A VTC management system or endpoint use does not have written approval and acceptance of risk by the responsible DAA.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17709	RTS-VTC 3640.00	SV-18883r2_rule	DCII-1	Medium

Description
DoDI 8500.2 IA control DCII-1 regarding “Security Design and Configuration/IA Impact Assessment” states “Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.” IA control DCII-1 essentially requires that the risk of operating any DoD system or application be assessed, defined, and formally accepted before use. The person responsible for the enclave’s network and system’s or application’s accreditation is the DAA. The DAA is also “the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk” per the definition of the DAA in DoDD 8500.1. For the above reasons, the DAA must approve changes to an existing system or the implementation of a new system or application that can affect the IA posture and therefore the accreditation of the system(s) for which he/she is responsible. The IA issues surrounding the use of VTC endpoints warrant DAA approval. The DAA responsible for the network supporting a VTC endpoint and area in which it is installed must be made aware of the issues and vulnerabilities presented to the network, the area, and information processed as well as the mitigations for same. Once informed, the DAA can approve operation with “an acceptable level of risk” if so inclined. Approval by the DAA responsible for the locally effected enclave/network/area must be obtained in addition to accreditation received from the DISN DAAs represented by the DISN Security Accreditation Working Group (DSAWG) through the DoD APL or other pre-deployment approval process such as the Information Support Plan (ISP) or Tailored Information Support Plan (T-ISP) process. The DAA approval required here is for the addition of IP based VTC endpoints or VTC infrastructure devices (MCUs, gatekeepers, gateways etc) to the base network and/or organization’s intranet. This is not intended to require separate approval for each individual endpoint in a multi-endpoint system; however, if the system is a single endpoint, it may require an individual approval.

Description

DoDI 8500.2 IA control DCII-1 regarding “Security Design and Configuration/IA Impact Assessment” states “Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.” IA control DCII-1 essentially requires that the risk of operating any DoD system or application be assessed, defined, and formally accepted before use. The person responsible for the enclave’s network and system’s or application’s accreditation is the DAA. The DAA is also “the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk” per the definition of the DAA in DoDD 8500.1. For the above reasons, the DAA must approve changes to an existing system or the implementation of a new system or application that can affect the IA posture and therefore the accreditation of the system(s) for which he/she is responsible. The IA issues surrounding the use of VTC endpoints warrant DAA approval. The DAA responsible for the network supporting a VTC endpoint and area in which it is installed must be made aware of the issues and vulnerabilities presented to the network, the area, and information processed as well as the mitigations for same. Once informed, the DAA can approve operation with “an acceptable level of risk” if so inclined. Approval by the DAA responsible for the locally effected enclave/network/area must be obtained in addition to accreditation received from the DISN DAAs represented by the DISN Security Accreditation Working Group (DSAWG) through the DoD APL or other pre-deployment approval process such as the Information Support Plan (ISP) or Tailored Information Support Plan (T-ISP) process. The DAA approval required here is for the addition of IP based VTC endpoints or VTC infrastructure devices (MCUs, gatekeepers, gateways etc) to the base network and/or organization’s intranet. This is not intended to require separate approval for each individual endpoint in a multi-endpoint system; however, if the system is a single endpoint, it may require an individual approval.

STIG	Date
Video Teleconference STIG	2014-02-11

Details

Check Text ( C-18979r1_chk )
[IP][ISDN]; Interview the IAO and validate compliance with the following requirement: Ensure the DAA responsible for the network and/or for the operation and use of a VTC system or endpoint(s) provides written approval or acceptance of risk for such usage and operation on the network. Approval is based upon the documented risks and use case justifications with a full understanding of the issues, vulnerabilities, and mitigations surrounding VTC system implementation. Note: maintain justification, implementation, and approval documentation pertaining to such use and implementation for inspection by auditors. Note: Appropriate documentation is added to the Site Security Authorization Agreement (SSAA) or other documentation that exists for the accreditation of the supporting network and the accreditation is adjusted accordingly. Stand alone VTC systems or endpoints such as those that connect using ISDN only may have their own accreditation or may be added to the site accreditation. Inspect documentation to ensure that if VTC and VTU endpoints are in use, they have been approved by the responsible DAA in writing. This documentation should reference the risk assessment performed with the DAA’s acknowledgement that he/she has a full understanding of any risk, vulnerabilities, and mitigations surrounding the VTC implementation

Check Text ( C-18979r1_chk )

[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure the DAA responsible for the network and/or for the operation and use of a VTC system or endpoint(s) provides written approval or acceptance of risk for such usage and operation on the network. Approval is based upon the documented risks and use case justifications with a full understanding of the issues, vulnerabilities, and mitigations surrounding VTC system implementation.

Note: maintain justification, implementation, and approval documentation pertaining to such use and implementation for inspection by auditors.

Note: Appropriate documentation is added to the Site Security Authorization Agreement (SSAA) or other documentation that exists for the accreditation of the supporting network and the accreditation is adjusted accordingly. Stand alone VTC systems or endpoints such as those that connect using ISDN only may have their own accreditation or may be added to the site accreditation.

Inspect documentation to ensure that if VTC and VTU endpoints are in use, they have been approved by the responsible DAA in writing. This documentation should reference the risk assessment performed with the DAA’s acknowledgement that he/she has a full understanding of any risk, vulnerabilities, and mitigations surrounding the VTC implementation

Fix Text (F-17606r2_fix)
[IP][ISDN]; Perform the following tasks: - Fully document the risks and vulnerabilities associated with the connection to the network and operation of a VTC endpoint and/or management system. Additionally document the justifications for use in light of the risks as well as any mitigations and the residual risk. - Obtain written approval from the responsible DAA for the operation of the VTC endpoint and/or management system in question.

Fix Text (F-17606r2_fix)

[IP][ISDN]; Perform the following tasks:
- Fully document the risks and vulnerabilities associated with the connection to the network and operation of a VTC endpoint and/or management system. Additionally document the justifications for use in light of the risks as well as any mitigations and the residual risk.
- Obtain written approval from the responsible DAA for the operation of the VTC endpoint and/or management system in question.