Check: VVoIP 1205 (GENERAL)
Voice Video Services Policy STIG:
VVoIP 1205 (GENERAL)
(in versions v3 r18 through v3 r15)
Title
A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client. (Cat II impact)
Discussion
PC based communications applications rely on many different factors, but are dependent upon the platform on which they operate. A PC could be dedicated to a task, protected, and controlled such that it is highly available for mission critical applications and communications. However, a user’s general purpose PC or other computing device may not be highly available for mission critical communications, particularly if it is not dedicated to that task. This is because it supports many applications and functions while being connected to a network through which any number of threats can come. Mission critical applications and communications are also negatively affected if the PC is powered off, busy with another process, the communications application is not loaded or is not running properly, or if the PC is compromised and/or is having operational problems. While a fixed desktop or tower PC may be kept in a powered on and network connected state most of the time, a portable PC (laptop) is much more likely to be powered off and disconnected from the network. There is more chance that the PC and communications application won’t work, or be available, when needed compared to a dedicated device such as a purpose built hard phone or a dedicated PC.

Power for PCs is another consideration in our discussion of their support for assured services and mission critical systems, users, and locations. If there is no power in the user’s workspace, the PC will not function unless a backup power supply is provided. This may be provided using a battery based Uninterruptible Power Supply (UPS) or a backup generator. Either solution is very costly when providing backup power to the workspace for the PC, particularly for large numbers of users. Provisions for light and other environmental factors may also be necessary, adding to cost. On the other hand, power is much more easily provided to a hardware based phone from the wiring closet using the LAN cabling.
A UPS or generator will still be needed but in a centralized location reducing cost. Another factor is the robustness and reliability of the network to which the PC is connected. As noted above, DoD networks can and must be designed and controlled to provide the reliability and robustness needed to support assured service. This can work well for a dedicated communications endpoint but not necessarily for a PC communications application. This is because the PC will be connected to the portion of the LAN that carries normal data traffic by default. That is the portion of the LAN that can be compromised and degraded by various DoS attacks and other issues making it difficult for this portion of the LAN to provide assured service. This STIG defines some of the LAN requirements for the support of assured service, most notably the separation of the voice assets and traffic on the LAN from the data assets and traffic while maintaining a converged LAN architecture. Various solutions may also be available that can allow a PC to mitigate or manage these issues. These will be discussed later in the LAN use case section of this STIG. A remotely connected PC cannot be relied upon to support assured service if it is connected to a non-DoD network such as an Internet connected LAN or the internet itself. This is due to lack of DoD control over the network to which it is attached. While most non-DoD LANs and the Internet are relatively reliable and may be robust regarding bandwidth, there is no control over the conditions in, or the availability of, these networks, whether it is the LAN or WAN. Based on the factors noted in the previous paragraphs, PCs cannot provide the reliability and availability required for assured service when compared to the reliability and availability specifications for a LAN supporting assured service. 
These factors make it difficult to consider a user’s general purpose fixed or portable PC as being a stable platform for mission critical communications in an assured service sense even though we desire it to be so. All of these factors also affect non-assured service systems that provide life safety and emergency communications. In the future, PC and PC based communications application vendors may solve these problems and provide us with fully assured service capable PC based communications on a standard general purpose, general use platform at a reasonable cost. These issues do not, however, preclude a PC based communications application from attempting to place and receive priority communications sessions. A C2 user may use this type of end instrument for the origination of, or reception of, routine and non-routine calls at their discretion, as long as a purpose built instrument or other backup communications system/device is also available for use as a backup communications method when necessary. This, however, may not be feasible in all situations, such as when using a portable PC outside of the normal workspace.

Note: Voice communications is the most critical communications service for C2 users. While VTC and collaboration are important C2 tools, a telephone call is the minimal method needed to give and receive orders. Since a PC based application may not be available at all times, backup voice communications methods are needed. This could be accomplished in several ways. Minimally, in the normal workspace, there needs to be a hardware based telephone, either IP or otherwise, connected to a different portion of the network than the PC. While a hardware based IP phone could be associated with the PC, if the portion of the network serving the PC was the cause of the PC being inoperable for C2 communications, the phone might also not be available or operational.
Check Content
Interview the IAO and a sampling of C2 or Special-C2 users to determine if C2 or Special-C2 users are provided with a more reliable communications method than a PC based communications application in compliance with the following requirement: Within a C2 or Special-C2 user’s normal workspace (e.g., office) or alternate fixed workspace (e.g., quarters, alternate office), ensure C2 and Special-C2 users are provided with an alternate assured service communications device/system (e.g., hardware based IP or traditional telephone endpoint) as backup to a PC based communications application (e.g., soft-phone) for their mission critical assured service (C2) voice communications needs if and when the PC or application fails or is unavailable.

Note: Cell phones, PDAs/PEDs, or other wireless devices are not considered reliable enough within a normal workspace to meet this requirement due to lack of reliable signal everywhere and their inability to be used in certain DoD environments. However, these could be considered in a remote use case.

NOTE: This is not intended to require the installation of assured service communications devices in alternate workspaces such as quarters unless there is a requirement for the C2 or Special-C2 user to place and receive C2 communications in that location.

This is a finding if C2 or Special-C2 users are not provided with a more reliable communications method than a PC based communications application for their assured service needs.
Fix Text
Ensure C2 and Special-C2 users are provided with an alternate assured service communications device/system (e.g., hardware based IP or traditional telephone endpoint) as backup to a PC based communications application (e.g., soft-phone) for their mission critical assured service (C2) voice communications needs. Minimally, provide C2 and Special-C2 users with a hardware based telephone and supporting infrastructure that can support reliable assured service communications within their normal or alternate workspaces.
Additional Identifiers
Rule ID: SV-17060r1_rule
Vulnerability ID: V-16073
Group Title: Deficient COOP: C2 User’s Backup for PC Comm app
Expert Comments
CCIs
| Number | Definition |
|---|---|
| (none) | No CCIs are assigned to this check |
Controls
| Number | Title |
|---|---|
| (none) | No controls are assigned to this check |