
Defense Switched Network STIG


Overview

Date: 2015-01-02
Finding Count (98): CAT I (High): 3, CAT II (Med): 67, CAT III (Low): 28
STIG Description
The Defense Switched Network (DSN) Security Technical Implementation Guide (STIG) provides the policy and architectural guidance for applying security concepts to DoD telecommunications systems. These policies ensure conformance to the DoD requirements that govern DSN voice services deployment and operations, including special-C2, C2, and non-C2 services. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-8515 High An SMU component is not installed in a controlled space with visitor access controls applied.
V-7960 High Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access.
V-7957 High Default passwords and user names have not been changed.
V-8519 Medium Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA).
V-8518 Medium An OOB management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
V-8513 Medium The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions.
V-8512 Medium The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU.
V-8517 Medium OOB management networks are NOT dedicated to management of like or associated systems.
V-8516 Medium Network management/maintenance ports are not configured to “force out” or drop any user session that is interrupted for more than 15 seconds.
V-7970 Medium Crash-restart vulnerabilities are present on the DSN system component.
V-7971 Medium The DSN system component is not installed in a controlled space with visitor access controls applied.
V-7972 Medium Documented procedures do not exist that will prepare for a suspected compromise of a DSN component.
V-7973 Medium Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity.
V-7974 Medium Audit records do not record the identity of each person and terminal device having access to switch software or databases.
V-7975 Medium Audit records do not record the time of the access.
V-7976 Medium The auditing records do not record activities that may change, bypass, or negate safeguards built into the software.
V-7977 Medium Audit record archive and storage do not meet minimum requirements.
V-7978 Medium Audit records are not being reviewed by the ISSO/IAO weekly.
V-7979 Medium An Information Systems Security Officer/Information Assurance Officer (ISSO/IAO) is not designated for each telecommunications switching system or DSN Site.
V-8560 Medium Access to all management system workstations and administrative / management ports is NOT remotely authenticated.
V-7969 Medium The system is not configured to disable a user's account after three notifications of password expiration.
V-7967 Medium User passwords are displayed in the clear when logging into the system.
V-7966 Medium User passwords can be retrieved and viewed in clear text by another user.
V-7965 Medium The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner.
V-7963 Medium Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
V-7962 Medium Maximum password age does not meet minimum requirements.
V-7992 Medium Authentication is not required for every session requested.
V-7990 Medium Modem phone lines are not restricted to single-line operation.
V-7996 Medium Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use.
V-7997 Medium Idle connections DO NOT disconnect in 15 min.
V-7998 Medium The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.
V-8338 Medium IAVMs are not addressed using RTS system vendor approved or provided patches.
V-8541 Medium An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
V-8542 Medium An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
V-8543 Medium Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.
V-8544 Medium An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
V-8545 Medium OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications.
V-8546 Medium The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information.
V-7980 Medium Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library.
V-7983 Medium Site staff does not verify and record the identity of individuals installing or modifying a device or software.
V-7982 Medium System administrators are NOT appropriately cleared.
V-7985 Medium Site staff does not ensure backup media is available and up to date prior to software modification.
V-7984 Medium System images are not being backed up on a weekly basis to the local system and a copy is not being stored on a removable storage device and/or is not being stored off site.
V-7987 Medium A detailed listing of all modems is not being maintained.
V-7986 Medium Modems are not physically protected to prevent unauthorized device changes.
V-7989 Medium Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).
V-7988 Medium Unauthorized modems are installed.
V-16076 Medium Deficient policy or SOP regarding VTC, PC, and speakerphone microphone operations and their ability to pick up and transmit sensitive or classified information in aural form.
V-8559 Medium Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems.
V-8558 Medium System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.
V-8345 Medium A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested.
V-8225 Medium Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods.
V-7936 Medium Applicable security packages have not been installed on the system.
V-7937 Medium The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen.
V-7930 Medium Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN.
V-7931 Medium Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection.
V-7932 Medium Administration terminals are used for other day-to-day functions (i.e. email, web browsing, etc).
V-7933 Medium Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support.
V-7923 Medium The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job.
V-8531 Medium The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.
V-8532 Medium Maintenance and security patches are NOT approved by the local DAA prior to installation in the system.
V-8535 Medium Major software version upgrades have NOT been tested, certified, and placed on the DSN APL before installation.
V-7926 Medium The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period.
V-8539 Medium A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur.
V-7956 Medium Users are not required to change their password during their first session.
V-7952 Medium A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
V-7953 Medium Transport circuits are not encrypted.
V-7950 Medium Links within the SS7 network are not encrypted.
V-8520 Medium Foreign/Local National personnel have duties or access privileges that exceed those allowed by DODI 8500.2 E3.4.8.
V-7958 Medium Shared user accounts are used and not documented by the ISSO/IAO.
V-8514 Low The SMU ADIMSS connection is NOT dedicated to the ADIMSS network.
V-7944 Low Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINS are not changed when compromised.
V-7941 Low The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN.
V-7943 Low Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required.
V-7942 Low Direct Inward System Access and Voice Mail access codes are not changed semi-annually.
V-8000 Low DSN system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.
V-7964 Low Password reuse is not set to 8 or greater.
V-7961 Low Passwords do not meet complexity requirements.
V-7993 Low The option to use the “callback” feature for remote access is not being used.
V-7999 Low Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session.
V-8339 Low DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy.
V-7981 Low The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties.
V-8556 Low All system administrative and maintenance user accounts are not documented.
V-8554 Low The available option of command classes or command screening is NOT being used to limit system privileges.
V-8346 Low A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority’s recommendation and/or DSAWG approval documentation.
V-8340 Low A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
V-8341 Low The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs.
V-7934 Low Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port.
V-7935 Low The ISSO/IAO has not established Standard Operating Procedures.
V-8352 Low The voice or video system certification and accreditation must be maintained to reflect the installation or modification of the system configuration.
V-7925 Low System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS.
V-7922 Low The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns.
V-7921 Low The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks.
V-7924 Low DSN systems are not registered in the DISA VMS.
V-55025 Low The DSN system component's Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
V-7954 Low Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.
V-7955 Low The ISSO/IAO does not maintain a library of security documentation.
V-7959 Low The option to disable user accounts after 30 days of inactivity is not being used.
V-7945 unknown Equipment, cabling, and terminations that provide emergency life safety services such as 911 (or European 112) services and/or emergency evacuation paging systems are NOT clearly identified and marked.
V-7947 unknown The SS7 termination blocks are not clearly identified at the MDF.
V-7946 unknown SS7 links are not clearly identified and routed separately from termination point to termination point.
V-7940 unknown The option to restrict user access based on duty hours is available but is not being utilized.
V-7949 unknown Power cabling that serves SS7 equipment is not clearly identified at both the termination point and at the fusing position.
V-7948 unknown Power cabling that serves SS7 equipment is not diversely routed to separate Power Distribution Frames (PDF) and identified.
V-7968 unknown The option to use passwords that are randomly generated by the DSN component is available but not being used.
V-7991 unknown The option of Automatic Number Identification (ANI) is available but not being used.
V-7994 unknown FIPS 140-2 validated Link encryption mechanisms are not being used to provide end-to-end security of all data streams entering the remote access port of a telephone switch.
V-7995 unknown The option to use two-factor authentication when accessing remote access ports is not being used.
V-8347 unknown A Voice/Video/RTS system or device is NOT installed in the same configuration and being used for the same purpose that was tested for prior to DSAWG approval and DSN APL listing.
V-8342 unknown The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation.
V-8348 unknown The requirement of DSN APL listing is not being considered during the procurement, installation, connection, or upgrade to the site’s Voice/Video/RTS infrastructure.
V-8537 unknown There is no system installed that can provide emergency life safety or security announcements.