
PC communications application C&A documentation is not included in the C&A documentation for the supporting VVoIP system.


Overview

Finding ID: V-16106
Version: VVoIP 1105 (GENERAL)
Rule ID: SV-17094r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium
Description
Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This includes the applications as well as any upgrades and/or patches. Since a PC VVoIP communications application is typically supported by a larger VVoIP communications system, the security of the application will affect the security of the overall system. Therefore, the C&A documentation for the PC application must be included in the C&A documentation for the overall VVoIP system. Subsequently, the VVoIP system’s C&A documentation must be included in the C&A documentation for the LAN/enclave.

DoDI 8500.2 IA control DCCT-1 under “Security Design and Configuration / Compliance Testing” states “A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment.” This IA control relates to all PC communications applications and the accessories that work in conjunction with them, such as USB phones or audio adapters, USB ATAs/PPGs, cameras, etc. Additionally, the specific network implementation(s) in which these applications are used must be addressed, along with any central communications service for which the applications act as clients.

The DoD certification and accreditation process is defined by DoDI 8510.01, Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007.
STIG Date
Voice/Video Services Policy STIG 2014-04-07

Details

Check Text (C-17150r1_chk)
Interview the IAO to validate compliance with the following requirement:

Ensure PC communications applications are certified and accredited in association with, or as part of, their supporting communications system or service.

Inspect the C&A documentation of the communications system or service supporting a PC communications application. Look for the inclusion and IA of the PC communications application. If not included, this is a finding.
Fix Text (F-16211r1_fix)
Ensure PC communications applications are certified and accredited in association with, or as part of, their supporting communications system or service.

Include PC communications applications in the C&A of the supporting communications system or service. If PC communications applications are added after the supporting system is accredited, modify the system C&A documentation and update the “approvals to operate” (ATO) to include the added PC communications applications.