The VTC system and components passwords must meet complexity and strength policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17689	RTS-VTC 2024.00	SV-18863r3_rule	DCBP-1 ECSC-1 IAIA-1 IAIA-2	Medium

Description
DoD policy mandates the use of strong passwords. The minimum password length is 15 characters. The minimum password complexity when not using DoD PKI is at least one lowercase letter, one uppercase letter, one number, and one special character must be present in the password. While VTC endpoints today typically do not require a username, they do require a password for user access and authentication. The strength of these passwords is an issue for VTUs and is dependent upon the method of entry. Strong passwords along with other measures, as noted in DoD policy, are required for any access method that is received by the VTU across a network. This is because of the potential that a password could be broken by a variety of high speed cracking attacks. Due to the inability to use letters, PINs are very weak passwords. Typically, a local VTU PIN entered from a hand-held remote control can support 5 or more characters.

Description

DoD policy mandates the use of strong passwords. The minimum password length is 15 characters. The minimum password complexity when not using DoD PKI is at least one lowercase letter, one uppercase letter, one number, and one special character must be present in the password. While VTC endpoints today typically do not require a username, they do require a password for user access and authentication. The strength of these passwords is an issue for VTUs and is dependent upon the method of entry. Strong passwords along with other measures, as noted in DoD policy, are required for any access method that is received by the VTU across a network. This is because of the potential that a password could be broken by a variety of high speed cracking attacks. Due to the inability to use letters, PINs are very weak passwords. Typically, a local VTU PIN entered from a hand-held remote control can support 5 or more characters.

STIG	Date
Video Services Policy STIG	2015-07-01

Details

Check Text ( C-18959r2_chk )
Review site documentation to confirm a policy and procedure requires the VTC system and components to have passwords meeting complexity or strength policy, as follows: - PINs entered into a local VTU from a hand-held remote control must contain at least 6 digits. - PINs entered into a remote VTU from a hand-held remote control must contain at least 9 digits. - Passwords entered from a keyboard must contain at least at least 15 characters with at least one lowercase letter, one uppercase letter, one number, and one special character. - Passwords and PINs must be encrypted per DoD standards. If the VTC system and components do not have passwords meeting complexity or strength policy, this is a finding.

Check Text ( C-18959r2_chk )

Review site documentation to confirm a policy and procedure requires the VTC system and components to have passwords meeting complexity or strength policy, as follows:
- PINs entered into a local VTU from a hand-held remote control must contain at least 6 digits.
- PINs entered into a remote VTU from a hand-held remote control must contain at least 9 digits.
- Passwords entered from a keyboard must contain at least at least 15 characters with at least one lowercase letter, one uppercase letter, one number, and one special character.
- Passwords and PINs must be encrypted per DoD standards.

If the VTC system and components do not have passwords meeting complexity or strength policy, this is a finding.

Fix Text (F-17586r2_fix)
Implement VTC system and components to have passwords meeting complexity or strength policy.