| Checked | Name | Title |
|---|
| ☐ | SV-8709r1_rule | The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation |
| ☐ | SV-8710r2_rule | MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address. |
| ☐ | SV-8713r3_rule | VVoIP system components must use separate address blocks from those used by non-VVoIP system devices. |
| ☐ | SV-8716r2_rule | The VVoIP VLAN design for the supporting LAN must provide segmentation of the VVoIP service from the other services on the LAN and between the VVoIP components such that access and traffic flow can be properly controlled. |
| ☐ | SV-8733r2_rule | Servers supporting the Voice Video and Unified Capability (UC) environment must be dedicated services, with unnecessary functions disabled or removed. |
| ☐ | SV-8734r1_rule | All applicable STIGs have NOT been applied to the VVoIP / unified communications core infrastructure assets. |
| ☐ | SV-8736r4_rule | DoD-to-DoD VVoIP traffic traversing any publicly accessible wide area network (i.e., Internet, NIPRnet) must use FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic. |
| ☐ | SV-8739r2_rule | The voicemail system and/or server must implement applicable SRG and/or STIG guidance. |
| ☐ | SV-8740r2_rule | The Unified Mail system and/or server must implement applicable SRG and/or STIG guidance. |
| ☐ | SV-8741r1_rule | Access to personal voice mail settings by the subscriber via an IP connection is not secured via encryption and/or web” server on the voicemail system is not configured in accordance with the “private web server” requirements in the Web Server STIG/Checklist. |
| ☐ | SV-8742r2_rule | VVoIP services over wireless IP networks must apply the Wireless STIG to the wireless service and endpoints. |
| ☐ | SV-8783r1_rule | A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage). |
| ☐ | SV-8785r1_rule | An inventory of authorized instruments is NOT documented or maintained in support of the detection of unauthorized instruments connected to the VoIP system. |
| ☐ | SV-8789r2_rule | VVoIP system components must receive IP address assignment and configuration information from a DHCP server with a dedicated scope to the VVoIP system. |
| ☐ | SV-8790r1_rule | Customers of the DISN VoSIP service on ARE NOT utilizing address blocks assigned by the DRSN / VoSIP PMO. |
| ☐ | SV-8797r3_rule | The LAN supporting VVoIP services for command and control (C2) users must provide assured services in accordance with the Unified Capabilities Requirements (UCR). |
| ☐ | SV-8801r1_rule | A hardware based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub). |
| ☐ | SV-8818r2_rule | The VVoIP VLAN ACL design must document the control of VVoIP system access and traffic flow. |
| ☐ | SV-8823r4_rule | The implementation of VoIP systems in the local enclave must not degrade the enclaves perimeter protection due to inadequate design of the VoIP boundary and its connection to external networks. |
| ☐ | SV-8824r2_rule | The sites enclave boundary protection must route DSN voice traffic via a local Media Gateway (MG) connected to a DSN service provider using the appropriate type of trunk based on the sites need to support C2 communications. |
| ☐ | SV-8844r1_rule | Software patches for critical VoIP servers and other IPT devices DO NOT originate from the system manufacturer and are NOT applied in accordance with manufacturer’s instructions. |
| ☐ | SV-17057r1_rule | C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications. |
| ☐ | SV-17060r1_rule | A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client. |
| ☐ | SV-17061r2_rule | Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pickup and transmit sensitive or classified information in visual form. |
| ☐ | SV-17063r2_rule | VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems. |
| ☐ | SV-17064r1_rule | Deficient Policy or SOP regarding PC communications video display positioning. |
| ☐ | SV-17065r1_rule | Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC. |
| ☐ | SV-17069r1_rule | Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool. |
| ☐ | SV-17070r1_rule | Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session. |
| ☐ | SV-17073r2_rule | Unified Capability (UC) soft client accessories must be tested and approved. |
| ☐ | SV-17074r2_rule | User training must deny the use of personally provided Unified Capability (UC) soft client accessories. |
| ☐ | SV-17075r2_rule | Voice networks must not be bridged via a Unified Capability (UC) soft client accessory. |
| ☐ | SV-17076r2_rule | User training must include Unified Capability (UC) soft client accessory network bridging risks. |
| ☐ | SV-17077r1_rule | Deficient training or training materials addressing secure PC communications client application usage. |
| ☐ | SV-17078r3_rule | An acceptable use policy or user agreement must be enforced for Unified Capabilities (UC) soft client users. |
| ☐ | SV-17079r3_rule | A user guide identifying the proper use of Unified Capabilities (UC) soft client applications must be provided to UC soft client users. |
| ☐ | SV-17082r1_rule | Deficient support for COOP or emergency and life safety communications when soft-phones are implemented as the primary voice endpoint in user’s workspace caused by deficient placement of physical hardware based phones near all such workspaces. |
| ☐ | SV-17083r2_rule | Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have Authorizing Official (AO) approval. |
| ☐ | SV-17084r3_rule | Deploying Unified Communications (UC) soft clients on DoD networks must have Authorizing Official (AO) approval. |
| ☐ | SV-17086r2_rule | A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary. |
| ☐ | SV-17087r1_rule | The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure. |
| ☐ | SV-17089r1_rule | Deficient benefit vs. risk analysis and/or approval for reduced VVoIP IA configuration measures in highly mobile tactical LANs and systems supporting hardware or PC based voice, video, unified, and/or collaboration communications. |
| ☐ | SV-17094r2_rule | The Unified Capabilities (UC) soft client Certification and Accreditation (CA) documentation must be included in the CA documentation for the supporting VVoIP system. |
| ☐ | SV-17095r2_rule | Unified Capabilities (UC) soft clients must be tested and approved prior to implementation. |
| ☐ | SV-17096r2_rule | Unified Capabilities (UC) soft client patches and upgrades must be tested and approved prior to implementation. |
| ☐ | SV-17097r1_rule | A PC Communications Application is not tested for IA and Interoperability and are not listed on the DoD UC APL. |
| ☐ | SV-17099r2_rule | Unified Capabilities (UC) soft clients must be supported by the manufacturer or vendor. |
| ☐ | SV-17100r1_rule | The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation. |
| ☐ | SV-17101r1_rule | A PC communications application is not maintained at the current/latest approved patch or version/upgrade level. |
| ☐ | SV-17102r1_rule | A PC communications application is operated with administrative or root level privileges. |
| ☐ | SV-17103r2_rule | The integrity of VVoIP endpoint configuration files downloaded during endpoint registration must be validated using digital signatures. |
| ☐ | SV-17104r1_rule | PC communications application server association is not properly limited. |
| ☐ | SV-17105r2_rule | An unapproved Instant Messaging (IM) or Unified Capabilities (UC) soft client must not be used on Government Furnished Equipment (GFE). |
| ☐ | SV-17106r1_rule | Deficient user training regarding the use of non-approved applications and hardware. |
| ☐ | SV-17107r1_rule | Deficient PPS registration of those PPSs used by a Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints. |
| ☐ | SV-21491r3_rule | VVoIP session signaling must be encrypted to provide end-to-end interoperable confidentiality and integrity. |
| ☐ | SV-21492r3_rule | VVoIP session media must be encrypted to provide end-to-end interoperable confidentiality and integrity. |
| ☐ | SV-21493r1_rule | The site’s V-VoIP system is NOT capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests. |
| ☐ | SV-21494r3_rule | The local VVoIP system must have the capability to place intra-site and local phone calls when network connectivity is severed from the remote centrally-located session controller. |
| ☐ | SV-21541r1_rule | The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation. |
| ☐ | SV-21552r2_rule | The confidentiality of VVoIP endpoint configuration files downloaded during endpoint registration must be protected by encryption. |
| ☐ | SV-21562r2_rule | The LAN supporting VVoIP services must provide enhanced reliability, availability, and bandwidth. |
| ☐ | SV-21576r2_rule | The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications. |
| ☐ | SV-21583r2_rule | The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications. |
| ☐ | SV-21597r1_rule | An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls. |
| ☐ | SV-21607r1_rule | VVoIP core components are not assigned static addresses within the dedicated VVoIP address space |
| ☐ | SV-21610r3_rule | The VVoIP system management network must provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network. |
| ☐ | SV-21626r2_rule | The VVoIP system and LAN design must provide segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled. |
| ☐ | SV-21629r2_rule | The VVoIP system and supporting LAN design must contain one or more routing devices to provide support for required ACLs between the various required VVoIP VLANs. |
| ☐ | SV-21733r2_rule | The sites enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks. |
| ☐ | SV-21734r3_rule | Local commercial phone service must be provided in support of Continuity Of Operations (COOP) and Fire and Emergency Services (FES) communications. |
| ☐ | SV-21735r1_rule | The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation. |
| ☐ | SV-21736r1_rule | The VVoIP system within the enclave is not subscribed to or integrated with the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service |
| ☐ | SV-21737r2_rule | All Customer Edge Routers (CE-R) implemented as the DISN access circuit termination point for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL). |
| ☐ | SV-21738r2_rule | A Session Border Controller (SBC) implemented as the DISN boundary element for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL). |
| ☐ | SV-21739r1_rule | The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function). |
| ☐ | SV-21740r2_rule | All Local Session Controllers (LSC), Enterprise Session Controllers (ESC), and Multi-Function Soft Switches (MFSS) implemented within the enclave to provide session management for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL). |
| ☐ | SV-21741r1_rule | The DISN Core access circuit is NOT properly sized to accommodate the calculated Assured Service Admission Control (ASAC) budgets for AS voice and video calls/sessions OR the required budgets have not been calculated. |
| ☐ | SV-21742r1_rule | The enclave is NOT dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. |
| ☐ | SV-21743r1_rule | The dual homed DISN core access circuits are NOT implemented such that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis. |
| ☐ | SV-21744r1_rule | The required dual homed DISN Core or NIPRNet access circuits DO NOT follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. |
| ☐ | SV-21745r3_rule | Critical network equipment must be redundant and in geographically diverse locations for a site supporting C2 users. |
| ☐ | SV-21747r1_rule | Enclaves with commercial VoIP connections must be approved by the DoDIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP). |
| ☐ | SV-21768r3_rule | Remote access VoIP must be routed to the VoIP VLAN. |
| ☐ | SV-21792r3_rule | When 802.1x is implemented and the voice video endpoint PC ports are disabled, the network access switch port must be configured to support a disabled PC port by configuring PC port traffic to the unused VLAN. |
| ☐ | SV-21793r4_rule | The access switch must only allow a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port. |
| ☐ | SV-21795r3_rule | The 802.1x authentication server must place voice video traffic in the correct VLAN when authorizing LAN access for voice video endpoints. |
| ☐ | SV-23715r1_rule | Regular documented testing of hardware based COOP/backup or emergency telephones is not performed in accordance with a documented test plan or related documentation is deficient or non existent. |
| ☐ | SV-23717r2_rule | The Fire and Emergency Services (FES) communications over a sites telephone system must be configured to support the Department of Defense (DoD) Instruction 6055.06 telecommunication capabilities. |
| ☐ | SV-23718r3_rule | The Fire and Emergency Services (FES) communications over a sites private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information. |
| ☐ | SV-23719r3_rule | The Fire and Emergency Services (FES) communications over a sites private telephone system must provide a direct callback telephone number and physical location of an FES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database. |
| ☐ | SV-23721r3_rule | The Fire and Emergency Services (FES) communications over a sites private telephone system must route emergency calls as a priority call in a non-blocking manner. |
| ☐ | SV-23726r3_rule | Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support special-C2 users. |
| ☐ | SV-23733r1_rule | Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers. |
| ☐ | SV-23734r1_rule | The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; or the VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; or the VVoIP system information is published to the enterprise WAN or the Internet. |
| ☐ | SV-23735r1_rule | The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers. |
| ☐ | SV-60611r1_rule | VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates. |
| ☐ | SV-60629r1_rule | Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves. |
| ☐ | SV-68937r1_rule | VVoIP system components and UC soft clients must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access. |
| ☐ | SV-68939r1_rule | VVoIP system components and UC soft clients Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access. |
| ☐ | SV-72381r2_rule | Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users. |
| ☐ | SV-72383r2_rule | Sufficient backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-C2 user accessible endpoints for emergency life-safety and security calls. |
| ☐ | SV-75799r2_rule | VVoIP endpoint configuration files must not be downloaded automatically during initial endpoint registration. |
| ☐ | SV-75801r1_rule | The VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have a Memorandum of Agreement (MoA) in effect. |
| ☐ | SV-75803r1_rule | The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have ACLs permitting only specific inbound/outbound traffic and deny all other traffic. |
| ☐ | SV-75805r1_rule | The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must be scanned to confirm protections in place are effective. |
| ☐ | SV-93757r2_rule | Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over non-secure systems. |
STIGQter: STIG Summary: