{
"stig": {
"date": "2020-12-04",
"description": "This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-206746": {
"checkid": "C-7002r363761_chk",
"checktext": "Verify the Voice Video Endpoint registers with a Voice Video Session Manager.\n\nIf the Voice Video Endpoint does not register with a Voice Video Session Manager, this is a finding.",
"description": "Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Registration authenticates and authorizes endpoints with the Voice Video Session Manager.\n\nFor most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, service/policy profile with 2 stage authentication prior to authorizing the establishment of the session and user service. The event of successful registration creates the session record immediately. VC systems register using a similar process with a gatekeeper. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network. ",
"fixid": "F-7002r363762_fix",
"fixtext": "Configure the Voice Video Endpoint to register with a Voice Video Session Manager.",
"iacontrols": null,
"id": "V-206746",
"ruleID": "SV-206746r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must register with a Voice Video Session Manager.",
"version": "SRG-NET-000015-VVEP-00013"
},
"V-206747": {
"checkid": "C-7003r363764_chk",
"checktext": "Verify the Voice Video Endpoint dynamically implements configuration file changes. \n\nIf the Voice Video Endpoint does not dynamically implement configuration file changes, this is a finding.",
"description": "Configuration management includes the management of security features and assurances through control of changes made to device hardware, software, and firmware throughout the life cycle of a product. Secure configuration management relies on performance and functional attributes of products to determine the appropriate security features and assurances used to measure a system configuration state. When configuration changes are made, it is critical for those changes to be implemented by the Voice Video Endpoint as quickly as possible. This ensures that Voice Video Endpoints communicate using the correct address books, session managers, gateways, and border elements.",
"fixid": "F-7003r363765_fix",
"fixtext": "Configure the Voice Video Endpoint to dynamically implement configuration file changes.",
"iacontrols": null,
"id": "V-206747",
"ruleID": "SV-206747r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must dynamically implement configuration file changes.",
"version": "SRG-NET-000015-VVEP-00019"
},
"V-206748": {
"checkid": "C-7004r363767_chk",
"checktext": "If the Voice Video Endpoint is a hardware endpoint, this is Not Applicable.\n\nIf the Voice Video Endpoint is a Unified Capabilities (UC) or Video Conferencing (VC) software client, verify the Voice Video Endpoint displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.\n\nIf the Voice Video Endpoint does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network, this is a finding.",
"description": "Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to Voice Video Endpoints that have the concept of a user account and have the logon function residing on the network element.\n\nThe banner must be formatted in accordance with current policy. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for network elements that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"",
"fixid": "F-7004r363768_fix",
"fixtext": "Configure the Unified Capabilities (UC) or Video Conferencing (VC) software client Voice Video Endpoint to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.",
"iacontrols": null,
"id": "V-206748",
"ruleID": "SV-206748r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.",
"version": "SRG-NET-000041-VVEP-00020"
},
"V-206750": {
"checkid": "C-7006r363773_chk",
"checktext": "If the Voice Video Endpoint is a hardware endpoint, this is Not Applicable.\n\nIf the Voice Video Endpoint is a Unified Capabilities (UC) or Video Conferencing (VC) software client, verify the Voice Video Endpoint retains the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. \n\nIf the Voice Video Endpoint does not retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users take explicit actions to log on for further access, this is a finding.",
"description": "The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at application logon is required. The network element must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to Voice Video Endpoints that have the concept of a user account and have the logon function residing on the network element.",
"fixid": "F-7006r363774_fix",
"fixtext": "Configure the Unified Capabilities (UC) or Video Conferencing (VC) software client Voice Video Endpoint to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.",
"iacontrols": null,
"id": "V-206750",
"ruleID": "SV-206750r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.",
"version": "SRG-NET-000042-VVEP-00021"
},
"V-206751": {
"checkid": "C-7007r363776_chk",
"checktext": "Verify the Voice Video Endpoint limits the number of concurrent sessions to two users. Local policy may justify an increase in the limit on concurrent user sessions to a number higher than two.\n\nIf the Voice Video Endpoint does not limit the number of concurrent sessions to two users, or the limit set by local policy, this is a finding.",
"description": "Voice video endpoint management includes the ability to control the number of user sessions, and limiting the number of allowed user sessions helps limit risk related to DoS attacks. Voice video endpoint sessions occur peer-to-peer for media streams and client-server with session managers. For those endpoints that conference together multiple streams, the limit may be increased according to policy but a limit must still exist.",
"fixid": "F-7007r363777_fix",
"fixtext": "Configure the Voice Video Endpoint to limit the number of concurrent sessions to two users or the limit set by local policy.",
"iacontrols": null,
"id": "V-206751",
"ruleID": "SV-206751r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must limit the number of concurrent sessions to two (2) users.",
"version": "SRG-NET-000053-VVEP-00009"
},
"V-206752": {
"checkid": "C-7008r363779_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint PC port maintains VLAN separation from the voice video VLAN or is disabled. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN.\n\nIf the hardware Voice Video Endpoint PC port is disabled, this is not a finding. If the hardware Voice Video Endpoint PC port does not maintain VLAN separation from the voice video VLAN, this is a finding.",
"description": "Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.",
"fixid": "F-7008r363780_fix",
"fixtext": "Configure the hardware Voice Video Endpoint PC port to maintain VLAN separation from the voice video VLAN or be disabled.",
"iacontrols": null,
"id": "V-206752",
"ruleID": "SV-206752r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint PC port must maintain VLAN separation from the voice video VLAN, or be disabled.",
"version": "SRG-NET-000057-VVEP-00012"
},
"V-206753": {
"checkid": "C-7009r363782_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint produces session records containing what type of connection occurred. The record must include the session type (voice/direct, voice/conference, video/direct, video/conference, etc.), the specific protocols used for control and media traffic (SIP/SRTP, H.323, etc.), and the type of endpoint (mobile, telephone, codec, etc.).\n\nIf the Voice Video Endpoint does not produce session records containing what type of connection occurred, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7009r363783_fix",
"fixtext": "Configure the Voice Video Endpoint to produce session records containing what type of connection occurred.",
"iacontrols": null,
"id": "V-206753",
"ruleID": "SV-206753r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must produce session (call detail) records containing what type of connection occurred.",
"version": "SRG-NET-000074-VVEP-00022"
},
"V-206754": {
"checkid": "C-7010r363785_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint produces session records containing when the connection occurred. The record must include session start/join/leave/stop times.\n\nIf the Voice Video Endpoint does not produce session records containing the date and time when the connection occurred, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7010r363786_fix",
"fixtext": "Configure the Voice Video Endpoint to produce session records containing the date and time when the connection occurred.",
"iacontrols": null,
"id": "V-206754",
"ruleID": "SV-206754r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must produce session (call detail) records containing when (date and time) the connection occurred.",
"version": "SRG-NET-000075-VVEP-00023"
},
"V-206755": {
"checkid": "C-7011r363788_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint produces session records containing where the connection occurred. The record must include IP addresses and port numbers.\n\nIf the Voice Video Endpoint does not produce session records containing where the connection occurred, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7011r363789_fix",
"fixtext": "Configure the Voice Video Endpoint to produce session records containing where the connection occurred.",
"iacontrols": null,
"id": "V-206755",
"ruleID": "SV-206755r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must produce session (call detail) records containing where the connection occurred.",
"version": "SRG-NET-000076-VVEP-00024"
},
"V-206756": {
"checkid": "C-7012r363791_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint produces session records containing the outcome of the connection. Outcomes of the connection would include call completed, conference completed, destination busy, network busy, etc. \n\nIf the Voice Video Endpoint does not produce session records containing the outcome of the connection, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7012r363792_fix",
"fixtext": "Configure the Voice Video Endpoint to produce session records containing the outcome of the connection.",
"iacontrols": null,
"id": "V-206756",
"ruleID": "SV-206756r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must produce session (call detail) records containing the outcome of the connection.",
"version": "SRG-NET-000078-VVEP-00025"
},
"V-206757": {
"checkid": "C-7013r363794_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint produces session records containing the identity of all users on the call. \n\nIf the Voice Video Endpoint does not produce session records containing the identity of all users on the call, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7013r363795_fix",
"fixtext": "Configure the Voice Video Endpoint to produce session records containing the identity of all users on the call.",
"iacontrols": null,
"id": "V-206757",
"ruleID": "SV-206757r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must produce session (call detail) records containing the identity of all users.",
"version": "SRG-NET-000079-VVEP-00026"
},
"V-206758": {
"checkid": "C-7014r363797_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint provides session record generation capability. \n\nIf the Voice Video Endpoint does not provide session record generation capability, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession records for Voice Video systems are generally handled in a similar fashion to audit records for other systems and are used for billing, usage analysis, and record support for actions taken. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7014r363798_fix",
"fixtext": "Configure the Voice Video Endpoint to provide session record generation capability.",
"iacontrols": null,
"id": "V-206758",
"ruleID": "SV-206758r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must provide session (call detail) record generation capability.",
"version": "SRG-NET-000113-VVEP-00027"
},
"V-206759": {
"checkid": "C-7015r363800_chk",
"checktext": "Verify the Voice Video Endpoint is configured to disable or remove non-essential capabilities. Non-essential capabilities would include peer services and other functions not directly pertaining to Voice Video Endpoint functionality.\n\nIf the Voice Video Endpoint cannot be configured to disable or remove non-essential capabilities, this is a finding.",
"description": "It is detrimental for Voice Video Endpoints when unnecessary features are enabled by default. Often these features are enabled by default with functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nNetwork elements are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).",
"fixid": "F-7015r363801_fix",
"fixtext": "Configure the Voice Video Endpoint to disable or remove non-essential capabilities.",
"iacontrols": null,
"id": "V-206759",
"ruleID": "SV-206759r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must be configured to disable or remove non-essential capabilities.",
"version": "SRG-NET-000131-VVEP-00056"
},
"V-206760": {
"checkid": "C-7016r459019_chk",
"checktext": "Verify the Voice Video Endpoint only uses ports, protocols, and services allowed per the PPSM CAL and VAs.\n\nIf the Voice Video Endpoint uses ports, protocols, and services not allowed per the PPSM CAL and VAs, this is a finding.",
"description": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Voice video endpoints are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component but doing so increases risk compared to limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the network element must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. The current Category Assurance List (CAL) and Vulnerability Assessments (VA) listings for ports, protocols, and services are available on the DISA Information Assurance Support Environment (IASE) website for Ports, Protocols, and Services Management (PPSM) at https://cyber.mil/ppsm.",
"fixid": "F-7016r459020_fix",
"fixtext": "Configure the Voice Video Endpoint to only use ports, protocols, and services allowed per the PPSM CAL and VAs.",
"iacontrols": null,
"id": "V-206760",
"ruleID": "SV-206760r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).",
"version": "SRG-NET-000132-VVEP-00059"
},
"V-206761": {
"checkid": "C-7017r363806_chk",
"checktext": "Verify the Voice Video Endpoint used for videoconferencing uniquely identifies participating users. Identification must be visible and displayed locally.\n\nIf the Voice Video Endpoint used for videoconferencing does not uniquely identify participating users, this is a finding.",
"description": "To assure accountability and prevent unauthenticated access, users must be identified to prevent potential misuse and compromise of the system. The Voice Video Endpoint must display the source of an incoming call and the participant's identity to aid the user in deciding whether to answer a call. The information potentially at risk is that which can be seen in the physical area of the Voice Video Endpoint or carried by the conference in which it is participating. \n\nThis does not apply to authentication for the purpose of configuring the device itself (i.e., device management).",
"fixid": "F-7017r363807_fix",
"fixtext": "Configure the Voice Video Endpoint used for videoconferencing to uniquely identify participating users.",
"iacontrols": null,
"id": "V-206761",
"ruleID": "SV-206761r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint used for videoconferencing must uniquely identify participating users.",
"version": "SRG-NET-000138-VVEP-00029"
},
"V-206762": {
"checkid": "C-7018r588382_chk",
"checktext": "If the Voice Video Endpoint is a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint used for videoconferencing uses multifactor authentication for network access.\n\nIf the Voice Video Endpoint used for videoconferencing does not use multifactor authentication for network access, this is a finding.\n",
"description": "To assure accountability and prevent unauthenticated access, users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. \n\nFactors include:\n(i) Something you know (e.g., password/PIN); \n(ii) Something you have (e.g., cryptographic identification device, token); or \n(iii) Something you are (e.g., biometric). \n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. The DoD CAC with DoD-approved PKI is an example of multifactor authentication. \n\nThis does not apply to authentication for the purpose of configuring the device itself (i.e., device management).",
"fixid": "F-7018r363810_fix",
"fixtext": "Configure the Voice Video Endpoint used for videoconferencing to use multifactor authentication for network access.",
"iacontrols": null,
"id": "V-206762",
"ruleID": "SV-206762r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint used for videoconferencing must use multifactor authentication for network access.",
"version": "SRG-NET-000140-VVEP-00032"
},
"V-206763": {
"checkid": "C-7019r363812_chk",
"checktext": "Verify the Voice Video Endpoint implements replay-resistant authentication mechanisms for network access. \n\nIf the Voice Video Endpoint does not implement replay-resistant authentication mechanisms for network access, this is a finding.",
"description": "A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Voice video endpoints often authenticate with passwords or PINs; if such a credential is sent as a static value rather than in a challenge-response exchange bound to a fresh nonce, it can be captured from the network and replayed.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user. This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).",
"fixid": "F-7019r363813_fix",
"fixtext": "Configure the Voice Video Endpoint to implement replay-resistant authentication mechanisms for network access.",
"iacontrols": null,
"id": "V-206763",
"ruleID": "SV-206763r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must implement replay-resistant authentication mechanisms for network access.",
"version": "SRG-NET-000147-VVEP-00015"
},
"V-206764": {
"checkid": "C-7020r363815_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint using SIP or AS-SIP signaling prevents cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.\n\nIf the hardware Voice Video Endpoint does not use SIP or AS-SIP, this is not a finding. \n\nIf the hardware Voice Video Endpoint does not prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields, this is a finding.",
"description": "A cross-site scripting vulnerability has been demonstrated by adding scripting code to the \"From:\" field in the SIP invite. Upon receiving the invite, the embedded code can be executed by a vulnerable embedded web server to download additional malicious code and launch an attack. The demonstration of the vulnerability also exists on www.securityfocus.com under Bugtraq ID: 25987, which pops up a specific alert box on the user\u2019s workstation after downloading a SIP invite. \n\nWhile this vulnerability has been demonstrated on a specific IP phone, it could potentially affect all SIP-based endpoints or clients and their signaling partners. This vulnerability is a result of improper filtering or validation of the content of the various fields in the SIP invite and potentially the Session Description Protocol (SDP) portion of the invite. The injected code potentially causes malicious code to be run on the target device, to include an endpoint (hard or soft), a session controller, or any other SIP signaling partner. Additionally, this vulnerability may affect applications other than SIP VoIP clients, such as IM clients. A similar vulnerability results when URLs embedded in SIP messages are launched automatically.",
"fixid": "F-7020r363816_fix",
"fixtext": "Configure the hardware Voice Video Endpoint using SIP or AS-SIP signaling to prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.",
"iacontrols": null,
"id": "V-206764",
"ruleID": "SV-206764r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.",
"version": "SRG-NET-000147-VVEP-00016"
},
"V-206765": {
"checkid": "C-7021r363818_chk",
"checktext": "Verify the Voice Video Endpoint used for videoconferencing, when using PKI-based authentication, validates certificates by constructing a certification path to an accepted trust anchor. The constructed certification path must include status information. \n\nIf the Voice Video Endpoint used for videoconferencing, when using PKI-based authentication, does not validate certificates by constructing a certification path that includes status information to an accepted trust anchor, this is a finding.",
"description": "Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the \"root certificate\" or \"trust anchor\", such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nThis requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) responses. Validation of the certificate status information is out of scope for this requirement.",
"fixid": "F-7021r363819_fix",
"fixtext": "Configure the Voice Video Endpoint used for videoconferencing, when using PKI-based authentication, to validate certificates by constructing a certification path, including status information, to an accepted trust anchor.",
"iacontrols": null,
"id": "V-206765",
"ruleID": "SV-206765r604140_rule",
"severity": "high",
"title": "When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.",
"version": "SRG-NET-000164-VVEP-00035"
},
"V-206766": {
"checkid": "C-7022r363821_chk",
"checktext": "Verify the Voice Video Endpoint, when using PKI-based authentication, enforces authorized access only to the corresponding private key. \n\nIf the Voice Video Endpoint, when using PKI-based authentication, does not enforce authorized access to the corresponding private key, this is a finding.",
"description": "If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to authenticate to network devices. \n\nThis does not apply to authentication for the purpose of configuring the device itself (management).",
"fixid": "F-7022r363822_fix",
"fixtext": "Configure the Voice Video Endpoint, when using PKI-based authentication, to enforce authorized access to the corresponding private key.",
"iacontrols": null,
"id": "V-206766",
"ruleID": "SV-206766r604140_rule",
"severity": "high",
"title": "When using PKI-based authentication, the Voice Video Endpoint must enforce authorized access to the corresponding private key.",
"version": "SRG-NET-000165-VVEP-00034"
},
"V-206767": {
"checkid": "C-7023r363824_chk",
"checktext": "Verify the Voice Video Endpoint prevents unauthorized and unintended information transfer via shared system resources.\n\nIf the Voice Video Endpoint does not prevent unauthorized and unintended information transfer via shared system resources, this is a finding.",
"description": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. \n\nUnified capability (UC) and videoconferencing (VC) vendors have included capabilities in products that must be disabled for users. Many current UC and VC products include hooks into email, IM, and local file transfer. Peer networking options allowing transfer often use holding storage locations that are accessible to all users. This would allow potentially sensitive information to be shared without central control.",
"fixid": "F-7023r363825_fix",
"fixtext": "Configure the Voice Video Endpoint to prevent unauthorized and unintended information transfer via shared system resources.",
"iacontrols": null,
"id": "V-206767",
"ruleID": "SV-206767r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must prevent unauthorized and unintended information transfer via shared system resources.",
"version": "SRG-NET-000190-VVEP-00044"
},
"V-206768": {
"checkid": "C-7024r363827_chk",
"checktext": "Verify the Voice Video Endpoint terminates all network connections associated with a communications session at the end of the session. \n\nIf the Voice Video Endpoint does not terminate all network connections associated with a communications session at the end of the session, this is a finding.",
"description": "Terminating all network connections associated with a communications session as soon as that session ends, and terminating idle sessions within a short time period, reduces the window of opportunity for unauthorized personnel to take control of a session that has been left unattended, including a management session enabled on the console or console port. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address/port pairs at the device or operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection.",
"fixid": "F-7024r363828_fix",
"fixtext": "Configure the Voice Video Endpoint to terminate all network connections associated with a communications session at the end of the session.",
"iacontrols": null,
"id": "V-206768",
"ruleID": "SV-206768r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must terminate all network connections associated with a communications session at the end of the session.",
"version": "SRG-NET-000213-VVEP-00028"
},
"V-206769": {
"checkid": "C-7025r363830_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify that in the event of device failure, the hardware Voice Video Endpoint preserves any information necessary to determine cause of failure and return to operations with least disruption to service.\n\nIf the hardware Voice Video Endpoint does not preserve any information necessary to determine cause of failure, this is a finding. \n\nIf the hardware Voice Video Endpoint does not return to operations with least disruption to service after device failure, this is a finding.",
"description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving network element state information helps to facilitate network element restart and return to the operational mode of the organization with less disruption to mission-essential processes.",
"fixid": "F-7025r363831_fix",
"fixtext": "Configure the hardware Voice Video Endpoint, in the event of device failure, to preserve any information necessary to determine cause of failure. Also configure the hardware Voice Video Endpoint to return to operations with least disruption to service.",
"iacontrols": null,
"id": "V-206769",
"ruleID": "SV-206769r604140_rule",
"severity": "medium",
"title": "In the event of a device failure, hardware Voice Video Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service.",
"version": "SRG-NET-000236-VVEP-00043"
},
"V-206770": {
"checkid": "C-7026r363833_chk",
"checktext": "If the Voice Video Endpoint is a soft client, this is Not Applicable. \n\nIf the Voice Video Endpoint does not process classified calls, this is Not Applicable.\n\nVerify the Voice Video Endpoint processing classified calls is properly marked with the highest security level of the information being processed. \n\nIf the Voice Video Endpoint processing classified calls is not properly marked with the highest security level of the information being processed, this is a finding.",
"description": "Without the association of security attributes to information, there is no basis for the network element to make security related access-control and flow-control decisions. Security attributes include marking data as classified or FOUO. These security attributes may be assigned manually or during data processing but either way, it is imperative these assignments are maintained while the data is in process. If the security attributes are lost when the data is being processed, there is the risk of a data compromise.\n\nAll hardware Voice Video endpoints processing classified calls, including phones and terminals, must be properly marked with the highest class-mark of the system. (Formerly DRSN 1098).",
"fixid": "F-7026r363834_fix",
"fixtext": "Properly mark the Voice Video Endpoint processing classified calls with the highest security level of the information being processed.",
"iacontrols": null,
"id": "V-206770",
"ruleID": "SV-206770r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint processing classified calls must be properly marked with the highest security level of the information being processed.",
"version": "SRG-NET-000311-VVEP-00062"
},
"V-206771": {
"checkid": "C-7027r363836_chk",
"checktext": "If the Voice Video Endpoint does not process classified calls, this is Not Applicable.\n\nVerify the Voice Video Endpoint processing classified calls displays the classification level and SAL for the call or conference in progress. \n\nIf the Voice Video Endpoint processing classified calls does not display the classification level and SAL for the call or conference in progress, this is a finding.",
"description": "Without the association of security attributes to information, there is no basis for the network element to make security related access-control and flow-control decisions. Security attributes include marking data as classified or FOUO. These security attributes may be assigned manually or during data processing but either way, it is imperative these assignments are maintained while the data is in process. If the security attributes are lost when the data is being processed, there is the risk of a data compromise.\n\nVoice video endpoints processing classified calls must display the appropriate security classification and SAL to ensure users protect information accordingly. Further, endpoints must be compatible with STU-III and STE displays. Voice video endpoints must indicate:\n - SCI when the connected terminals are authorized to process SCI information\n - Foreign national presence when non-U.S. personnel are authorized uncontrolled access\n - Terminal identifier associated with distant STU-IIIs or STEs and RED switch subscriber terminals\n - Non-secure calls and conferences established through an unclassified switch or key system.\n\nNote: Each DRSN RED telephone (except for the IST) must have, at a minimum, a two-line alphanumeric display with a minimum of 16-characters per line. The Integrated Services Telephone (IST) has a one-line, 40-character display instead of the two-line by 16-character display. These displays will show the following:\n - The first line will display the self-authenticating security level of the call or conference in progress.\n - The second line will display the identity data of the distant terminal or identify the network and/or equipment type associated with the distant party and when a conference call is in progress.\n(Formerly DRSN 2384/2385)",
"fixid": "F-7027r363837_fix",
"fixtext": "Configure the Voice Video Endpoint to display the classification level and SAL for the call or conference in progress.",
"iacontrols": null,
"id": "V-206771",
"ruleID": "SV-206771r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint processing classified calls must display the classification level and Security Access Level (SAL) for the call or conference in progress.",
"version": "SRG-NET-000311-VVEP-00063"
},
"V-206772": {
"checkid": "C-7028r363839_chk",
"checktext": "If the Voice Video Endpoint is a hardware endpoint, this check procedure is Not Applicable. Hardware endpoints are instead required to use certificates to register with the session manager or multipoint controller, rather than accepting a user CAC or derived credential.\n\nVerify the Voice Video Endpoint used for videoconferencing accepts a CAC or derived credentials.\n\nIf the Voice Video Endpoint used for videoconferencing does not accept a CAC or derived credentials, this is a finding.",
"description": "The use of CAC or derived credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.",
"fixid": "F-7028r363840_fix",
"fixtext": "Configure the Voice Video Endpoint used for videoconferencing to accept a CAC or derived credentials.",
"iacontrols": null,
"id": "V-206772",
"ruleID": "SV-206772r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint used for videoconferencing must accept a Common Access Card (CAC) or derived credentials.",
"version": "SRG-NET-000341-VVEP-00030"
},
"V-206773": {
"checkid": "C-7029r363842_chk",
"checktext": "If the Voice Video Endpoint is a hardware endpoint, this check procedure is Not Applicable. Hardware endpoints are instead required to use certificates to register with the session manager or multipoint controller, rather than verifying a user CAC or derived credential.\n\nVerify the Voice Video Endpoint used for videoconferencing electronically verifies the CAC or derived credentials.\n\nIf the Voice Video Endpoint used for videoconferencing does not electronically verify the CAC or derived credentials, this is a finding.",
"description": "The use of CAC or derived credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.",
"fixid": "F-7029r363843_fix",
"fixtext": "Configure the Voice Video Endpoint used for videoconferencing to electronically verify the CAC or derived credentials.",
"iacontrols": null,
"id": "V-206773",
"ruleID": "SV-206773r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint used for videoconferencing must electronically verify the Common Access Card (CAC) or derived credentials.",
"version": "SRG-NET-000342-VVEP-00031"
},
"V-206774": {
"checkid": "C-7030r363845_chk",
"checktext": "Verify the Voice Video Endpoint used for videoconferencing, when using PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable.\n\nIf the Voice Video Endpoint used for videoconferencing, when using PKI-based authentication, does not implement a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable, this is a finding.",
"description": "Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). A local cache of revocation data (e.g., CRLs or OCSP responses) allows the endpoint to continue checking certificate status when the OCSP responder or CRL distribution point is unreachable, rather than accepting a certificate whose revocation status cannot be checked. \n\nThis does not apply to authentication for the purpose of configuring the device itself (i.e., device management).",
"fixid": "F-7030r363846_fix",
"fixtext": "Configure the Voice Video Endpoint used for videoconferencing, when using PKI-based authentication, to implement a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable.",
"iacontrols": null,
"id": "V-206774",
"ruleID": "SV-206774r604140_rule",
"severity": "medium",
"title": "When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must implement a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable.",
"version": "SRG-NET-000345-VVEP-00036"
},
"V-206775": {
"checkid": "C-7031r363848_chk",
"checktext": "Verify the Voice Video Endpoint processing classified information over public networks implements NSA-approved cryptography. \n\nIf the Voice Video Endpoint processing classified information over public networks does not implement NSA-approved cryptography, this is a finding.",
"description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
"fixid": "F-7031r363849_fix",
"fixtext": "Configure the Voice Video Endpoint processing classified information over public networks to implement NSA-approved cryptography.",
"iacontrols": null,
"id": "V-206775",
"ruleID": "SV-206775r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint processing classified information over public networks must implement NSA-approved cryptography.",
"version": "SRG-NET-000352-VVEP-00038"
},
"V-206776": {
"checkid": "C-7032r363851_chk",
"checktext": "Verify the Voice Video Endpoint provides an explicit indication of current participants in all VC-based and IP-based online meetings and conferences. This excludes audio-only teleconferences using traditional telephony.\n\nIf the Voice Video Endpoint does not provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences, this is a finding.",
"description": "Providing an explicit indication of current participants in teleconferences helps to prevent unauthorized individuals from participating in collaborative teleconference sessions without the explicit knowledge of other participants. Teleconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised. This requirement excludes audio-only teleconferences using traditional telephony.\n\nNetwork elements that provide a teleconference capability must provide a clear indication of who is attending the meeting, thus providing all attendees with the capability to clearly identify users who are in attendance.",
"fixid": "F-7032r363852_fix",
"fixtext": "Configure the Voice Video Endpoint to provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences.",
"iacontrols": null,
"id": "V-206776",
"ruleID": "SV-206776r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.",
"version": "SRG-NET-000353-VVEP-00042"
},
"V-206777": {
"checkid": "C-7033r363854_chk",
"checktext": "If UC and VC clients cannot be independently configured by either end users or external service providers, this is Not Applicable. \n\nVerify the Voice Video Endpoint blocks both inbound and outbound communications traffic between UC and VC clients independently configured by end users and external service providers for voice and video. \n\nIf the Voice Video Endpoint does not block both inbound and outbound communications traffic between UC and VC clients independently configured by end users and external service providers, this is a finding.",
"description": "Various communication services such as public VoIP and Instant Messaging services route traffic over their own networks and are stored on their own servers; therefore, that traffic can be accessed at any time by the provider and potentially intercepted. \n\nCommunication clients independently configured by end users and external service providers include, for example, instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions.",
"fixid": "F-7033r363855_fix",
"fixtext": "Configure the Voice Video Endpoint to block both inbound and outbound communications traffic between UC and VC clients independently configured by end users and external service providers.",
"iacontrols": null,
"id": "V-206777",
"ruleID": "SV-206777r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must block both inbound and outbound communications traffic between Unified Capability (UC) and Videoconferencing (VC) clients independently configured by end users and external service providers for voice and video.",
"version": "SRG-NET-000366-VVEP-00014"
},
"V-206778": {
"checkid": "C-7034r363857_chk",
"checktext": "Verify the Voice Video Endpoint protects the integrity of transmitted configuration files from the Voice Video Session Manager. \n\nIf the Voice Video Endpoint does not protect the integrity of transmitted configuration files from the Voice Video Session Manager, this is a finding.",
"description": "Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. When Voice Video Endpoint configuration files traverse a network without encryption for confidentiality, system information can be intercepted by an adversary. Encryption of the configuration files mitigates this vulnerability. However, TFTP is the most common protocol used for configuration file transfers and does not natively encrypt data. The Cisco TFTP implementation for VoIP systems uses encryption to both store and transfer configuration files. Refer to the \u201cCISCO-UCM-TFTP\u201d Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details. Integrity checks during the transmission of configuration files ensure no changes have been introduced by adversarial attacks. TLS can be utilized to secure SIP and SCCP signaling by configuring the session manager in a secure mode.\n\nDoD-to-DoD voice communications are generally considered to contain sensitive information and therefore DoD voice and data traffic crossing the unclassified DISN must be encrypted. Cryptographic mechanisms such as Media Access Control Security (MACsec) implemented to protect information integrity include cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.",
"fixid": "F-7034r363858_fix",
"fixtext": "Configure the Voice Video Endpoint to protect the integrity of transmitted configuration files from the Voice Video Session Manager.",
"iacontrols": null,
"id": "V-206778",
"ruleID": "SV-206778r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must protect the integrity of transmitted configuration files from the Voice Video Session Manager.",
"version": "SRG-NET-000371-VVEP-00017"
},
"V-206779": {
"checkid": "C-7035r363860_chk",
"checktext": "Verify the Voice Video Endpoint protects the confidentiality of transmitted configuration files from the Voice Video Session Manager. \n\nIf the Voice Video Endpoint does not protect the confidentiality of transmitted configuration files from the Voice Video Session Manager, this is a finding.",
"description": "Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. When Voice Video Endpoint configuration files traverse a network without encryption for confidentiality, system information can be intercepted by an adversary. Encryption of the configuration files mitigates this vulnerability. However, TFTP is the most common protocol used for configuration file transfers and does not natively encrypt data. The Cisco TFTP implementation for VoIP systems uses encryption to both store and transfer configuration files. Refer to the \u201cCISCO-UCM-TFTP\u201d Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details. Integrity checks during the transmission of configuration files ensure no changes have been introduced by adversarial attacks. TLS can be utilized to secure SIP and SCCP signaling by configuring the session manager in a secure mode.\n\nDoD-to-DoD voice communications are generally considered to contain sensitive information and therefore DoD voice and data traffic crossing the unclassified DISN must be encrypted. Cryptographic mechanisms such as Media Access Control Security (MACsec) implemented to protect information integrity include cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.",
"fixid": "F-7035r363861_fix",
"fixtext": "Configure the Voice Video Endpoint to protect the confidentiality of transmitted configuration files from the Voice Video Session Manager.",
"iacontrols": null,
"id": "V-206779",
"ruleID": "SV-206779r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must protect the confidentiality of transmitted configuration files from the Voice Video Session Manager.",
"version": "SRG-NET-000371-VVEP-00018"
},
"V-206780": {
"checkid": "C-7036r363863_chk",
"checktext": "Verify the Voice Video Endpoint uses encryption for signaling and media traffic. \n\nIf the Voice Video Endpoint does not use encryption for signaling and media traffic, this is a finding.",
"description": "Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. TLS can be utilized to secure SIP and SCCP signaling by configuring the session manager in a secure mode.\n\nDoD-to-DoD voice communications are generally considered to contain sensitive information and therefore DoD voice and data traffic crossing the unclassified DISN must be encrypted. Cryptographic mechanisms such as Media Access Control Security (MACsec) implemented to protect information include cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.",
"fixid": "F-7036r363864_fix",
"fixtext": "Configure the Voice Video Endpoint to use encryption for signaling and media traffic.",
"iacontrols": null,
"id": "V-206780",
"ruleID": "SV-206780r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint must use encryption for signaling and media traffic.",
"version": "SRG-NET-000371-VVEP-00037"
},
"V-206781": {
"checkid": "C-7037r363866_chk",
"checktext": "Verify the Voice Video Endpoint, when using passwords or PINs for authentication or authorization, cryptographically protects the transmission. \n\nIf the Voice Video Endpoint, when using passwords or PINs for authentication or authorization, does not cryptographically protect the transmission, this is a finding.",
"description": "Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nThis does not apply to authentication for the purpose of configuring the device itself (management).",
"fixid": "F-7037r363867_fix",
"fixtext": "Configure the Voice Video Endpoint, when using passwords or PINs for authentication or authorization, to cryptographically protect the transmission.",
"iacontrols": null,
"id": "V-206781",
"ruleID": "SV-206781r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint, when using passwords or PINs for authentication or authorization, must cryptographically protect the transmission.",
"version": "SRG-NET-000400-VVEP-00033"
},
"V-206782": {
"checkid": "C-7038r363869_chk",
"checktext": "If the Voice Video Endpoint relies exclusively on the Voice Video Session Manager for session records and does not have any capability for generating session records, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint processing classified calls produces session records containing classification level and SAL.\n\nIf the Voice Video Endpoint processing classified calls does not produce session records containing classification level and SAL, this is a finding.",
"description": "Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing session records provide supplemental confirmation of monitored events. Voice video endpoints that communicate beyond these defined environments must generate session records.\n\nSession record content for classified calls may include additional information not pertinent to unclassified calls, such as the classification and SAL. Detailed records are typically produced by the session manager but can be augmented by non-telephone endpoint records.",
"fixid": "F-7038r363870_fix",
"fixtext": "Configure the Voice Video Endpoint to produce session records containing classification level and SAL.",
"iacontrols": null,
"id": "V-206782",
"ruleID": "SV-206782r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint processing classified calls must produce session (call detail) records containing classification level and Security Access Level (SAL).",
"version": "SRG-NET-000494-VVEP-00061"
},
"V-206783": {
"checkid": "C-7039r363872_chk",
"checktext": "Verify the Voice Video Endpoint processing unclassified information implements NIST FIPS-validated cryptography.\n\nIf the Voice Video Endpoint processing unclassified information does not implement NIST FIPS-validated cryptography, this is a finding.",
"description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
"fixid": "F-7039r363873_fix",
"fixtext": "Configure the Voice Video Endpoint processing unclassified information to implement NIST FIPS-validated cryptography.",
"iacontrols": null,
"id": "V-206783",
"ruleID": "SV-206783r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography.",
"version": "SRG-NET-000510-VVEP-00039"
},
"V-206784": {
"checkid": "C-7040r363875_chk",
"checktext": "Verify the Voice Video Endpoint processing unclassified information implements NIST FIPS-validated cryptography to provision digital signatures.\n\nIf the Voice Video Endpoint processing unclassified information does not implement NIST FIPS-validated cryptography to provision digital signatures, this is a finding.",
"description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
"fixid": "F-7040r363876_fix",
"fixtext": "Configure the Voice Video Endpoint processing unclassified information to implement NIST FIPS-validated cryptography to provision digital signatures.",
"iacontrols": null,
"id": "V-206784",
"ruleID": "SV-206784r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to provision digital signatures.",
"version": "SRG-NET-000510-VVEP-00040"
},
"V-206785": {
"checkid": "C-7041r363878_chk",
"checktext": "Verify the Voice Video Endpoint processing unclassified information implements NIST FIPS-validated cryptography to generate cryptographic hashes.\n\nIf the Voice Video Endpoint processing unclassified information does not implement NIST FIPS-validated cryptography to generate cryptographic hashes, this is a finding.",
"description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
"fixid": "F-7041r363879_fix",
"fixtext": "Configure the Voice Video Endpoint processing unclassified information to implement NIST FIPS-validated cryptography to generate cryptographic hashes.",
"iacontrols": null,
"id": "V-206785",
"ruleID": "SV-206785r604140_rule",
"severity": "high",
"title": "The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to generate cryptographic hashes.",
"version": "SRG-NET-000510-VVEP-00041"
},
"V-206786": {
"checkid": "C-7042r363881_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint integrates into the implemented 802.1x network access control system. \n\nIf the hardware Voice Video Endpoint does not integrate into the implemented 802.1x network access control system, this is a finding.",
"description": "IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.",
"fixid": "F-7042r363882_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to integrate into the implemented 802.1x network access control system.",
"iacontrols": null,
"id": "V-206786",
"ruleID": "SV-206786r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must integrate into the implemented 802.1x network access control system.",
"version": "SRG-NET-000512-VVEP-00001"
},
"V-206787": {
"checkid": "C-7043r363884_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. If an 802.1x network access control system is not implemented on the network, this is Not Applicable. \n\nVerify the hardware Voice Video Endpoint is an 802.1x supplicant. \n\nIf the hardware Voice Video Endpoint is not an 802.1x supplicant, this is a finding.",
"description": "IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.",
"fixid": "F-7043r363885_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to be an 802.1x supplicant in the implemented 802.1x network access control system.",
"iacontrols": null,
"id": "V-206787",
"ruleID": "SV-206787r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must be an 802.1x supplicant.",
"version": "SRG-NET-000512-VVEP-00002"
},
"V-206788": {
"checkid": "C-7044r363887_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint with a PC port, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint PC port connects to an 802.1x supplicant or is disabled. \n\nIf the hardware Voice Video Endpoint PC port is disabled, this is not a finding. If the hardware Voice Video Endpoint PC port is not disabled and is not an 802.1x authenticator, this is a finding.",
"description": "IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.\n\nA Voice Video Endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Voice Video Endpoint authentication to the network. This condition may permit devices connected to the PC port to access the LAN. The access switchport can be configured in one of the following modes: single-host, multi-host, or multi-domain. Single-host allows only one device to authenticate, and only packets from this device's MAC address will be allowed, dropping all other packets. Multi-host mode requires one host to authenticate but once this is done, all packets regardless of source MAC address will be allowed. For both the PC attached to the PC port and the Voice Video Endpoint to authenticate separately, multi-domain authentication on the access switchport must be configured. This divides the switchport into a data and a voice domain. In this case if more than one device attempts authorization on either the voice or the data domain of a port, the switchport goes into an error disable state.\n\nDisabling the PC port requires that the network access switchports be configured with the appropriate VLAN for the VVoIP or VTC traffic and that the disabled PC port traffic be placed on the unused VLAN. MAC Authentication Bypass (MAB) is a possible mitigation for this vulnerability; note that MAB authorizes a port based only on the source MAC address, which can be spoofed, so it provides weaker assurance than 802.1x authentication.",
"fixid": "F-7044r363888_fix",
"fixtext": "Configure the hardware Voice Video Endpoint PC port to connect to an 802.1x supplicant in the implemented 802.1x network access control system or be disabled.",
"iacontrols": null,
"id": "V-206788",
"ruleID": "SV-206788r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint PC port must connect to an 802.1x supplicant, or the PC port must be disabled.",
"version": "SRG-NET-000512-VVEP-00003"
},
"V-206789": {
"checkid": "C-7045r363890_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint with a PC port, this check procedure is Not Applicable.\n\nVerify the unused hardware Voice Video Endpoint PC port is disabled. \n\nIf the unused hardware Voice Video Endpoint PC port is not disabled, this is a finding.",
"description": "IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.\n\nA Voice Video Endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Voice Video Endpoint authentication to the network. This condition may permit devices connected to the PC port to access the LAN. Daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless the PC port is an 802.1x authenticator and configured to work with an approved authentication server. Disabling the PC port requires that the network access switchports be configured with the appropriate VLAN for the VVoIP or VTC traffic and that the disabled PC port traffic be placed on the unused VLAN. MAC Authentication Bypass (MAB) is a possible mitigation for this vulnerability; note that MAB authorizes a port based only on the source MAC address, which can be spoofed, so it provides weaker assurance than 802.1x authentication.",
"fixid": "F-7045r363891_fix",
"fixtext": "Configure the unused hardware Voice Video Endpoint PC port to be disabled.",
"iacontrols": null,
"id": "V-206789",
"ruleID": "SV-206789r604140_rule",
"severity": "medium",
"title": "The unused hardware Voice Video Endpoint PC port must be disabled.",
"version": "SRG-NET-000512-VVEP-00004"
},
"V-206790": {
"checkid": "C-7046r363893_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint with a PC port, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint with a PC port has the switchport configured as single-host or enables 802.1x multi-domain authentication. \n\nIf the hardware Voice Video Endpoint with a PC port has the switchport configured as single-host, this is not a finding. \n\nIf the hardware Voice Video Endpoint with a PC port does not have the switchport configured as single-host and does not enable 802.1x multi-domain authentication, this is a finding.",
"description": "IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.\n\nA Voice Video Endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Voice Video Endpoint authentication to the network. This condition may permit devices connected to the PC port to access the LAN. Daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless the PC port is an 802.1x authenticator and configured to work with an approved authentication server. Disabling the PC port requires that the network access switchports be configured with the appropriate VLAN for the VVoIP or VTC traffic and that the disabled PC port traffic be placed on the unused VLAN. MAC Authentication Bypass (MAB) is a possible mitigation for this vulnerability; note that MAB authorizes a port based only on the source MAC address, which can be spoofed, so it provides weaker assurance than 802.1x authentication.",
"fixid": "F-7046r363894_fix",
"fixtext": "Configure the hardware Voice Video Endpoint with a PC port to have the switchport configured as single-host or enable 802.1x multi-domain authentication.",
"iacontrols": null,
"id": "V-206790",
"ruleID": "SV-206790r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint with a PC port must have the switchport configured as single-host or enable 802.1x multi-domain authentication.",
"version": "SRG-NET-000512-VVEP-00005"
},
"V-206791": {
"checkid": "C-7047r363896_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint not supporting 802.1x is configured to use MAB on the access switchport. \n\nIf the hardware Voice Video Endpoint not supporting 802.1x is not configured to use MAB on the access switchport, this is a finding.",
"description": "IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.\n\nA Voice Video Endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Voice Video Endpoint authentication to the network. This condition may permit devices connected to the PC port to access the LAN. Daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless the PC port is an 802.1x authenticator and configured to work with an approved authentication server. Disabling the PC port requires that the network access switchports be configured with the appropriate VLAN for the VVoIP or VTC traffic and that the disabled PC port traffic be placed on the unused VLAN. MAC Authentication Bypass (MAB) is a possible mitigation for this vulnerability; note that MAB authorizes a port based only on the source MAC address, which can be spoofed, so it provides weaker assurance than 802.1x authentication and should be limited to endpoints that genuinely cannot act as an 802.1x supplicant.",
"fixid": "F-7047r363897_fix",
"fixtext": "Configure the hardware Voice Video Endpoint not supporting 802.1x to use MAB on the access switchport.",
"iacontrols": null,
"id": "V-206791",
"ruleID": "SV-206791r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.",
"version": "SRG-NET-000512-VVEP-00006"
},
"V-206792": {
"checkid": "C-7048r363899_chk",
"checktext": "If the Voice Video Endpoint does not support C2 communications, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint supporting C2 communications implements MLPP dialing to enable Routine, Priority, Immediate, Flash, and Flash Override.\n\nIf the Voice Video Endpoint supporting C2 communications does not implement MLPP dialing to enable Routine, Priority, Immediate, Flash, and Flash Override, this is a finding. If the MLPP dialing is not configured, this is a finding.",
"description": "Configuring the C2 Voice Video Endpoint to implement MLPP ensures vital high-level communications occur regardless of environmental, geographical, and political conditions. When conditions require immediate discussion among high-level officials, the C2 communications systems must be capable of implementing MLPP. \n\nThe MLPP service allows properly validated users to place priority calls and, when necessary, C2 users can preempt lower-priority phone calls. Precedence designates the priority level that is associated with a call, and preemption designates the process of terminating lower-precedence calls currently using a Voice Video Endpoint. A call of higher precedence can be extended to or through the device. A validated C2 user can preempt calls to targeted stations when AS-SIP is fully implemented on the network or through fully subscribed time division multiplexing (TDM) trunks. This capability assures high-level personnel of communication to critical organizations and personnel during network stress situations, such as a national emergency or degraded network situations.",
"fixid": "F-7048r363900_fix",
"fixtext": "Configure the Voice Video Endpoint supporting C2 communications to implement MLPP dialing to enable Routine, Priority, Immediate, Flash, and Flash Override.",
"iacontrols": null,
"id": "V-206792",
"ruleID": "SV-206792r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) dialing to enable Routine, Priority, Immediate, Flash, and Flash Override.",
"version": "SRG-NET-000512-VVEP-00045"
},
"V-206793": {
"checkid": "C-7049r363902_chk",
"checktext": "If the Voice Video Endpoint does not support C2 communications, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint supporting C2 communications implements MLPP call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override.\n\nIf the Voice Video Endpoint supporting C2 communications does not implement MLPP call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override, this is a finding. If the MLPP call disconnect is not configured for use, this is a finding.",
"description": "Configuring the C2 Voice Video Endpoint to implement MLPP ensures vital high-level communication occurs regardless of environmental, geographical, and political conditions. When conditions require immediate discussion among high-level officials, the C2 communications systems must be capable of implementing MLPP.\n\nThe MLPP service allows properly validated users to place priority calls and when necessary, C2 users can preempt lower-priority phone calls. Precedence designates the priority level that is associated with a call and preemption designates the process of terminating lower-precedence calls currently using a Voice Video Endpoint. A call of higher precedence can be extended to or through the device. A validated C2 user can preempt calls to targeted stations when AS-SIP is fully implemented on the network or through fully subscribed time division multiplexing (TDM) trunks. This capability assures high-level personnel of communication to critical organizations and personnel during network stress situations, such as a national emergency or degraded network situations.",
"fixid": "F-7049r363903_fix",
"fixtext": "Configure the Voice Video Endpoint supporting C2 communications to implement MLPP call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override.",
"iacontrols": null,
"id": "V-206793",
"ruleID": "SV-206793r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override.",
"version": "SRG-NET-000512-VVEP-00046"
},
"V-206794": {
"checkid": "C-7050r363905_chk",
"checktext": "If the Voice Video Endpoint does not support C2 communications, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint supporting C2 communications implements AS-SIP.\n\nIf the Voice Video Endpoint supporting C2 communications does not implement AS-SIP, this is a finding. If AS-SIP is not configured for use, this is a finding.",
"description": "Configuring the C2 Voice Video Endpoint to implement MLPP ensures vital high-level communication occurs regardless of environmental, geographical, and political conditions. When conditions require immediate discussion among high-level officials, the C2 communications systems must be capable of implementing MLPP.\n\nThe MLPP service allows properly validated users to place priority calls and when necessary, C2 users can preempt lower-priority phone calls. Precedence designates the priority level that is associated with a call and preemption designates the process of terminating lower-precedence calls currently using a Voice Video Endpoint. A call of higher precedence can be extended to or through the device. A validated C2 user can preempt calls to targeted stations when AS-SIP is fully implemented on the network or through fully subscribed time division multiplexing (TDM) trunks. This capability assures high-level personnel of communication to critical organizations and personnel during network stress situations, such as a national emergency or degraded network situations.",
"fixid": "F-7050r363906_fix",
"fixtext": "Configure the Voice Video Endpoint supporting C2 communications to implement AS-SIP.",
"iacontrols": null,
"id": "V-206794",
"ruleID": "SV-206794r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint supporting Command and Control (C2) communications must implement Assured Service Session Initiation Protocol (AS-SIP).",
"version": "SRG-NET-000512-VVEP-00047"
},
"V-206795": {
"checkid": "C-7051r363908_chk",
"checktext": "If the unclassified Voice Video Endpoint is not deployed where sensitive or classified information is discussed, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint microphone provides hardware mechanisms, such as push-to-talk handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.\n\nIf the Voice Video Endpoint microphone does not provide hardware mechanisms, such as push-to-talk handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks, this is a finding. If the Voice Video Endpoint microphone does provide hardware mechanisms but is not configured to use these features, this is a finding.",
"description": "Microphones used with videoconferencing are designed to be extremely sensitive, designed to pick up audio from anywhere within a conference room. The microphones may pick up sidebar conversations with no relationship to the conference or call in progress. Speakerphones exhibit a similar vulnerability. The risk is especially high when unclassified conversations are conducted in classified spaces. Users or operators of videoconferencing systems must take care regarding what is being said and seen during a conference call and what sensitive information can be picked up by a camera or microphone. \n\nVoice Video Endpoints used in classified areas must use hardware mechanisms such as push-to-talk (PTT) to prevent conversations occurring in the area of the call from being heard over unclassified systems. This capability mitigates the risk of compromising sensitive or classified information not related to the conversation in progress. Speakers embedded in or connected to a Voice Video Endpoint may be turned up loud enough to be heard across a room or in the next workspace, risking compromise of sensitive or classified information.",
"fixid": "F-7051r363909_fix",
"fixtext": "Configure the Voice Video Endpoint microphone hardware mechanisms, such as push-to-talk handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.",
"iacontrols": null,
"id": "V-206795",
"ruleID": "SV-206795r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint microphone must provide hardware mechanisms, such as push-to-talk (PTT) handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.",
"version": "SRG-NET-000512-VVEP-00048"
},
"V-206796": {
"checkid": "C-7052r363911_chk",
"checktext": "If the unclassified Voice Video Endpoint is not deployed where sensitive or classified information is displayed or discussed, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint camera provides hardware mechanisms, such as push-to-see camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.\n\nIf the Voice Video Endpoint camera does not provide hardware mechanisms, such as push-to-see camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks, this is a finding. If the Voice Video Endpoint camera does provide hardware mechanisms but is not configured to use these features, this is a finding.",
"description": "Cameras used with Voice Video Endpoints may reveal sensitive or classified information. This is especially at risk when unclassified conversations are conducted in classified spaces. Users or operators of videoconferencing systems must take care regarding what is being said and seen during a conference call and what sensitive information can be picked up by a camera or microphone. \n\nVoice Video Endpoints used in classified areas must use hardware mechanisms such as push-to-see (PTS) to prevent sensitive or classified information picked up by the camera in the area of the call from being transmitted over unclassified systems. This capability mitigates the risk to compromise sensitive or classified information not related to the conversation in progress.",
"fixid": "F-7052r363912_fix",
"fixtext": "Configure the Voice Video Endpoint camera hardware mechanisms, such as push-to-see camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.",
"iacontrols": null,
"id": "V-206796",
"ruleID": "SV-206796r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint camera must provide hardware mechanisms, such as push-to-see (PTS) camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.",
"version": "SRG-NET-000512-VVEP-00049"
},
"V-206797": {
"checkid": "C-7053r363914_chk",
"checktext": "Verify the Voice Video Endpoint auto-answer feature is disabled.\n\nIf the Voice Video Endpoint auto-answer feature is not disabled, this is a finding.",
"description": "A Voice Video Endpoint set to automatically answer a call with audio or video capabilities enabled risks transmitting information not intended for the caller. If a Voice Video Endpoint automatically answered a call during a classified meeting or discussion, potentially sensitive or classified information could be transmitted to the caller without anyone in the room being aware. The auto-answer feature must not be activated by a user unless the feature is required to satisfy mission requirements.",
"fixid": "F-7053r363915_fix",
"fixtext": "Configure the Voice Video Endpoint auto-answer feature to be disabled.",
"iacontrols": null,
"id": "V-206797",
"ruleID": "SV-206797r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint auto-answer feature must be disabled.",
"version": "SRG-NET-000512-VVEP-00050"
},
"V-206798": {
"checkid": "C-7054r363917_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint disables or restricts web browser capabilities permitting the endpoint to browse the Internet or intranet. External applications and services approved for accessibility on the Voice Video Endpoint and implemented by the enterprise are permissible.\n\nIf the hardware Voice Video does not disable or restrict web browser capabilities permitting the endpoint to browse the Internet or intranet, this is a finding.",
"description": "Permitting hardware Voice Video Endpoints to browse the internet or enterprise intranet freely opens the endpoint to the possibility of inadvertently downloading malicious code to the endpoint for which it may have no protection. Voice Video Endpoints typically do not support host based intrusion detection or anti-virus software. While the downloaded malicious code might not affect the endpoint itself, the endpoint could be used by the malicious code as a launching pad into the network and attached workstations or servers.",
"fixid": "F-7054r363918_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to disable or restrict web browser capabilities permitting the endpoint to browse the Internet or intranet.",
"iacontrols": null,
"id": "V-206798",
"ruleID": "SV-206798r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must disable or restrict web browser capabilities permitting the endpoint to browse the internet or intranet.",
"version": "SRG-NET-000512-VVEP-00051"
},
"V-206799": {
"checkid": "C-7055r363920_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. If the hardware Voice Video Endpoint does not contain a web server, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint disables or restricts built-in web servers. Web servers embedded in hardware Voice Video Endpoints must be restricted to authorized entities\u2019 devices through an authentication mechanism or, minimally, through IP address filtering, or be otherwise disabled. Additionally, the connection must be for direct user or administrative functions.\n\nIf the hardware Voice Video Endpoint does not disable or restrict built-in web servers, this is a finding.",
"description": "Hardware Voice Video Endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some Voice Video Endpoints, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise.",
"fixid": "F-7055r363921_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to disable or restrict built-in web servers.",
"iacontrols": null,
"id": "V-206799",
"ruleID": "SV-206799r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must disable or restrict built-in web servers.",
"version": "SRG-NET-000512-VVEP-00052"
},
"V-206800": {
"checkid": "C-7056r363923_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint prevents the configuration of network IP settings without the use of a PIN or password.\n\nIf the hardware Voice Video Endpoint does not prevent the configuration of network IP settings without the use of a PIN or password, this is a finding.",
"description": "Many Voice Video Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore, these devices should be considered a target to be defended against individuals who would collect voice network information for illicit purposes. To mitigate information gathering by adversaries, measures must be taken to protect this information.",
"fixid": "F-7056r363924_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to prevent the configuration of network IP settings without the use of a PIN or password.",
"iacontrols": null,
"id": "V-206800",
"ruleID": "SV-206800r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must prevent the configuration of network IP settings without the use of a PIN or password.",
"version": "SRG-NET-000512-VVEP-00053"
},
"V-206801": {
"checkid": "C-7057r363926_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint prevents the display of network IP settings without the use of a PIN or password.\n\nIf the hardware Voice Video Endpoint does not prevent the display of network IP settings without the use of a PIN or password, this is a finding.",
"description": "Many Voice Video Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore, these devices should be considered a target to be defended against individuals who would collect voice network information for illicit purposes. To mitigate information gathering by adversaries, measures must be taken to protect this information.",
"fixid": "F-7057r363927_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to prevent the display of network IP settings without the use of a PIN or password.",
"iacontrols": null,
"id": "V-206801",
"ruleID": "SV-206801r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must prevent the display of network IP settings without the use of a PIN or password.",
"version": "SRG-NET-000512-VVEP-00054"
},
"V-206802": {
"checkid": "C-7058r363929_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint does not use the default PIN or password to access configuration and display of network IP settings.\n\nIf the hardware Voice Video Endpoint uses the default PIN or password to access configuration and display of network IP settings, this is a finding.",
"description": "Many Voice Video Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore these devices should be considered a target to be defended against individuals that would collect voice network information for illicit purposes. To mitigate information gathering by the adversaries, measures must be taken to protect this information.",
"fixid": "F-7058r363930_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to not use the default PIN or password to access configuration and display of network IP settings.",
"iacontrols": null,
"id": "V-206802",
"ruleID": "SV-206802r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must not use the default PIN or password to access configuration and display of network IP settings.",
"version": "SRG-NET-000512-VVEP-00055"
},
"V-206803": {
"checkid": "C-7059r363932_chk",
"checktext": "Verify the Voice Video Endpoint prevents the user from installing third-party software.\n\nIf the Voice Video Endpoint does not prevent the user from installing third-party software, this is a finding.",
"description": "Unauthorized third-party software is challenging the security posture of DoD. Most established vendors have developed a patch management process that prevents risk, resulting in an estimated 80 percent of threats arising from third-party software. Preventing users from installing third-party software limits organizational exposure. Additionally, preventing installation of untrusted software further reduces risk to the network.",
"fixid": "F-7059r363933_fix",
"fixtext": "Configure the Voice Video Endpoint to prevent the user from installing third-party software.",
"iacontrols": null,
"id": "V-206803",
"ruleID": "SV-206803r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must prevent the user from installing third-party software.",
"version": "SRG-NET-000512-VVEP-00057"
},
"V-206804": {
"checkid": "C-7060r363935_chk",
"checktext": "Verify the Voice Video Endpoint prevents installation of untrusted third-party software.\n\nIf the Voice Video Endpoint does not prevent installation of untrusted third-party software, this is a finding.",
"description": "Unauthorized third-party software is challenging the security posture of DoD. Most established vendors have developed a patch management process that prevents risk, resulting in an estimated 80 percent of threats arising from third-party software. Preventing users from installing third-party software limits organizational exposure. Additionally, preventing installation of untrusted software further reduces risk to the network. Vendors that prevent installation of all third-party software meet the intent of this requirement.",
"fixid": "F-7060r363936_fix",
"fixtext": "Configure the Voice Video Endpoint to prevent installation of untrusted third-party software.",
"iacontrols": null,
"id": "V-206804",
"ruleID": "SV-206804r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must prevent installation of untrusted third-party software.",
"version": "SRG-NET-000512-VVEP-00058"
},
"V-206805": {
"checkid": "C-7061r363938_chk",
"checktext": "Verify the Voice Video Endpoint is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. This requirement is intended to be used to allow best practices and other security guidance to be included within a vendor-produced STIG.\n\nIf the Voice Video Endpoint is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.",
"description": "Configuring the Voice Video Endpoint to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.",
"fixid": "F-7061r363939_fix",
"fixtext": "Configure the Voice Video Endpoint in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
"iacontrols": null,
"id": "V-206805",
"ruleID": "SV-206805r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
"version": "SRG-NET-000512-VVEP-00060"
},
"V-206806": {
"checkid": "C-7062r459021_chk",
"checktext": "If the Voice Video Endpoint is not used for unclassified communication within a SCIF or SAPF, this check procedure is Not Applicable.\n\nVerify the Voice Video Endpoint used for unclassified communication within a SCIF or SAPF is an NTSWG-approved device meeting the requirements outlined in CNSSI 5000.\n\nConfirm a valid NTSWG certification seal is affixed to the Voice Video Endpoint with no indication of tampering.\n\nIf the Voice Video Endpoint is not an NTSWG-approved device with an affixed certification seal, this is a finding.\n\nIf the Voice Video Endpoint reveals any evidence of tampering, or the seal is broken, cut, or in any way tampered with, this is a finding.",
"description": "Configuring the Voice Video Endpoint to implement CNSSI 5000 for unclassified communication within SCIFs and SAPF ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nVoice Video Endpoints may transmit classified conversations over unclassified networks. Voice Video Endpoint microphones, speakers, and supporting electronics may pick up conversation audio within the area and conduct it over the network connection, even when the endpoint is on-hook, powered or not. The Technical Surveillance Counter-Measures (TSCM) program protects sensitive government information, to include classified information, through the establishment of on-hook audio security standards. Voice Video Endpoints certified by NTSWG are modified to prevent this behavior, or limit it to within acceptable levels.\n\nReferences:\nCNSS Instruction No. 5000, Guidelines for Voice over Internet Protocol (VoIP), dated August 2016\nCNSS Instruction No. 5001, Type-Acceptance Program for Voice over Internet Protocol (VoIP) Telephones, dated December 2007\nCNSS Instruction No. 5007, Telephone Security Equipment Submission and Evaluation Procedures, dated April 2013\nIC Tech Spec-For ICD/ICS 705, Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities, version 1.3 dated September 10, 2015\nJoint Air Force, Army, Navy (JAFAN) 6/0 Manual; Special Access Program Security Manual \u2013 Revision 1, dated May 29, 2008\nJoint Air Force, Army, Navy (JAFAN) 6/9 Manual; Physical Security Standards for Special Access Program Facilities, dated March 23, 2004",
"fixid": "F-7062r459022_fix",
"fixtext": "Replace the Voice Video Endpoint used for unclassified communication within a SCIF or SAPF with an NTSWG-approved device meeting the requirements outlined in CNSSI 5000.\n\nConfirm a valid NTSWG certification seal is affixed to the Voice Video Endpoint with no indication of tampering. The list of NTSWG-approved instruments is available on the National Counterintelligence and Security Center website using the URL below, then clicking on \"TSG-6-Approved Telephones (PDF)\" link to download the list:\n\nhttps://www.dni.gov/index.php/ncsc-what-we-do/ncsc-physical-security-mission\n\nThe manufacturer places the certification seals prior to shipment, and if the seal is broken, cut, or in any way tampered with, it is no longer considered valid.",
"iacontrols": null,
"id": "V-206806",
"ruleID": "SV-206806r604140_rule",
"severity": "medium",
"title": "The Voice Video Endpoint used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be a National Telecommunications Security Working Group (NTSWG)-approved device in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000.",
"version": "SRG-NET-000512-VVEP-00065"
},
"V-206807": {
"checkid": "C-7063r363944_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint applies 802.1Q VLAN tags to signaling and media traffic. \n\nIf the hardware Voice Video Endpoint does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.",
"description": "When Voice Video Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data type with which they are associated. VLAN tags are used as security attributes. These attributes are typically associated with signaling and media streams within the application and are used to enable the implementation of access control and flow control policies. Security labels for packets may include traffic flow information (e.g., source, destination, protocol combination), traffic classification based on QoS markings for preferred treatment, and VLAN identification.\n\nVirtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.",
"fixid": "F-7063r363945_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to apply 802.1Q VLAN tags to signaling and media traffic.",
"iacontrols": null,
"id": "V-206807",
"ruleID": "SV-206807r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must apply 802.1Q VLAN tags to signaling and media traffic.",
"version": "SRG-NET-000520-VVEP-00010"
},
"V-206808": {
"checkid": "C-7064r363947_chk",
"checktext": "If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.\n\nVerify the hardware Voice Video Endpoint uses a voice video VLAN separate from all other VLANs. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN.\n\nIf the hardware Voice Video Endpoint does not use a voice video VLAN separate from all other VLANs, this is a finding.",
"description": "Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.",
"fixid": "F-7064r363948_fix",
"fixtext": "Configure the hardware Voice Video Endpoint to use a voice video VLAN separate from all other VLANs.",
"iacontrols": null,
"id": "V-206808",
"ruleID": "SV-206808r604140_rule",
"severity": "medium",
"title": "The hardware Voice Video Endpoint must use a voice video VLAN, separate from all other VLANs.",
"version": "SRG-NET-000520-VVEP-00011"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-206746": "true",
"V-206747": "true",
"V-206748": "true",
"V-206750": "true",
"V-206751": "true",
"V-206752": "true",
"V-206753": "true",
"V-206754": "true",
"V-206755": "true",
"V-206756": "true",
"V-206757": "true",
"V-206758": "true",
"V-206759": "true",
"V-206760": "true",
"V-206761": "true",
"V-206762": "true",
"V-206763": "true",
"V-206764": "true",
"V-206765": "true",
"V-206766": "true",
"V-206767": "true",
"V-206768": "true",
"V-206769": "true",
"V-206770": "true",
"V-206771": "true",
"V-206772": "true",
"V-206773": "true",
"V-206774": "true",
"V-206775": "true",
"V-206776": "true",
"V-206777": "true",
"V-206778": "true",
"V-206779": "true",
"V-206780": "true",
"V-206781": "true",
"V-206782": "true",
"V-206783": "true",
"V-206784": "true",
"V-206785": "true",
"V-206786": "true",
"V-206787": "true",
"V-206788": "true",
"V-206789": "true",
"V-206790": "true",
"V-206791": "true",
"V-206792": "true",
"V-206793": "true",
"V-206794": "true",
"V-206795": "true",
"V-206796": "true",
"V-206797": "true",
"V-206798": "true",
"V-206799": "true",
"V-206800": "true",
"V-206801": "true",
"V-206802": "true",
"V-206803": "true",
"V-206804": "true",
"V-206805": "true",
"V-206806": "true",
"V-206807": "true",
"V-206808": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "voice_video_endpoint_security_requirements_guide",
"title": "Voice Video Endpoint Security Requirements Guide",
"version": "2"
}
}