Place a call to an endpoint that is already in a conference and witness its response or reaction.
[IP][ISDN]; Perform the following tasks: Ensure the following regarding incoming calls while the VTU is engaged in a conference: - The VTU automatically rejects incoming calls, is administratively configured to return a “busy signal”, or optionally does so through the use of a user selected “do-not-disturb” feature. AND/OR - The VTU is configured to not automatically answer an incoming call and join it to an active conference (in progress) without user intervention. (i.e., the user must decide to answer the call or not based on the required source and caller information display. Answering the call effects the join.) AND/OR - A password, entered by the caller, is required to access the VTU’s integrated MCU. This password must be unique among all other passwords used by the system. This capability must not be functional at all times, i.e., it is only to be functional when the capability is required to be used.
[IP]; Interview the IAO to validate compliance with the following requirement: In the event the VTU is connected to an IP network ensure remote monitoring of the VTU via IP is disabled unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to be disabled or the feature/capability must not be supported. Interview the IAO to determine if remote monitoring is required and approved to meet mission requirements. Have the IAO or SA demonstrate compliance with the requirement.
[IP]; Perform the following tasks: - Obtain validation of mission requirements and DAA approval if remote monitoring of a VTU is to be used. OR - Configure the VTU to disable remote monitoring if the feature is not needed to satisfy validated, approved, and documented mission requirements.
[IP]; Interview the IAO to validate compliance with the following requirement: In the event the VTU is connected to an IP network ensure access to IP remote monitoring and associated control functions of the VTU is minimally protected by a password. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to have a password set in order to access remote monitoring features. Verify that an administrator password is required to access a remotely accessible VTU. Have the IAO or SA demonstrate compliance with the requirement.
[IP]; Perform the following tasks: If IP remote monitoring is activated, configure the VTU to require a password before permitting access to the remote monitoring and associated control functions.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure conference participants are made aware that a conference is being monitored by someone that is not a direct participant of the call or conference. Interview the IAO to determine if this requirement is covered by an automatic indicator that appears on all participating endpoints OR is covered in a SOP and user training/agreements. Interview the IAO and monitoring “operator/facilitator” to determine their awareness and implementation of the requirement.
[IP][ISDN]; Perform the following tasks: - Configure the CODEC and/or MCU to automatically display an indication on all endpoints participating in a conference that the conference is being monitored. OR - Develop a SOP that addresses manual notification by SAs and chair persons that the conference is being monitored.
[IP][ISDN]; Interview the Administrator to validate compliance with the following requirement: Ensure administrators that are required to monitor a conference or conferences possess a security clearance that is the same as or higher than the VTC system and the conference information to which they are exposed. Verify with IAO that conference call operator/facilitator has security clearance commensurate with or higher than the classification level of the system and/or the information to which they are exposed.
[IP][ISDN]; Perform the following tasks: Ensure administrators that are required to monitor a conference or conferences possess a security clearance that is the same as or higher than the VTC system and the conference information to which they are exposed.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure far end camera control is disabled unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., far end camera control must be able to be disabled or the feature must not be supported. Determine if far end camera control is required and approved to meet mission requirements. Have the IAO or SA demonstrate compliance with the requirement.
[IP][ISDN]; Perform the following tasks: Configure the CODEC to disable far end camera control OR Document and validate the mission requirements that require far end camera control to be enabled and obtain DAA approval. Maintain the requirement and approval documentation for review by auditors.
If a VTU under review is connected to classified IP networks and the conference information owners provide written confirmation that encryption is not required within the classified enclave, this requirement is not applicable. If the VTC systems, endpoints, and MCUs under review are on a physically separate network from the enclave’s LAN and use dedicated point-to-point circuits outside the enclave to interconnect to MCUs and other endpoints, this requirement is not applicable. If the VTC systems, endpoints, and MCUs under review are on a logically separate network on the enclave’s LAN using a dedicated and closed VTC VLAN, and protected on the WAN using an encrypted VPN between endpoints and the MCU, this requirement is not applicable. Review the VTC system architecture and ensure the VTC data in transit is encrypted. If the VTC data in transit is not encrypted, this is a finding. Ensure the strongest encryption algorithm is used for VTC media streams as supported by all communicating VTUs and associated MCUs.
Configure the VTC system architecture to require all data in transit be encrypted, with a preference for FIPS-validated or NSA-approved cryptography over legacy encryption.
Interview the ISSO to validate compliance with the following requirement: Ensure VTUs under his/her control employ encryption module(s) validated to FIPS 140-2. Determine if the various VTUs with which the system under review is expected to communicate support and are using FIPS 140-2 validated encryption modules and that they are operated in FIPS mode. Have the ISSO or SA demonstrate and verify that the VTU is using FIPS 140-2 validated encryption in FIPS mode. Review documentation from the vendor designating the encryption modules in use and verify that they are listed on the NIST CMVP validated modules web site (http://csrc.nist.gov/groups/STM/cmvp/validation.html). If the VTU does not use a FIPS 140-2 validated encryption module, this is a finding.
Purchase and install only those VTUs and MCUs that employ encryption modules that are validated to FIPS 140-2 standards. Upgrade or replace non-compliant devices. Note: Updating firmware or software to provide desired functionality is preferred. A vendor may provide security updates and patches that offer additional functions. In many cases, the IA Vulnerability Management (IAVM) system mandates updating software to reduce risk to DoD networks.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure all VTUs under the IAO’s control display a visual indicator that encryption is in fact taking place. Note: During APL testing, this is a finding in the event this requirement is not supported by the CODEC, i.e., an on screen visual indicator displaying that encryption is indeed occurring. Note: In the event encryption is provided by external devices (not the CODEC), an external indicator meets this requirement in place of the on-screen indicator.
[IP][ISDN]; Perform the following tasks: Implement VTU CODECs that provide an on screen indicator that encryption is occurring and active. OR If the encryption is provided by external devices (not the CODEC), implement an external indicator to display encryption status in place of an on-screen indicator provided by the CODEC.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included: - The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation is necessary. - When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication. Note: This requirement must be reflected in user training, agreements and guides. Verify that there is a policy and procedure in place that enforces and guides users on how and what to check when participants are required to use encryption.
[IP][ISDN]; Perform the following tasks: Define and enforce policy and procedure that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included: - The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation is necessary. - When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication.
Review site documentation to confirm VTC system and component default and factory passwords have been changed. This includes SNMP community strings, which must be changed or replaced prior to the VTU being placed into service. If the VTC system and component default and factory passwords are not changed, this is a finding. Note: During APL testing, this is a finding in the event default passwords cannot be changed on the VTC system or VTU.
Change all VTC system and component default and factory passwords, including SNMP community strings, before the device is placed into service.
Review site documentation to confirm the VTC system and components do not display passwords in clear text when logging onto a VTU locally or remotely. If the VTC system or any of its components do display passwords in clear text, this is a finding. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.
Configure the VTC system and components so that passwords are not displayed in clear text. If existing devices do not support this behavior, upgrade them as soon as possible.
Review site documentation to confirm a policy and procedure requires the videoconferencing system and components to have passwords meeting complexity or strength policy, as follows: - PINs entered into a local video endpoint from a hand-held remote control must contain at least six digits. - PINs entered into a remote video endpoint from a hand-held remote control must contain at least nine digits. - Passwords entered from a keyboard must contain at least 15 characters with at least one lowercase letter, one uppercase letter, one number, and one special character. - Passwords and PINs must be encrypted per DoD standards. If the videoconferencing system and components do not have passwords meeting complexity or strength policy, this is a finding.
Configure videoconferencing system and component passwords to meet the complexity and strength policy.
Review site documentation to confirm passwords are required for access to all functions and services of the VTU, to include: - Local user device use/activation and access to user configurable settings. - Local user or machine access to the user’s networked or otherwise attached PC running a presentation or desktop sharing application when permitted. - Local administrator access to configuration settings. - Remote administrator access to configuration settings and for remote software or firmware upgrade. - Remote caller access to a VTU integrated MCU conference if local user intervention is not required. - Remote user access to media streamed from a VTU CODEC. - Passwords used by VTU users, administrators, and devices are logically grouped by entity and roles (human or machine), type of access provided (information vs. control), and device accessed. - Passwords are unique across these logical groups. (i.e., a single password will not be used for multiple functions or to access multiple devices from a given VTU with the exception of a user’s local access to the VTU or its user accessible settings). - Passwords that provide user or administrator level access to another device or information will not be stored on the VTU for automated entry in lieu of the person entering the required password. If a VTU password is not used for each VTU function, this is a finding. If different VTU passwords are not used for groups of VTU functions, this is a finding.
Implement VTUs that support different passwords for different functions as follows: - Passwords are required for access to all functions and services of the VTU. This includes, but may not be limited to, the following: - Local user device use/activation and access to user configurable settings. - Local user or machine access to the user’s networked or otherwise attached PC running a presentation or desktop sharing application (if used or permitted; discussed later under PC Data and Presentation Sharing). - Local administrator access to configuration settings. - Remote administrator access to configuration settings and for remote software or firmware upgrade via IP or ISDN. - Remote caller access to a VTU integrated MCU conference if local user intervention is not required. - Remote user access to media streamed from a VTU CODEC. - Passwords used by VTU users, administrators, and devices are logically grouped by entity and roles (human or machine), type of access provided (information vs. control), and device accessed. - Passwords are unique across these logical groups (i.e., a single password will not be used for multiple functions or to access multiple devices from a given VTU with the exception of a user’s local access to the VTU or its user accessible settings). - Passwords that provide user or administrator level access to another device or information will not be stored on the VTU for automated entry in lieu of the person entering the required password. Note: Updating firmware or software to provide desired functionality is preferred. A vendor may provide security updates and patches that offer additional functions.
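As an added example (not part of the STIG and not any vendor's tooling), the following Python script audits a VTU credential inventory against the rules in the three password requirements above: it applies the six-digit local PIN, nine-digit remote PIN and 15-character four-class keyboard password rules, treats SNMP community strings as passwords, flags well-known factory default values that were never changed, and flags a secret that is reused across different logical groups. The inventory, the list of default values, the group naming scheme and the "kind" labels are constructed assumptions for illustration; a site would populate them from its own device list and the vendor's documented defaults.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Factory/default values that must be replaced before a VTU is placed in service.
# Assumed list for illustration; use the vendor's documented defaults in practice.
KNOWN_DEFAULTS = {"", "public", "private", "admin", "password", "1234", "0000"}

# Minimum lengths from the requirement text: 6-digit local PINs, 9-digit remote
# PINs, 15-character keyboard passwords containing all four character classes.
PIN_MIN = {"local-pin": 6, "remote-pin": 9}
PASSWORD_MIN = 15
SPECIAL = re.compile(r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class Credential:
    device: str        # VTU or component the secret protects
    access_point: str  # function / entry point, e.g. "remote-admin-web"
    group: str         # logical group: entity or role + access type + device
    kind: str          # "local-pin" | "remote-pin" | "keyboard-password" | "snmp-community"
    secret: str


def strength_findings(c):
    """Return the strength/complexity violations for one credential (empty list = OK)."""
    out = []
    s = c.secret
    if s.lower() in KNOWN_DEFAULTS:
        out.append("default/factory value not changed")
    if c.kind in PIN_MIN:
        if not s.isdigit():
            out.append("PIN must be numeric")
        if len(s) < PIN_MIN[c.kind]:
            out.append(f"PIN shorter than {PIN_MIN[c.kind]} digits")
    elif c.kind in ("keyboard-password", "snmp-community"):
        # SNMP community strings are managed like passwords; assumption: same rule set.
        if len(s) < PASSWORD_MIN:
            out.append(f"password shorter than {PASSWORD_MIN} characters")
        if not any(ch.islower() for ch in s):
            out.append("no lowercase letter")
        if not any(ch.isupper() for ch in s):
            out.append("no uppercase letter")
        if not any(ch.isdigit() for ch in s):
            out.append("no digit")
        if not SPECIAL.search(s):
            out.append("no special character")
    else:
        out.append(f"unknown credential kind {c.kind!r}")
    return out


def reuse_findings(creds):
    """Flag any secret shared across different logical groups.

    A user's local VTU access and the user-accessible settings are the one
    permitted exception; model them as a single group so they are not flagged.
    """
    groups_by_secret = defaultdict(set)
    for c in creds:
        groups_by_secret[c.secret].add(c.group)
    out = []
    for c in creds:
        others = groups_by_secret[c.secret] - {c.group}
        if others:
            out.append((c.device, c.access_point, f"secret reused by group(s) {sorted(others)}"))
    return out


def audit(creds):
    """Return (device, access_point, message) tuples; an empty list means no finding."""
    findings = []
    for c in creds:
        findings.extend((c.device, c.access_point, msg) for msg in strength_findings(c))
    findings.extend(reuse_findings(creds))
    return findings


# Constructed sample inventory (not real site data). The remote dial-in PIN is
# too short and reuses the local user PIN; the SNMP community string is still
# the factory value; the admin password is strong but shared across two devices.
SAMPLE = [
    Credential("vtu-01", "local-user-pin", "user/local/vtu-01", "local-pin", "482913"),
    Credential("vtu-01", "remote-dialin-pin", "caller/remote/vtu-01", "remote-pin", "482913"),
    Credential("vtu-01", "remote-admin-web", "admin/remote/vtu-01", "keyboard-password", "Zq7!mPv2#Lr9@Wx4"),
    Credential("vtu-01", "snmp-ro", "nms/remote/vtu-01", "snmp-community", "public"),
    Credential("mcu-01", "admin-console", "admin/local/mcu-01", "keyboard-password", "Zq7!mPv2#Lr9@Wx4"),
]

if __name__ == "__main__":
    for device, access_point, message in audit(SAMPLE):
        print(f"{device}:{access_point}: {message}")
```

Run as-is it reports ten findings for the sample inventory; the audit output does not print the secrets themselves, so it can be attached to the finding details without becoming the password log the SOP requirements below say must be kept in a safe or an encrypted file.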
Review site documentation to confirm the classified videoconferencing system authenticates using a unique user logon prior to performing functions and services. The video endpoint must not be capable of placing or answering a call unless it is unlocked by a user logon. Additionally, ensure the video endpoint configuration settings are as follows: - Unique (non-default/non-shared) IDs for each privileged and user account, to include an administrator test account. Note this is best accomplished using a central user management system, such as RADIUS or TACACS+. Authentication must meet current DoD requirements and may implement username/password or multifactor authentication (DoD PKI token preferred). - Video endpoints to require unique user identities to authenticate at first logon and when unlocking. - Video endpoints to automatically lock after 15 minutes of inactivity. - Video endpoints to display incoming call notifications while locked (a unique ID is required to activate the video endpoint and answer the call). If the classified videoconferencing system is not configured as above, this is a finding. If the classified videoconferencing system does not authenticate using a unique user logon prior to performing functions and services, this is a finding.
Configure the classified videoconferencing system to authenticate with a unique user logon prior to performing functions and services. Additionally, configure the video endpoint with the following: - Configure unique (non-default/non-shared) IDs for each privileged and user account, to include an administrator test account. Note this is best accomplished using a central user management system, such as RADIUS or TACACS+. Authentication must meet current DoD requirements and may implement username/password or multifactor authentication (DoD PKI token preferred). - Configure video endpoints to require unique user identities to authenticate at first logon and when unlocking. - Configure video endpoints to automatically lock after 15 minutes of inactivity. - Configure video endpoints to display incoming call notifications while locked (a unique ID is required to activate the video endpoint and answer the call).
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: In the event a system/device does not support all DoD IA requirements for password/PIN and account management or logon requirements, ensure a policy and procedure is in place and enforced that minimally addresses the following: - Strong passwords/PINs will be used to the extent supported by the system/device. Each access point and password will be addressed separately. - Password/PIN reuse will be limited and will be in compliance with policy and INFOCON requirements. - Password/PIN change intervals will be defined for each access point based upon policy, INFOCON levels, and operational requirements. - Passwords/PINs will be changed when compromised or personnel (users or administrators) leave the organization. - Passwords/PINs that are no longer needed will be removed in a timely manner. A periodic review will be performed as scheduled by the SOP. - SNMP community strings will be managed like passwords/PINs. - A password/PIN change/removal log will be maintained and stored in a secure access controlled manner (such as in a safe or an encrypted file on an access controlled server or workstation) for each device noting each access point, its password, and the date the password was changed. Such a log will aid in such things as SOP enforcement, password history compliance, and password recovery. Note: If and when VTC systems provide support for user and administrator accounts, this SOP is extended or modified to cover account management as necessary to manage non-automated functions. Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
[IP][ISDN]; Perform the following tasks: Define and enforce policy and procedure that addresses password/PIN and account management and includes the following:
- Strong passwords/PINs will be used to the extent supported by the system/device. Each access point and password will be addressed separately.
- Password/PIN reuse will be limited and will be in compliance with policy and INFOCON requirements.
- Password/PIN change intervals will be defined for each access point based upon policy, INFOCON levels, and operational requirements.
- Passwords/PINs will be changed when compromised or when personnel (users or administrators) leave the organization.
- Passwords/PINs that are no longer needed will be removed in a timely manner. A periodic review will be performed as scheduled by the SOP.
- SNMP community strings will be managed like passwords/PINs.
- A password/PIN change/removal log will be maintained and stored in a secure, access-controlled manner (such as in a safe or in an encrypted file on an access-controlled server or workstation) for each device, noting each access point, its password, and the date the password was changed. Such a log will aid in SOP enforcement, password history compliance, and password recovery.
Provide user training regarding this SOP and include it in user agreements and user guides.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: If the use of a local meeting password is required because it is supported by the VTU, ensure a “local meeting password” policy and procedure is in place and enforced, along with user training, that addresses the following:
- Implementation and distribution of a temporary password for the session when use of the feature is required. This password is used one time and not repeated. This password must not match any other user or administrative password on the device.
- Disablement of the feature when its use is not required, or the installation of a strong blocking password that is kept confidential. This password could be distributed as the temporary password when use of the feature is required if it is changed and kept confidential following the session.
- User instructions on how to properly set and manage the password if site policy permits the user to set the password instead of calling an administrator.
- User awareness training regarding the vulnerabilities associated with the reuse of meeting passwords.
Note: In some instances, the local meeting password is also used for gaining access to media streamed from the VTU. While these are two different functions or entry points, and should not have the same password, the passwords for these functions are to be managed and used similarly. Streaming is discussed later in this document.
Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
Note: This requirement applies to VTC CODECs that can host a multipoint meeting or conference using an integral MCU. Such an MCU is typically capable of supporting four to six endpoints. A “local meeting password” typically controls access to the MCU. In some cases, this password is also used to access conference streaming.
Note: This requirement applies to VTU CODECs that contain an integrated MCU.
Note: During APL testing, this is a finding in the event one-time “meeting passwords” are not supported by the MCU.
[IP][ISDN]; Perform the following tasks: Define and enforce policy and procedure that addresses the management and use of a “local meeting password” for access to meetings hosted or streamed by a CODEC. The SOP will include the following:
- Implementation and distribution of a temporary password for the session when use of the feature is required. This password is used one time and not repeated. This password must not match any other user or administrative password on the device.
- Disablement of the feature when its use is not required, or the installation of a strong blocking password that is kept confidential. This password could be distributed as the temporary password when use of the feature is required if it is changed and kept confidential following the session.
- User instructions on how to properly set and manage the password if site policy permits the user to set the password instead of calling an administrator.
- User awareness training regarding the vulnerabilities associated with the reuse of meeting passwords.
Provide user training regarding the SOP and include it in user agreements and user guides.
[IP]; Interview the IAO to validate compliance with the following requirement: In the event the VTU/CODEC is connected to an IP based LAN, and if the CODEC supports streaming, ensure users/operators and administrators of a VTU receive training regarding streaming that addresses the following:
- User awareness regarding the vulnerabilities streaming from a CODEC presents to conference confidentiality.
- User awareness regarding accidental activation of streaming.
- How to recognize the displayed indication provided by the VTU that it is in streaming mode.
- How to terminate streaming, particularly if the CODEC should not be streaming.
- The implementation and distribution of a temporary password for an approved CODEC streaming session using a one-time password that is not repeated and does not match any other user or administrative password.
Note: This is a requirement whether streaming from a CODEC is approved or not.
Interview VTC/CODEC administrators and users/operators to verify that they have received training on the vulnerabilities of streaming, recognition of CODEC streaming, and how to deactivate streaming when it is active. Have a sampling of these individuals demonstrate their knowledge. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
[IP]; In the event the VTU/CODEC is connected to an IP based LAN, and if the CODEC supports streaming, perform the following tasks:
- Train CODEC users/operators and administrators regarding CODEC streaming, addressing the following:
> User awareness regarding the vulnerabilities streaming from a CODEC presents to conference confidentiality.
> User awareness regarding accidental activation of streaming.
> How to recognize the displayed indication provided by the VTU that it is in streaming mode.
> How to terminate streaming, particularly if the CODEC should not be streaming.
Additionally, include this information in user agreements and guides.
[IP]; Interview the IAO to validate compliance with the following requirement: Ensure the following streaming configuration settings are implemented as prudent to further minimize the effect of accidental or unwanted streaming activation when streaming is not required to be activated:
- Disable streaming and/or user activation of streaming.
- Disable remote start of streaming (if remote start is supported).
OR, if the above settings do not exist or do not work properly:
- Clear the streaming destination or multicast address(es).
- Set TTL/router hops to 0, or to a maximum of 1 if 0 is not accepted.
- Set the password used to access the CODEC for streaming to a strong password that meets or exceeds minimum DoD password requirements. This password is kept confidential.
Note: If clearing the IP address or IP port does not prevent the CODEC from streaming to a default address or port, set a unicast address that will never be used by a device and set a very high IP port.
Note: This requirement is applicable whether the CODEC is normally connected to an IP based LAN or not. If not normally connected to an IP based LAN, these settings will mitigate the vulnerability in the event the CODEC does become connected to a LAN via unauthorized or clandestine means.
Note: During APL testing, this is a finding in the event the product does not support the ability to disable conference streaming.
Have the IAO or SA demonstrate the streaming configuration on a random sampling of CODECs.
[IP]; Perform the following tasks when CODEC streaming is not required to be used: Configure the CODEC as follows:
- Disable streaming and/or user activation of streaming.
- Disable remote start of streaming (if remote start is supported).
OR, if the above settings do not exist or do not work properly:
- Clear the streaming destination or multicast address(es).
- Set TTL/router hops to 0, or to a maximum of 1 if 0 is not accepted.
- Set the password used to access the CODEC for streaming to a strong password that meets or exceeds minimum DoD password requirements. This password is kept confidential.
Note: If clearing the IP address or IP port does not prevent the CODEC from streaming to a default address or port, set a unicast address that will never be used by a device and set a very high IP port.
Note: This requirement is applicable whether the CODEC is normally connected to an IP based LAN or not. If not normally connected to an IP based LAN, these settings will mitigate the vulnerability in the event the CODEC does become connected to a LAN via unauthorized or clandestine means.
[IP]; Interview the IAO to validate compliance with the following requirement: If and when implementing streaming, ensure the following streaming configuration settings are implemented as prudent to minimize accessibility to the media stream:
- Implement and distribute a temporary password for the session. For best protection of the system, this password is used one time and not repeated. This password must not match any other user or administrative password.
- Enter an appropriate address and IP port for delivery of the media stream. If multicast is used, these are different from the default settings used by the vendor, and are randomly different each time they are used.
- Set TTL/router hops to an appropriate number to limit the range of distribution of the media stream to within the local LAN or Intranet as required. This number should be limited to 1 for the local network, 15 or 16 for the campus, 25 for the adjoining site. Never enter a high number such as 64 and above, since this will extend the reach to a region or the world as the number goes higher.
Determine/review site policy/procedure for the implementation of approved VTC CODEC streaming. Review configuration settings to be used. If any CODECs are currently approved for and configured to stream, inspect or have the SA demonstrate the configuration used. This is a finding if the policy/procedure and/or configuration does not match or support the requirement items listed above.
[IP]; Perform the following tasks if streaming of a VTC CODEC session is approved and is to be implemented:
- Implement and distribute a temporary password for the session. This password is used one time and never repeated. This password must not match any other user or administrative password.
- Configure the CODEC by entering an appropriate address and IP port for delivery of the media stream. If multicast is used, these must be different from the default settings used by the vendor, and are randomly different each time they are used.
- Configure the CODEC by setting TTL/router hops to an appropriate number to limit the range of distribution of the media stream to within the local LAN or Intranet as required. This number should be limited to 1 for the local network, 15 or 16 for the campus, 25 for the adjoining site. Never enter a high number such as 64 and above, since this will extend the reach to a region or the world as the number goes higher.
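The streaming checks above (disabled/neutralised when not required; one-time password, non-default multicast destination and scoped TTL when approved) can be scripted as a configuration audit. This is an added example, not STIG or vendor code: the configuration dictionary layout, the vendor default multicast destination and the 15-character strength floor are constructed assumptions.

```python
"""Audit a VTC CODEC streaming configuration against the streaming items above.

Added example, not vendor or STIG code. The config dictionary layout, the
vendor default multicast destination and the password strength floor are
constructed assumptions for illustration.
"""
import ipaddress

# Constructed assumption: the vendor's factory default multicast destination.
VENDOR_DEFAULT_DESTINATION = ("239.255.0.1", 50000)

# TTL ceilings per distribution scope, taken from the requirement text.
TTL_LIMITS = {"local": 1, "campus": 16, "adjoining_site": 25}

# Constructed assumption standing in for "meets or exceeds DoD minimums".
MIN_PASSWORD_LEN = 15


def _is_multicast(address):
    """True when the address parses and lies in a multicast range."""
    try:
        return ipaddress.ip_address(address).is_multicast
    except ValueError:
        return False


def audit_streaming(cfg, device_passwords, scope=None, history=()):
    """Return a list of finding strings (an empty list means compliant).

    cfg: {'enabled', 'remote_start', 'address', 'port', 'ttl', 'password'}
    device_passwords: every other user/admin password configured on the CODEC
    scope: None when streaming is not required, else a key of TTL_LIMITS
    history: earlier approved sessions as (password, address, port) tuples
    """
    findings = []
    addr, port = cfg.get("address"), cfg.get("port")
    ttl, pw = cfg.get("ttl", 0), cfg.get("password", "")

    if scope is None:
        # Streaming not required: prefer disabling it outright ...
        if cfg.get("enabled") or cfg.get("remote_start"):
            findings.append("streaming or remote start is still enabled")
        # ... and neutralise the destination in case disabling is ineffective.
        if addr and _is_multicast(addr):
            findings.append("multicast destination not cleared")
        if ttl > 1:
            findings.append(f"TTL {ttl} exceeds 1 while streaming is not required")
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append("streaming access password is not strong")
        return findings

    # Approved session: one-time password distinct from every other credential.
    if pw in device_passwords:
        findings.append("session password matches another device password")
    if any(pw == h[0] for h in history):
        findings.append("session password was used in an earlier session")
    if len(pw) < MIN_PASSWORD_LEN:
        findings.append("session password is not strong")

    # Multicast destinations must differ from vendor defaults and prior sessions.
    if addr and _is_multicast(addr):
        if (addr, port) == VENDOR_DEFAULT_DESTINATION:
            findings.append("multicast destination is the vendor default")
        if any((addr, port) == (h[1], h[2]) for h in history):
            findings.append("multicast destination repeats an earlier session")

    # TTL bounds the reach of the stream; 64 and above leaks beyond the site.
    if ttl >= 64:
        findings.append(f"TTL {ttl} would propagate the stream regionally or globally")
    elif ttl > TTL_LIMITS[scope]:
        findings.append(f"TTL {ttl} exceeds the {scope} limit of {TTL_LIMITS[scope]}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a session that reuses the admin password, keeps the
    # vendor default destination and sets a TTL of 64.
    sample = {"enabled": True, "remote_start": False, "address": "239.255.0.1",
              "port": 50000, "ttl": 64, "password": "admin"}
    for f in audit_streaming(sample, {"admin"}, "campus"):
        print("finding:", f)
```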
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure VTU users receive training in the proper use and operation of PC to CODEC connections and understand the vulnerabilities associated with such interconnections regarding inadvertent or improper information disclosure. Interview a sampling of VTU administrators and users to verify that training has been provided for proper use and operation of PC to CODEC connections and that they understand the vulnerabilities associated with such interconnections regarding inadvertent or improper information disclosure. This is a finding if deficiencies are found. List these deficiencies in the finding details.
[IP][ISDN]; Perform the following tasks: Train users and administrators in the proper use and operation of PC to CODEC connections and provide an understanding of the vulnerabilities associated with such interconnections regarding inadvertent or improper information disclosure.
[IP]; Interview the IAO to validate compliance with the following requirement: In the event a software based virtual connection between a PC/workstation and a CODEC is to be used for presentation display, file transfer, or collaboration, the IAO will ensure the following:
- Additional appropriate policy and procedures for this type of connection are added to the required “Presentation/PC workstation display sharing” policy and procedure. These are based on the particular vendor’s solution to be implemented.
- Additional appropriate user training is added to the training requirement noted above.
- An assessment of the application to be used is performed and documented to verify that it performs only those functions that are necessary, that the application behaves properly on the platform, and that it does not invalidate the security of the workstation.
- A risk assessment regarding the use of the application is performed and documented in light of the application assessment and the defined operational policy/procedures.
- The responsible DAA approves, in writing, the installation of the additional software to the PC workstation(s) required to use this method.
- The responsible DAA approves, in writing, the implementation and use procedures that mitigate the application’s vulnerabilities.
Note: Assessments should be performed and DAA approvals should be obtained prior to purchase.
Note: The IAO will maintain the policy, procedures, assessment documentation, risk assessment, and DAA approvals for inspection by IA auditors as evidence of compliance.
Verify that additional and appropriate user training is added to the training requirement as noted in RTS-VTC 2460.00 that addresses additional vulnerabilities associated with presentation, application, and desktop sharing to a VTU from a PC. AND Verify additional vendor specific procedures and policies have been implemented. AND Verify that assessments have been performed and documented to validate that the additional VTU application(s) have not invalidated the security of the workstation. Verify with the IAO that a risk assessment has been performed and documented. AND Verify that the DAA has approved in writing the installation of additional VTU software and that the DAA is aware of and has approved the implementation and procedures used to mitigate the VTU application(s) vulnerabilities. This is a finding if deficiencies are found. List these deficiencies in the finding details.
[IP]; Perform the following tasks:
- Develop additional appropriate policy and procedures for this type of connection and add them to the required “Presentation/PC workstation display sharing” policy and procedure. These are based on the particular vendor’s solution to be implemented.
- Provide additional appropriate user training beyond the training requirement noted under RTS-VTC 2460.
- Perform and document an assessment of the application to be used to verify that it performs only those functions that are necessary, that the application behaves properly on the platform, and that it does not invalidate the security of the workstation.
- Perform and document a risk assessment regarding the use of the application in light of the application assessment and the defined operational policy/procedures.
- Obtain approval from the responsible DAA in writing for the installation of the additional software to the PC/workstation(s) required to use this method.
- Obtain approval from the responsible DAA in writing for the use and implementation procedures that mitigate the application’s vulnerabilities.
- Maintain the policy, procedures, assessment documentation, risk assessment, and DAA approvals for inspection by IA auditors as evidence of compliance.
Note: Assessments should be performed and DAA approvals should be obtained prior to purchase.
Review site documentation to confirm a CODEC’s API does not provide unrestricted access to user or administrator configuration settings without the use of an appropriate password. Review the vendor documentation on the API. Look for information on restricting access to user or administrator configuration settings. Determine what user or administrator configuration settings are accessible or programmable via the API. Determine all API access methods and communications protocols, meaning local serial connection or “remotely” via a network. AND Establish a connection to the CODEC’s API using the information gained above and a PC; disconnect any AV control panel if necessary. Attempt to gain access and to change various user or administrator configuration settings via the API. If a CODEC's local API does not prevent unrestricted access to user or administrator configuration settings and CODEC controls without a password, this is a finding.
Implement only CODECs with a local API that prevents unrestricted access to user or administrator configuration settings and CODEC controls without a password.
[IP][ISDN]; Validate compliance with the following requirement: Ensure control command communications between a CODEC and an audio visual control panel (touch panel) that are implemented using a wired or wireless networking technology, or via a wired network (i.e., LAN), are encrypted and that the CODEC authenticates the source of the commands.
Note: This finding can be reduced to a CAT III (as opposed to not a finding) for direct connections using the Ethernet connection on the CODEC. This is because, in this case, direct connection is only a partial mitigation, since there is the potential that the VTU could still be connected to a LAN.
Note: This is not a finding for direct connections using the EIA-232 serial connection on the CODEC.
Determine if the API connection between a CODEC and its AV control panel is via wired or wireless networking technology or a LAN. This is a finding if the control panel does not encrypt its commands and the CODEC does not authenticate the source of the commands. Have the SA demonstrate, or inspect, the CODEC’s configuration settings regarding the encryption and authentication methods for the API communications with the AV control panel.
[IP][ISDN]; Perform the following tasks: Purchase and implement VTC CODECs and AV control panels that support the encryption and authentication of API messages from the AV control panel. AND Configure VTC CODEC to only accept authenticated and encrypted API messages from the AV control panel. AND Configure the AV control panel to encrypt its control messages and to include authentication information for each message such that the CODEC can authenticate the source of the message before acting upon it.
Review site documentation to confirm a policy and procedure requires that secure protocols be implemented for CODEC remote control and management. Ensure secure remote access protocols, such as HTTPS and SSH, are used for CODEC remote control, management, and configuration. If secure protocols are not implemented for CODEC remote control and management, this is a finding.
Note: During APL testing, if the device does not support encrypted management protocols or an encrypted VPN between the managing workstation and the managed device, this is a finding.
Secure protocols must be implemented for CODEC remote control and management. Purchase and implement VTC CODECs and other VTC devices that support encryption of “Remote Control/Management/Configuration” protocols via the use of encrypted protocols or encrypted VPN tunnels between the managing PC/workstation and the managed device. AND Configure VTC CODECs and other VTC devices to use encrypted “Remote Control/Management/Configuration” protocols or an encrypted VPN tunnel between the managing PC/workstation/server and the managed device.
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure remote access ports, protocols, and services used for VTC system/device “Remote Control/Management/Configuration” are disabled, turned off, or removed if not required in the specific implementation of the device. Determine what ports, protocols, and services are required in the specific implementation of the device. Have the SA demonstrate the device configuration regarding these protocols, or independently validate that only the required ports, protocols, and services are active. Validation can be performed by performing a scan of the network and management interface of the system/device. This is a finding if it is determined that there are ports, protocols, and services active that are not needed for the specific implementation of the device.
[IP]; Perform the following tasks: Configure the VTC system/device such that unused or unneeded ports, protocols, and services are disabled or removed from the system.
[IP]; Interview the IAO and validate compliance with the following requirement: If SNMP is used to monitor or remotely control/manage/configure a VTC system/device, ensure the use of SNMP is performed in compliance with the applicable SNMP requirements found in the Network Infrastructure STIG. This is a finding if SNMP is not being used in accordance with the Network Infrastructure STIG. Note: During APL testing, this is a finding in the event SNMP configuration cannot come into compliance with the Network Infrastructure STIG.
[IP]; Perform the following tasks: If SNMP is used to monitor or remotely control/manage/configure a VTC system/device, implement and configure SNMP in compliance with the applicable SNMP requirements found in the Network Infrastructure STIG.
[IP]; Interview the IAO and validate compliance with the following requirement: If the VTU is connected to an IP based LAN, ensure remote management access (administrator and management system/server/application) and SNMP access and reporting are restricted by IP address and/or subnet. Determine what IP addresses or subnets are authorized to send VTC system/device “Remote Control/Management/Configuration” messages and what IP addresses or subnets are authorized to receive monitoring or status messages from the VTC system/device. Have the SA demonstrate how the VTC system/device is configured to restrict “Remote Control/Management/Configuration” messages to and from these authorized IP addresses or subnets. This is a finding if there is no limitation on either sending or receiving these messages.
Note: During APL testing, this is a finding in the event the VTC system/device does not support the limiting of all management traffic to authorized IP addresses or subnets.
[IP]; Perform the following tasks: Configure the VTC system/device to restrict the source and/or destination of VTC system/device “Remote Control/Management/Configuration” and monitoring/status traffic to/from authorized IP addresses or subnets.
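The two directions this check covers (who may send management/configuration traffic to the device, and who may receive its monitoring/status traffic) can be validated against a connection log from the CODEC or the switch in front of it. This is an added example, not STIG or vendor code: the log line format, the addresses, the authorized subnets and the port-to-service mapping are constructed assumptions.

```python
"""Flag VTC management and monitoring traffic outside the authorized subnets.

Added example, not vendor or STIG code. The log format, addresses, subnets
and port mapping below are constructed assumptions for illustration.
"""
import ipaddress
import re

# Constructed assumptions: the CODEC's own address, the subnet allowed to send
# "Remote Control/Management/Configuration" traffic, and the host allowed to
# receive monitoring/status (SNMP trap) traffic from the CODEC.
CODEC_IP = "10.20.40.8"
AUTHORIZED_MGMT = [ipaddress.ip_network("10.20.30.0/24")]
AUTHORIZED_MONITOR = [ipaddress.ip_network("10.20.31.5/32")]

# Inbound management services and outbound monitoring services, by port.
MGMT_PORTS = {22: "ssh", 443: "https", 161: "snmp"}
MONITOR_PORTS = {162: "snmp-trap"}

# Constructed log format: "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

# Constructed sample lines: one authorized HTTPS login, one SSH login from an
# unauthorized subnet, one trap to the authorized receiver, one trap to an
# unknown host, one denied attempt and one unparseable line.
SAMPLE_LOG = """\
2024-01-01T10:00:01 tcp 10.20.30.15:51000 -> 10.20.40.8:443 accept
2024-01-01T10:00:05 tcp 192.168.77.9:40222 -> 10.20.40.8:22 accept
2024-01-01T10:00:09 udp 10.20.40.8:40001 -> 10.20.31.5:162 accept
2024-01-01T10:00:12 udp 10.20.40.8:40002 -> 172.16.5.5:162 accept
2024-01-01T10:00:20 tcp 192.168.77.9:40223 -> 10.20.40.8:443 deny
garbage line
""".splitlines()


def _allowed(ip, networks):
    """True when ip falls inside one of the authorized networks."""
    return any(ipaddress.ip_address(ip) in net for net in networks)


def review_management_traffic(lines, codec_ip=CODEC_IP):
    """Return (violations, unparsed).

    violations: (reason, line) pairs for accepted management traffic from an
                unauthorized source or accepted monitoring traffic to an
                unauthorized receiver. Denied traffic is the desired state
                and is not reported.
    unparsed:   lines that did not match LOG_RE, so the reviewer can look at
                them rather than silently trusting the result.
    """
    violations, unparsed = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        _, _, src, _, dst, dport, action = m.groups()
        dport = int(dport)
        if action != "accept":
            continue
        # Inbound management: the source must be an authorized management host.
        if dst == codec_ip and dport in MGMT_PORTS and not _allowed(src, AUTHORIZED_MGMT):
            violations.append((f"{MGMT_PORTS[dport]} management accepted from {src}", line))
        # Outbound monitoring: status/trap messages may only go to authorized receivers.
        if src == codec_ip and dport in MONITOR_PORTS and not _allowed(dst, AUTHORIZED_MONITOR):
            violations.append((f"{MONITOR_PORTS[dport]} sent to unauthorized receiver {dst}", line))
    return violations, unparsed


if __name__ == "__main__":
    found, skipped = review_management_traffic(SAMPLE_LOG)
    for reason, line in found:
        print("finding:", reason, "|", line)
    for line in skipped:
        print("unparsed:", line)
```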
Interview the ISSO and validate compliance with the following requirement: Ensure all VTC systems and devices are running the latest DoD-approved patches, firmware, and software from the VTC system and device vendors to ensure the most current IA vulnerability mitigations or fixes are employed. Validate the latest software, firmware, and patches are installed on VTC systems and devices. Inspect the documentation regarding DoD testing and approval of the installed versions. If a CODEC or other VTC device is not using the latest software, firmware, and patches from the VTC system or device vendor, this is a finding. Note: Updating firmware or software to provide desired functionality is preferred. A vendor may provide security updates and patches that offer additional functions. In many cases, the IA Vulnerability Management (IAVM) system mandates updating software to reduce risk to DoD networks.
Perform the following tasks: Ensure software and firmware updates and patches are tested and approved by a DoD entity prior to installation, per DoD policy. Install the latest DoD-approved patches, firmware, and software from the system/device vendor.
Interview the IAO to validate compliance with the following requirement: Verify all video teleconferencing system components display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access. If the displayed text is not exactly as specified in the DoD Instruction 8500.01 dated March 14, 2014, this is a finding. The text is posted on the IASE website: https://dl.cyber.mil/hidden/home/unclass-consent_banner.zip
Configure all video teleconferencing system components to display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access.
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure all VTC system management suites/applications, gateways, and scheduling systems are configured in compliance with all applicable STIGs and are operated on STIG compliant platforms.
Note: The following is a listing of applicable STIGs, but possibly not all of them:
- Operating system (e.g., Windows, UNIX)
- Web Server, Application Services
- Database
- Application Development, Application Security Checklist
Determine the STIGs that are applicable to the site’s VTC system management suites/applications, gateways, and scheduling systems. Inspect documentation regarding the IA review of these systems and applications against the applicable STIGs. This is a finding only if the site’s VTC system management suites/applications, gateways, and scheduling systems have not been reviewed against all applicable STIGs. This is not a finding if all applicable reviews have been performed, regardless of the number of findings determined during those reviews. The IA posture of the reviewed system is based on the results of those reviews.
[IP]; Perform the following tasks:
- Determine the STIGs that are applicable to the VTC system’s management suites/applications, gateways, and scheduling systems.
- Configure these systems in accordance with the requirements in the applicable STIGs.
[IP][ISDN]; Interview the IAO and validate compliance with the following requirement: Ensure local policies are developed and enforced regarding the approval and deployment of office-based VTUs, desktop VTUs, and PC software based VTC applications. Such policies will include and/or address the following:
- Validation and justification of the need for VTC endpoint installation, to include annual revalidation.
- Approval of VTC endpoint deployment on a case-by-case basis.
- Documentation regarding the validation, justification, and approvals.
Inspect the documentation regarding the policy for justifying the installation of office-based VTUs, desktop VTUs, and PC software based VTC applications. Inspect the documentation regarding the justification and re-justification of the need for all VTC endpoint installations. This is a finding if there is no documented policy, or if installation justifications have not been documented.
[IP][ISDN]; Perform the following tasks:
- Develop, document, and enforce a policy regarding the justification for the installation of office-based VTUs, desktop VTUs, and PC software based VTC applications.
- Document the justification for the installation of all office-based VTUs, desktop VTUs, and PC software based VTC applications.
- Maintain this documentation for inspection by auditors.
Review site documentation to confirm the VTC management system and endpoint have risk approval and acceptance in writing by the responsible AO. Inspect documentation to ensure that if VTC and VTU endpoints are in use, they have been approved by the responsible AO in writing. This documentation should reference the risk assessment performed with the AO’s acknowledgement of a full understanding of any risk, vulnerabilities, and mitigations surrounding the VTC implementation. If the VTC management system and endpoint do not have risk approval and acceptance in writing by the responsible AO, this is a finding.
Implement site documentation containing the VTC management system and endpoint risk approval and acceptance in writing by the responsible AO.
Review site documentation to confirm the VTC system and endpoint users, administrators, and helpdesk representatives receive cybersecurity training as follows:
- Administrators, helpdesk representatives, and users are trained in all VTC system and endpoint vulnerabilities, cybersecurity issues, risks to both meeting and non-meeting related information, and assured service capabilities.
- Users, administrators, and helpdesk representatives are trained in all aspects of VTC system and endpoint vulnerability, risk mitigation, and operating procedures. This training may be tailored to the specific VTC system or devices for a site.
- Administrators and helpdesk representatives are trained in all aspects of VTC system and endpoint configuration and implementation, to include approved connections.
- The details contained in the SOPs intended to mitigate the vulnerabilities and risks associated with the configuration and operation of the specific VTC system or devices, to include:
> Protection of the information discussed or presented in the meeting, such as the technical measures to prevent disclosure as well as the inadvertent disclosure of sensitive or classified information to individuals within view or earshot of the VTU.
> The inadvertent disclosure of non-meeting related information to other conference attendees while sharing a presentation or other information from a PC workstation.
> The inadvertent capture and dissemination of non-meeting related information from the area around the VTC endpoint to the other conference attendees.
- Other training topics mentioned elsewhere in this document are not listed here.
If VTC system and endpoint users, administrators, and helpdesk representatives do not receive the above cybersecurity training, this is a finding.
Note: Documentation is maintained regarding users’, administrators’, and helpdesk representatives’ receipt of training. Training is refreshed annually and may be incorporated into other IA training received annually. The site may modify these items in accordance with local site policy; however, these items must be addressed in the training materials.
Implement site documentation to support that the VTC system and endpoint users, administrators, and helpdesk representatives receive cybersecurity training as follows:
- Administrators, helpdesk representatives, and users are trained in all VTC system and endpoint vulnerabilities, cybersecurity issues, risks to both meeting and non-meeting related information, and assured service capabilities.
- Users, administrators, and helpdesk representatives are trained in all aspects of VTC system and endpoint vulnerability, risk mitigation, and operating procedures. This training may be tailored to the specific VTC system or devices for a site.
- Administrators and helpdesk representatives are trained in all aspects of VTC system and endpoint configuration and implementation, to include approved connections.
- The details contained in the SOPs intended to mitigate the vulnerabilities and risks associated with the configuration and operation of the specific VTC system or devices, to include:
> Protection of the information discussed or presented in the meeting, such as the technical measures to prevent disclosure as well as the inadvertent disclosure of sensitive or classified information to individuals within view or earshot of the VTU.
> The inadvertent disclosure of non-meeting related information to other conference attendees while sharing a presentation or other information from a PC workstation.
> The inadvertent capture and dissemination of non-meeting related information from the area around the VTC endpoint to the other conference attendees.
- Other training topics mentioned elsewhere in this document are not listed here.
Maintain documentation on who received training and when.
Review site documentation to confirm a policy and procedure requires VTC system and endpoint users to sign a user agreement when accepting an endpoint or obtaining approval to use an endpoint. Inspect the user agreement to confirm it contains the following at minimum:
- Acknowledgement of their awareness of the vulnerabilities and risks associated with the use of the specific VTC system or devices the user is receiving, will receive, or will use.
- Acknowledgement of their awareness of the methods contained in the SOP and training materials intended to mitigate the vulnerabilities and risks.
- Agreement to operate the system in a secure manner and employ the methods contained in the SOP and training materials intended to mitigate the vulnerabilities and risks.
- Acknowledgement of the penalties for non-compliance with the rules of operation, if stated in the agreement.
- Acknowledgement of their awareness of the capability (or lack thereof) of the system to provide assured service for C2 communications.
If a policy and procedure requiring VTC system and endpoint users to sign a user agreement when accepting an endpoint or obtaining approval to use an endpoint does not exist, this is a finding. If the user agreement does not, at minimum, contain the above, this is a finding.
Implement a policy and procedure requiring VTC system and endpoint users to sign a user agreement when accepting an endpoint or obtaining approval to use an endpoint. Maintain copies of the signed user agreements and provide a copy to the user for their reference.
Review site documentation to confirm user guides and documentation packages are developed and distributed to users operating VTC endpoints, to include conference room systems, that provide the following information:
- Reiterates the policies and restrictions agreed to when the user's agreement was signed upon receiving the VTC endpoint or authorization to use one.
- Provides cautions and notice of the non-assured nature of VTC communications so that C2 users are aware and reminded regarding the use of this communications media for C2.
- Provides instruction regarding the proper and safe use of a VTC endpoint's or conference room system's audio and video capabilities such that the appropriate confidentiality of meeting related and non-meeting related information is maintained.
- Provides instruction regarding the proper and safe use of document and desktop sharing when using a PC connected to a VTC endpoint such that the appropriate confidentiality of meeting related and non-meeting related information is maintained.
- Provides instruction regarding the safeguarding of meeting related and non-meeting related sensitive and/or classified information.
If user guides and documentation packages are not developed and distributed to users operating VTC endpoints, this is a finding.
Implement a policy or procedure for user guides and documentation packages to be developed and distributed to users operating VTC endpoints, to include conference room systems, that provide the following information:
- Reiterates the policies and restrictions agreed to when the user's agreement was signed upon receiving the VTC endpoint or authorization to use one.
- Provides cautions and notice of the non-assured nature of VTC communications so that C2 users are aware and reminded regarding the use of this communications media for C2.
- Provides instruction regarding the proper and safe use of a VTC endpoint's or conference room system's audio and video capabilities such that the appropriate confidentiality of meeting related and non-meeting related information is maintained.
- Provides instruction regarding the proper and safe use of document and desktop sharing when using a PC connected to a VTC endpoint such that the appropriate confidentiality of meeting related and non-meeting related information is maintained.
- Provides instruction regarding the safeguarding of meeting related and non-meeting related sensitive and/or classified information.
Review site documentation to confirm VTC systems are logically or physically segregated on the LAN from data systems, voice (VoIP) systems, and by VTC system type as follows:
- Verify that there is a dedicated LAN infrastructure and IP address space for the VTC endpoints.
OR
- Verify that there is a pruned and closed VLAN/IP subnet structure and dedicated IP address space on the LAN for the VTC system(s) that is (are) separate from the VLAN and IP address space/IP subnet structure(s) assigned to data systems and other non-integrated voice communications (VoIP) systems.
- Verify that VTC systems are segregated on the LAN from each other and from other LAN services as follows:
  - Primary conference room systems
  - Hardware-based desktop and office VTUs
  Exception 1: If integrated with the VoIP phone system, these devices may connect to the VoIP system VLAN structure.
  Exception 2: If part of an overall managed VTC network within the enclave, or if hardware-based desktop and office VTUs must communicate with the conference room systems within the enclave, these devices may connect to the conference room VLAN structure.
- Local MCUs and VTU configuration management/control servers must reside in the VTC VLAN and IP subnet with the devices they manage or conference.
- If WAN access is required, the VLAN(s) or dedicated infrastructure can be extended to the enclave boundary.
If any of these criteria apply and are not implemented, this is a finding.
Implement VTC systems to be logically or physically segregated on the LAN from data systems, voice (VoIP) systems, and by VTC system type. Design dedicated LAN infrastructure and IP address space for the VTC endpoints or implement a pruned and closed VLAN that is separate from the VLAN assigned to data systems and voice (VoIP) systems. Implement a separate IP address subnet for the VTC systems separate from the IP address subnet assigned to data systems and other non-integrated voice communications (VoIP) systems. Configure ACLs on each routing device in the LAN to limit traffic that needs to cross between the VTC VLANs and the data or management VLAN to authorized traffic based on the service or authorized IP address.
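The segregation check and fix above can be turned into a repeatable audit of a site's VLAN design. The following is an added example, not part of the STIG and not modelling any vendor's product: it takes a constructed inventory of VLANs, VTC devices and inter-VLAN ACL permits and reports each way the design departs from the requirement (shared address space, a VTU/MCU/management server outside a VTC VLAN, an MCU or management server not co-located with the VTUs it serves, or a cross-VLAN permit that is not a named, port-specific, authorized service). The VLAN names, address ranges, device names and the AUTHORIZED_CROSS_SERVICES list are assumptions a site would replace with its own approved values.

```python
"""Audit a VTC LAN design against the segregation rules above.

Added example; not part of the STIG and not any vendor's product.  All
VLANs, addresses, devices, ACL entries and the authorized-service list are
constructed sample data / assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VTC_ROLES = {"vtc-conf", "vtc-desktop"}        # VTC VLAN types named in the requirement
NON_VTC_ROLES = {"voip", "data", "mgmt"}       # everything VTC must be separated from
AUTHORIZED_CROSS_SERVICES = {"ntp", "dns", "syslog", "snmp"}   # assumption: site-approved list


@dataclass(frozen=True)
class Vlan:
    name: str
    role: str
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                      # "vtu", "mcu", "vtu-mgmt", "pc", "phone"
    addr: ipaddress.IPv4Address


@dataclass(frozen=True)
class AclPermit:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "udp", "tcp" or "ip" (any)
    port: Optional[int]            # None = any port
    service: str                   # what the permit is for, e.g. "ntp"


# Small constructors so inventories can be written with plain strings.
def vlan(name, role, cidr):
    return Vlan(name, role, ipaddress.ip_network(cidr))


def device(name, kind, ip):
    return Device(name, kind, ipaddress.ip_address(ip))


def permit(src, dst, proto, port, service):
    return AclPermit(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port, service)


def vlan_for(net_or_addr, vlans) -> Optional[Vlan]:
    """Return the VLAN whose subnet wholly contains the address/network, else None ("any")."""
    net = ipaddress.ip_network(str(net_or_addr), strict=False)
    for v in vlans:
        if net.subnet_of(v.subnet):
            return v
    return None


def audit(vlans, devices, acls) -> list:
    """Return a list of finding strings; an empty list means the design passes."""
    findings = []
    vtc_vlans = [v for v in vlans if v.role in VTC_ROLES]
    other_vlans = [v for v in vlans if v.role in NON_VTC_ROLES]

    # 1. Dedicated address space: no VTC subnet may overlap a data/VoIP/management subnet.
    for a in vtc_vlans:
        for b in other_vlans:
            if a.subnet.overlaps(b.subnet):
                findings.append(f"VTC VLAN {a.name} shares address space with {b.name}")

    # 2. VTUs, MCUs and VTU management servers must sit in a VTC VLAN ...
    vtu_vlans = set()
    for d in devices:
        if d.kind not in {"vtu", "mcu", "vtu-mgmt"}:
            continue
        v = vlan_for(d.addr, vlans)
        if v is None or v.role not in VTC_ROLES:
            findings.append(f"{d.kind} {d.name} ({d.addr}) is not in a VTC VLAN")
        elif d.kind == "vtu":
            vtu_vlans.add(v.name)
    # ... and MCUs / management servers must share a VLAN with the VTUs they serve.
    for d in devices:
        if d.kind in {"mcu", "vtu-mgmt"}:
            v = vlan_for(d.addr, vlans)
            if v is not None and v.role in VTC_ROLES and v.name not in vtu_vlans:
                findings.append(f"{d.kind} {d.name} is in {v.name}, which holds no VTUs")

    # 3. Anything permitted across the VTC boundary must be an authorized, port-specific service.
    for acl in acls:
        s, t = vlan_for(acl.src, vlans), vlan_for(acl.dst, vlans)
        src_is_vtc = s is not None and s.role in VTC_ROLES
        dst_is_vtc = t is not None and t.role in VTC_ROLES
        if src_is_vtc == dst_is_vtc:
            continue                               # stays inside (or outside) the VTC VLANs
        if acl.service not in AUTHORIZED_CROSS_SERVICES or acl.port is None or acl.proto == "ip":
            findings.append(f"unauthorized cross-VLAN permit {acl.src} -> {acl.dst} "
                            f"({acl.proto}/{acl.port} {acl.service})")
    return findings


# Constructed sample design (RFC 1918 addresses chosen arbitrarily).
VLANS = [
    vlan("VTC-CONF", "vtc-conf", "10.10.10.0/24"),
    vlan("VTC-DESK", "vtc-desktop", "10.10.11.0/24"),
    vlan("VOIP", "voip", "10.20.0.0/22"),
    vlan("DATA", "data", "10.30.0.0/16"),
    vlan("MGMT", "mgmt", "10.40.0.0/24"),
]
DEVICES = [
    device("room-a-vtu", "vtu", "10.10.10.20"),
    device("desk-vtu-1", "vtu", "10.10.11.20"),
    device("mcu-1", "mcu", "10.10.10.5"),
    device("vtu-cms", "vtu-mgmt", "10.10.11.5"),
    device("user-pc", "pc", "10.30.4.17"),
]
ACLS = [
    permit("10.10.10.0/24", "10.40.0.10/32", "udp", 514, "syslog"),
    permit("10.10.11.0/24", "10.40.0.10/32", "udp", 123, "ntp"),
]

if __name__ == "__main__":
    for line in audit(VLANS, DEVICES, ACLS) or ["no findings"]:
        print(line)
```

Run against the sample inventory the audit reports nothing; adding an `ip any` permit from the DATA subnet into VTC-CONF, or placing an MCU in the DATA VLAN, produces a finding line for each, which is the kind of evidence the check text asks a reviewer to gather.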
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure VTC endpoint connectivity is established via an approved DoD wireless LAN infrastructure. Furthermore, ensure both the LAN and VTC endpoint are configured and operated in compliance with the Wireless STIG. Note: During APL testing, this is a finding in the event the VTU cannot come into compliance with the applicable requirements in the Wireless STIG. Inspect the VTU configuration to verify that if wireless is not required it is disabled. If wireless connectivity is required, verify/inspect that the wireless functionality is configured and operating in accordance with the Wireless STIG.
[IP]; Perform the following tasks: If wireless LAN connectivity is required, configure the wireless LAN capabilities of a VTU using the applicable requirements in the Wireless STIG.
Verify VTC endpoints do not simultaneously connect to a wired LAN and a wireless LAN. If the VTC endpoint equipment can pass traffic between the two LANs, this is a finding.
Configure the VTC system to prohibit simultaneous connection to a wireless LAN and a wired LAN connection. NOTE: Best practice is to design the VTC endpoint unit with equipment that does not support wireless LAN connectivity or to insert an approved isolation switch between the networks connected to the VTC endpoint. For VTC endpoints relying on wireless connectivity for the conference room control system, cameras, or microphones, additional design considerations may be necessary to prevent bridging networks.
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure wireless capability is configured as "disabled". Note: In the event such a setting is not available for a PCMCIA WLAN card, this finding can be reduced to a CAT III if the PCMCIA slot is fitted with a hard-to-remove device that prevents the insertion of a card into the slot. If the VTU supports wireless LAN connectivity and it is not needed, verify that it is disabled. In the event the wireless capability is supported by inserting a WLAN card into a PCMCIA slot, verify that the wireless capability remains disabled when the card is inserted. In the event such a setting is not available for a PCMCIA WLAN card, verify that the PCMCIA slot is fitted with a hard-to-remove device that prevents the insertion of a card into the slot. Note: It is recognized that there is no mitigation for or configuration setting that would prevent the connection of an external wireless LAN adaptor via the wired LAN connection. This however would not permit both the wired and wireless LAN capabilities of the VTU to be active at the same time.
[IP]; Perform the following tasks: Configure the VTU to disable wireless LAN capabilities whether an internal wireless adaptor or a WLAN card plugged into a PCMCIA slot is used. OR Physically prevent the ability to insert a WLAN card into a PCMCIA slot.
Interview the ISSO and validate compliance with the following requirement: If the audio, video, white boarding, data sharing capabilities or components of a VTC system are implemented using wireless RF technologies, ensure the following:
- All information-bearing RF transmissions are encrypted to prevent eavesdropping.
- All control-bearing RF transmissions are encrypted and/or authenticated to prevent control hijacking.
- Wireless technologies covered by the Wireless STIG and other DoD wireless policies are implemented and configured in compliance with that STIG and other policies.
- Such implementations are approved by the responsible local AO in writing, and the ISSO will maintain approval documentation for inspection by IA auditors.
Note: A much more expensive mitigation to this issue would be to enclose the room in RF shielding so that the information or control bearing VTC radio signals cannot escape the facility and external control signals cannot enter the facility. This might not be practical.
Note: Wireless AV control systems or "touch panels" were discussed and requirements provided earlier in this document. The earlier mentioned requirements are to be used in conjunction with this one.
Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.
Inspect the configuration of the VTC system and all wireless RF components and their associated documentation to ensure that the wireless traffic is protected. Also inspect approval documentation to ensure the responsible local AO has approved, in writing, the implementation of VTU based wireless RF components. If a VTU or conference room implemented using wireless components is not protected from external control or compromise, this is a finding.
Perform the following tasks: Purchase and install wireless RF VTC system components that can support the following:
- The encryption of all information-bearing RF transmissions to prevent eavesdropping.
- The encryption and/or authentication of all control-bearing RF transmissions to prevent control hijacking.
- The configuration of wireless technologies covered by the Wireless STIG and other DoD wireless policies.
AND
Configure all wireless RF VTC system components to encrypt information-bearing RF transmissions to prevent eavesdropping and to encrypt and/or authenticate all control-bearing RF transmissions to prevent control hijacking.
AND
Obtain written approval from the responsible AO for the use of wireless RF components to assemble the VTC system.
AND/OR
Enclose the facility housing the VTC system in RF shielding so that the information or control bearing VTC radio signals cannot escape the facility and external control signals cannot enter the facility.
OR
Implement a hardwired VTC system.
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure all protocols and services that cross the enclave boundary and/or any of the defined DoD boundaries (along with their associated IP ports) used by VTC systems for which he/she is responsible are registered in the DoD Ports and Protocols Database in accordance with DoDI 8550.1. Review network diagrams and device documentation to identify what VTC/VTU/MCU Ports/Protocols/Services are used by the VTC system. Once these Ports/Protocols/Services have been determined and confirmed for use, verify that these same Ports/Protocols/Services are registered and approved for use in the DoD Ports and Protocols Database in accordance with DoDI 8550.1. Note: Reference tables are provided in the STIG.
[IP]; Perform the following tasks:
- Determine what Ports/Protocols/Services are used by the VTC system within the enclave and which cross the enclave boundary, as well as what other boundaries they traverse.
- Register all Ports/Protocols/Services that are used by the VTC system in the PPS database.
Review site documentation to confirm control measures are implemented for all conferences hosted on a centralized MCU appliance as follows:
- Only authorized endpoints are permitted to access an MCU.
- Only authorized users are permitted to access/join a conference. Authorization is pre-configured on the MCU access control system and is based on validated need-to-know as well as security clearance if applicable.
If access control measures are not implemented for all conferences hosted on a centralized MCU appliance, this is a finding.
Implement access control measures for all conferences hosted on a centralized MCU appliance as follows:
- Only authorized endpoints are permitted to access an MCU.
- Only authorized users are permitted to access/join a conference. Authorization is pre-configured on the MCU access control system and is based on validated need-to-know as well as security clearance if applicable.
Note: This applies to standing, scheduled one-time, and non-scheduled ad hoc conferences.
Review site documentation to confirm access control measures are implemented to control access to conference scheduling systems such that only authorized individuals can schedule conferences. Verify that only authorized individuals are permitted to schedule conferences. Inspect VTC scheduling system to verify that only users that are identified for accessing and setting up scheduled VTC conferences have access to said scheduling function. If access control measures are not implemented for all conferences hosted on a centralized MCU appliance, this is a finding.
Implement access control measures to control access to conference scheduling systems such that only authorized individuals can schedule conferences.
Verify that an automatic capability exists and review documentation to determine whether this capability is being implemented before transitioning from one period/network to the next. If no automatic capability exists, review organizational documentation to determine whether a manual procedure is specified and implemented before transitioning from one period/network to the next. Coordinate with the vendor/solutions provider and certifier to ensure all residual information is sanitized based on equipment make and model. If an automatic capability exists and is being implemented, this is not a finding. If an automatic capability exists but is not being implemented, this is a finding unless a manual procedure is specified and is being implemented. If a manual procedure is specified and is being implemented, this is not a finding. If no procedure is specified or none is being implemented, this is a finding.
Obtain equipment that has an automatic capability to sanitize memory or implement and document a manual procedure. Implement the automatic capability or manual procedure to sanitize all information while transitioning from one period/network to the next.
Review the VTC system architecture to verify that an approved A/B, A/B/C, or A/B/C/D switch is present and properly cabled. Alternately, validate that the VTC CODEC is manually connected to one network at a time through the use of a single patch cord. If neither is in place, this is a finding.
Obtain and install an approved A/B, A/B/C, or A/B/C/D switch. Alternately, manually connect the VTC CODEC to one network at a time through the use of a single patch cord.
Review the VTC system architecture and inspect the VTC CODEC to verify that ISDN lines are not connected directly to the CODEC if it connects to a classified IP network (e.g., SIPRNet, JWICS) at any time. If they are, this is a finding. Note: If the VTC system is used to support multiple networks having different classification levels, and the ISDN lines are isolated from classified IP, they must meet periods processing requirements.
Do not simultaneously connect ISDN lines to a VTC CODEC if the CODEC connects to a classified IP network.
Observe the operation of the VTC system as it transitions between networks. Verify that the CODEC is powered off for a minimum of 60 seconds during the transition. If it is not, this is a finding.
Sanitize volatile memory by disconnection of all power for at least 60 seconds.
Verify that the VTC system has an automated configuration management system configured to sanitize and reconfigure the CODEC when transitioning between networks. If it does, review documentation to determine that this capability is being implemented. If these conditions are met, this is not a finding. If the unit is not implementing an automated process, review documentation to determine whether a manual procedure is specified and implemented when transitioning between networks; this will result in a CAT III finding if these conditions are met and a CAT II finding if they are not. If an automatic capability exists but is not being implemented or an automated configuration management system is not being used, this is a CAT II finding unless a manual procedure is specified and is being implemented, then this is a CAT III finding. If the unit is not being sanitized when transitioning between networks, this is a CAT II finding.
Obtain a VTC system that has an automated sanitization capability. Implement and document a procedure that utilizes this capability to sanitize the CODEC when transitioning between networks. As a last resort, implement and document a manual sanitization / reconfiguration procedure to perform this function.
Review A/B, A/B/C, or A/B/C/D switch vendor documentation to determine if optical technologies are used to maintain electrical isolation between the input port/connection and between all selectable output ports/connections. If this is not the case, this is a finding. Validate approved equipment is being used. DISN Video Services (DVS) maintains a list of A/B, A/B/C, or A/B/C/D switches that have been certified to meet the above requirements at http://disa.mil/Services/Network-Services/Video/~/media/Files/DISA/Services/DVS/red_black_peripherals.xls. If the A/B, A/B/C, or A/B/C/D switch is not on the list, this is a finding.
Obtain and install an approved A/B, A/B/C, or A/B/C/D switch.
Review the VTC system architecture documentation and observe system operation while transitioning between networks to verify one of the following:
• The CODEC is switched to a disconnected/unused switch position while it is being purged/reconfigured.
• The CODEC is purged while connected to one network, then power cycled as it is switched to the next network, then reconfigured for that network.
• Alternately, if a manual switching procedure is used, ensure the CODEC is physically disconnected from any network while being reconfigured.
If none of these procedures is being followed, this is a finding.
Architect, implement, and configure the system such that the A/B, A/B/C, or A/B/C/D switch connects the CODEC to an unused switch position while it is being reconfigured during transition from one network to another.
OR
Architect, implement, and configure the system such that the CODEC configuration is purged before it is switched to the next network, then the CODEC is power cycled for the required time period as the A/B, A/B/C, or A/B/C/D switch connects the CODEC to the next network, then the CODEC is reconfigured for that network.
OR
If a manual switching procedure is used, physically disconnect the CODEC from any network while it is reconfigured for the next network.
Review the NIAP Product Compliant List (PCL) at https://www.niap-ccevs.org to verify that a certification exists for the A/B, A/B/C, or A/B/C/D switch or review a vendor-provided letter from NIAP or the NIAP test report indicating satisfactory completion of testing and PCL listing. Validation of certification via the NIAP PCL can be more easily facilitated if the vendor has provided the certification number. If the product is not on the list or a NIAP letter or test report is not provided, this is a finding.
Obtain and install an A/B, A/B/C, or A/B/C/D switch that has obtained Common Criteria certification.
Review the documentation to verify whether the A/B, A/B/C, or A/B/C/D switch is TEMPEST certified. Review TEMPEST certification documentation provided by a CTTA or the vendor to validate if the switch is TEMPEST certified. If the A/B, A/B/C, or A/B/C/D switch is not on the list, or satisfactory documentation is not provided, this is a finding.
Obtain and install a TEMPEST-certified A/B, A/B/C, or A/B/C/D switch.
Review the VTC system architecture to determine the method of network isolation used. Verify that only one CODEC or fiber optic media adaptor can be turned on at a time by attempting to turn on more than one CODEC concurrently. If more than one CODEC operates, this is a finding.
Obtain and implement a power control system that can support automatic mutually exclusive power control.
Review the documentation and, based on the TEMPEST ZONE in the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance, verify whether the required separations between RED and BLACK equipment and cables have been met. This includes cable routing inside equipment cabinets. Depending on the TEMPEST ZONE, the separation requirements are:
- Minimum equipment separation: 50 cm or 1 m
- Minimum cable separation: 5 cm or 15 cm
If the cables or equipment are closer than the minimum cable and equipment separation distances, this is a finding. In the event a CTTA has reviewed the system's installation and provided a favorable report or certification, this is not a finding.
Install cabling and equipment in accordance with the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance. Depending on the TEMPEST ZONE, the separation requirements are:
- Minimum equipment separation: 50 cm or 1 m
- Minimum cable separation: 5 cm or 15 cm
Review system documentation and verify that a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution has been implemented at the enclave boundary. If this does not exist, verify the following:
• The enclave firewall allows VTC traffic only to the internal IP address(es) of the internal CODEC(s) and the external address(es) of a central MCU or a limited set of remote endpoints.
• The inbound permit statements are restricted to a limited range of UDP ports and external IP addresses, while routing/outbound permit statements force all outbound VTC traffic to these external addresses.
• These UDP ports are not statically opened, but are manually opened and closed by the firewall administrator for the duration of VTC sessions.
If there is not a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution implemented at the enclave boundary and no other measures have been taken, this is a CAT I finding. If there is not a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution implemented at the enclave boundary, and the firewall is configured to allow VTC traffic only to the internal IP address(es) of the internal CODEC(s) and the external address(es) of a central MCU or a limited set of remote endpoints and the inbound permit statements are restricted to a limited range of UDP ports, this is a CAT III finding. If the firewall allows the VTC traffic only during VTC sessions, then this is no longer a finding.
Obtain and implement a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution at the enclave boundary. If this is not possible, configure the existing firewall to allow VTC traffic only to the internal IP address(es) of the internal CODEC(s) and the external address(es) of a central MCU or a limited set of remote endpoints. If possible, reconfigure the firewall to close VTC ports between sessions.
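The check text above grades a boundary without a VTC-aware firewall on three criteria and assigns CAT I, CAT III or no finding accordingly. The following added example, not part of the STIG and not any firewall product's own rule syntax, encodes that grading over a constructed rule set so a reviewer can see which condition drives the severity. The rule format, the documentation-range addresses, and the MAX_PORT_SPAN threshold used to decide what counts as a "limited range" of UDP ports are all assumptions.

```python
"""Grade enclave-boundary VTC firewall rules against the criteria above.

Added example; not part of the STIG and not any firewall product.  The
rule format, addresses and the MAX_PORT_SPAN threshold are assumptions.
"""
import ipaddress
from dataclasses import dataclass

MAX_PORT_SPAN = 256   # assumption: a wider inbound UDP range is not "limited"


@dataclass(frozen=True)
class Rule:
    direction: str    # "in" (toward the enclave) or "out"
    src: str          # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str        # "udp", "tcp" or "ip"
    port_lo: int
    port_hi: int
    static: bool      # True = permanently open; False = opened per session by the admin


def covered(cidr, allowed):
    """True if every address in cidr falls inside one of the allowed host/network entries."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def evaluate_boundary(rules, internal_codecs, external_peers, vtc_aware_boundary=False):
    """Return (severity, reasons) following the check text:
    a VTC/VVoIP-aware firewall or H.460 traversal means no finding; otherwise
    CAT I unless inbound permits are limited to codec/peer addresses and a
    limited UDP range (CAT III), and no finding if those ports are only opened
    for the duration of sessions."""
    if vtc_aware_boundary:
        return "NOT A FINDING", ["VTC/VVoIP-aware firewall or H.460 traversal in place"]
    reasons = []
    addresses_ok = ports_ok = session_only = True
    for r in rules:
        if r.direction == "in":
            # Criterion 1: inbound only from approved peers to the internal CODEC addresses.
            if not (covered(r.dst, internal_codecs) and covered(r.src, external_peers)):
                addresses_ok = False
                reasons.append(f"inbound {r.src} -> {r.dst} not limited to codec/peer addresses")
            # Criterion 2: a limited UDP port range.
            if r.proto != "udp" or r.port_hi - r.port_lo + 1 > MAX_PORT_SPAN:
                ports_ok = False
                reasons.append(f"inbound {r.proto} {r.port_lo}-{r.port_hi} is not a limited UDP range")
            # Criterion 3: pinholes opened per session, not statically.
            if r.static:
                session_only = False
                reasons.append(f"inbound {r.port_lo}-{r.port_hi} is statically open between sessions")
        elif not covered(r.dst, external_peers):
            # Outbound VTC traffic must be forced to the approved external addresses.
            addresses_ok = False
            reasons.append(f"outbound {r.src} -> {r.dst} not forced to approved external addresses")
    if not (addresses_ok and ports_ok):
        return "CAT I", reasons
    if not session_only:
        return "CAT III", reasons
    return "NOT A FINDING", reasons


# Constructed sample data using documentation address ranges; no real site.
INTERNAL_CODECS = ["10.10.10.0/24"]                       # internal CODEC subnet
EXTERNAL_PEERS = ["198.51.100.10/32", "203.0.113.0/28"]   # central MCU and approved remote endpoints

SESSION_SCOPED = [
    Rule("in", "203.0.113.0/28", "10.10.10.20/32", "udp", 50000, 50127, static=False),
    Rule("out", "10.10.10.0/24", "203.0.113.0/28", "udp", 50000, 50127, static=False),
]
STATIC_PINHOLE = [Rule("in", "203.0.113.0/28", "10.10.10.20/32", "udp", 50000, 50127, static=True)]
WIDE_OPEN = [Rule("in", "0.0.0.0/0", "10.10.10.0/24", "udp", 1024, 65535, static=True)]

if __name__ == "__main__":
    for label, rules in [("session-scoped", SESSION_SCOPED),
                         ("static pinhole", STATIC_PINHOLE),
                         ("wide open", WIDE_OPEN)]:
        severity, why = evaluate_boundary(rules, INTERNAL_CODECS, EXTERNAL_PEERS)
        print(f"{label}: {severity} {why}")
```

The three sample rule sets land on the three outcomes the check text describes: session-scoped pinholes to known peers are not a finding, the same pinholes left open between sessions are CAT III, and an any-source permit over a wide port range is CAT I. Passing `vtc_aware_boundary=True` short-circuits the grading, matching the first sentence of the check.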
Review network documentation and verify that the existing enclave network IDS/IPS is protecting the VTC system or that a dedicated IDS/IPS is protecting the VTC enclave. If there is no IDS/IPS protecting the VTC system, this is a finding.
Obtain and configure a dedicated IDS/IPS or configure the existing enclave IDS/IPS to protect the VTC system.
Review the system documentation and verify that an H.323 Gatekeeper and/or VVoIP session/call controller is in place and is configured to require authentication of endpoints. If there is no H.323 Gatekeeper or VVoIP session/call controller present; or it is not configured to require authentication of endpoints; or endpoints are not configured to authenticate with either, this is a finding.
Configure the endpoints and H.323 Gatekeeper or VVoIP session/call controller to authenticate endpoints.
Review the documentation to determine that the VTC equipment supports H.235-based signaling encryption and review configuration of the equipment to verify that it is being implemented. If the equipment does not support H.235-based signaling encryption or it has not been implemented, this is a finding.
Obtain equipment that supports H.235-based signaling encryption and configure the equipment to implement encryption.
Verify that the VTC Administrator and all other authorized personnel have a copy of the Operational Security Doctrine of the particular encryptor(s) in use at the site, as well as all applicable policies and guidance. Verify the following:
• If Type 1 encryptors that use OTAR rekeying methods are operated in a secure facility rated for the highest classification level of the keys used, this is not a finding.
• If Type 1 encryptors that use removable KEYMAT are operated in a secure facility rated for the highest classification level of the keys used and any removable KEYMAT remains with or in the Type 1 encryptor, this is not a finding.
• If Type 1 encryptors that use removable KEYMAT are NOT operated in a secure facility rated for the highest classification level of the keys used, verify the removable KEYMAT is secured in an appropriate secure facility rated for the highest classification level of the KEYMAT or in a GSA-approved container when the system is not in use. If so, this is a finding.
Implement Cryptographic Ignition Key handling procedures that comply with Operational Security Doctrine and applicable policies and guidance. Secure each CIK in either a GSA-approved safe or locked cabinet in a secure facility rated for the highest classification level of the KEYMAT.
Inspect the room where conferences take place to observe sign placement and that they accurately reflect the secure/non-secure status or classification of the network to which the system is connected. This will require a demonstration of the capability. If the signage is not posted or it does not accurately reflect the secure/non-secure status or classification of the network to which the system is connected, this is a finding.
Obtain and implement approved automatically controlled signage that indicates the secure/non-secure status or classification level of the conference/session. Install signs so they are clearly visible within the room and at the entranceways.
Review the documentation to determine whether approved A/B switches are in place. DISN Video Services (DVS) maintains a list of A/B switches and dial isolators that have been TEMPEST certified to meet the above requirements at http://disa.mil/Services/Network-Services/Video/~/media/Files/DISA/Services/DVS/red_black_peripherals.xls. If A/B switches operated in tandem or a dual A/B switch is not implemented and used, or the A/B switches are not on the list, this is a finding.
Obtain and install approved EIA-530 A/B switches.
Review the documentation to determine whether an approved EIA-366-A dial isolator is in place. DISN Video Services (DVS) maintains a list of A/B switches and dial isolators that have been TEMPEST certified to meet the above requirements at http://disa.mil/Services/Network-Services/Video/~/media/Files/DISA/Services/DVS/red_black_peripherals.xls. If a dial isolator is not implemented and used, or the dial isolator is not on the list, this is a finding. If there is no EIA-366-A connection between the CODEC and the IMUX and all dialing is performed from the IMUX, this is not a finding.
Obtain and install an approved EIA-366-A dial isolator unless there is no EIA-366-A connection between the CODEC and the IMUX and all dialing is performed from the IMUX.
Review the documentation and, based on the TEMPEST ZONE in the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance, verify whether the required separations between RED and BLACK equipment and cables are met. This includes cable routing inside equipment cabinets. Depending on the TEMPEST ZONE, the separation requirements are:
- Minimum equipment separation: 50 cm or 1 m
- Minimum cable separation: 5 cm or 15 cm
If the cables or equipment are closer than the minimum cable and equipment separation distances, this is a finding.
Install cabling and equipment in accordance with CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance. Depending on the TEMPEST ZONE, the separation requirements are:
- Minimum equipment separation: 50 cm or 1 m
- Minimum cable separation: 5 cm or 15 cm
Review documentation to determine whether approved dial isolators and A/B switches are being used. DISN Video Services (DVS) maintains a list of A/B switches and dial isolators that have been TEMPEST certified to meet the above requirements at http://disa.mil/Services/Network-Services/Video/~/media/Files/DISA/Services/DVS/red_black_peripherals.xls. If the A/B switch or dial isolator is not on the list, this is a finding.
Obtain and install DVS-approved dial isolators and A/B switches that maintain the following port-to-port isolation standards:
• 100 dB over the baseband audio frequency range between 0.3 and 15 kHz.
• 80 dB over the baseband video frequency range up to 5 MHz.
• 60 dB over the frequency range from one times (Rd) to ten times the basic data rate (10Rd) of the digital signal(s) processed.
Interview the IAO to validate compliance with the following requirement: Verify all video teleconferencing system components retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.
Configure all video teleconferencing system components to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.
Confirm a policy and supporting procedures are in place that address the placement and operation of video conferencing, UC soft client, and speakerphone speakers to prevent disclosure of sensitive or classified information over non-secure systems. Operational policy and procedures are included in user training and guides. The policy and supporting procedures should take into account the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use. If a policy and supporting procedures governing video conferencing, UC soft client, and speakerphone speaker operations preventing disclosure of sensitive or classified information over non-secure systems do not exist or are not enforced, this is a finding.
Document and enforce a policy and procedure for video conferencing, UC soft client, and speakerphone speaker operations to prevent disclosure of sensitive or classified information over non-secure systems. Ensure appropriate training is provided for users. The policy and supporting procedures should take into account the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use.