
VTC system user agreements are not signed or used when a user receives an endpoint or approval to use an endpoint.


Overview

Finding ID: V-17711
Version: RTS-VTC 3720.00
Rule ID: SV-18885r1_rule
IA Controls: PRRB-1
Severity: Medium
Description
DoDI 8500.2 IA control PRRB-1 regarding “Security Rules of Behavior or Acceptable Use Policy” states “A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signed acknowledgement of the rules is a condition of access.” This IA control requires, or at minimum supports, the generation and use of a “user agreement” that contains site policy regarding acceptable use of various IS assets. Requiring the user to read and sign the user agreement before receiving their government-furnished hardware and/or software, or before gaining access to an additional IS or add-on application or an additional privilege, provides the required acknowledgement.

The Secure Remote Computing STIG requires a user agreement be used and signed for a user to be permitted to remotely access a DoD network or system. The Wireless STIG adds policy items to this user agreement regarding the use of wireless capabilities in conjunction with remote access. While the first two STIGs mentioned require a user agreement prior to remote access privileges being granted, there should also be a user agreement signed when the user receives any government-furnished hardware that covers all acceptable use policies, to include such things as acceptable web browsing, remote access, all wireless usage, as well as the usage of certain applications and personal hardware and software.

This STIG defines most but not necessarily all of the rules of use and operational procedures for VTC endpoints of all types. Each endpoint type will or may require different rules and procedures. Users must be informed of the vulnerabilities and risks of VTC endpoint use and trained in the procedures required to mitigate them as described in the training requirement.
Furthermore, users must acknowledge their awareness of the IA issues and mitigating requirements and their agreement to abide by the rules of operation of the VTC endpoint or system. This is accomplished by the user signing a “user agreement”. This user agreement should restate the high points of the required training and might serve as an acknowledgement that the training was received. This user agreement can also include a statement of the penalties for non-compliance with the rules of operation.
STIG: Video Teleconference STIG
Date: 2014-02-11

Details

Check Text ( C-18981r1_chk )
[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure VTC endpoint and/or system user agreements are signed when a user receives an endpoint or approval to use an endpoint. The user agreement will provide, but is not limited to, the following:
- Acknowledgement of their awareness of the vulnerabilities and risks associated with the use of the specific VTC system or devices the user is receiving, will receive, or use.
- Acknowledgement of their awareness of the methods contained in the SOP and training materials intended to mitigate the vulnerabilities and risks.
- Agreement to operate the system in a secure manner and employ the methods contained in the SOP and training materials intended to mitigate the vulnerabilities and risks.
- Acknowledgement of the penalties for non-compliance with the rules of operation if stated in the agreement.
- Acknowledgement of their awareness of the capability (or lack thereof) of the system to provide “assured service” for C2 communications.

Note: The site may modify these items in accordance with local site policy; however, these items must be addressed in a user agreement.

Inspect signed user agreements for content and to validate that they are being used and signed.


Fix Text (F-17608r1_fix)
[IP][ISDN]; Perform the following tasks:
Develop a user agreement. The user agreement will provide, but is not limited to, the following:
- Acknowledgement of their awareness of the vulnerabilities and risks associated with the use of the specific VTC system or devices the user is receiving, will receive, or use.
- Acknowledgement of their awareness of the methods contained in the SOP and training materials intended to mitigate the vulnerabilities and risks.
- Agreement to operate the system in a secure manner and employ the methods contained in the SOP and training materials intended to mitigate the vulnerabilities and risks.
- Acknowledgement of the penalties for non-compliance with the rules of operation if stated in the agreement.
- Acknowledgement of their awareness of the capability (or lack thereof) of the system to provide “assured service” for C2 communications.

Note: The site may modify these items in accordance with local site policy; however, these items must be addressed in a user agreement.

Ensure users sign the user agreement when a user receives an endpoint or approval to use an endpoint.
Maintain copies of the signed user agreements and provide a copy to the user for their reference.