
Deficient testing or approval of PC communications application patches or upgrades.


Overview

Finding ID: V-16108
Version: VVoIP 1130 (GENERAL)
Rule ID: SV-17096r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium
Description
Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This includes the applications as well as any upgrades and/or patches. DoDI 8500.2 IA control DCCT-1 under “Security Design and Configuration / Compliance Testing” states “A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment.” This IA control relates to all PC communications applications and the accessories that work in conjunction with them, such as USB phones or audio adapters, USB ATAs/PPGs, cameras, etc. Additionally, the specific network implementation(s) in which these applications are used must be addressed, along with any central communications service for which the applications act as clients. The DoD certification and accreditation process is defined by DoDI 8510.01, Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007.
STIG Date
Voice/Video Services Policy STIG 2014-04-07

Details

Check Text (C-17221r1_chk)
Interview the IAO to validate compliance with the following requirement:

Ensure upgrades and patches to communications systems supporting PC communications applications are tested and approved prior to implementation.

Determine if upgrades and patches to communications systems supporting PC communications applications, and to the PC communications applications themselves, are tested and approved prior to implementation. Review documentation relating to the testing of the patch or upgrade to the PC communications system and application(s) as verification. This is a finding if it is determined that upgrades and patches to systems supporting PC communications applications and/or the applications themselves were NOT tested and approved prior to implementation.
Fix Text (F-16214r1_fix)
Ensure upgrades and patches to communications systems supporting PC communications applications are tested and approved prior to implementation.

Test upgrades and patches to PC communications systems and applications for IA concerns and seek approval for their use prior to implementation. Document the testing and approval of the patch or upgrade to the PC communications system or application(s) before implementation. Maintain this documentation for auditors/inspectors.