Title

A user guide identifying the proper use of Unified Capabilities (UC) soft client applications must be provided to UC soft client users. (Cat III impact)

Discussion

User agreements must be accompanied with a combination of user training and user guides reinforcing the organization's policies and prohibitions for UC soft clients (voice, video, and collaboration communications software clients). The training and guides should also provide additional information such as how to operate the UC soft client and implement cybersecurity features as required. Other topics that should be contained in a user guide include the use of webcams and microphones with both UC soft clients and hardware end instruments when used in a classified environment or where classified discussions occur. The user guide must contain a discussion pertaining to the use of UC soft client applications for assured service C2 communications. Cautions regarding the potentially unreliable nature of these communications applications or methods must be included in user guides so that C2 users are aware of, and reminded of, the non-assured service nature of these communications methods.

Check Content

Interview the ISSO to validate compliance with the following requirement: Verify a user guide is developed and distributed to users of UC soft client applications minimally providing the following information: - Review the policies and restrictions agreed to when the user agreement was signed upon receiving the communications application. - Provide a caution notice discussing the non-assured nature of UC soft client applications for C2 user awareness that for assured service a UC soft client should not be the primary method of communications. - Provide instruction for the proper and safe use of webcams or built-in cameras when used in a classified environment to prevent viewing classified work or classified material over non-secure networks. - Provide instruction for the proper and safe use of speakerphones or built-in microphones when used in a classified environment to prevent hearing classified discussions over non-secure networks. - Provide instruction regarding the proper and safe use of presentation, document, and desktop sharing. Inspect the user guide for the proper use of UC soft client and validate users received this guide by interviewing a random sampling of users. If the user guide is deficient in content or the guide is not provided to users, this is a finding.

Fix Text

Develop and distribute a user guide to users of UC soft client applications minimally providing the following information: - Review the policies and restrictions agreed to when the user agreement was signed upon receiving the communications application. - Provide a caution notice discussing the non-assured nature of UC soft client applications for C2 user awareness that for assured service a UC soft client should not be the primary method of communications. - Provide instruction for the proper and safe use of webcams or built-in cameras when used in a classified environment to prevent viewing classified work or classified material over non-secure networks. - Provide instruction for the proper and safe use of speakerphones or built-in microphones when used in a classified environment to prevent hearing classified discussions over non-secure networks. - Provide instruction regarding the proper and safe use of presentation, document, and desktop sharing.

Additional Identifiers

Rule ID: SV-17079r3_rule

Vulnerability ID: V-16091

Group Title: Provide UC soft client user guide

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.