| V-8515 | High | A SMU component is not installed in a controlled space with visitor access controls applied. | Requirement: The IAO at the SMU site will ensure that the SMU has adequate physical security protection.
The system design and architecture of the SMU provides for no security configuration... |
| V-7960 | High | Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access. | A valid username and a valid password are required to access all management system workstations and administrative / management ports on any device or system.
All system... |
| V-7957 | High | Default passwords and user names have not been changed. | Requirement: The IAO will ensure that all system default passwords and user names are changed prior to connection to the DSN.
Systems not protected with strong... |
| V-8519 | Medium | Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA). | Requirement: The IAO and IAM will ensure that all Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches... |
| V-8518 | Medium | An OOB Management DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. | Requirement: The IAO will ensure that out-of-band management networks comply with the Enclave and Network Infrastructure STIGs.
out-of-band management networks must comply with the requirements... |
| V-8513 | Medium | The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions. | Requirement: The IAO at the SMU site will ensure that the ADIMSS server connected to the SMU is dedicated to ADIMSS functions.ADIMSS servers represent mission critical equipment that contain... |
| V-8512 | Medium | The SMU management port or management workstations is improperly connected to a network that is not dedicated to management of the SMU. | Requirement: The IAO at the SMU site will ensure that the SMU management port or stations are not connected to any network other than one dedicated to management of the SMU.The system design and... |
| V-8517 | Medium | OOB management network are NOT dedicated to management of like or associated systems | Requirement: The IAO will ensure that network connected switch and device management ports are connected to a network dedicated to management of the device only and/or that of other associated... |
| V-8516 | Medium | Network management/maintenance ports are not configured to “force out” or drop any user session that is interrupted for more than 15 seconds. | Requirement: The IAO will ensure that network connected management ports drop a connection that is interrupted for any reason within 15 seconds.
Network ports that are interrupted due to link... |
| V-7970 | Medium | Crash-restart vulnerabilities are present on the DSN system component.
| Requirement: The IAO will ensure that tests are performed for crash-restart vulnerabilities and develop procedures to eliminate vulnerabilities found (i.e., ensure ENHANCED_PASSWORD_CONTROL is... |
| V-7971 | Medium | The DSN system component is not installed in a controlled space with visitor access controls applied.
| Requirement: The IAO will ensure that DSN switches, peripheral, and OAM&P systems are installed in a controlled space with personnel and visitor access controls applied.
Controlling access to the... |
| V-7972 | Medium | Documented procedures do not exist that will prepare for a suspected compromise of a DSN component.
| Requirement: The IAO will ensure that compromise recovery procedures are documented that will accomplish the following:
- Verify the integrity of the hardware, software, and communication lines... |
| V-7973 | Medium | Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity. | Requirement: The IAO will ensure that auditing records are placed in an unalterable audit or history file that is available only to those individuals authorized to analyze switch access and... |
| V-7974 | Medium | Audit records do not record the identity of each person and terminal device having access to switch software or databases.
| Requirement: The IAO will ensure that the auditing process records the identity of each person and terminal device having access to switch software or databases
The identity... |
| V-7975 | Medium | Audit records do not record the time of the access. | Requirement: The IAO will ensure that the auditing process records the time of the access.
The time of access needs to be recorded in the audit files to determine... |
| V-7976 | Medium | The auditing records do not record activities that may change, bypass, or negate safeguards built into the software. | Requirement: The IAO will ensure that the auditing process records commands, actions, and activities executed during each session that might change, bypass, or negate safeguards built into the... |
| V-7977 | Medium | Audit record archive and storage do not meet minimum requirements. | Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months.
Audit records provide the means for the ISSO/IAO or other... |
| V-7978 | Medium | Audit records are not being reviewed by the ISSO/IAO weekly. | Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months.
By reviewing audit records on a... |
| V-7979 | Medium | An Information System Security Officer (ISSO) must be appointed in writing for each site. | The PMO or local site command will document and ensure that an ISSO is designated to oversee the IA posture and security of each site, system, and facility. The ISSO will have the proper training... |
| V-8560 | Medium | Access to all management system workstations and administrative / management ports is NOT remotely authenticated | Requirement: The IAO will ensure that remote authentication is used to control access to all management system workstations and administrative / management ports on any device or system.
The... |
| V-7969 | Medium | The system is not configured to disable a users account after three notifications of password expiration. | Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the... |
| V-7967 | Medium | User passwords are displayed in the clear when logging into the system. | Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system.
When passwords are displayed (echoed) during... |
| V-7966 | Medium | User passwords can be retrieved and viewed in clear text by another user. | Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system.
Password integrity is non existent if passwords are... |
| V-7965 | Medium | The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner. | Requirement: The IAO will ensure that no user (to include Administrator) is permitted to retrieve the password of any user in clear text.
Passwords should be recorded and... |
| V-7963 | Medium | Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
| Requirement: The IAO will ensure that NO user passwords will be changed at an interval of less than 24 hours without IAO intervention.
Permitting passwords... |
| V-7962 | Medium | Maximum password age does not meet minimum requirements. | Requirement: The IAO will ensure that all user passwords are changed at intervals of 90 days or less.
The longer a password is in use, the greater the opportunity for... |
| V-7992 | Medium | Authentication is not required for every session requested. | Requirement: The IAO will ensure that identification and authentication is required for every session requested in accordance with I&A / password policy.
Authentication is a measure used to... |
| V-7990 | Medium | Modem phone lines are not restricted to single-line operation.
| Requirement: The IAO will ensure that all modem phone lines are restricted to single-line operation without any special features such as the call forwarding capability.
By restricting modem phone... |
| V-7996 | Medium | Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use. | Requirement: The IAO will ensure that serial management ports are controlled by deactivating or physically disconnecting access devices (i.e. modems or terminals) that are not in use.
The... |
| V-7997 | Medium | Idle connections DO NOT disconnect in 15 min. | Requirement: The IAO will ensure that a timeout feature, set to 15 minutes, is used to disconnect idle connections.
Unattended systems are susceptible to unauthorized use. The system should be... |
| V-7998 | Medium | The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts. | Requirement: The IAO will ensure that management ports that receive three consecutive failed logon attempts will be unavailable for at least 60 seconds.
After three failed logon attempts the... |
| V-8338 | Medium | IAVMs are not addressed using RTS system vendor approved or provided patches. | Requirement: The IAO will ensure that all IAVM notices relating to the installation of security or other patches for general-purpose operating systems and software on devices other than... |
| V-8541 | Medium | An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. | Requirement: The IAO will ensure that OAM&P / NM and CTI networks comply with the Enclave and Network Infrastructure STIGs.
OAM&P / NM and CTI networks must comply with the requirements... |
| V-8542 | Medium | An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
| Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) WAN.
The requirement to dedicate OAM&P / NM and CTI networks or LANS is... |
| V-8543 | Medium | Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2. | Requirement: In the event that a telephone instrument connected to an unclassified telecommunications system are placed within a Sensitive Compartmented Information Facility (SCIF), the IAO will... |
| V-8544 | Medium | An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. | Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) LAN.
The requirement to dedicate OAM&P / NM and CTI networks or LANS is to... |
| V-8545 | Medium | OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications. | Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may... |
| V-8546 | Medium | The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information | Requirement: The IAO will ensure that the auditing process records security relevant actions (e.g., the changing of security levels or categories of information).
Security... |
| V-7980 | Medium | Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library. | Requirement: The IAO will ensure that personnel are familiar with the security practices outlined by applicable documents found in the site’s library and have received the appropriate security... |
| V-7983 | Medium | The identity of maintenance personnel installing or modifying a device or software must be verified and recorded. | The identity of maintenance personnel performing software load upgrades or maintenance of a DSN component must be recorded. This will make a particular person or vendor representative accountable... |
| V-7982 | Medium | System administrators are NOT appropriately cleared. | Requirement: The IAO will ensure that all System Administrators are appropriately cleared.
In order to maintain positive control over personnel access to DSN system components, all who are... |
| V-7985 | Medium | The DSN local system backup media must be available and up-to-date prior to any software modification. | Site staff must ensure backup media is available and up-to-date prior to software modification that could cause a significant disruption to service if the new software is corrupted. Backup media... |
| V-7984 | Medium | The DSN local system must be backed up weekly on a removable device or media and stored off-site. | System backups must be taken frequently (weekly at a minimum) and stored in such a way that a current copy can be obtained if needed. By storing a copy on the local system and a copy on removable... |
| V-7987 | Medium | A detailed listing of all modems is not being maintained.
| Requirement: The IAO will maintain a listing of all modems by model number, serial number, associated phone number, and location.
Ensure an accurate listing of all modems supporting the DSN is... |
| V-7986 | Medium | Modems are not physically protected to prevent unauthorized device changes.
| Requirement: The IAO will ensure that all modems are physically protected to prevent unauthorized device changes.
Controlling physical access to modems supporting the DSN will limit the chance... |
| V-7989 | Medium | Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).
| Requirement: The IAO will ensure that all modem phone lines are restricted and configured to their mission required purpose (inward dial only or outward dial only).
Ubiquitous phone lines open... |
| V-7988 | Medium | Unauthorized modems are installed.
| Modems that are not provided by the Government for access to the DSN will not be allowed to connect to the DSN for access. No personally provided modems are permitted. This measure will assist... |
| V-16076 | Medium | VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems. | Microphones used with VTC systems and devices are designed to be extremely sensitive such that people speaking anywhere within a conference room is picked up and amplified so they can be heard... |
| V-8559 | Medium | Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems | Requirement: The IAO will ensure strong two-factor authentication is required to access all management system workstations and administrative / management ports on any device or system. The term... |
| V-8558 | Medium | System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities. | Requirement: The IAO will ensure that all systems and devices employ a role-based Discretionary Access Control system used to control access to OAM&P / NM systems, the devices they manage, and... |
| V-8345 | Medium | A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested. | Requirement: The IAO will ensure that all installed systems and associated software releases for which he/she is responsible appear on the DSN APL in accordance with DODI 8100.3 requirements. This... |
| V-8225 | Medium | Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods. | Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical... |
| V-7936 | Medium | Applicable security packages have not been installed on the system.
| Requirement: The IAO will ensure that all applicable security feature packages have been installed on the system to enable the required security features.
In order for the requirements of this... |
| V-7937 | Medium | The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen. | Requirement: The IAO will ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, is controlled and... |
| V-7930 | Medium | Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN.
| All Network Management and switch administration terminals connecting to the DSN are to be through a dedicated DSN network segment. Only authorized systems will be connected to this LAN. No... |
| V-7931 | Medium | Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection.
| Requirement: The IAO will ensure that routers that provide remote connectivity to out-of-band management networks located at switch sites provide IP and packet level filtering/protection.
All... |
| V-7932 | Medium | Administration terminals are used for other day-to-day functions (i.e. email, web browsing, etc). | Requirement: The IAO will ensure that OAM&P / NM and CTI system workstations are not used for other day-to-day functions (i.e., e-mail, web browsing, etc). ... |
| V-7933 | Medium | Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support. | Requirement: The IAO will ensure that switch/device administration terminals are connected directly to the administration port of the switch/device or are connected via an out-of-band network used... |
| V-7923 | Medium | The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job. | Requirement: The IAO will ensure that internal and external administrator/maintenance personnel have appropriate but limited access to the facilities, functions, commands, and calling privileges... |
| V-8531 | Medium | The DSN local system must have the current software updates and patches applied to all components. | Many vendors provide patches or new versions of software to incorporate mitigations for newly discovered security vulnerabilities. In some cases, this is the only way to mitigate a threat to the... |
| V-8532 | Medium | The DSN local system must use approved software updates and patches for all components. | All patches and new system software must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security.... |
| V-8535 | Medium | The DSN system major software version releases must be tested, certified, and placed on the DoD Approved Product List (APL) prior to installation. | All DSN system major software releases must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security.... |
| V-7926 | Medium | The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period. | Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice.
The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect... |
| V-8539 | Medium | A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur. | Requirement: The IAO will ensure that a policy is in place and enforced regarding the use of telephone instruments connected to unclassified telecommunications systems located in areas or rooms... |
| V-7956 | Medium | Users are not required to change their password during their first session. | Requirement: The IAO will ensure that user passwords are assigned with the requirement for the user to change their password at first logon.
The ISSO/IAO will... |
| V-7952 | Medium | A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. | Requirement: Voice Over IP systems and networks will comply with the DSN, VoIP, and all other applicable STIGs as well as other applicable DOD Component guides.
The applicable STIGs define threat... |
| V-7953 | Medium | Transport circuits are not encrypted.
| Requirement: The IAO will ensure that all circuits leaving the B/C/P/S are bulk encrypted.
The transport system is responsible for the delivery of voice and data circuits from one switch node to... |
| V-7950 | Medium | Links within the SS7 network are not encrypted.
| Requirement: The IAO will ensure that all SS7 links leaving a base/post/camp/station are encrypted.
The examination of traffic patterns and statistics can reveal compromising information. Such... |
| V-8520 | Medium | Foreign national personnel access to DRSN systems must be limited as directed by applicable DoD policy. | Foreign national personnel must be limited in their access to DoD Information Systems (ISs) to prevent the unauthorized disclosure of classified information. Access to DoD ISs must be authorized... |
| V-7958 | Medium | Shared user accounts are used and not documented by the ISSO/IAO. | Requirement: The IAO will ensure that shared user accounts will not be used. Unless the use of shared user accounts is operationally essential and/or the device in question does not support... |
| V-8514 | Low | The SMU ADIMSS connection is NOT dedicated to the ADIMSS network | Requirement: The IAO at the SMU site will ensure that the SMU ADIMSS connection is dedicated to the ADIMSS network.In addition to the administrator terminal connection, a secondary connection is... |
| V-7945 | Low | Equipment, cabling, and terminations providing Fire and Emergency Services (FES) or evacuation paging systems must be clearly identified and marked. | All equipment providing emergency life safety services, such as 911 services, must be clearly identified. The availability of Fire and Emergency Services (FES) supporting emergency life safety... |
| V-7944 | Low | Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINS are not changed when compromised. | Requirement: The IAO will ensure that all Voice Mail (and/or Privilege authorization, Direct Inward System Access) special authorization codes or individually assigned PINs are changed immediately... |
| V-7941 | Low | The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN. | Requirement: The IAO will ensure that either class of service, special authorization code or PIN controls access to Voice Mail services.
If used, the Direct Inward System Access feature provides... |
| V-7940 | Low | DSN capability to restrict user access based on duty hours must be used when available. | User access should be restricted based on duty hours, where technically feasible. The restriction of user access by limiting access to the DSN associated to the users work hours and workweek will... |
| V-7943 | Low | Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required. | The PIN used to control access to the DISA feature should be controlled much like a special access code or password. If this PIN is not changed periodically and deactivated when no longer... |
| V-7942 | Low | Direct Inward System Access and Voice Mail access codes are not changed semi-annually. | Requirement: The IAO will ensure that if Voice Mail services are controlled by special authorization code, this code will be controlled and changed semi-annually.
The special access code used by... |
| V-8000 | Low | DSN system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access. | The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides... |
| V-7964 | Low | Password reuse is not set to 8 or greater. | Requirement: The IAO will ensure that user passwords are not reused within eight of the previous passwords used. As a minimum.
A system is more vulnerable to... |
| V-7961 | Low | Passwords do not meet complexity requirements. | Requirement: The IAO will ensure that passwords are required and contain at a minimum, a case sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special... |
| V-7993 | Low | The option to use the “callback” feature for remote access is not being used. | Requirement: The IAO will ensure that modem access to remote management ports incorporates the “callback” feature where technically feasible.
The callback feature ensures that pre-authorized user... |
| V-7991 | Low | Automatic Number Identification (ANI) must be enabled when available. | ANI must be enabled on modem lines to record access to remote access ports when this function is available. The logs will be maintained and reviewed. ANI logs should be kept for the previous... |
| V-7994 | Low | FIPS 140-2 validated link encryption must be used end-to-end for all data streams connecting to remote access ports of the telephone switch. | FIPS 140-2 validated encryption mechanism is used to provide security of all data streams between the management port of the DSN component and a remote management station whether connected via a... |
| V-7995 | Low | Two-factor authentication must be used for remote access ports. | Remote access ports must require two-factor authentication. This is defined as requiring something along the lines of a token in addition to a User ID and password combination. The use of... |
| V-7999 | Low | Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session. | Requirement: The IAO will ensure that serial management ports immediately drop any connection that is interrupted for any reason. Reasons include modem power failure, link disconnection, loss of... |
| V-8339 | Low | DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy. | Requirement: The IAO will ensure that all systems including switches, OAM&P systems, auxiliary/adjunct, and peripheral systems connected to the DSN along with their SAs are registered and tracked... |
| V-7981 | Low | The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties. | A DSN Personnel Security Certification letter will provide documented proof that site personnel have attended and successfully passed a security training and awareness program. This program will... |
| V-8556 | Low | All system administrative and maintenance user accounts are not documented. | Requirement: The IAO will document all system administrative and maintenance user accounts.
It is imperative that the IAO and SA is aware of all administrative and maintenance... |
| V-8554 | Low | The available option of Command classes or command screening is NOT being used to limit system privileges | Requirement: The IAO will ensure that devices that are capable of command screening or command classes are configured to use this feature in conjunction with DAC.
Input... |
| V-8346 | Low | A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority’s recommendation and/or DSAWG approval documentation. | Requirement: The IAO will ensure that products or software releases are installed and maintained in accordance with all applicable STIGs AND the installation restrictions and vulnerability... |
| V-8347 | Low | DSN voice and video systems and devices must be used with the same configuration and intended purpose as listed in the APL. | Systems must be implemented using the configuration that was approved and for the approved purpose. Alternate configurations and purposes must be resubmitted for certification to approval... |
| V-8342 | Low | Contract requirements for STIG compliance and validation must be enforced. | The ISSO must ensure that commercially contracted systems and services supporting the DSN comply with all applicable STIGs in accordance with contract requirements. STIG compliance is DoD policy... |
| V-8340 | Low | A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. | Requirement: The IAO will ensure that all systems connected to DOD telecommunications systems that use technologies covered by a DISA/DOD STIG, is secured in compliance with the applicable STIG(s)... |
| V-8341 | Low | The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs. | Requirement: The DSN PMO and/or site command/management will ensure that “compliance with all applicable STIGs” requirements and validation measures are added to specifications and contracts for... |
| V-8348 | Low | DSN site procurement, installation, connection, or upgrade to voice video infrastructure must consider the APL. | The DSN PMO, DoD Component command, and site command must ensure that products being considered for procurement, installation, connection, or upgrade to the DSN are certified and appear on the DSN... |
| V-7934 | Low | Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port.
| Requirement: The IAO will ensure that attendant console ports will not be available to unauthorized users by not allowing any instrument other than the attendant console to connect to the... |
| V-7935 | Low | The ISSO/IAO has not established Standard Operating Procedures.
| Requirement: The IAO will establish a standard operating procedure (SOP) or other form of record that will accomplish the following:
- Identify and document all users, administrators, maintainers,... |
| V-8352 | Low | The voice or video system certification and accreditation must be maintained to reflect the installation or modification of the system configuration. | The DSN system is certified and accredited per the DoD Risk Management Framework (RMF) either separately or as part of a larger site accreditation. Previous to the DoD RMF, the DoD Information... |
| V-7925 | Low | System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS. | Requirement: The IAO will ensure that all Switch and System Administrators (SAs) responsible for VMS registered DSN critical assets will also be registered with the VMS. This includes non DISA... |
| V-7922 | Low | The sites telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns. | Requirement: The IAO will ensure that the site’s telephone switch is frequently monitored for changing calling patterns and system uses for possible security concerns.
Changing calling patterns... |
| V-7921 | Low | The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. | Requirement: The IAO will ensure that self-inspections of the telephone components, are conducted and documented for security risks at least semi annually.
If periodic security self-inspections... |
| V-8537 | Low | A Fire and Emergency Services (FES) or evacuation paging system must be installed and implemented for life safety or security announcements. | A Fire and Emergency Services (FES) or evacuation paging system must be installed to provide emergency announcements and messages in accordance with public law in response to 11 September 2001 and... |
| V-7924 | Low | DSN systems are not registered in the DISA VMS | Requirement: The IAO will ensure that all DISA owned and operated DSN critical assets are registered with the DISA/DoD VMS as follows:
- All backbone switches (TSs, STPs, MFSs)
- All other... |
| V-55025 | Low | DSN system components Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access. | The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides... |
| V-7954 | Low | Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.
| Requirement: The IAO or other responsible party will ensure that the physical access to commercial Add/Drop Multiplexers (ADMs) is limited.
Transport equipment to include ADMs may be located in... |
| V-7955 | Low | An IA policy and information library must be maintained. | The site ISSO will ensure an up-to-date IA policy and information library is maintained to ensure current DoD guidance is available for reference. The library must include current network, voice,... |
| V-7959 | Low | The option to disable user accounts after 30 days of inactivity is not being used. | Requirement: The IAO will ensure that user accounts are disabled after 30 days of inactivity.
User accounts that are inactive for more than 30 days should be disabled... |
