Auto-answer feature is not administratively disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17595	RTS-VTC 1040.00	SV-18722r1_rule	DCBP-1 ECSC-1	Low

Description
Some VTC endpoints have a user selectable feature that provides the capability to automatically answer an incoming call. This would be akin to your speakerphone picking up a call each time the phone rang allowing an ongoing conversation to be heard by the caller. This feature, if activated, is highly detrimental to the confidentiality of information in a room in which a VTU is installed. In fact, a security incident could result from “auto-answer” being enabled. Such would be the case in the event a VTU automatically answered a call when a classified meeting or discussion (not via VTC) was being held in a conference room or an office having VTC capability. The auto-answer feature must not be activated by a user unless the feature is required to satisfy mission requirements. Furthermore, users must be trained in the vulnerabilities associated with the auto-answer feature and in its proper use if it is to be used. The ideal mitigation for this vulnerability is for the auto-answer feature to not be supported by the VTU or there be an administrator setting that can disable the feature preventing a user from activating it.

Description

Some VTC endpoints have a user selectable feature that provides the capability to automatically answer an incoming call. This would be akin to your speakerphone picking up a call each time the phone rang allowing an ongoing conversation to be heard by the caller. This feature, if activated, is highly detrimental to the confidentiality of information in a room in which a VTU is installed. In fact, a security incident could result from “auto-answer” being enabled. Such would be the case in the event a VTU automatically answered a call when a classified meeting or discussion (not via VTC) was being held in a conference room or an office having VTC capability. The auto-answer feature must not be activated by a user unless the feature is required to satisfy mission requirements. Furthermore, users must be trained in the vulnerabilities associated with the auto-answer feature and in its proper use if it is to be used. The ideal mitigation for this vulnerability is for the auto-answer feature to not be supported by the VTU or there be an administrator setting that can disable the feature preventing a user from activating it.

STIG	Date
Video Services Policy STIG	2020-02-25

Details

Check Text ( C-18895r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: If a VTC endpoint auto-answer feature is available, ensure it is administratively disabled, thus ensuring the feature is not selectable by the user, unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval will be obtained from the DAA or IAM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. Verify that if the auto-answer feature is available on the VTU endpoint that it is administratively disabled. If the auto-answer is a mission requirement, verify that IAO has evidence/documentation that the DAA or IAM responsible has given written approval for its use.

Check Text ( C-18895r1_chk )

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

If a VTC endpoint auto-answer feature is available, ensure it is administratively disabled, thus ensuring the feature is not selectable by the user, unless required to satisfy validated, approved, and documented mission requirements.
Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval will be obtained from the DAA or IAM responsible for the VTU(s) or system.
Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

Verify that if the auto-answer feature is available on the VTU endpoint that it is administratively disabled. If the auto-answer is a mission requirement, verify that IAO has evidence/documentation that the DAA or IAM responsible has given written approval for its use.

Fix Text (F-17513r1_fix)
[IP][ISDN]; Perform the following tasks: Administratively disable the auto-answer function on the VTU unless required to fulfill validated and approved mission requirements. If auto-answer is required to fulfill validated and approved mission requirements, obtain written approval for the use of this function from DAA or IAM and maintain documentation on the validated requirement and approval. Train users in the proper use and vulnerabilities associated with the use of auto-answer

Fix Text (F-17513r1_fix)

[IP][ISDN]; Perform the following tasks:
Administratively disable the auto-answer function on the VTU unless required to fulfill validated and approved mission requirements.

If auto-answer is required to fulfill validated and approved mission requirements, obtain written approval for the use of this function from DAA or IAM and maintain documentation on the validated requirement and approval.
Train users in the proper use and vulnerabilities associated with the use of auto-answer