STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version: 3, Release: 17, Benchmark Date: 25 Oct 2019

Critical network equipment must be redundant and in geographically diverse locations for a site supporting C2 users.

DISA Rule

SV-21745r3_rule

Vulnerability Number

V-19604

Group Title

VVoIP 6150

Rule Version

VVoIP 6150

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Implement and document critical network equipment as redundant and in geographically diverse locations for a site supporting C2 users. Critical network equipment includes CERs, SBCs, and session controllers (or Soft Switches in combination with session controllers).

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Review site documentation to confirm critical network equipment is redundant and in geographically diverse locations for a site supporting C2 users. Redundant sets of CERs, SBCs, and session controllers must be housed in geographically diverse facilities within the site such that if one of the locations is lost or isolated from the network, communications service is maintained. Site facilities with a Soft Switch should have a session controller implemented in a geographically diverse location. If critical network equipment does not have redundant equipment, this is a finding. If redundant critical network equipment is not in a geographically diverse location, this is a finding.

If it is determined, following a cost versus benefit study and risk analysis, that redundant facilities containing dual sets of CERs, SBCs, and session controllers are not warranted for the given site, this requirement should be marked as a finding with a justification included in the POA&M stating the Authorizing Official (AO) is cognizant of and accepts the risk.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Vulnerability Number

V-19604

Documentable

False

Rule Version

VVoIP 6150

Severity Override Guidance

Review site documentation to confirm critical network equipment is redundant and in geographically diverse locations for a site supporting C2 users. Redundant sets of CERs, SBCs, and session controllers must be housed in geographically diverse facilities within the site such that if one of the locations is lost or isolated from the network, communications service is maintained. Site facilities with a Soft Switch should have a session controller implemented in a geographically diverse location. If critical network equipment does not have redundant equipment, this is a finding. If redundant critical network equipment is not in a geographically diverse location, this is a finding.

If it is determined, following a cost versus benefit study and risk analysis, that redundant facilities containing dual sets of CERs, SBCs, and session controllers are not warranted for the given site, this requirement should be marked as a finding with a justification included in the POA&M stating the Authorizing Official (AO) is cognizant of and accepts the risk.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Content Reference

M

Target Key

594
