
Deficient SOP or enforcement for VTC/CODEC streaming.


Overview

Finding ID: V-16564
Version: RTS-VTC 2360.00
Rule ID: SV-17563r2_rule
IA Controls: DCBP-1, ECSC-1, IAAC-1, IAIA-1, IAIA-2
Severity: Medium
Description
To control streaming from a VTU/CODEC, the site must have a policy and procedure regarding the use of streaming. This could be very simple if streaming will never be used or more complex if there is the potential for its use. Such an SOP will reflect the requirements of this STIG regarding streaming. Note: For additional information regarding the vulnerabilities associated with VTC streaming, see the discussion under RTS-VTC 2340.
STIG: Video Services Policy STIG
Date: 2020-02-25

Details

Check Text (C-17362r1_chk)
[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU/CODEC is connected to an IP based LAN, and if the CODEC supports streaming, ensure a “Streaming” policy and procedure is in place and enforced that addresses the following:
- The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
- Implementation and distribution of temporary one-time “streaming passwords”, and other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected.
- Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
- Reinstallation of the “blocking” configuration and password (as required below) following any given streaming session.
- Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.

Note: The details of this SOP will be included in user training, agreements, and guides.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
Fix Text (F-16534r1_fix)
[IP]; If the CODEC supports streaming, perform the following tasks:
- Develop and enforce the SOP, train users, and include the SOP in user agreements and guides.
- The SOP will address the following:
> The approval of conference streaming on a case by case basis prior to it being configured by an administrator and activated.
> Implementation and distribution of temporary “streaming passwords”, or other session information, to control recipient access to the media stream. For best protection of the system, this password must be used one time and not repeated. This password must not match any other user or administrative password and must be configured to meet or exceed DoD password complexity requirements since entry from a keyboard is expected. A temporary, one time password is implemented during streaming enablement and configuration of the given streaming session.
> Requirements for implementing an appropriate streaming configuration to limit the reach of the stream across the network.
> Reinstallation of the “blocking” configuration and password (as required below) following any given streaming session.
> Changes to the “access blocking” configuration and password in the event it is compromised or if administrative staff changes.