Video Services Policy STIG


Overview

Date: 2014-06-26
Finding Count (80): CAT I (High): 6, CAT II (Med): 70, CAT III (Low): 4
STIG Description
The Video Services Policy Security Technical Implementation Guide (STIG) provides policy guidance for video teleconferencing systems and endpoints implemented on DoD networks. These policies ensure conformance to DoD requirements that govern video services deployment and operations. The Video Services Policy STIG works with the Video Teleconference STIG requirements for evaluation on each video teleconferencing (VTC) system review, regardless of the VTC product or release level. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-16074 High Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pick up and transmit sensitive or classified information in visual form.
V-43027 High An enclave supporting an IP-based VTC system that must communicate across an IP WAN must implement a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution at its boundary with the WAN.
V-17687 High Default passwords are not changed.
V-17715 High A VTC endpoint must not bridge a wired LAN and a wireless LAN.
V-43016 High An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by connecting the CODEC to one network at a time, matching the classification level of the session to the classification level of the network.
V-43017 High IP-based VTC systems must not connect to ISDN lines when connected to a classified network.
V-16078 Medium Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC.
V-17596 Medium Deficient SOP for, enforcement, usage, or configuration of the auto-answer feature.
V-17711 Medium VTC system user agreements are not signed or used when a user receives an endpoint or approval to use an endpoint.
V-16076 Medium Deficient Policy or SOP regarding VTC, PC, and speakerphone microphone operations regarding their ability to pick up and transmit sensitive or classified information in aural form.
V-16077 Medium Deficient Policy or SOP regarding PC communications video display positioning.
V-17600 Medium Inadequate “operator/facilitator/administrator” access control for remote monitoring of a VTU connected to an IP network.
V-17696 Medium VTU/CODEC is not properly configured to support streaming.
V-43015 Medium An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next.
V-17706 Medium A DoD logon Electronic Notice (Warning) and Consent Banner is not displayed prior to logon and acknowledged by the user.
V-17697 Medium Inadequate user training for PC presentation sharing that could lead to compromise of other information on the presenting PC.
V-17709 Medium A VTC management system or endpoint use does not have written approval and acceptance of risk by the responsible DAA.
V-17708 Medium Deficient SOP or enforcement regarding the approval and deployment of VTC capabilities.
V-43041 Medium An ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences must utilize an approved pair of EIA-530 A/B switches operated in tandem or a dual A/B switch to switch the Type 1 encryptor in/out of the circuit between the CODEC and IMUX.
V-43040 Medium An ISDN-based or IP-based VTC system supporting conferences on multiple networks having different classification levels must utilize approved automatically controlled signage to indicate the secure/non-secure status or classification level of the conference/session. Such signage will be placed within the conference room and outside each entrance.
V-17689 Medium Passwords do not meet complexity or strength.
V-17701 Medium Secure protocols are not used for CODEC remote control and management.
V-17700 Medium CODEC control / configuration messages received via the local Application Programmers Interface (API) are not encrypted or authenticated.
V-17703 Medium SNMP is not being used in accordance with the Network Infrastructure STIG.
V-17702 Medium Unnecessary/unused remote control/management/configuration protocols are not disabled.
V-17705 Medium A VTC system/device is not running the latest DoD approved patches/firmware/software from system/device vendor.
V-17704 Medium Remote management access and SNMP access and reporting are not restricted by IP address and/or subnet.
V-17707 Medium All VTC system management systems/servers are not configured in compliance with all applicable STIGs.
V-17720 Medium Access Control Measures are not implemented for all conferences hosted on a centralized MCU appliance.
V-17688 Medium Passwords are displayed in clear text when logging onto a VTU.
V-43028 Medium An IDS/IPS must protect the IP-based VTC system within the enclave.
V-17698 Medium Deficient SOP or enforcement regarding the use of software based virtual connection between the PC and the VTC CODEC.
V-16557 Medium Administrative sessions with the VTU do not timeout within a maximum of 15 minutes.
V-16564 Medium Deficient SOP or enforcement for VTC/CODEC streaming.
V-43021 Medium An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels must be implemented in a manner such that configuration information for a network having a higher classification level is not disclosed to a network having a lower classification level.
V-43020 Medium The A/B, A/B/C, or A/B/C/D switch within an IP-based VTC system supporting conferences on multiple networks having different classification levels must be based on optical technologies to maintain electrical isolation between the various networks to which it connects.
V-17683 Medium VTC media is not encrypted.
V-17684 Medium VTU does not use or provide FIPS 140-2 validated encryption module.
V-43024 Medium An IP-based VTC system implementing a single set of input/output devices (cameras, microphones, speakers, control system), an A/V switcher, and multiple CODECs connected to multiple IP networks having different classification levels must provide automatic mutually exclusive power control for the CODECs or their network connections such that only one CODEC is powered on or one CODEC is connected to any network at any given time.
V-43043 Medium An ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences while implementing dialing capability from the CODEC must utilize an approved EIA-366-A dial isolator that disconnects the dialing channel between the CODEC and IMUX when the IMUX signals it is connected to another IMUX (i.e., the session is connected).
V-17692 Medium Deficient SOP or enforcement of the SOP for manual password management.
V-16562 Medium No indicator is displayed on the VTU screen when CODEC streaming is activated.
V-17716 Medium A VTU endpoint does not have the wireless LAN capability disabled.
V-17680 Medium Inadequate notification to conference participants (manual or automatic) of monitoring activity by someone that is not a direct participant in a VTC session/conference.
V-17592 Medium Deficient SOP or enforcement for microphone and camera disablement when the VTU is required to be powered and inactive (in standby).
V-17712 Medium User Guides and documentation packages have not been developed and distributed to users that operate and work with VTC endpoints.
V-17713 Medium VTC systems must be logically or physically segregated on the LAN from data systems, other non-integrated voice communication (VoIP) systems, and by VTC system type.
V-17710 Medium Deficient IA training for VTC system/endpoint users, administrators, and helpdesk representatives.
V-17681 Medium Insufficient security clearance held by an “operator/facilitator/administrator” performing remote monitoring activities during a VTC session/conference.
V-17598 Medium Deficient SOP or enforcement regarding handling of incoming calls while in a conference.
V-17599 Medium Remote monitoring is not disabled while connected to an IP Network.
V-17717 Medium A VTU or conference room implemented using wireless components is not protected from external control or compromise.
V-17682 Medium Far end camera control is not disabled.
V-17718 Medium VTC ports and protocols cross DoD/Enclave boundaries without prior registration in the DoD Ports and Protocols Database.
V-17719 Medium Access Control Measures are not implemented for all conferences hosted on a centralized MCU appliance.
V-17691 Medium Classified VTU activated without unique user login.
V-17694 Medium Deficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming.
V-43035 Medium The IP-based VTC system must use H.235-based signaling encryption.
V-16560 Medium Use of media streaming is not documented properly or is not configured securely.
V-43030 Medium The IP-based VTC system must authenticate to an H.323 Gatekeeper or VVoIP session/call controller.
V-17591 Medium Deficient SOP or enforcement regarding how to power-off the VTU when it is not actively participating in a conference.
V-43025 Medium The implementation of an IP-based VTC system supporting conferences on multiple networks having different classification levels must maintain isolation between the networks to which it connects by implementing separation of equipment and cabling between the various networks having differing classification levels in accordance with NSTISSAM TEMPEST-2-95, RED/BLACK installation guidance.
V-17714 Medium VTC endpoint connectivity is established via an unapproved DoD Wireless LAN infrastructure.
V-43038 Medium The operator of an ISDN-based VTC system utilizing a Type 1 encryptor for classified sessions must ensure any removable Keying Material (KEYMAT) (e.g., Cryptographic Ignition Key (CIK)) for the encryptor is secured in an appropriate secure facility or GSA-approved container when the system is not in use.
V-17685 Medium VTU encryption indicator is not enabled.
V-43022 Medium The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must be Common Criteria certified.
V-17699 Medium A CODEC's local Application Programmers Interface (API) provides unrestricted access to user or administrator configuration settings and CODEC controls without the use of an appropriate password.
V-17593 Medium Deficient VTU sleep mode configuration or operation.
V-43018 Medium An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing sanitization by purging/clearing volatile memory within the CODEC by powering the CODEC off for a minimum of 60 seconds.
V-17686 Medium Deficient SOP or enforcement for user validation that encryption is on when required.
V-43019 Medium IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must sanitize non-volatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network.
V-17693 Medium Deficient SOP or enforcement of One Time Use local meeting password.
V-17594 Medium Inadequate display of an incoming call notification such that the VTU user can make an informed decision to answer the call or not.
V-17690 Medium Different VTU passwords are not used for different VTU functions.
V-43049 Medium ISDN-based VTC equipment supporting secure (classified) and non-secure (unclassified) conferences which implement dial isolators and A/B switches must meet minimum port-to-port isolation standards.
V-17695 Medium CODEC streaming is not disabled when it is not required.
V-17589 Low VTC endpoints and other VTC system components do not comply with DoD 8500.2 IA Controls.
V-43045 Low An ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences must be cabled to maintain a minimum of 5 or 15 centimeters RED/BLACK separation on either side of the Type 1 encryptor and the dial isolator (depending on the TEMPEST zone).
V-43023 Low The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must be TEMPEST certified.
V-17595 Low Auto-answer feature is not administratively disabled.