UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Deficient SOP or enforcement for user validation that encryption is on when required


Overview

Finding ID Version Rule ID IA Controls Severity
V-17686 RTS-VTC 1260.00 SV-18860r1_rule Medium
Description
When encryption is enabled via automatic/negotiate, and one endpoint does not support encryption or supports DES and not AES, the entire conference defaults to the lower capability level. This is not acceptable for some conferences depending upon the sensitivity of the information discussed or presented. As noted above, the stated DoD IA controls require encryption. To ensure this requirement is met, when it is unknown whether all endpoints in a conference support encryption and whether it is turned on, the VTU user must provide the final check that encryption is being used. If a conference is to be encrypted, the user must check that all participants are using encryption and have enabled the encryption on their devices. When the conference has begun, the user must ensure that the conference is encrypted. The alternate to this is to exclude the endpoint that does not support the required encryption or not proceed with the conference session.
STIG Date
Video Services Policy STIG 2017-04-06

Details

Check Text ( C-18956r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure a policy and procedure is in place and enforced that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included:
- The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation necessary.
- When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication.
Note: This requirement must be reflected in user training, agreements and guides.

Verify that there is a policy and procedure in place that enforces and guides users on how and what to check when participants are required to use encryption.
Fix Text (F-17583r1_fix)
[IP][ISDN]; Perform the following tasks:
Define and enforce policy and procedure that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included:
- The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation necessary.
- When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication.