Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16108 | VVoIP 1130 (GENERAL) | SV-17096r1_rule | DCBP-1 ECSC-1 | Medium |
Description |
---|
Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This includes the applications as well as any upgrades and/or patches. DoDI 8500.2 IA control DCCT-1 under “Security Design and Configuration / Compliance Testing” states “A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment.” This IA control relates to all PC communications applications and the accessories that work in conjunction with them such as USB phones or audio adapters, USB ATAs/PPGs, cameras, etc. Additionally, the specific network implementation(s) in which these applications are used must be addressed along with any central communications service for which the applications act as clients. The DoD certification and accreditation process in defined by DoDI 8510.01; Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007. |
STIG | Date |
---|---|
Voice/Video Services Policy STIG | 2014-04-07 |
Check Text ( C-17221r1_chk ) |
---|
Interview the IAO to validate compliance with the following requirement: Ensure upgrades and patches to communications systems supporting PC communications applications are tested and approved prior to implementation. Determine if upgrades and patches to communications systems supporting PC communications applications and PC communications applications are tested and approved prior to implementation. Review documentation relating to the testing of the patch or upgrade to the PC communications system and application(s) as verification. This is a finding if it is determined that upgrades and patches to systems supporting PC communications applications and/or the applications themselves were NOT tested and approved prior to implementation. |
Fix Text (F-16214r1_fix) |
---|
Ensure upgrades and patches to communications systems supporting PC communications applications are tested and approved prior to implementation. Test upgrades and patches to PC communications systems and applications for IA concerns and seek approval for their use prior to implementation. Document the testing and approval of the patch or upgrade to the PC communications system or application(s) before implementation. Maintain this documentation for auditors/inspectors. |