STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 11 Benchmark Date: 24 Apr 2020:

Remote monitoring is not disabled while connected to an IP Network.

DISA Rule

SV-18726r1_rule

Vulnerability Number

V-17599

Group Title

RTS-VTC 1160.00 [IP]

Rule Version

RTS-VTC 1160.00

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

[IP]; Perform the following tasks:
- Obtain validation of mission requirements and DAA approval if remote monitoring of a VTU is to be used.
OR
- Configure the VTU to disable remote monitoring if the feature is not needed to satisfy validated, approved, and documented mission requirements.

Check Contents

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU is connected to an IP network ensure remote monitoring of the VTU via IP is disabled unless required to satisfy validated, approved, and documented mission requirements.

Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to be disabled or the feature/capability must not be supported.

Interview the IAO to determine if remote monitoring is required and approved to meet mission requirements. Have the IAO or SA demonstrate compliance with the requirement.

Vulnerability Number

V-17599

Documentable

False

Rule Version

RTS-VTC 1160.00

Severity Override Guidance

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU is connected to an IP network ensure remote monitoring of the VTU via IP is disabled unless required to satisfy validated, approved, and documented mission requirements.

Note: The documented and validated mission requirements along with their approval(s) are maintained by the IAO for inspection by auditors. Such approval is obtained from the DAA or IAM responsible for the VTU(s) or system.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to be disabled or the feature/capability must not be supported.

Interview the IAO to determine if remote monitoring is required and approved to meet mission requirements. Have the IAO or SA demonstrate compliance with the requirement.

Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or classified information to a SA that is monitoring a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Information Assurance Officer

Target Key

1418

Comments