Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17706 | RTS-VTC 3420.00 | SV-18880r1_rule | ECSC-1 ECWM-1 | Medium |
Description |
---|
DoDI 8500.2 IA control ECWM-1, “Warning Message”, requires that “users” be warned that “they are entering a Government information system, and are provided with appropriate privacy and security notices to include statements informing them that they are subject to monitoring, recording and auditing.” This requirement applies to all user and administrative access points or interfaces to a DoD IS. Additionally, the DoD CIO has issued new, mandatory policy standardizing the wording of “notice and consent” banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems, by releasing the DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via JTF-GNO CTO 08-008A. This also applies to all management ports or interfaces to system or network devices, as well as OAM&P/NM workstations, which must display a DoD approved warning banner at login regardless of the means of connection or communication.

The purpose of the logon warning or “Electronic Notice and Consent Banner” is two-fold. First, it warns users that unless they are authorized they should not proceed; it is like an electronic “No Trespassing” sign that allows prosecution of those who do trespass. Second, it warns both authorized and unauthorized users that they are subject to monitoring to detect unauthorized use and access if they do log on or attempt to log on. This provides the informed consent that again allows prosecution of those who abuse or damage the system. Not displaying the properly worded banner will hamper the site's legal authority or ability to monitor the given device. Failure to display the required login banner prior to logon attempts will also limit the site's ability to prosecute unauthorized access, which has the potential of criminal and civil liability for systems administrators and information systems managers who fail to cause the banner to be displayed.

Specifics for compliance with this requirement are defined in the DoD CIO Memorandum noted above. It states the warning banner must present specific verbiage as defined in the memorandum and be associated with a specifically worded user agreement. Furthermore, it states: “Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."” Note: the memorandum specifies two banners: banner A, having 1300 characters, for use on most systems, and banner B, having only 49 characters, for use on devices with severely limited display capability such as a PDA. Both reference the user agreement and their verbiage must not be altered.

The required verbiage for most systems, including VTC systems, is as follows:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests - not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Banner requirements are applicable to any and all DoD information systems, and more specifically those requiring a logon for access. All user and administrator access requires a logon per DoD policy. Acknowledgment of the banner with a keystroke or mouse click before receiving the logon screen is the preferred display and acknowledgment method, which can be supported on most if not all user and management terminals/workstations and many managed systems/devices. Unfortunately, some managed systems/devices cannot support this due to limitations in memory and/or processing power. In this case, the banner must minimally be displayed on the logon screen. Continuing to log in then implies acknowledgement and consent, the login itself being the acknowledgement keystroke.

For VTC systems and devices to properly comply with the warning banner requirement, the banner must be displayed and acknowledged in the following situations:

- When a normal user or administrator logs in to or activates the VTU locally, i.e., when the VTU is initially powered on and when it comes out of sleep mode (selectable) in the event sleep mode is used instead of powering off the VTU.
- When an administrator remotely accesses/logs in to a VTU or any other VTC system device (e.g., MCU, gateway, any server) over any network connection, whatever the purpose, access method, application, or protocol used.
- When an administrator accesses/logs in to a management suite/application and/or its supporting platform(s).
- When a user is required to log on to a multipoint conference via an MCU.
- When a user accesses/logs in to an independent scheduling system, i.e., a stand-alone scheduling application hosted on a server or appliance (e.g., application or web server). This would not be required if the scheduling process was performed through another application that the user was running on their platform, such as a collaboration or unified communications tool/application to which they had already logged in.
- When a user accesses/logs in to a streamed conference, whatever the source (e.g., VTU or streaming media server).

Regarding the inclusion of the MCU in the above list: it is debatable whether an MCU (centralized or VTU integrated) needs to comply with this requirement. While the MCU and VTU-MCU are DoD ISs, the argument can be made that a user accessing the MCU should have already logged into a VTU, which is the endpoint of the VTC system, and viewed and acknowledged the banner there. This argument works if the VTU and MCU are part of the same organization or integrated system. However, it does not work if the MCU is, or can be, accessed by someone from a different organization than the one that operates the MCU, and even less so if the person accessing the MCU is a non-DoD entity. Therefore the access control mechanism for the MCU must present the user with the banner and require its acknowledgement. In some cases this function could be handled by a device external to the MCU (if used) that authenticates the user and controls access to the MCU.

VTC endpoints (and MCUs) typically do not support this requirement (that is, at the time of this writing). No “warning banner/message” is displayed on configuration interfaces or to a user. Some VTUs provide a capability that permits the use of a customized company logo in place of the vendor’s logo on the welcome or possibly some other screen. This is implemented by uploading a graphics image file such as a .jpg to the VTU. This feature can and should be used, in lieu of a better method, to install a warning banner that is shown to the user on initial startup of the VTU and while it is not participating in a conference. This feature could provide partial and minimal compliance with the DoD banner requirement, but only for VTU users and administrators using the local access method with the remote control. A suggested process for this non-compliance mitigation follows: banner text can be written and formatted in a text editor as appropriate to fit the display parameters of the CODEC for its logo display. This formatted text can then be converted to .jpg or another compatible graphics file using a screen capture program such as PrintKey v3.0. Experimentation may be necessary to get the banner to display cleanly in a readable size. VTC administrators who successfully implement a banner in this manner are encouraged to send their file to the FSO helpdesk (fso_spt@disa.mil) along with the make and model of VTU on which it was installed so that it may be shared with others. Note: while the mitigation suggested above is a partial solution, it does not solve the problem, and vendors need to build this functionality into the products they sell to the DoD to meet DoD policy.
STIG | Date |
---|---|
Video Teleconference STIG | 2014-02-11 |
Check Text ( C-18976r1_chk ) |
---|
[IP][ISDN]; Have the IAO or SA demonstrate compliance with JTF-GNO CTO 08-008A and DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008, or attempt login from each interface and method. Validate that the user interface and the management ports or interfaces to system or network devices, as well as OAM&P/NM workstations, display the mandatory warning banner verbiage at login regardless of the means of connection or communication. The required verbiage follows:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: “I've read & consent to terms in IS user agreem't.”

Note: if the application and server comprise a purpose-built appliance, the application or platform operating system may perform the function.

- All management ports/interfaces on managed systems/devices/servers. Displayed before logon regardless of the port/interface (physical or logical), means of connection (e.g., serial modem or dumb terminal, Ethernet, workstation, local or remote connection, etc.), or communication protocol (e.g., serial and/or IP protocols, etc.), and acknowledged with a keystroke or mouse click before receiving the logon screen; or, minimally, in the event a managed system/device cannot support a keystroke acknowledgement, the banner must be displayed on the logon screen/page. Continuing to log in then implies audited acknowledgement and consent, assuming the logon is audited as required.
- The banner text conforms to current DoD policy and is legally approved. User agreements include verbiage in support of the warning banner as necessary to comply with current DoD policy.

Note: For VTC systems and devices to comply with this requirement, a warning banner is to be displayed and acknowledged prior to logon under the following circumstances:

- When a normal user or administrator logs in to or activates the VTU locally, i.e., when the VTU is initially powered on and/or when it comes out of sleep mode in the event sleep mode is used instead of powering off the VTU.
- When an administrator remotely accesses/logs in to a VTU or any other VTC system device over any network connection, whatever the purpose, access method, application, or protocol used.
- When an administrator accesses/logs in to a management suite/application and/or its supporting platform(s).
- When a user accesses/logs in to an independent scheduling system, i.e., a stand-alone scheduling application hosted on a server or appliance (e.g., application or web server). This would not be required if the scheduling process was performed through another application that the user was running on their platform, such as a collaboration or unified communications tool/application to which they had already logged in.
- When a user accesses/logs in to a streamed conference, whatever the source (e.g., VTU or streaming media server).

Note: It is understood that this requirement will generate a finding for most if not all VTC devices in use or available today. Vendors are encouraged to provide the required functionality to meet this requirement in future products, not only for their DoD customers but also for other Federal government customers that most likely need to comply with NIAP SP 800-53 AC-8. Vendors are also encouraged to produce patches or firmware/software upgrades to add this functionality to products that are already deployed and in use throughout the DoD and federal government today.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTC system devices.

Inspect VTC/VTU equipment and verify that the Logon Consent Banner is displayed on all user and administrator workstations, all NMS/EMS servers, and/or applications. Additionally, verify that the banner text conforms to current DoD policy and is legally approved. Verify that warning banners are displayed prior to the following:

- When a normal user or administrator logs in to or activates the VTU locally, i.e., when the VTU is initially powered on and/or when it comes out of sleep mode in the event sleep mode is used instead of powering off the VTU.
- When an administrator remotely accesses/logs in to a VTU or any other VTC system device over any network connection, whatever the purpose, access method, application, or protocol used.
- When an administrator accesses/logs in to a management suite/application and/or its supporting platform(s).
- When a user accesses/logs in to an independent scheduling system, i.e., a stand-alone scheduling application hosted on a server or appliance (e.g., application or web server). This would not be required if the scheduling process was performed through another application that the user was running on their platform, such as a collaboration or unified communications tool/application to which they had already logged in.
- When a user accesses/logs in to a streamed conference, whatever the source (e.g., VTU or streaming media server).
Fix Text (F-17603r1_fix) |
---|
[IP][ISDN]; Comply with JTF-GNO CTO 08-008A and DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008. Configure the user interface and the management ports and interfaces to the network device to display the DoD mandated warning banner verbiage at login regardless of the means of connection or communication. The required banner verbiage, which must be displayed verbatim, is as follows:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: “I've read & consent to terms in IS user agreem't.”

Ensure the specifically worded (per policy) warning and consent banner is displayed and acknowledged when a user or administrator accesses or logs on to any interface or service provided by the VTC system, minimally as follows:

- When a normal user or administrator logs in to or activates the VTU locally, i.e., when the VTU is initially powered on and/or when it comes out of sleep mode in the event sleep mode is used instead of powering off the VTU.
- When an administrator remotely accesses/logs in to a VTU or any other VTC system device over any network connection, whatever the purpose, access method, application, or protocol used.
- When an administrator accesses/logs in to a management suite/application and/or its supporting platform(s).
- When a user accesses/logs in to an independent scheduling system, i.e., a stand-alone scheduling application hosted on a server or appliance (e.g., application or web server). This would not be required if the scheduling process was performed through another application that the user was running on their platform, such as a collaboration or unified communications tool/application to which they had already logged in.
- When a user accesses/logs in to a streamed conference, whatever the source (e.g., VTU or streaming media server).