
Video Services Policy STIG


Overview

Date: 2020-02-25
Finding Count (82): CAT I (High): 6, CAT II (Med): 70, CAT III (Low): 6
STIG Description
The Video Services Policy Security Technical Implementation Guide (STIG) provides policy guidance for video teleconferencing systems and endpoints implemented on DoD networks. These policies ensure conformance to DoD requirements that govern video services deployment and operations. The Video Services Policy STIG works with the Video Teleconference STIG requirements for evaluation on each video teleconferencing (VTC) system review, regardless of the VTC product or release level. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-16074 High Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pickup and transmit sensitive or classified information in visual form.
V-43027 High An enclave supporting an IP-based VTC system that must communicate across an IP WAN must implement a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution at its boundary with the WAN.
V-17687 High The VTC system and components must not have default or factory passwords.
V-17715 High A VTC endpoint must not bridge a wired LAN and a wireless LAN.
V-43016 High An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by connecting the CODEC to one network at a time, matching the classification level of the session to the classification level of the network.
V-43017 High IP-based VTC systems must not connect to ISDN lines when connected to a classified network.
V-16078 Medium Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC.
V-17596 Medium Deficient SOP for, enforcement, usage, or configuration of the auto-answer feature.
V-17711 Medium VTC system and endpoint users must sign a user agreement when accepting an endpoint or obtaining approval to use an endpoint.
V-16076 Medium VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.
V-16077 Medium Deficient Policy or SOP regarding PC communications video display positioning.
V-17600 Medium Inadequate “operator/facilitator/administrator” access control for remote monitoring of a VTU connected to an IP network.
V-17696 Medium VTU/CODEC is not properly configured to support streaming.
V-43015 Medium An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next.
V-17697 Medium Inadequate user training for PC presentation sharing that could lead to compromise of other information on the presenting PC.
V-17709 Medium A VTC management system or endpoint must have risk approval and acceptance in writing by the responsible Authorizing Official (AO).
V-17708 Medium Deficient SOP or enforcement regarding the approval and deployment of VTC capabilities.
V-43041 Medium An ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences must utilize an approved pair of EIA-530 A/B switches operated in tandem or a dual A/B switch to switch the Type 1 encryptor in/out of the circuit between the CODEC and IMUX.
V-43040 Medium An ISDN-based or IP-based VTC system supporting conferences on multiple networks having different classification levels must utilize approved automatically controlled signage to indicate the secure/non-secure status or classification level of the conference/session. Such signage will be placed within the conference room and outside each entrance.
V-17689 Medium The Videoconferencing system and components passwords must meet complexity and strength policy.
V-17701 Medium Secure protocols must be implemented for CODEC remote control and management.
V-17700 Medium CODEC control / configuration messages received via the local Application Programmers Interface (API) are not encrypted or authenticated.
V-17703 Medium SNMP is not being used in accordance with the Network Infrastructure STIG.
V-17702 Medium Unnecessary/unused remote control/management/configuration protocols are not disabled.
V-17705 Medium VTC systems and devices must run the latest DoD-approved patches/firmware/software from the system/device vendor.
V-17704 Medium Remote management access and SNMP access and reporting are not restricted by IP address and/or subnet.
V-17707 Medium All VTC system management systems/servers are not configured in compliance with all applicable STIGs.
V-17720 Medium Access control measures must be implemented for all conferences hosted on a centralized MCU appliance.
V-17688 Medium The VTC system and components must not display passwords in clear text.
V-43028 Medium An IDS/IPS must protect the IP-based VTC system within the enclave.
V-17698 Medium Deficient SOP or enforcement regarding the use of software based virtual connection between the PC and the VTC CODEC.
V-16557 Medium Administrative sessions with the VTU do not timeout within a maximum of 15 minutes.
V-16564 Medium Deficient SOP or enforcement for VTC/CODEC streaming.
V-43021 Medium An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels must be implemented in a manner such that configuration information for a network having a higher classification level is not disclosed to a network having a lower classification level.
V-43020 Medium The A/B, A/B/C, or A/B/C/D switch within an IP-based VTC system supporting conferences on multiple networks having different classification levels must be based on optical technologies to maintain electrical isolation between the various networks to which it connects.
V-17683 Medium VTC data in transit must be encrypted.
V-17684 Medium The VTU must use FIPS 140-2 validated encryption module.
V-43024 Medium An IP-based VTC system implementing a single set of input/output devices (cameras, microphones, speakers, control system), an A/V switcher, and multiple CODECs connected to multiple IP networks having different classification levels must provide automatic mutually exclusive power control for the CODECs or their network connections such that only one CODEC is powered on or one CODEC is connected to any network at any given time.
V-43043 Medium An ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences while implementing dialing capability from the CODEC must utilize an approved EIA-366-A dial isolator that disconnects the dialing channel between the CODEC and IMUX when the IMUX signals it is connected to another IMUX (i.e., the session is connected).
V-17692 Medium Deficient SOP or enforcement of the SOP for manual password management.
V-79051 Medium Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over non-secure systems.
V-16562 Medium No indicator is displayed on the VTU screen when CODEC streaming is activated.
V-17716 Medium A VTU endpoint does not have the wireless LAN capability disabled.
V-17680 Medium Inadequate notification to conference participants (manual or automatic) of monitoring activity by someone that is not a direct participant in a VTC session/conference.
V-17592 Medium Deficient SOP or enforcement for microphone and camera disablement when the VTU is required to be powered and inactive (in standby).
V-17712 Medium User Guides and documentation packages must be developed and distributed to users operating VTC endpoints.
V-17713 Medium VTC systems must be logically or physically segregated on the LAN from data systems, other non-integrated voice communication (VoIP) systems, and by VTC system type.
V-17710 Medium VTC system and endpoint users, administrators, and helpdesk representatives must receive cybersecurity training.
V-17681 Medium Insufficient security clearance held by an “operator/facilitator/administrator” performing remote monitoring activities during a VTC session/conference.
V-17598 Medium Deficient SOP or enforcement regarding handling of incoming calls while in a conference.
V-17599 Medium Remote monitoring is not disabled while connected to an IP Network.
V-17717 Medium A VTU or conference room implemented using wireless components must be protected from external control or compromise.
V-17682 Medium Far end camera control is not disabled.
V-17718 Medium VTC ports and protocols cross DoD/Enclave boundaries without prior registration in the DoD Ports and Protocols Database.
V-17719 Medium Access control measures must be implemented for all conferences hosted on a centralized MCU appliance.
V-17691 Medium Classified videoconferencing systems must authenticate with a unique user logon prior to performing functions and services.
V-17694 Medium Deficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming.
V-43035 Medium The IP-based VTC system must use H.235-based signaling encryption.
V-16560 Medium Use of media streaming is not documented properly or is not configured securely.
V-43030 Medium The IP-based VTC system must authenticate to an H.323 Gatekeeper or VVoIP session/call controller.
V-17591 Medium Deficient SOP or enforcement regarding how to power-off the VTU when it is not actively participating in a conference.
V-43025 Medium The implementation of an IP-based VTC system supporting conferences on multiple networks having different classification levels must maintain isolation between the networks to which it connects by implementing separation of equipment and cabling between the various networks having differing classification levels in accordance with CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance.
V-17714 Medium VTC endpoint connectivity is established via an unapproved DoD Wireless LAN infrastructure.
V-43038 Medium The operator of an ISDN-based VTC system utilizing a Type 1 encryptor for classified sessions must ensure any removable Keying Material (KEYMAT) (e.g., Cryptographic Ignition Key (CIK)) for the encryptor is secured in an appropriate secure facility or GSA-approved container when the system is not in use.
V-17685 Medium VTU encryption indicator is not enabled.
V-43022 Medium The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must be Common Criteria certified.
V-17699 Medium A CODEC's local Application Programmers Interface (API) must prevent unrestricted access to user or administrator configuration settings and CODEC controls without a password.
V-17593 Medium Deficient VTU sleep mode configuration or operation.
V-43018 Medium An IP-based VTC system implementing a single CODEC supporting conferences on multiple networks having different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing sanitization by purging/clearing volatile memory within the CODEC by powering the CODEC off for a minimum of 60 seconds.
V-17686 Medium Deficient SOP or enforcement for user validation that encryption is on when required.
V-43019 Medium IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must sanitize non-volatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network.
V-17693 Medium Deficient SOP or enforcement of One Time Use local meeting password.
V-17594 Medium Inadequate display of an incoming call notification such that the VTU user can make an informed decision to answer the call or not.
V-17690 Medium A VTU password must be used for each VTU function.
V-43049 Medium ISDN-based VTC equipment supporting secure (classified) and non-secure (unclassified) conferences which implement dial isolators and A/B switches must meet minimum port-to-port isolation standards.
V-17695 Medium CODEC streaming is not disabled when it is not required.
V-17589 Low The VTC endpoints and system components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-17706 Low Video Teleconferencing system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.
V-43045 Low An ISDN-based VTC system supporting secure (classified) and non-secure (unclassified) conferences must be cabled to maintain a minimum of 5 or 15 centimeters RED/BLACK separation on either side of any Type 1 encryptor and any dial isolator (depending on the TEMPEST zone).
V-43023 Low The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC supporting conferences on multiple networks having different classification levels must be TEMPEST certified.
V-54695 Low Video teleconferencing system components Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
V-17595 Low Auto-answer feature is not administratively disabled.