
Voice Video Endpoint Security Requirements Guide


Overview

Date: 2020-12-04
Finding Count (62): CAT I (High): 15, CAT II (Med): 47, CAT III (Low): 0
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-206746 High The Voice Video Endpoint must register with a Voice Video Session Manager.
V-206747 High The Voice Video Endpoint must dynamically implement configuration file changes.
V-206766 High When using PKI-based authentication, the Voice Video Endpoint must enforce authorized access to the corresponding private key.
V-206765 High When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-206760 High The Voice Video Endpoint must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
V-206761 High The Voice Video Endpoint used for videoconferencing must uniquely identify participating users.
V-206768 High The Voice Video Endpoint must terminate all network connections associated with a communications session at the end of the session.
V-206784 High The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to provision digital signatures.
V-206785 High The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-206780 High The Voice Video Endpoint must use encryption for signaling and media traffic.
V-206781 High The Voice Video Endpoint, when using passwords or PINs for authentication or authorization, must cryptographically-protect the transmission.
V-206783 High The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography.
V-206779 High The Voice Video Endpoint must protect the confidentiality of transmitted configuration files from the Voice Video Session Manager.
V-206778 High The Voice Video Endpoint must protect the integrity of transmitted configuration files from the Voice Video Session Manager.
V-206775 High The Voice Video Endpoint processing classified information over public networks must implement NSA-approved cryptography.
V-206808 Medium The hardware Voice Video Endpoint must use a voice video VLAN, separate from all other VLANs.
V-206803 Medium The Voice Video Endpoint must prevent the user from installing third-party software.
V-206802 Medium The hardware Voice Video Endpoint must not use the default PIN or password to access configuration and display of network IP settings.
V-206801 Medium The hardware Voice Video Endpoint must prevent the display of network IP settings without the use of a PIN or password.
V-206807 Medium The hardware Voice Video Endpoint must apply 802.1Q VLAN tags to signaling and media traffic.
V-206806 Medium The Voice Video Endpoint used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be National Telecommunications Security Working Group (NTSWG)-approved device in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000.
V-206805 Medium The Voice Video Endpoint must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-206804 Medium The Voice Video Endpoint must prevent installation of untrusted third-party software.
V-206767 Medium The Voice Video Endpoint must prevent unauthorized and unintended information transfer via shared system resources.
V-206764 Medium The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.
V-206762 Medium The Voice Video Endpoint used for videoconferencing must use multifactor authentication for network access.
V-206763 Medium The Voice Video Endpoint must implement replay-resistant authentication mechanisms for network access.
V-206748 Medium The Voice Video Endpoint must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.
V-206769 Medium In the event of a device failure, hardware Voice Video Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service.
V-206786 Medium The hardware Voice Video Endpoint must integrate into the implemented 802.1x network access control system.
V-206787 Medium The hardware Voice Video Endpoint must be an 802.1x supplicant.
V-206782 Medium The Voice Video Endpoint processing classified calls must produce session (call detail) records containing classification level and Security Access Level (SAL).
V-206788 Medium The hardware Voice Video Endpoint PC port must connect to an 802.1x supplicant, or the PC port must be disabled.
V-206789 Medium The unused hardware Voice Video Endpoint PC port must be disabled.
V-206800 Medium The hardware Voice Video Endpoint must prevent the configuration of network IP settings without the use of a PIN or password.
V-206771 Medium The Voice Video Endpoint processing classified calls must display the classification level and Security Access Level (SAL) for the call or conference in progress.
V-206770 Medium The Voice Video Endpoint processing classified calls must be properly marked with the highest security level of the information being processed.
V-206773 Medium The Voice Video Endpoint used for videoconferencing must electronically verify the Common Access Card (CAC) or derived credentials.
V-206772 Medium The Voice Video Endpoint used for videoconferencing must accept a Common Access Card (CAC) or derived credentials.
V-206774 Medium When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must implement a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable.
V-206777 Medium The Voice Video Endpoint must block both inbound and outbound communications traffic between Unified Capability (UC) and Videoconferencing (VC) clients independently configured by end users and external service providers for voice and video.
V-206776 Medium The Voice Video Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.
V-206753 Medium The Voice Video Endpoint must produce session (call detail) records containing what type of connection occurred.
V-206752 Medium The hardware Voice Video Endpoint PC port must maintain VLAN separation from the voice video VLAN, or be disabled.
V-206751 Medium The Voice Video Endpoint must limit the number of concurrent sessions to two (2) users.
V-206750 Medium The Voice Video Endpoint must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-206757 Medium The Voice Video Endpoint must produce session (call detail) records containing the identity of all users.
V-206756 Medium The Voice Video Endpoint must produce session (call detail) records containing the outcome of the connection.
V-206755 Medium The Voice Video Endpoint must produce session (call detail) records containing where the connection occurred.
V-206754 Medium The Voice Video Endpoint must produce session (call detail) records containing when (date and time) the connection occurred.
V-206759 Medium The Voice Video Endpoint must be configured to disable or remove non-essential capabilities.
V-206758 Medium The Voice Video Endpoint must provide session (call detail) record generation capability.
V-206797 Medium The Voice Video Endpoint auto-answer feature must be disabled.
V-206796 Medium The Voice Video Endpoint camera must provide hardware mechanisms, such as push-to-see (PTS) camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.
V-206795 Medium The Voice Video Endpoint microphone must provide hardware mechanisms, such as push-to-talk (PTT) handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.
V-206794 Medium The Voice Video Endpoint supporting Command and Control (C2) communications must implement Assured Service Session Initiation Protocol (AS-SIP).
V-206793 Medium The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override.
V-206792 Medium The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) dialing to enable Routine, Priority, Immediate, Flash, and Flash Override.
V-206791 Medium The hardware Voice Video Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.
V-206790 Medium The hardware Voice Video Endpoint with a PC port must have the switchport configured as single-host or enable 802.1x multi-domain authentication.
V-206799 Medium The hardware Voice Video Endpoint must disable or restrict built-in web servers.
V-206798 Medium The hardware Voice Video Endpoint must disable or restrict web browser capabilities permitting the endpoint to browse the internet or intranet.