
Voice Video Endpoint Security Requirements Guide


Overview

Date: 2018-07-03
Finding Count: 64 (CAT I (High): 15, CAT II (Med): 49, CAT III (Low): 0)
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-66741 High The Voice Video Endpoint used for videoconferencing must uniquely identify participating users.
V-66761 High The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography.
V-66749 High The Voice Video Endpoint, when using passwords or PINs for authentication or authorization, must cryptographically protect the transmission.
V-66759 High The Voice Video Endpoint processing classified information over public networks must implement NSA-approved cryptography.
V-67985 High The Voice Video Endpoint must register with a Voice Video Session Manager.
V-66739 High The Voice Video Endpoint must terminate all network connections associated with a communications session at the end of the session.
V-66799 High The Voice Video Endpoint must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
V-66713 High The Voice Video Endpoint must protect the integrity of transmitted configuration files from the Voice Video Session Manager.
V-66717 High The Voice Video Endpoint must dynamically implement configuration file changes.
V-66715 High The Voice Video Endpoint must protect the confidentiality of transmitted configuration files from the Voice Video Session Manager.
V-66757 High The Voice Video Endpoint must use encryption for signaling and media traffic.
V-66753 High When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-66803 High The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to provision digital signatures.
V-66751 High When using PKI-based authentication, the Voice Video Endpoint must enforce authorized access to the corresponding private key.
V-66763 High The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-66685 Medium The hardware Voice Video Endpoint must be an 802.1x supplicant.
V-66729 Medium The Voice Video Endpoint must produce session (call detail) records containing when (date and time) the connection occurred.
V-66687 Medium The hardware Voice Video Endpoint PC port must connect to an 802.1x supplicant, or the PC port must be disabled.
V-66745 Medium The Voice Video Endpoint used for videoconferencing must electronically verify the Common Access Card (CAC) or derived credentials.
V-66683 Medium The hardware Voice Video Endpoint must integrate into the implemented 802.1x network access control system.
V-66727 Medium The Voice Video Endpoint must produce session (call detail) records containing what type of connection occurred.
V-66689 Medium The unused hardware Voice Video Endpoint PC port must be disabled.
V-66725 Medium The Voice Video Endpoint must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-71671 Medium The Voice Video Endpoint used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be a National Telecommunications Security Working Group (NTSWG) approved device in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000.
V-66735 Medium The Voice Video Endpoint must produce session (call detail) records containing the identity of all users.
V-66705 Medium The hardware Voice Video Endpoint PC port must maintain VLAN separation from the voice video VLAN, or be disabled.
V-66747 Medium The Voice Video Endpoint used for videoconferencing must use multifactor authentication for network access.
V-66765 Medium The Voice Video Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.
V-66793 Medium The Voice Video Endpoint must be configured to disable or remove non-essential capabilities.
V-66791 Medium The hardware Voice Video Endpoint must not use the default PIN or password to access configuration and display of network IP settings.
V-66797 Medium The Voice Video Endpoint must prevent installation of untrusted third-party software.
V-66795 Medium The Voice Video Endpoint must prevent the user from installing third-party software.
V-66707 Medium The Voice Video Endpoint must block both inbound and outbound communications traffic between Unified Capability (UC) and Videoconferencing (VC) clients independently configured by end users and external service providers for voice and video.
V-66711 Medium The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.
V-66719 Medium The Voice Video Endpoint must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.
V-66775 Medium The Voice Video Endpoint supporting Command and Control (C2) communications must implement Assured Service Session Initiation Protocol (AS-SIP).
V-66695 Medium The hardware Voice Video Endpoint must reauthenticate 802.1x or MAC Authentication Bypass (MAB) every three (3) hours or less.
V-66777 Medium The Voice Video Endpoint microphone must provide hardware mechanisms, such as push-to-talk (PTT) handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.
V-66693 Medium The hardware Voice Video Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.
V-66771 Medium The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) dialing to enable Routine, Priority, Immediate, Flash, and Flash Override.
V-66691 Medium The hardware Voice Video Endpoint with a PC port must have the switchport configured as single-host or enable 802.1x multi-domain authentication.
V-66773 Medium The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override.
V-66743 Medium The Voice Video Endpoint used for videoconferencing must accept a Common Access Card (CAC) or derived credentials.
V-66755 Medium When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must implement a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable.
V-79055 Medium The hardware Voice Video Endpoint must have a physical DD 2056 affixed, or display a digital representation.
V-77283 Medium The Voice Video Endpoint processing classified calls must display the classification level and Security Access Level (SAL) for the call or conference in progress.
V-66699 Medium The Voice Video Endpoint must limit the number of concurrent sessions to two (2) users.
V-66731 Medium The Voice Video Endpoint must produce session (call detail) records containing where the connection occurred.
V-66801 Medium The Voice Video Endpoint must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-66769 Medium The Voice Video Endpoint must prevent unauthorized and unintended information transfer via shared system resources.
V-66789 Medium The hardware Voice Video Endpoint must prevent the display of network IP settings without the use of a PIN or password.
V-66737 Medium The Voice Video Endpoint must provide session (call detail) record generation capability.
V-77277 Medium The Voice Video Endpoint processing classified calls must produce session (call detail) records containing classification level and Security Access Level (SAL).
V-66785 Medium The hardware Voice Video Endpoint must disable or restrict built-in web servers.
V-66767 Medium In the event of a device failure, hardware Voice Video Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service.
V-66781 Medium The Voice Video Endpoint auto-answer feature must be disabled.
V-66783 Medium The hardware Voice Video Endpoint must disable or restrict web browser capabilities permitting the endpoint to browse the internet or intranet.
V-66733 Medium The Voice Video Endpoint must produce session (call detail) records containing the outcome of the connection.
V-66779 Medium The Voice Video Endpoint camera must provide hardware mechanisms, such as push-to-see (PTS) camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.
V-77281 Medium The Voice Video Endpoint processing classified calls must be properly marked with the highest security level of the information being processed.
V-66701 Medium The hardware Voice Video Endpoint must apply 802.1Q VLAN tags to signaling and media traffic.
V-66703 Medium The hardware Voice Video Endpoint must use a voice video VLAN, separate from all other VLANs.
V-66709 Medium The Voice Video Endpoint must implement replay-resistant authentication mechanisms for network access.
V-66787 Medium The hardware Voice Video Endpoint must prevent the configuration of network IP settings without the use of a PIN or password.
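V-66711 above is the one finding in this list that names a concrete application-layer bug class: the caller-controlled fields of a SIP INVITE (above all the From display-name) end up rendered in the endpoint's call-history web page or on-screen caller ID, and an endpoint that does not filter or encode them is exposed to cross-site scripting. The following is an added example, not code from the SRG or from any vendor: it parses a constructed INVITE (sample message, compact header names, and the call-log rendering functions are all assumptions made for illustration), extracts the display-name, and shows the unencoded render next to the hardened one. It also accepts RFC 3261 compact header names ("f:" for "From:"), since a filter keyed only on the long form is trivially bypassed.

```python
import html
import re

# Constructed sample INVITE (not taken from the STIG). The From display-name
# carries a script tag: a caller-controlled field that many endpoints later
# render in their call-history web page or on-screen caller ID.
SAMPLE_INVITE = (
    'INVITE sip:2001@10.0.0.20 SIP/2.0\r\n'
    'Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n'
    'From: "<script>alert(1)</script>" <sip:1001@10.0.0.5>;tag=1928301774\r\n'
    'To: <sip:2001@10.0.0.20>\r\n'
    'Call-ID: a84b4c76e66710@10.0.0.5\r\n'
    'CSeq: 314159 INVITE\r\n'
    'Contact: <sip:1001@10.0.0.5>\r\n'
    'Content-Length: 0\r\n'
    '\r\n'
)

# RFC 3261 compact header names; an attacker may send "f:" instead of "From:",
# so a filter keyed only on the long form is bypassable.
COMPACT = {'f': 'from', 't': 'to', 'i': 'call-id', 'v': 'via',
           'm': 'contact', 'l': 'content-length', 'c': 'content-type'}


def parse_headers(raw):
    """Return (request_line, {lower-case name: [values...]}) for a SIP message.
    Header folding (continuation lines) is not handled; assumption for brevity."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(':')
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return lines[0], headers


# display-name is either a quoted-string (with backslash escapes) or a run of
# tokens; in both forms it precedes the '<' of the name-addr.
_DISPLAY_NAME = re.compile(r'^\s*(?:"((?:[^"\\]|\\.)*)"|([^<]*?))\s*<')


def display_name(from_value):
    m = _DISPLAY_NAME.match(from_value)
    if not m:
        return ''                 # addr-spec form, no display-name at all
    if m.group(1) is not None:
        return re.sub(r'\\(.)', r'\1', m.group(1))   # drop quoted-pair escapes
    return m.group(2).strip()


def render_caller_vulnerable(name):
    # Untrusted SIP data dropped straight into HTML: the endpoint XSS V-66711 is about.
    return f'<tr><td>{name}</td></tr>'


def render_caller_hardened(name, max_len=64):
    # Keep printable characters only, cap the length, and HTML-encode at the
    # point of output. Output encoding is the control that neutralises the
    # payload; stripping characters on input is only a secondary measure.
    cleaned = ''.join(ch for ch in name if ch.isprintable())[:max_len]
    return f'<tr><td>{html.escape(cleaned, quote=True)}</td></tr>'


def caller_id_html(raw_invite, hardened=True):
    """Build the call-log row an endpoint would show for this INVITE."""
    _, headers = parse_headers(raw_invite)
    name = display_name(headers.get('from', [''])[0])
    return render_caller_hardened(name) if hardened else render_caller_vulnerable(name)


if __name__ == '__main__':
    print(caller_id_html(SAMPLE_INVITE, hardened=False))
    print(caller_id_html(SAMPLE_INVITE))
```

The same encoding step belongs wherever the endpoint surfaces INVITE content (missed-call lists, contact import, the "from" line in diagnostic pages), and the hardened path should be verified against both `From:` and `f:` spellings of the header during a pentest of the device.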