UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over nonsecure systems.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259902 SRG-VOIP-000220 SV-259902r948746_rule Medium
Description
Speakers used with Voice Video systems and devices may be heard by people and microphones with no relationship to the conference or call in progress. In open areas, conference audio may be overheard by others in the area without a need-to-know. A policy must be in place and enforced regarding the placement and use of speakers connected to secure Voice Video systems (video conferencing, EVoIP, ECVoIP, etc.) and secure Voice Video endpoints (STU-III, STE, etc.) located in areas or rooms where classified meetings, conversations, or work normally occur. The policy must be in accordance with NSA and DCI guidance and address, at a minimum, the following: - Location if instruments must be limited to sole-use offices, conference rooms, and similar areas that afford sound attenuation. - Notification to all room occupants of the use of the speaker. - Notification to all room occupants for awareness of the classification of conversations taking place. - The room occupant assuming responsibility for taking the necessary precautions to ensure the classified discussion is not overheard. - Secure Voice Video endpoints must be configured to prevent speaker enablement in the nonsecure mode. Speakerphone use on secure telecommunications systems requires special consideration regarding placement and operating policy. NSA S412 approves the installation/enablement of speakerphones on National Secure Telephone Systems (NSTS) and STU-III/STE instruments. The intent of speakerphone approval rests with the room occupant assuming responsibility for taking the necessary precautions to ensure the classified discussion is not overheard by individuals outside the conversation who may not have a need-to-know for the information discussed and/or that the speakerphone will not pick up and transmit other classified conversations in the area that are not part of the call in progress.
STIG Date
Enterprise Voice, Video, and Messaging Policy Security Requirements Guide 2024-03-12

Details

Check Text ( C-63633r946625_chk )
Confirm a policy and supporting procedures are in place that address the placement and operation of video conferencing, UC soft client, and speakerphone speakers to prevent disclosure of sensitive or classified information over nonsecure systems. Operational policy and procedures must be included in user training and guides.

The policy and supporting procedures should consider the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area.

They should include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use.

If a policy and supporting procedures governing video conferencing, UC soft client, and speakerphone speaker operations preventing disclosure of sensitive or classified information over nonsecure systems do not exist or are not enforced, this is a finding.
Fix Text (F-63540r946626_fix)
Document and enforce a policy and procedure for video conferencing, UC soft client, and speakerphone speaker operations to prevent disclosure of sensitive or classified information over nonsecure systems. Ensure appropriate training is provided for users.

The policy and supporting procedures should consider the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area.

Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use.