Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16107 | VVoIP 1125 (GENERAL) | SV-17095r1_rule | DCBP-1 ECSC-1 | Medium |
Description |
---|
Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This includes the applications as well as any upgrades and/or patches. DoDI 8500.2 IA control DCCT-1 under “Security Design and Configuration / Compliance Testing” states “A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment.” This IA control relates to all PC communications applications and the accessories that work in conjunction with them, such as USB phones or audio adapters, USB ATAs/PPGs, cameras, etc. Additionally, the specific network implementation(s) in which these applications are used must be addressed along with any central communications service for which the applications act as clients. The DoD certification and accreditation process is defined by DoDI 8510.01, Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007. |
STIG | Date |
---|---|
Voice / Video Services Policy STIG | 2015-01-05 |
Check Text (C-17151r1_chk) |
---|
Interview the IAO to validate compliance with the following requirement: Ensure PC communications applications are tested and approved prior to implementation. Determine if implemented PC communications applications were tested and approved prior to implementation. Review documentation relating to the testing and approval of the PC communications application(s) that are implemented. This is a finding if it is determined that PC communications applications were NOT tested and approved prior to implementation. |
Fix Text (F-16212r1_fix) |
---|
Ensure PC communications applications are tested and approved prior to implementation. Test PC communications applications for IA concerns and seek approval for their use prior to implementation. Document the testing and approval of PC communications application(s) before they are implemented. Maintain this documentation for auditors / inspectors. |