STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 11 Benchmark Date: 24 Apr 2020

A VTU or conference room implemented using wireless components must be protected from external control or compromise.

DISA Rule

SV-18891r2_rule

Vulnerability Number

V-17717

Group Title

RTS-VTC 4420

Rule Version

RTS-VTC 4420.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Perform the following tasks:
Purchase and install wireless RF VTC system components that can support the following:
- The encryption of all information-bearing RF transmissions to prevent eavesdropping.
- The encryption and/or authentication of all control-bearing RF transmissions to prevent control hijacking.
- The configuration of wireless technologies covered by the wireless STIG and other DoD wireless policies is supported.
AND
Configure all wireless RF VTC system components to encrypt information-bearing RF transmissions to prevent eavesdropping and to encrypt and/or authenticate all control-bearing RF transmissions to prevent control hijacking.
AND
Obtain written approval from the responsible AO for the use of wireless RF components to assemble the VTC system.
AND/OR
Enclose the facility housing the VTC system in RF shielding so that the information or control bearing VTC radio signals cannot escape the facility and external control signals cannot enter the facility.
OR
Implement a hardwired VTC system.

Check Contents

Interview the ISSO and validate compliance with the following requirement:

If the audio, video, white boarding, data sharing capabilities or components of a VTC system are implemented using wireless RF technologies, ensure the following:
- All information-bearing RF transmissions are encrypted to prevent eavesdropping.
- All control-bearing RF transmissions are encrypted and/or authenticated to prevent control hijacking.
- Wireless technologies covered by the wireless STIG and other DoD wireless policies are implemented and configured in compliance with that STIG and other policies.
- Such implementations are approved by the responsible local AO in writing, and the ISSO will maintain approval documentation for inspection by IA auditors.

Note: A much more expensive mitigation to this issue would be to enclose the room in RF shielding so that the information or control bearing VTC radio signals cannot escape the facility and external control signals cannot enter the facility. This might not be practical.

Note: Wireless AV control systems or “touch panels” were discussed and requirements provided earlier in this document. The earlier-mentioned requirements are to be used in conjunction with this one.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

Inspect the configuration of the VTC system and all wireless RF components and their associated documentation to ensure that the wireless traffic is protected. Also inspect approval documentation to ensure the responsible local AO has approved, in writing, the implementation of VTU based wireless RF components. If a VTU or conference room implemented using wireless components is not protected from external control or compromise, this is a finding.

Vulnerability Number

V-17717

Documentable

False

Rule Version

RTS-VTC 4420.00

Severity Override Guidance

Interview the ISSO and validate compliance with the following requirement:

If the audio, video, white boarding, data sharing capabilities or components of a VTC system are implemented using wireless RF technologies, ensure the following:
- All information-bearing RF transmissions are encrypted to prevent eavesdropping.
- All control-bearing RF transmissions are encrypted and/or authenticated to prevent control hijacking.
- Wireless technologies covered by the wireless STIG and other DoD wireless policies are implemented and configured in compliance with that STIG and other policies.
- Such implementations are approved by the responsible local AO in writing, and the ISSO will maintain approval documentation for inspection by IA auditors.

Note: A much more expensive mitigation to this issue would be to enclose the room in RF shielding so that the information or control bearing VTC radio signals cannot escape the facility and external control signals cannot enter the facility. This might not be practical.

Note: Wireless AV control systems or “touch panels” were discussed and requirements provided earlier in this document. The earlier-mentioned requirements are to be used in conjunction with this one.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

Inspect the configuration of the VTC system and all wireless RF components and their associated documentation to ensure that the wireless traffic is protected. Also inspect approval documentation to ensure the responsible local AO has approved, in writing, the implementation of VTU based wireless RF components. If a VTU or conference room implemented using wireless components is not protected from external control or compromise, this is a finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1418

Comments