Deficient PC Communications Application integrity or supportability.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16111	VVoIP 1705 (GENERAL)	SV-17099r1_rule	DCBP-1 ECSC-1	Medium

Description
Another one of the measures in our defense in depth strategy to protect our PC based voice, video, UC, and collaboration applications is to ensure the application originates from a reputable source. The source of these applications can vary depending upon the type of application. To protect DoD interests, the source of the application depends on the criticality of the communications method. One source of possible compromise of a communications application is the use of freeware or shareware applications. This issue is covered in DoDI 8500.2 IA control DCPD-1 regarding “Security Design and Configuration / Public Domain Software Controls” which states “Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government.” Communications applications that primarily provide voice communications such as a soft-phone need to be designed to properly interoperate directly with the hardware based voice (VoIP) communications system. These applications should be a standard product of the voice system vendor or a partner whose product is approved by this vendor. The voice system is the most critical of all of the communications systems discussed in this document. Communications applications that primarily provide VTC ‘like’ communications can come from several sources. Some soft-phone applications provide VTC and collaboration features and should be sourced from the voice system vendor as noted previously. Applications that primarily provide VTC features and need to interoperate directly with a hardware based VTC system should be sourced from the VTC system’s vendor or a partner whose product is approved by this vendor. Communications applications that primarily provide collaboration services while also providing voice and video communications features must also be sourced from a major vendor in the business of providing collaboration systems or services. Unified communications applications that provide multiple services such as IM, presence, voice, VTC, web conferencing, and so forth, may also be a product of the PC’s operating system vendor as with Microsoft’s Office Communications applications. Application sourcing can also be dependant upon whether the application is to interoperate with a hardware based communications system located and operated within an enclave or whether it is a system operated by an interagency or inter-base program. This requirement is based on the fact that DoD components are required to use software and applications that are supported by a vendor that can maintain the security and integrity of the software or application. The vendor must be able to provide patches, upgrades or both to mitigate newly discovered vulnerabilities found in their product in a timely manner.

Description

Another one of the measures in our defense in depth strategy to protect our PC based voice, video, UC, and collaboration applications is to ensure the application originates from a reputable source. The source of these applications can vary depending upon the type of application. To protect DoD interests, the source of the application depends on the criticality of the communications method. One source of possible compromise of a communications application is the use of freeware or shareware applications. This issue is covered in DoDI 8500.2 IA control DCPD-1 regarding “Security Design and Configuration / Public Domain Software Controls” which states “Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government.” Communications applications that primarily provide voice communications such as a soft-phone need to be designed to properly interoperate directly with the hardware based voice (VoIP) communications system. These applications should be a standard product of the voice system vendor or a partner whose product is approved by this vendor. The voice system is the most critical of all of the communications systems discussed in this document. Communications applications that primarily provide VTC ‘like’ communications can come from several sources. Some soft-phone applications provide VTC and collaboration features and should be sourced from the voice system vendor as noted previously. Applications that primarily provide VTC features and need to interoperate directly with a hardware based VTC system should be sourced from the VTC system’s vendor or a partner whose product is approved by this vendor. Communications applications that primarily provide collaboration services while also providing voice and video communications features must also be sourced from a major vendor in the business of providing collaboration systems or services. Unified communications applications that provide multiple services such as IM, presence, voice, VTC, web conferencing, and so forth, may also be a product of the PC’s operating system vendor as with Microsoft’s Office Communications applications. Application sourcing can also be dependant upon whether the application is to interoperate with a hardware based communications system located and operated within an enclave or whether it is a system operated by an interagency or inter-base program. This requirement is based on the fact that DoD components are required to use software and applications that are supported by a vendor that can maintain the security and integrity of the software or application. The vendor must be able to provide patches, upgrades or both to mitigate newly discovered vulnerabilities found in their product in a timely manner.

STIG	Date
Voice/Video Services Policy STIG	2014-04-07

Details

Check Text ( C-17155r1_chk )
Interview the IAO to validate compliance with the following requirement: Ensure PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and can provide support for the application to resolve operational and IA issues for DoD implementations. NOTE: The following are applicable sources: - Soft-phone and/or UC applications providing voice telephone services source from the enclave’s voice (VoIP) system vendor (or their approved partner). - Soft-VTC applications source from the enclave’s or program’s VTC system vendor (or their approved partner). - Collaboration applications source from the enclave’s or program’s Collaboration system/service vendor (or their approved partner). - The PC’s operating system vendor (e.g., Microsoft) providing the application is approved to interoperate with the primary systems above. - An AIS program that has sourced the application from an appropriate source and provided the necessary testing, certification, and accreditation. Determine the source of the PC voice, video, UC, and collaboration communications applications that are installed or are in use. Determine if freeware or shareware PC voice, video, UC, or collaboration communications applications are in use. Examples are applications from yahoo, MSN, Google, Skype and other third party applications downloadable from the internet via freeware and shareware distribution web sites. Inspect a random sample of PCs to determine what PC voice, video, UC, or collaboration communications applications are installed. This is a finding if the PC voice, video, UC, or collaboration communications applications are either freeware / shareware, or are not sourced from the original manufacturer of the supporting voice, video, UC, and collaboration system. The only PC voice, video, UC, or collaboration communications applications that should be used are those licensed products from major communications system vendors such as Cisco, Nortel, Avaya, Polycom, Tandberg, and so on, for which a clear support path is defined. This is to ensure PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and that support for the application can be provided to resolve operational and IA issues for DoD. NOTE: this is NOT a finding in the event the applications in question are shareware/freeware or are sourced from a third party other than a major communications system vendor AND they are necessary for mission accomplishment; there are no alternative IT solutions available; and the product has been assessed for information assurance impacts, and approved for use by the DAA in writing. If this is the case, inspect the DAA approval documentation to validate.

Check Text ( C-17155r1_chk )

Interview the IAO to validate compliance with the following requirement:

Ensure PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and can provide support for the application to resolve operational and IA issues for DoD implementations.

NOTE: The following are applicable sources:
- Soft-phone and/or UC applications providing voice telephone services source from the enclave’s voice (VoIP) system vendor (or their approved partner).
- Soft-VTC applications source from the enclave’s or program’s VTC system vendor (or their approved partner).
- Collaboration applications source from the enclave’s or program’s Collaboration system/service vendor (or their approved partner).
- The PC’s operating system vendor (e.g., Microsoft) providing the application is approved to interoperate with the primary systems above.
- An AIS program that has sourced the application from an appropriate source and provided the necessary testing, certification, and accreditation.

Determine the source of the PC voice, video, UC, and collaboration communications applications that are installed or are in use.

Determine if freeware or shareware PC voice, video, UC, or collaboration communications applications are in use. Examples are applications from yahoo, MSN, Google, Skype and other third party applications downloadable from the internet via freeware and shareware distribution web sites.

Inspect a random sample of PCs to determine what PC voice, video, UC, or collaboration communications applications are installed.

This is a finding if the PC voice, video, UC, or collaboration communications applications are either freeware / shareware, or are not sourced from the original manufacturer of the supporting voice, video, UC, and collaboration system.

The only PC voice, video, UC, or collaboration communications applications that should be used are those licensed products from major communications system vendors such as Cisco, Nortel, Avaya, Polycom, Tandberg, and so on, for which a clear support path is defined.

This is to ensure PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and that support for the application can be provided to resolve operational and IA issues for DoD.

NOTE: this is NOT a finding in the event the applications in question are shareware/freeware or are sourced from a third party other than a major communications system vendor AND they are necessary for mission accomplishment; there are no alternative IT solutions available; and the product has been assessed for information assurance impacts, and approved for use by the DAA in writing. If this is the case, inspect the DAA approval documentation to validate.

Fix Text (F-16217r1_fix)
Ensure PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and can provide support for the application to resolve operational and IA issues for DoD implementations. Obtain PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and that can provide support for the application to resolve operational and IA issues for DoD implementations. NOTE: The following are applicable sources: - Soft-phone and/or UC applications providing voice telephone services source from the enclave’s voice (VoIP) system vendor (or their approved partner). - Soft-VTC applications source from the enclave’s or program’s VTC system vendor (or their approved partner). - Collaboration applications source from the enclave’s or program’s Collaboration system/service vendor (or their approved partner). - The PC’s operating system vendor (e.g., Microsoft) providing the application is approved to interoperate with the primary systems above. - An AIS program that has sourced the application from an appropriate source and provided the necessary testing, certification, and accreditation.

Fix Text (F-16217r1_fix)

Ensure PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and can provide support for the application to resolve operational and IA issues for DoD implementations.

Obtain PC voice, video, UC, and collaboration communications applications are obtained from an approved reputable source such that the integrity of the application along with its interoperability and security is assured and that can provide support for the application to resolve operational and IA issues for DoD implementations.
NOTE: The following are applicable sources:
- Soft-phone and/or UC applications providing voice telephone services source from the enclave’s voice (VoIP) system vendor (or their approved partner).
- Soft-VTC applications source from the enclave’s or program’s VTC system vendor (or their approved partner).
- Collaboration applications source from the enclave’s or program’s Collaboration system/service vendor (or their approved partner).
- The PC’s operating system vendor (e.g., Microsoft) providing the application is approved to interoperate with the primary systems above.
- An AIS program that has sourced the application from an appropriate source and provided the necessary testing, certification, and accreditation.