STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 11 Benchmark Date: 24 Apr 2020

VTC data in transit must be encrypted.

DISA Rule

SV-18857r2_rule

Vulnerability Number

V-17683

Group Title

RTS-VTC 1220

Rule Version

RTS-VTC 1220.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the VTC system architecture to require all data in transit be encrypted, with a preference for FIPS-validated or NSA-approved cryptography over legacy encryption.

Check Contents

If a VTU under review is connected to classified IP networks and the conference information owners provide written confirmation that encryption is not required within the classified enclave, this requirement is not applicable.

If the VTC systems, endpoints, and MCUs under review are on a physically separate network from the enclave’s LAN and use dedicated point-to-point circuits outside the enclave to interconnect to MCUs and other endpoints, this requirement is not applicable.

If the VTC systems, endpoints, and MCUs under review are on a logically separate network on the enclave’s LAN using a dedicated and closed VTC VLAN, and protected on the WAN using an encrypted VPN between endpoints and the MCU, this requirement is not applicable.

Review the VTC system architecture and ensure the VTC data in transit is encrypted. If the VTC data in transit is not encrypted, this is a finding.

Ensure the strongest encryption algorithm is used for VTC media streams as supported by all communicating VTUs and associated MCUs.

Documentable

False

Severity Override Guidance

If a VTU under review is connected to classified IP networks and the conference information owners provide written confirmation that encryption is not required within the classified enclave, this requirement is not applicable.

If the VTC systems, endpoints, and MCUs under review are on a physically separate network from the enclave’s LAN and use dedicated point-to-point circuits outside the enclave to interconnect to MCUs and other endpoints, this requirement is not applicable.

If the VTC systems, endpoints, and MCUs under review are on a logically separate network on the enclave’s LAN using a dedicated and closed VTC VLAN, and protected on the WAN using an encrypted VPN between endpoints and the MCU, this requirement is not applicable.

Review the VTC system architecture and ensure the VTC data in transit is encrypted. If the VTC data in transit is not encrypted, this is a finding.

Ensure the strongest encryption algorithm is used for VTC media streams as supported by all communicating VTUs and associated MCUs.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1418

Comments