
Defense Switched Network (DSN) STIG


Overview

Date: 2017-01-19
Finding Count: 107 (CAT I (High): 3, CAT II (Med): 67, CAT III (Low): 37)
STIG Description
The Defense Switched Network (DSN) Security Technical Implementation Guide (STIG) provides the policy and architectural guidance for applying security concepts to DoD telecommunications systems. These policies ensure conformance to DoD requirements that govern DSN voice services deployment and operations, to include special-C2, C2, and non-C2 services. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-8515 High A SMU component is not installed in a controlled space with visitor access controls applied.
V-7960 High Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access.
V-7957 High Default passwords and user names have not been changed.
V-8519 Medium Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA).
V-8518 Medium An OOB management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
V-8513 Medium The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions.
V-8512 Medium The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU.
V-8517 Medium OOB management networks are NOT dedicated to management of like or associated systems.
V-8516 Medium Network management/maintenance ports are not configured to “force out” or drop any user session that is interrupted for more than 15 seconds.
V-7970 Medium Crash-restart vulnerabilities are present on the DSN system component.
V-7971 Medium The DSN system component is not installed in a controlled space with visitor access controls applied.
V-7972 Medium Documented procedures do not exist that will prepare for a suspected compromise of a DSN component.
V-7973 Medium Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity.
V-7974 Medium Audit records do not record the identity of each person and terminal device having access to switch software or databases.
V-7975 Medium Audit records do not record the time of the access.
V-7976 Medium The auditing records do not record activities that may change, bypass, or negate safeguards built into the software.
V-7977 Medium Audit record archive and storage do not meet minimum requirements.
V-7978 Medium Audit records are not being reviewed by the ISSO/IAO weekly.
V-7979 Medium An Information System Security Officer (ISSO) must be appointed in writing for each site.
V-8560 Medium Access to all management system workstations and administrative / management ports is NOT remotely authenticated.
V-7969 Medium The system is not configured to disable a user's account after three notifications of password expiration.
V-7967 Medium User passwords are displayed in the clear when logging into the system.
V-7966 Medium User passwords can be retrieved and viewed in clear text by another user.
V-7965 Medium The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner.
V-7963 Medium Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
V-7962 Medium Maximum password age does not meet minimum requirements.
V-7992 Medium Authentication is not required for every session requested.
V-7990 Medium Modem phone lines are not restricted to single-line operation.
V-7996 Medium Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use.
V-7997 Medium Idle connections DO NOT disconnect in 15 min.
V-7998 Medium The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.
V-8338 Medium IAVMs are not addressed using RTS system vendor approved or provided patches.
V-8541 Medium An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
V-8542 Medium An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
V-8543 Medium Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.
V-8544 Medium An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
V-8545 Medium OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications.
V-8546 Medium The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information.
V-7980 Medium Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library.
V-7983 Medium The identity of maintenance personnel installing or modifying a device or software must be verified and recorded.
V-7982 Medium System administrators are NOT appropriately cleared.
V-7985 Medium The DSN local system backup media must be available and up-to-date prior to any software modification.
V-7984 Medium The DSN local system must be backed up weekly on a removable device or media and stored off-site.
V-7987 Medium A detailed listing of all modems is not being maintained.
V-7986 Medium Modems are not physically protected to prevent unauthorized device changes.
V-7989 Medium Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).
V-7988 Medium Unauthorized modems are installed.
V-16076 Medium VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.
V-8559 Medium Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems.
V-8558 Medium System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.
V-8345 Medium A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested.
V-8225 Medium Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods.
V-7936 Medium Applicable security packages have not been installed on the system.
V-7937 Medium The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen.
V-7930 Medium Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN.
V-7931 Medium Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection.
V-7932 Medium Administration terminals are used for other day-to-day functions (i.e. email, web browsing, etc).
V-7933 Medium Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support.
V-7923 Medium The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job.
V-8531 Medium The DSN local system must have the current software updates and patches applied to all components.
V-8532 Medium The DSN local system must use approved software updates and patches for all components.
V-8535 Medium The DSN system major software version releases must be tested, certified, and placed on the DoD Approved Product List (APL) prior to installation.
V-7926 Medium The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period.
V-8539 Medium A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur.
V-7956 Medium Users are not required to change their password during their first session.
V-7952 Medium A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
V-7953 Medium Transport circuits are not encrypted.
V-7950 Medium Links within the SS7 network are not encrypted.
V-8520 Medium Foreign national personnel access to DRSN systems must be limited as directed by applicable DoD policy.
V-7958 Medium Shared user accounts are used and not documented by the ISSO/IAO.
V-8514 Low The SMU ADIMSS connection is NOT dedicated to the ADIMSS network.
V-7945 Low Equipment, cabling, and terminations providing Fire and Emergency Services (FES) or evacuation paging systems must be clearly identified and marked.
V-7944 Low Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINs are not changed when compromised.
V-7941 Low The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN.
V-7940 Low DSN capability to restrict user access based on duty hours must be used when available.
V-7943 Low Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required.
V-7942 Low Direct Inward System Access and Voice Mail access codes are not changed semi-annually.
V-8000 Low DSN system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.
V-7964 Low Password reuse is not set to 8 or greater.
V-7961 Low Passwords do not meet complexity requirements.
V-7993 Low The option to use the “callback” feature for remote access is not being used.
V-7991 Low Automatic Number Identification (ANI) must be enabled when available.
V-7994 Low FIPS 140-2 validated link encryption must be used end-to-end for all data streams connecting to remote access ports of the telephone switch.
V-7995 Low Two-factor authentication must be used for remote access ports.
V-7999 Low Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session.
V-8339 Low DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy.
V-7981 Low The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties.
V-8556 Low All system administrative and maintenance user accounts are not documented.
V-8554 Low The available option of Command classes or command screening is NOT being used to limit system privileges.
V-8346 Low A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority’s recommendation and/or DSAWG approval documentation.
V-8347 Low DSN voice and video systems and devices must be used with the same configuration and intended purpose as listed in the APL.
V-8342 Low Contract requirements for STIG compliance and validation must be enforced.
V-8340 Low A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
V-8341 Low The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs.
V-8348 Low DSN site procurement, installation, connection, or upgrade to voice video infrastructure must consider the APL.
V-7934 Low Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port.
V-7935 Low The ISSO/IAO has not established Standard Operating Procedures.
V-8352 Low The voice or video system certification and accreditation must be maintained to reflect the installation or modification of the system configuration.
V-7925 Low System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS.
V-7922 Low The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns.
V-7921 Low The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks.
V-8537 Low A Fire and Emergency Services (FES) or evacuation paging system must be installed and implemented for life safety or security announcements.
V-7924 Low DSN systems are not registered in the DISA VMS.
V-55025 Low DSN system components Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
V-7954 Low Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.
V-7955 Low An IA policy and information library must be maintained.
V-7959 Low The option to disable user accounts after 30 days of inactivity is not being used.