STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 11 Benchmark Date: 24 Apr 2020

Use of media streaming is not documented properly or is not configured securely.

DISA Rule

SV-17559r1_rule

Vulnerability Number

V-16560

Group Title

RTS-VTC 2340.00 [IP]

Rule Version

RTS-VTC 2340.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP]; Perform the following tasks:
- Discontinue the use of VTC media streaming OR obtain approval for the validated mission requirement, the distribution method, and fully document the requirement, distribution method, and the approval.
- If streaming from a CODEC is approved, configure the codec for a unicast connection such that the media stream is limited to the single IP address of a streaming/recording server.
- If IP multicast or IP broadcast is approved as the distribution method, configure the streaming server/CODEC to encrypt the media stream and use a secure key exchange process.
- If streaming from a streaming/recording server is approved, configure the server to provide the streaming service via an authenticated and audited client to server (unicast) session or authenticated and audited access to an .sdp file; additionally configure the server to use DoD PKI for access control; and to provide an encrypted client server connection or encryption of the media stream.

Check Contents

[IP]; Interview the IAO to validate compliance with the following requirement:

Ensure the following regarding VTC streaming:
- Streaming of VTC content will not be implemented unless required to fulfill a specific, validated, authorized, and documented mission requirement.
- Streaming from a VTU/CODEC is to the unicast addresses of a streaming/recording server only, not to an IP multicast or broadcast address due to the lack of user/recipient access control.
- A streaming server is used that provides the streaming service via an authenticated and audited client to server (unicast) session or authenticated and audited access to an .sdp file.
- Streaming server access control will use DoD PKI.
- Streaming server to client connection is encrypted for confidentiality of the streamed media.
- If approved, and IP multicast must be used, the media stream must be encrypted and a secure key exchange process employed.

Determine if VTC media streaming is being used. If not, this is not a finding. If so, additionally determine the following:
- Inspect the documentation regarding the validated and authorized/approved mission requirement. This is a finding if the documentation or approval is deficient or non-existent.
- Determine if IP multicast or IP broadcast is being used as the distribution method. If so, this is a finding unless the use is approved (inspect DAA approval documentation) and the media stream is encrypted and a secure key exchange process employed.
- If streaming from a CODEC is being used, this is a finding if the media stream is not limited to the single IP address of a streaming/recording server.
- If a streaming server is being used, this is a finding if the stream is not delivered via an authenticated and audited client to server (unicast) session or authenticated and audited access to an .sdp file; and/or streaming server access control does not use DoD PKI; and/or the server to client connection is not encrypted.

Documentable

False

Severity Override Guidance


Check Content Reference

I

Potential Impact

The inadvertent or improper disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Information Assurance Officer

Target Key

1418

Comments