Far end camera control is not disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17682	RTS-VTC 1180.00	SV-18856r1_rule	DCBP-1 ECSC-1	Medium

Description
Many VTC endpoints support Far End Camera Control (FECC). This feature uses H.281 protocol which must be supported by both VTUs. Typically, this is only available during an active VTC session but could be available if the VTU is compromised or if a call is automatically answered. Allowing another conference attendee to take control of your camera can place the confidentiality of non conference related information at risk. FECC should be disabled to prevent the control of the near end camera by the far end unless required to satisfy validated mission requirements.

Description

Many VTC endpoints support Far End Camera Control (FECC). This feature uses H.281 protocol which must be supported by both VTUs. Typically, this is only available during an active VTC session but could be available if the VTU is compromised or if a call is automatically answered. Allowing another conference attendee to take control of your camera can place the confidentiality of non conference related information at risk. FECC should be disabled to prevent the control of the near end camera by the far end unless required to satisfy validated mission requirements.

STIG	Date
Video Services Policy STIG	2020-02-25

Details

Check Text ( C-18952r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure far end camera control is disabled unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., far end camera control must be able to be disabled or the feature must not be supported. Determine if remote monitoring is required and approved to meet mission requirements. Have the IAO or SA demonstrate compliance with the requirement.

Check Text ( C-18952r1_chk )

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure far end camera control is disabled unless required to satisfy validated, approved, and documented mission requirements.

Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., far end camera control must be able to be disabled or the feature must not be supported.

Determine if remote monitoring is required and approved to meet mission requirements. Have the IAO or SA demonstrate compliance with the requirement.

Fix Text (F-17579r1_fix)
[IP][ISDN]; Perform the following tasks: Configure the CODEC to disable far end camera control OR Document and validate the mission requirements that require far end camera control to be enabled and obtain DAA approval. Maintain the requirement and approval documentation for review by auditors.