Title

An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next. (Cat II impact)

Discussion

All residual data (data unintentionally left behind on computer media) must be cleared before transitioning from one period/network to the next. Because the equipment is reused, nondestructive techniques are used. According to NIST Special Publication 800-88: Clearing information is a level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. For example, overwriting is an acceptable method for clearing media.

Check Content

Verify an automatic capability exists and review documentation to determine if this capability is being implemented before transitioning from one period/network to the next. If no automatic capability exists, review organizational documentation to determine if a manual procedure is specified and implemented before transitioning from one period/network to the next. Coordinate with the vendor/solutions provider and certifier to verify all residual information is sanitized based on equipment make and model. If an automatic capability exists and is being implemented, this is not a finding. If an automatic capability exists but is not being implemented, this is a finding unless a manual procedure is specified and is being implemented. If a manual procedure is specified and is being implemented, this is not a finding. If no procedure is specified or none is being implemented, this is a finding.

Fix Text

Obtain equipment that has an automatic capability to sanitize memory or implement and document a manual procedure. Implement the automatic capability or manual procedure to sanitize all information while transitioning from one period/network to the next.

Additional Identifiers

Rule ID: SV-259892r948736_rule

Vulnerability ID: V-259892

Group Title: SRG-VOIP-000120

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.