STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019:

The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation

DISA Rule

SV-8709r1_rule

Vulnerability Number

V-8223

Group Title

Deficient C&A: VVoIP System in LAN C&A doc’n

Rule Version

VVoIP 1100 (GENERAL)

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Ensure the VVoIP system and its components as well as their upgrades and changes are included in the site’s enclave / LAN C&A documentation (i.e., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.).
NOTE: This requirement applies to or includes the existence or implementation of soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints.

Add all VVoIP installations and/or modifications to the site’s enclave / LAN baseline and C&A documentation. Obtain DAA approval for the updated documentation. Submit to the SRR team lead for validation and finding closure.

Check Contents

Interview the IAO to validate compliance with the following requirement: Ensure the VVoIP and/or IP connected VTC system and its components as well as their upgrades and changes are included in the site’s enclave / LAN C&A documentation (e.g., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.).

NOTE: This requirement applies to or includes the existence or implementation of soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints.

> Review the baseline documentation and/or C&A documentation to verify that all VVoIP installations and/or modifications are included. Verify there is a procedure for approving changes to configuration.
> Determine if soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints are used or implemented within the network. Look for the appearance of these in the required documentation noted above.

Vulnerability Number

V-8223

Documentable

False

Rule Version

VVoIP 1100 (GENERAL)

Severity Override Guidance

Interview the IAO to validate compliance with the following requirement: Ensure the VVoIP and/or IP connected VTC system and its components as well as their upgrades and changes are included in the site’s enclave / LAN C&A documentation (e.g., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.).

NOTE: This requirement applies to or includes the existence or implementation of soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints.

> Review the baseline documentation and/or C&A documentation to verify that all VVoIP installations and/or modifications are included. Verify there is a procedure for approving changes to configuration.
> Determine if soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints are used or implemented within the network. Look for the appearance of these in the required documentation noted above.

Check Content Reference

M

Potential Impact

The inability to effectively maintain the network or voice service and apply security policy and vulnerability mitigations. The inability for the DAA to understand the voice system’s and/or network’s security posture, threats, and vulnerabilities. The inability for the DAA to approve or accept the security risk of operating the system

Responsibility

Information Assurance Officer

Target Key

594

Comments