A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7952	DSN10.02	SV-8438r1_rule		Medium

Description
Requirement: Voice Over IP systems and networks will comply with the DSN, VoIP, and all other applicable STIGs as well as other applicable DOD Component guides. The applicable STIGs define threat and vulnerability mitigations that must be applied to resolve the associated threat and/or vulnerability in accordance with DoD policy.

STIG	Date
Defense Switched Network (DSN) STIG	2017-01-19

Details

Check Text ( C-7665r1_chk )
> Obtain a copy of all applicable SRR or Self Assessment results and review for compliance OR perform all applicable SRRs on a representative number of RTS systems and devices. If there are a significant number of findings reported or if an applicable STIG was not applied, this is a finding. Note: The specific Voice/Video/RTS system server or device determines the applicability of any given STIG. Many Voice/Video/RTS system servers or devices are based on general-purpose operating system such as Microsoft Windows, Unix, or Linux. They may use general-purpose applications such as databases like MS-SQL or Oracle and/or employ web server technology like IIS or similar. Determine what the system under review is based upon and perform the associated SRRs. Additionally, an application SRR may be applicable for the vendor's application that makes the server or device perform the functions or the management of the system. Note: Voice/Video/RTS systems and devices are required to be tested, certified, accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Check Text ( C-7665r1_chk )

> Obtain a copy of all applicable SRR or Self Assessment results and review for compliance OR perform all applicable SRRs on a representative number of RTS systems and devices. If there are a significant number of findings reported or if an applicable STIG was not applied, this is a finding.

Note: The specific Voice/Video/RTS system server or device determines the applicability of any given STIG. Many Voice/Video/RTS system servers or devices are based on general-purpose operating system such as Microsoft Windows, Unix, or Linux. They may use general-purpose applications such as databases like MS-SQL or Oracle and/or employ web server technology like IIS or similar. Determine what the system under review is based upon and perform the associated SRRs. Additionally, an application SRR may be applicable for the vendor's application that makes the server or device perform the functions or the management of the system.

Note: Voice/Video/RTS systems and devices are required to be tested, certified, accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Fix Text (F-8034r1_fix)
> The IAO and/or SA is to configure all Voice/Video/RTS systems, server, and devices in accordance with all applicable STIGs for the specific system/server/device while taking into account any DSAWG approved open findings and their mitigations..