STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide

Version: 3

Release: 16

Benchmark Date: 26 Apr 2019

Name             Title
SV-8709r1_rule   The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation.
SV-8710r2_rule   MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address.
SV-8713r3_rule   VVoIP system components must use separate address blocks from those used by non-VVoIP system devices.
SV-8716r2_rule   The VVoIP VLAN design for the supporting LAN must provide segmentation of the VVoIP service from the other services on the LAN and between the VVoIP components such that access and traffic flow can be properly controlled.
SV-8733r2_rule   Servers supporting the Voice Video and Unified Capability (UC) environment must be dedicated services, with unnecessary functions disabled or removed.
SV-8734r1_rule   All applicable STIGs have NOT been applied to the VVoIP / unified communications core infrastructure assets.
SV-8736r4_rule   DoD-to-DoD VVoIP traffic traversing any publicly accessible wide area network (i.e., Internet, NIPRnet) must use FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic.
SV-8739r2_rule   The voicemail system and/or server must implement applicable SRG and/or STIG guidance.
SV-8740r2_rule   The Unified Mail system and/or server must implement applicable SRG and/or STIG guidance.
SV-8741r1_rule   Access to personal voice mail settings by the subscriber via an IP connection is not secured via encryption and/or the web server on the voicemail system is not configured in accordance with the “private web server” requirements in the Web Server STIG/Checklist.
SV-8742r2_rule   VVoIP services over wireless IP networks must apply the Wireless STIG to the wireless service and endpoints.
SV-8783r1_rule   A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).
SV-8785r1_rule   An inventory of authorized instruments is NOT documented or maintained in support of the detection of unauthorized instruments connected to the VoIP system.
SV-8789r2_rule   VVoIP system components must receive IP address assignment and configuration information from a DHCP server with a dedicated scope to the VVoIP system.
SV-8790r1_rule   Customers of the DISN VoSIP service ARE NOT utilizing address blocks assigned by the DRSN / VoSIP PMO.
SV-8797r3_rule   The LAN supporting VVoIP services for command and control (C2) users must provide assured services in accordance with the Unified Capabilities Requirements (UCR).
SV-8801r1_rule   A hardware based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub).
SV-8818r2_rule   The VVoIP VLAN ACL design must document the control of VVoIP system access and traffic flow.
SV-8823r4_rule   The implementation of VoIP systems in the local enclave must not degrade the enclave’s perimeter protection due to inadequate design of the VoIP boundary and its connection to external networks.
SV-8824r2_rule   The site’s enclave boundary protection must route DSN voice traffic via a local Media Gateway (MG) connected to a DSN service provider using the appropriate type of trunk based on the site’s need to support C2 communications.
SV-8844r1_rule   Software patches for critical VoIP servers and other IPT devices DO NOT originate from the system manufacturer and are NOT applied in accordance with manufacturer’s instructions.
SV-17057r1_rule  C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications.
SV-17060r1_rule  A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client.
SV-17061r2_rule  Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pick up and transmit sensitive or classified information in visual form.
SV-17063r2_rule  VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.
SV-17064r1_rule  Deficient Policy or SOP regarding PC communications video display positioning.
SV-17065r1_rule  Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC.
SV-17069r1_rule  Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool.
SV-17070r1_rule  Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session.
SV-17073r2_rule  Unified Capability (UC) soft client accessories must be tested and approved.
SV-17074r2_rule  User training must deny the use of personally provided Unified Capability (UC) soft client accessories.
SV-17075r2_rule  Voice networks must not be bridged via a Unified Capability (UC) soft client accessory.
SV-17076r2_rule  User training must include Unified Capability (UC) soft client accessory network bridging risks.
SV-17077r1_rule  Deficient training or training materials addressing secure PC communications client application usage.
SV-17078r3_rule  An acceptable use policy or user agreement must be enforced for Unified Capabilities (UC) soft client users.
SV-17079r3_rule  A user guide identifying the proper use of Unified Capabilities (UC) soft client applications must be provided to UC soft client users.
SV-17082r1_rule  Deficient support for COOP or emergency and life safety communications when soft-phones are implemented as the primary voice endpoint in the user’s workspace, caused by deficient placement of physical hardware based phones near all such workspaces.
SV-17083r2_rule  Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have Authorizing Official (AO) approval.
SV-17084r3_rule  Deploying Unified Communications (UC) soft clients on DoD networks must have Authorizing Official (AO) approval.
SV-17086r2_rule  A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary.
SV-17087r1_rule  The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure.
SV-17089r1_rule  Deficient benefit vs. risk analysis and/or approval for reduced VVoIP IA configuration measures in highly mobile tactical LANs and systems supporting hardware or PC based voice, video, unified, and/or collaboration communications.
SV-17094r2_rule  The Unified Capabilities (UC) soft client Certification and Accreditation (CA) documentation must be included in the CA documentation for the supporting VVoIP system.
SV-17095r2_rule  Unified Capabilities (UC) soft clients must be tested and approved prior to implementation.
SV-17096r2_rule  Unified Capabilities (UC) soft client patches and upgrades must be tested and approved prior to implementation.
SV-17097r1_rule  A PC Communications Application is not tested for IA and Interoperability and is not listed on the DoD UC APL.
SV-17099r2_rule  Unified Capabilities (UC) soft clients must be supported by the manufacturer or vendor.
SV-17100r1_rule  The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation.
SV-17101r1_rule  A PC communications application is not maintained at the current/latest approved patch or version/upgrade level.
SV-17102r1_rule  A PC communications application is operated with administrative or root level privileges.
SV-17103r2_rule  The integrity of VVoIP endpoint configuration files downloaded during endpoint registration must be validated using digital signatures.
SV-17104r1_rule  PC communications application server association is not properly limited.
SV-17105r2_rule  An unapproved Instant Messaging (IM) or Unified Capabilities (UC) soft client must not be used on Government Furnished Equipment (GFE).
SV-17106r1_rule  Deficient user training regarding the use of non-approved applications and hardware.
SV-17107r1_rule  Deficient PPS registration of those PPSs used by a Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints.
SV-21491r3_rule  VVoIP session signaling must be encrypted to provide end-to-end interoperable confidentiality and integrity.
SV-21492r3_rule  VVoIP session media must be encrypted to provide end-to-end interoperable confidentiality and integrity.
SV-21493r1_rule  The site’s V-VoIP system is NOT capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests.
SV-21494r3_rule  The local VVoIP system must have the capability to place intra-site and local phone calls when network connectivity is severed from the remote centrally-located session controller.
SV-21541r1_rule  The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation.
SV-21552r2_rule  The confidentiality of VVoIP endpoint configuration files downloaded during endpoint registration must be protected by encryption.
SV-21562r2_rule  The LAN supporting VVoIP services must provide enhanced reliability, availability, and bandwidth.
SV-21576r2_rule  The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications.
SV-21583r2_rule  The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications.
SV-21597r1_rule  An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users’ system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls.
SV-21607r1_rule  VVoIP core components are not assigned static addresses within the dedicated VVoIP address space.
SV-21610r3_rule  The VVoIP system management network must provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network.
SV-21626r2_rule  The VVoIP system and LAN design must provide segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled.
SV-21629r2_rule  The VVoIP system and supporting LAN design must contain one or more routing devices to provide support for required ACLs between the various required VVoIP VLANs.
SV-21733r2_rule  The site’s enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks.
SV-21734r3_rule  Local commercial phone service must be provided in support of Continuity Of Operations (COOP) and Fire and Emergency Services (FES) communications.
SV-21735r1_rule  The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation.
SV-21736r1_rule  The VVoIP system within the enclave is not subscribed to or integrated with the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service.
SV-21737r2_rule  All Customer Edge Routers (CE-R) implemented as the DISN access circuit termination point for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).
SV-21738r2_rule  A Session Border Controller (SBC) implemented as the DISN boundary element for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).
SV-21739r1_rule  The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function).
SV-21740r2_rule  All Local Session Controllers (LSC), Enterprise Session Controllers (ESC), and Multi-Function Soft Switches (MFSS) implemented within the enclave to provide session management for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).
SV-21741r1_rule  The DISN Core access circuit is NOT properly sized to accommodate the calculated Assured Service Admission Control (ASAC) budgets for AS voice and video calls/sessions OR the required budgets have not been calculated.
SV-21742r1_rule  The enclave is NOT dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
SV-21743r1_rule  The dual homed DISN core access circuits are NOT implemented such that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
SV-21744r1_rule  The required dual homed DISN Core or NIPRNet access circuits DO NOT follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs.
SV-21745r3_rule  Critical network equipment must be redundant and in geographically diverse locations for a site supporting C2 users.
SV-21747r1_rule  Enclaves with commercial VoIP connections must be approved by the DoDIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
SV-21768r3_rule  Remote access VoIP must be routed to the VoIP VLAN.
SV-21792r3_rule  When 802.1x is implemented and the voice video endpoint PC ports are disabled, the network access switch port must be configured to support a disabled PC port by configuring PC port traffic to the unused VLAN.
SV-21793r4_rule  The access switch must only allow a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port.
SV-21795r3_rule  The 802.1x authentication server must place voice video traffic in the correct VLAN when authorizing LAN access for voice video endpoints.
SV-23715r1_rule  Regular documented testing of hardware based COOP/backup or emergency telephones is not performed in accordance with a documented test plan, or related documentation is deficient or non-existent.
SV-23716r2_rule  Mitigations against data exfiltration via the voice and/or video communications network/system must be implemented.
SV-23717r2_rule  The Fire and Emergency Services (FES) communications over a site’s telephone system must be configured to support the Department of Defense (DoD) Instruction 6055.06 telecommunication capabilities.
SV-23718r3_rule  The Fire and Emergency Services (FES) communications over a site’s private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
SV-23719r3_rule  The Fire and Emergency Services (FES) communications over a site’s private telephone system must provide a direct callback telephone number and physical location of an FES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
SV-23721r3_rule  The Fire and Emergency Services (FES) communications over a site’s private telephone system must route emergency calls as a priority call in a non-blocking manner.
SV-23726r3_rule  Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support special-C2 users.
SV-23733r1_rule  Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers.
SV-23734r1_rule  The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; or the VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; or the VVoIP system information is published to the enterprise WAN or the Internet.
SV-23735r1_rule  The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers.
SV-60611r1_rule  VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates.
SV-60629r1_rule  Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves.
SV-68937r1_rule  VVoIP system components and UC soft clients must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.
SV-68939r1_rule  The VVoIP system components and UC soft clients Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
SV-72381r2_rule  Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users.
SV-72383r2_rule  Sufficient backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-C2 user accessible endpoints for emergency life-safety and security calls.
SV-75799r2_rule  VVoIP endpoint configuration files must not be downloaded automatically during initial endpoint registration.
SV-75801r1_rule  The VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have a Memorandum of Agreement (MoA) in effect.
SV-75803r1_rule  The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have ACLs permitting only specific inbound/outbound traffic and denying all other traffic.
SV-75805r1_rule  The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must be scanned to confirm protections in place are effective.
SV-93757r2_rule  Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over non-secure systems.