VTC endpoints and other VTC system components do not comply with DoD 8500.2 IA Controls.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17589	RTS-VTC 1000.00	SV-18715r1_rule	DCBP-1 ECSC-1	Low

Description
DoD user/administrator account and password requirements are defined by the DoDI 8500.2 IA control IAIA-1, IAIA-2, IAAC-1, IAGA-1, as well as JTF-GNO Command Tasking Order (CTO) 06-02 as amended and any current INFOCON modifications. IA controls ECLO-1 and 2 provide policy for system/device logon controls, while IATS-1 and 2 provide policy requiring DoD Public Key Infrastructure (PKI) certificates along with physical tokens (i.e., Common Access Card (CAC) or Alternate Logon Token (ALT)) are used for system/device access, user identification, authentication, and non-repudiation. These policies address individual user/administrator accounts and user-IDs; two-factor authentication using CAC, other PKI based tokens (e.g., ALT), or the use of passwords, password strength, password history, password and account aging and lockout, account lockout for failed logon attempts, removal of unnecessary accounts, group accounts, and more. IA controls ECPS-1 and ECLP-1 define policy for various levels of user and administrator authorization based on roles and the principal of least privilege. Additionally, IA controls ECAT-1, ECAR-1, 2, and 3, as well as ECTP-1 define DoD security auditing policy. Under these policies user and administrator actions that could affect security are to be recorded in a protected security or audit log. These IA controls rely on the successful implementation of individual user accounts and other required access control measures. Without individual user accounts and/or identities, to which actions can be tied, auditing of user/administrator actions becomes impossible. Examples of auditable actions include (but are not limited to) access to the system or device; access to, use of, or activation of services provided by the system or device; access to files on the system or device to include modification, deletion, name changes etc; access to configuration settings along with changes made. These auditing records are in addition to and separate from traditional telephony CDRs used for accounting purposes. Based on the information presented in Table 3-1 in the STIG, we can see that VTC CODECs do not support most DoD requirements on all access points and features, if at all. This holds true for most other VTC system devices. As such, this does not negate the fact that all DoD ISs are subject to these policies that provide access controls, address vulnerabilities, and provide for user and administrator accountability. The purpose of the following requirement is to highlight the lack of such support in security readiness review as well as certification and accreditation reports. The balance of this document attempts to define mitigations to this lack of policy compliance to the greatest extent possible.

Description

DoD user/administrator account and password requirements are defined by the DoDI 8500.2 IA control IAIA-1, IAIA-2, IAAC-1, IAGA-1, as well as JTF-GNO Command Tasking Order (CTO) 06-02 as amended and any current INFOCON modifications. IA controls ECLO-1 and 2 provide policy for system/device logon controls, while IATS-1 and 2 provide policy requiring DoD Public Key Infrastructure (PKI) certificates along with physical tokens (i.e., Common Access Card (CAC) or Alternate Logon Token (ALT)) are used for system/device access, user identification, authentication, and non-repudiation. These policies address individual user/administrator accounts and user-IDs; two-factor authentication using CAC, other PKI based tokens (e.g., ALT), or the use of passwords, password strength, password history, password and account aging and lockout, account lockout for failed logon attempts, removal of unnecessary accounts, group accounts, and more. IA controls ECPS-1 and ECLP-1 define policy for various levels of user and administrator authorization based on roles and the principal of least privilege. Additionally, IA controls ECAT-1, ECAR-1, 2, and 3, as well as ECTP-1 define DoD security auditing policy. Under these policies user and administrator actions that could affect security are to be recorded in a protected security or audit log. These IA controls rely on the successful implementation of individual user accounts and other required access control measures. Without individual user accounts and/or identities, to which actions can be tied, auditing of user/administrator actions becomes impossible. Examples of auditable actions include (but are not limited to) access to the system or device; access to, use of, or activation of services provided by the system or device; access to files on the system or device to include modification, deletion, name changes etc; access to configuration settings along with changes made. These auditing records are in addition to and separate from traditional telephony CDRs used for accounting purposes. Based on the information presented in Table 3-1 in the STIG, we can see that VTC CODECs do not support most DoD requirements on all access points and features, if at all. This holds true for most other VTC system devices. As such, this does not negate the fact that all DoD ISs are subject to these policies that provide access controls, address vulnerabilities, and provide for user and administrator accountability. The purpose of the following requirement is to highlight the lack of such support in security readiness review as well as certification and accreditation reports. The balance of this document attempts to define mitigations to this lack of policy compliance to the greatest extent possible.

STIG	Date
Video Teleconference STIG	2014-02-11

Details

Check Text ( C-18889r1_chk )
[IP][ISDN] Interview the IAO to validate compliance with the following requirement: Ensure all VTC endpoints and other VTC system components comply with the following DoDI 8500.2 IA controls: - IAAC-1 Account Management - IAIA-1 & 2 Individual ID & Password - ECLO-1 & 2 lockout on logon failure - ECWN-1 Warning Banner - ECPA-1 Roles (privileged access) - ECLP-1 Least Privilege - ECAT-2 Security audit - ECAR-1, 2, & 3 Audit Content - ECTP-1 Audit Trail Protection Note: The specific IA control deficiencies exhibited by a particular VTC system or device must be documented for use in the risk assessments that are necessary for a DAA to make an informed decision regarding the use of the system or device. APL Testing: In the event an IA control on the above list fails when going through product review this check would be a finding. This check will result in a finding in most cases because VTC endpoints and other VTC system components have typically not provided support for IA beyond a password for access to configuration settings. The basic features for compliance with each IA control by any device are listed below. This list is not intended to be all inclusive nor does it contain all IA controls that might be applicable. IAAC-1 Account Management - Individual administrator and user accounts can be created and deleted. - Accounts age and lockout when age limits are exceeded. IAIA-1 & 2 Individual ID & Password - Individual User ID and password required for logon by administrators and users alike in association with individual user accounts. - Strong passwords with specific configurable length and character type content - Passwords are required to be changed at regular configurable intervals and at first logon - Password history and aging ECLO-1 & 2 Lockout on logon failure - User and admin accounts lockout after a configurable number of failed logon attempts ECWN-1 Warning Banner - The standard DoD mandated warning banner must be displayed on the main VTC display prior to user or local admin logon - The standard DoD mandated warning banner must be displayed on all management interfaces, both local and remote. ECPA-1 Roles (privileged access) - The system provides access to various functions and configuration levels based upon the role of the user or administrator as assigned to their user account. - The system minimally provides a user role and an administrator role ECLP-1 Least Privilege - Works with ECPA in that users and administrators are provided access to only those commands and configuration settings required to perform their job. ECAT-2 Security audit - The system records security related events in an audit log ECAR-1, 2, & 3 Audit Content - The system records various types of security related events based upon the sensitivity of the system. Typically these include: ECTP-1 Audit Trail Protection - The audit log is protected from access except by authorized persons - The audit log is encrypted - The audit log is not able to be edited or deleted.

Check Text ( C-18889r1_chk )

[IP][ISDN] Interview the IAO to validate compliance with the following requirement:

Ensure all VTC endpoints and other VTC system components comply with the following DoDI 8500.2 IA controls:
- IAAC-1 Account Management
- IAIA-1 & 2 Individual ID & Password
- ECLO-1 & 2 lockout on logon failure
- ECWN-1 Warning Banner
- ECPA-1 Roles (privileged access)
- ECLP-1 Least Privilege
- ECAT-2 Security audit
- ECAR-1, 2, & 3 Audit Content
- ECTP-1 Audit Trail Protection

Note: The specific IA control deficiencies exhibited by a particular VTC system or device must be documented for use in the risk assessments that are necessary for a DAA to make an informed decision regarding the use of the system or device.

APL Testing: In the event an IA control on the above list fails when going through product review this check would be a finding.

This check will result in a finding in most cases because VTC endpoints and other VTC system components have typically not provided support for IA beyond a password for access to configuration settings.

The basic features for compliance with each IA control by any device are listed below. This list is not intended to be all inclusive nor does it contain all IA controls that might be applicable.

IAAC-1 Account Management
- Individual administrator and user accounts can be created and deleted.
- Accounts age and lockout when age limits are exceeded.
IAIA-1 & 2 Individual ID & Password
- Individual User ID and password required for logon by administrators and users alike in association with individual user accounts.
- Strong passwords with specific configurable length and character type content
- Passwords are required to be changed at regular configurable intervals and at first logon
- Password history and aging
ECLO-1 & 2 Lockout on logon failure
- User and admin accounts lockout after a configurable number of failed logon attempts
ECWN-1 Warning Banner
- The standard DoD mandated warning banner must be displayed on the main VTC display prior to user or local admin logon
- The standard DoD mandated warning banner must be displayed on all management interfaces, both local and remote.
ECPA-1 Roles (privileged access)
- The system provides access to various functions and configuration levels based upon the role of the user or administrator as assigned to their user account.
- The system minimally provides a user role and an administrator role
ECLP-1 Least Privilege
- Works with ECPA in that users and administrators are provided access to only those commands and configuration settings required to perform their job.
ECAT-2 Security audit
- The system records security related events in an audit log
ECAR-1, 2, & 3 Audit Content
- The system records various types of security related events based upon the sensitivity of the system. Typically these include:
ECTP-1 Audit Trail Protection
- The audit log is protected from access except by authorized persons
- The audit log is encrypted
- The audit log is not able to be edited or deleted.

Fix Text (F-17507r1_fix)
[IP][ISDN]; Perform the following tasks: Purchase and implement VTC endpoints and other VTC system components that provide the IA features required by DoD policies. Encourage vendors to develop VTC systems and devices that provide robust IA features that support compliance with DoD policies for all devices.