
Access Control Measures are not implemented for all conferences hosted on a centralized MCU appliance.


Overview

Finding ID: V-17720
Version: RTS-VTC 5120.00
Rule ID: SV-18894r1_rule
IA Controls: ECPA-1, IAIA-1, IAIA-2
Severity: Medium

Description
Access control to the conference scheduling system must be exercised and limited to authorized individuals. This is accomplished in different ways depending upon the access method.

Scheduling systems accessed by users or administrators via a web interface must comply with all of the requirements for a web server and/or applications server to include DoD access control (e.g., DoD PKI) and auditing requirements for such devices/systems.

Scheduling systems accessed via a collaboration tool must minimally utilize the access control required for accessing the collaboration application. Since an authorized user of a collaboration tool may or may not have the right to schedule VTC conferences, the scheduling application should receive user credentials from the collaboration application to determine authorization or the right must be controlled by the collaboration application.

Scheduling systems accessed by administrators using other methods must also employ access control and auditing meeting DoD requirements.

Note: The general requirement stated below is supported by several DoDI 8500.2 IA controls such as IAIA-1, IAIA-2, and ECPA-1.

STIG: Video Teleconference STIG
Date: 2014-02-11

Details

Check Text (C-18990r1_chk)
[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure access control measures are implemented to control access to conference scheduling systems such that only authorized individuals can schedule conferences.

Note: General compliance with all applicable STIGs was covered earlier in this document.

Verify that only authorized individuals are permitted to schedule conferences. Inspect the VTC scheduling system to verify that only users identified by the IAO for accessing and setting up scheduled VTC conferences have access to the scheduling function.

Fix Text (F-17617r1_fix)
[IP][ISDN]; Perform the following tasks:
Ensure access control measures are implemented to control access to conference scheduling systems such that only authorized individuals can schedule conferences.