STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version: 3, Release: 17, Benchmark Date: 25 Oct 2019

A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).

DISA Rule

SV-8783r1_rule

Vulnerability Number

V-8288

Group Title

Deficient SOP: endpt netwk config PIN/pswd mgmt

Rule Version

VVoIP 1500 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that a policy/SOP is in place and enforced to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).

Develop a policy/SOP and enforce it to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).

Check Contents

Interview the IAO to validate compliance with the following requirement: Ensure that a policy/SOP is in place and enforced to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).

Additionally, investigate the enforcement of the SOP.

This is a finding in the event there is no SOP addressing the concern here or the SOP does not adequately address the related DoD policies OR the policy/SOP is not enforced.

Documentable

False

Severity Override Guidance

Interview the IAO to validate compliance with the following requirement: Ensure that a policy/SOP is in place and enforced to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).

Additionally, investigate the enforcement of the SOP.

This is a finding in the event there is no SOP addressing the concern here or the SOP does not adequately address the related DoD policies OR the policy/SOP is not enforced.

Check Content Reference

I

Potential Impact

Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality.
Password or PIN code compromise, as compromise is easier or more likely if PINs are not managed.

Responsibility

Information Assurance Officer

Target Key

594
