Check: VVoIP 1300 (GENERAL)
Voice Video Services Policy STIG:
VVoIP 1300 (GENERAL)
(in versions v3 r18 through v3 r15)
Title
C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications. (Cat II impact)
Discussion
PC based communications applications rely on many different factors, but are dependent upon the platform on which they operate. A PC could be dedicated to a task, protected, and controlled such that it is highly available for mission critical applications and communications. However, a user’s general purpose PC or other computing device may not be highly available for mission critical communications, particularly if it is not dedicated to that task. This is because it supports many applications and functions while being connected to a network through which any number of threats can come. Mission critical applications and communications are also negatively affected if the PC is powered off, busy with another process, the communications application is not loaded or running properly, or if the PC is compromised and/or is having operational problems. While a fixed desktop or tower PC may be kept in a powered on and network connected state most of the time, a portable PC (laptop) is much more likely to be powered off and disconnected from the network. There is more chance that the PC and communications application won’t work, or be available, when needed compared to a dedicated device such as a purpose built hard phone or a dedicated PC.

Power for operating the PCs is another consideration in our discussion of their support for assured services and mission critical systems, users, and locations. If there is no power in the user’s workspace, the PC will not function unless a backup power supply is provided. This may be provided using a battery based Uninterruptible Power Supply (UPS) or a backup generator. Either solution is very costly when providing backup power to the workspace for the PC, particularly for large numbers of users. Provisions for light and other environmental factors may also be necessary, adding to cost. On the other hand, power is much more easily provided to a hardware based phone from the wiring closet using the LAN cabling. A UPS or generator will still be needed, but in a centralized location, reducing cost.

Another factor is the robustness and reliability of the network to which the PC is connected. As noted above, DoD networks can and must be designed and controlled to provide the reliability and robustness needed to support assured service. This can work well for a dedicated communications endpoint but not necessarily for a PC communications application. This is because the PC will, by default, be connected to the portion of the LAN that carries normal data traffic. That is the portion of the LAN that can be compromised and degraded by various DoS attacks and other issues, making it difficult for this portion of the LAN to provide assured service. The VoIP STIG defines some of the LAN requirements for the support of assured service, most notably the separation of the voice assets and traffic on the LAN from the data assets and traffic while maintaining a converged LAN architecture. Various solutions may also be available that can allow a PC to mitigate or manage these issues. These will be discussed later in the LAN use case section of this STIG.

A remotely connected PC cannot be relied upon to support assured service if it is connected to a non-DoD network such as an Internet connected LAN or the Internet itself. This is due to the lack of DoD control over the network to which it is attached. While most non-DoD LANs and the Internet are relatively reliable and may be robust regarding bandwidth, there is no control over the conditions in, or the availability of, these networks, whether LAN or WAN.

Based on the factors noted in the previous paragraphs, PCs cannot provide the reliability and availability required for assured service when compared to the reliability and availability specifications for a LAN supporting assured service. These factors make it difficult to consider a user’s general purpose fixed or portable PC as a stable platform for mission critical communications in an assured service sense, even though that is desired. All of these factors also affect non-assured service systems that provide life safety and emergency communications. In the future, PC and PC based communications application vendors may solve these problems and provide fully assured service capable PC based communications on a standard general purpose, general use platform at a reasonable cost.

These issues do not, however, preclude a PC based communications application from attempting to place and receive priority communications sessions. A C2 user may use this type of end instrument for the origination or reception of routine and non-routine calls at their discretion, as long as a purpose built instrument or other backup communications system/device is also available for use as a backup communications method when necessary. This, however, may not be feasible in all situations, such as when using a portable PC outside of the normal workspace.
Check Content
Interview the IAO to validate compliance with the following requirement: Ensure C2 and Special-C2 users are made aware of the potential for unreliability and reduced availability of PC based communications for assured service/C2 communications in the various situations in which they might use their PC for this purpose. The IAO will additionally ensure C2 and Special-C2 users are made aware of the need for backup communications methods, and that such methods are available and provided, in these various situations. Additionally, interview a random sampling of C2 and Special-C2 users to confirm their awareness. This is a finding if the users are unaware of the reliability limitations and/or there has been no attempt to make them aware.
Fix Text
Ensure C2 and Special-C2 users are made aware of the potential for unreliability and reduced availability of PC based communications for assured service/C2 communications in the various situations in which they might use their PC for this purpose. The IAO will additionally ensure C2 and Special-C2 users are made aware of the need for backup communications methods, and that such methods are available and provided, in these various situations. Implement training for C2 and Special-C2 users to provide awareness of the potential for unreliability and reduced availability of PC based communications for assured service/C2 communications in the various situations in which they might use their PC for this purpose.
Additional Identifiers
Rule ID: SV-17057r1_rule
Vulnerability ID: V-16070
Group Title: Deficient C2 user Training: Non-AS of PC Comm apps
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |