
Deficient acceptable use policy or user agreement regarding PC communication clients.


Overview

Finding ID:  V-16090
Version:     VVoIP 1335 (GENERAL)
Rule ID:     SV-17078r1_rule
IA Controls: (none listed)
Severity:    Medium
Description
DoDI 8500.2 IA control PRRB-1 regarding “Security Rules of Behavior or Acceptable Use Policy” states “A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signed acknowledgement of the rules is a condition of access.” This IA control requires the generation and use of a “user agreement” that contains site policy regarding acceptable use of various information system (IS) assets. Requiring the user to read and sign the user agreement before receiving their government furnished hardware and software, or before gaining access to an additional IS, add-on application, or additional privilege, provides the required acknowledgement. The Secure Remote Computing STIG requires that a user agreement be used and signed before a user is permitted to remotely access a DoD network or system. The Wireless STIG adds policy items to this user agreement regarding the use of wireless capabilities in conjunction with remote access. This STIG is no different in that we, the DoD IA community, must define acceptable use requirements for PC based voice, video, UC, and collaboration communications applications and their accessories. While the two STIGs mentioned above require a user agreement before remote access privileges are granted, a user agreement covering all acceptable use policies should be signed when the user receives their government furnished hardware. These policies are to include such things as acceptable web browsing, remote access, all wireless usage, and the usage of communications applications, soft-phone accessories, stick-phones, personally configured VoIP, and IM clients. At a minimum, the user agreement must be updated as privileges are granted and certain applications are installed.
User agreements must also be accompanied by user training and guides that reiterate the agreed-to policies and provide additional information, such as how to implement certain features and IA measures as required.
STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text ( C-17133r1_chk )
Interview the IAO to validate compliance with the following requirement:

Ensure user agreements are developed in accordance with DoD policies that address the acceptable use of PC based voice, video, UC, and collaboration communications applications and their accessories. Topics to be covered include, but are not limited to, the following:
- Users are not permitted to install soft-phone agents, soft-VTUs, and/or IM clients that connect to or use a public VoIP or IM service for personal use (i.e., non-official business).
- Users are not permitted to install private soft-phone agents that communicate with other private soft-phone agents or personal phone gateways (PPGs).
- Users are not permitted to use a stick-phone associated with a commercial VoIP service or a personal VoIP system on a DoD system unless it is sanctioned and provided by a DoD component or organization.
- Users are not permitted to use soft-phone accessories that can provide a bridge (if connected) between the DoD communications application or DoD network and another computer, phone network, or the PSTN.
- Users are not permitted to use the DoD provided soft-phone and/or soft-VTU intended for remote access while working in their normal DoD workspace (e.g., in the office) unless permitted by the IAO and connected via a special or properly configured network connection or the LAN's remote access architecture.
- Users should be cautioned and given notice of the unreliable nature of PC based voice, video, UC, and collaboration application communications, such that C2 users are aware of and acknowledge the non-assured service nature of this communications medium.
- Users should be cautioned and given restrictions on the use of PC based voice, video, UC, and collaboration communications applications' capabilities in an area where classified work or discussion occurs, with emphasis on “webcam” and speakerphone usage.

NOTE: The site may modify these items in accordance with local site policy; however, these items must be addressed in a user agreement. The user agreement may be a stand-alone agreement regarding acceptable use of PC based voice, video, UC, and collaboration communications applications and their accessories, or it may be included in a larger user agreement that addresses remote access and/or workstation usage.

NOTE: To the extent possible, PC protection and monitoring mechanisms (e.g., HBSS) should monitor compliance with these requirements.

NOTE: Requirements supporting the above user agreement items may be discussed later in this document. The list above may not include all items that need to be in the user agreement based on the other requirements discussed.

Discuss the existence and enforcement of an acceptable use policy for PC based voice, video, UC, and collaboration communications applications and their accessories. Inspect signed user agreements. Look for items that address the concerns listed in the requirement.

This is a finding if there is no acceptable use policy or related user agreement or these items are deficient in content.
Fix Text (F-16195r1_fix)
Ensure user agreements are developed in accordance with DoD policies that address the acceptable use of PC based voice, video, UC, and collaboration communications applications and their accessories.

Require users to sign user agreements that address the acceptable use of PC based voice, video, UC, and collaboration communications applications and their accessories. Topics to be covered include, but are not limited to, the following:
- Users are not permitted to install soft-phone agents, soft-VTUs, and/or IM clients that connect to or use a public VoIP or IM service for personal use (i.e., non-official business).
- Users are not permitted to install private soft-phone agents that communicate with other private soft-phone agents or personal phone gateways (PPGs).
- Users are not permitted to use a stick-phone associated with a commercial VoIP service or a personal VoIP system on a DoD system unless it is sanctioned and provided by a DoD component or organization.
- Users are not permitted to use soft-phone accessories that can provide a bridge (if connected) between the DoD communications application or DoD network and another computer, phone network, or the PSTN.
- Users are not permitted to use the DoD provided soft-phone and/or soft-VTU intended for remote access while working in their normal DoD workspace (e.g., in the office) unless permitted by the IAO and connected via a special or properly configured network connection or the LAN's remote access architecture.
- Cautions and notice of the unreliable nature of PC based voice, video, UC, and collaboration application communications, such that C2 users are aware of and acknowledge the non-assured service nature of this communications medium.
- Cautions and restrictions on the use of PC based voice, video, UC, and collaboration communications applications' capabilities in an area where classified work or discussion occurs, with emphasis on “webcam” and speakerphone usage.

NOTE: The site may modify these items in accordance with local site policy; however, these items must be addressed in a user agreement. The user agreement may be a stand-alone agreement regarding acceptable use of PC based voice, video, UC, and collaboration communications applications and their accessories, or it may be included in a larger user agreement that addresses remote access and/or workstation usage.

NOTE: To the extent possible, PC protection and monitoring mechanisms (e.g., HBSS) should monitor compliance with these requirements.

NOTE: Requirements supporting the above user agreement items may be discussed later in this document. The list above may not include all items that need to be in the user agreement based on the other requirements discussed.