Check: SRG-VOIP-000150
Enterprise Voice, Video, and Messaging Policy SRG:
SRG-VOIP-000150
(in versions v1 r2 through v1 r1)
Title
IP-based VTC systems implementing a single CODEC that support conferences on multiple networks with different classification levels must sanitize nonvolatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network. (Cat II impact)
Discussion
A factory reset is the software restoration of an electronic device to its original system state by erasing all information stored on the device to restore the device to its original factory or unconfigured settings. This erases all data, settings, and applications that were previously on the device. Factory reset may be used as part of the sanitization process. This requirement is satisfied by the use of either a properly configured automated configuration management system or an inherent sanitization capability of the unit. However, this requirement results in a CAT III finding if a manual procedure is used.
Check Content
Verify the VTC system has an automated configuration management system configured to sanitize and reconfigure the CODEC when transitioning between networks. If it does, review documentation to determine if this capability is being implemented. If these conditions are met, this is not a finding. If the unit is not implementing an automated process, review documentation to determine if a manual procedure is specified and implemented when transitioning between networks. This will result in a CAT III finding if these conditions are met and a CAT II finding if they are not. If an automatic capability exists but is not being implemented, or an automated configuration management system is not being used, this is a CAT II finding unless a manual procedure is specified and is being implemented. If a manual procedure is specified and is being implemented, this is a CAT III finding. If the unit is not being sanitized when transitioning between networks, this is a CAT II finding.
Fix Text
Obtain a VTC system that has an automated sanitization capability. Implement and document a procedure that uses this capability to sanitize the CODEC when transitioning between networks. As a last resort, implement and document a manual sanitization/reconfiguration procedure to perform this function.
Additional Identifiers
Rule ID: SV-259895r956913_rule
Vulnerability ID: V-259895
Group Title: SRG-VOIP-000150
CCIs
Number | Definition |
---|---|
CCI-002217 | Separate information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information. |
Controls
Number | Title |
---|---|
AC-4(21) | Physical / Logical Separation of Information Flows |