| V-8250 | High | DoD-to-DoD VVoIP traffic traversing any publicly accessible wide area network (i.e., Internet, NIPRnet) must use FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic. | When VVoIP connections are established across a publicly accessible WAN, all communications confidentiality and integrity can be lost. Information gleaned from signaling messages can be used to... |
| V-8328 | High | The implementation of VoIP systems in the local enclave must not degrade the enclaves perimeter protection due to inadequate design of the VoIP boundary and its connection to external networks. | VoIP has the potential to significantly degrade the enclave boundary protection afforded by the required boundary firewall unless the firewall is designed to properly handle VoIP traffic. The... |
| V-16074 | High | Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pickup and transmit sensitive or classified information in visual form. | Users of conference room or office based VTC systems and PC based communications applications that employ a camera must not inadvertently display information of a sensitive or classified nature... |
| V-19440 | Medium | VVoIP session signaling must be encrypted to provide end-to-end interoperable confidentiality and integrity. | Because vendors did not have interoperability, lacked end-to-end encryption, and did not provide assured service in support of Command and Control (C2) communications, VVoIP traffic originally was... |
| V-19441 | Medium | VVoIP session media must be encrypted to provide end-to-end interoperable confidentiality and integrity. | Because vendors did not have interoperability, lacked end-to-end encryption, and did not provide assured service in support of Command and Control (C2) communications, VVoIP traffic originally was... |
| V-19443 | Medium | The local VVoIP system must have the capability to place intra-site and local phone calls when network connectivity is severed from the remote centrally-located session controller. | Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DoD mission. It is critical that phone service is available in the event of an... |
| V-8306 | Medium | A hardware based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub). | Some VVoIP hardware endpoints and hardware based VTC endpoints have a second Ethernet port on the device to provide a connection to external devices such as a. This port is typically called a “PC... |
| V-19565 | Medium | The VVoIP system and supporting LAN design must contain one or more routing devices to provide support for required ACLs between the various required VVoIP VLANs. | VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from... |
| V-19627 | Medium | Remote access VoIP must be routed to the VoIP VLAN. | In addition to complying with the STIGs and VPN requirements for remotely connected PCs, there is an additional requirement for Unified Capabilities (UC) soft client and UC applications using the... |
| V-19562 | Medium | The VVoIP system and LAN design must provide segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled. | The management interface on any system/device is its Achilles heel. Unauthorized access can lead to complete corruption of the system or device, causing the loss of availability... |
| V-21508 | Medium | The Fire and Emergency Services (FES) communications over a sites telephone system must be configured to support the Department of Defense (DoD) Instruction 6055.06 telecommunication capabilities. | Emergency communications must include requests for fire, police, and medical assistance. In DoD, these communications can also include requests for Aircraft Rescue and Fire Fighting (ARFF),... |
| V-21509 | Medium | The Fire and Emergency Services (FES) communications over a sites private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information. | The implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center be able to automatically locate the calling party in the event... |
| V-19606 | Medium | Enclaves with commercial VoIP connections must be approved by the DoDIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP). | The DoD requires the use of DISN services as the first choice to meet core communications needs. When additional services for SIP trunks are necessary, an ITSP may provide an “alternate... |
| V-19602 | Medium | The dual homed DISN core access circuits are NOT implemented such that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis. | Providing dual homed access circuits from a C2 enclave to the DISN core is useless unless both circuits provide the same capacity to include enough overhead to support surge conditions. If one... |
| V-19603 | Medium | The required dual homed DISN Core or NIPRNet access circuits DO NOT follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. | In previous requirements we discussed the need for redundant DISN Core access circuits between the enclave and the DISN SDNs. Another method for providing the greatest reliability and availability... |
| V-19600 | Medium | The DISN Core access circuit is NOT properly sized to accommodate the calculated Assured Service Admission Control (ASAC) budgets for AS voice and video calls/sessions OR the required budgets have not been calculated. | The DISN NIPRNet IPVS PMO has developed a method to provide Assured Service voice and video communications over the bandwidth constrained portion of the DISN. This method includes or supports... |
| V-21523 | Medium | The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers. | It is critical that the network time be synchronized across all network elements when troubleshooting network problems or investigating an incident. Each log entry is required to be time stamped.... |
| V-8254 | Medium | The Unified Mail system and/or server must implement applicable SRG and/or STIG guidance. | Unified Mail services are subject to the guidance and requirements in the Voice VIdeo STIGs. Older voice mail systems/servers commonly use proprietary Oss, while newer ones often run on Windows or... |
| V-8255 | Medium | Access to personal voice mail settings by the subscriber via an IP connection is not secured via encryption and/or web” server on the voicemail system is not configured in accordance with the “private web server” requirements in the Web Server STIG/Checklist. | In traditional TDM phone systems, personal voicemail settings and greetings are accessed / configured by the subscriber/user on traditional voicemail servers via the traditional telephone. Control... |
| V-61319 | Medium | VVoIP endpoint configuration files must not be downloaded automatically during initial endpoint registration. | During VVoIP endpoint registration with the session controller, a file is downloaded by the endpoint from the session manager containing specific configuration settings. This file contains the... |
| V-8323 | Medium | The VVoIP VLAN ACL design must document the control of VVoIP system access and traffic flow. | Previous requirements in this STIG/Checklist define the need for dedicated VVoIP VLANs and IP subnets to provide the capability for VVoIP system access and traffic control. This control is... |
| V-8329 | Medium | The sites enclave boundary protection must route DSN voice traffic via a local Media Gateway (MG) connected to a DSN service provider using the appropriate type of trunk based on the sites need to support C2 communications. | There are several reasons why DSN voice traffic must use a locally implemented MG connected to a DSN service provider using the appropriate type of trunk based on the site’s need to support C2... |
| V-47753 | Medium | Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves. | When VVoIP configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate, may reveal sensitive data. When VVoIP traffic is... |
| V-8247 | Medium | Servers supporting the Voice Video and Unified Capability (UC) environment must be dedicated services, with unnecessary functions disabled or removed. | Voice Video and Unified Mail services are high-availability systems that must be separated from all other traffic. Unnecessary services will degrade performance. The RTS traffic may have latency... |
| V-16089 | Medium | Deficient training or training materials addressing secure PC communications client application usage. | Users of PC based voice, video, UC, and collaboration communications applications must be aware of, and trained in, the various aspects of the application’s safe and proper use. They must also be... |
| V-16088 | Medium | User training must include Unified Capability (UC) soft client accessory network bridging risks. | While a headset, microphone, webcam, combination headset/microphone, or a combination webcam/microphone can be considered to be UC soft client accessories; these are also accessories for other... |
| V-19545 | Medium | VVoIP core components are not assigned static addresses within the dedicated VVoIP address space | Assigning static addresses to core VVoIP devices permits tighter control using ACLs on firewalls and routers to help in the protection of these devices. |
| V-19547 | Medium | The VVoIP system management network must provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network. | VVoIP core system devices and Time Division Multiplexer (TDM)-based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is... |
| V-16081 | Medium | Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
| V-16082 | Medium | Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session. | The VTC STIG discusses the possibility of undesired or improper viewing of and/or listening to activities and conversations in the vicinity of a hardware based VTC endpoint, whether it is a... |
| V-57951 | Medium | Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users. | Unified Capabilities (UC) users require different levels of capability depending upon command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have... |
| V-16087 | Medium | Voice networks must not be bridged via a Unified Capability (UC) soft client accessory. | While a headset, microphone, or webcam can be considered to be UC soft client accessories, these are also accessories for other collaboration and communications applications. Our discussion here... |
| V-16096 | Medium | Deploying Unified Communications (UC) soft clients on DoD networks must have Authorizing Official (AO) approval. | This use case addresses situations whereby UC soft client applications on workstations are not the primary voice communications device in the work area. This means that there is a validated... |
| V-19654 | Medium | The 802.1x authentication server must place voice video traffic in the correct VLAN when authorizing LAN access for voice video endpoints. | 802.1x has the capability of configuring the network access switch port to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success”... |
| V-16094 | Medium | Deficient support for COOP or emergency and life safety communications when soft-phones are implemented as the primary voice endpoint in user’s workspace caused by deficient placement of physical hardware based phones near all such workspaces. | This and several other requirements discuss the implementation of PC soft-phones or UC applications as the primary and only communications device in the user’s workspace. While this degrades the... |
| V-16095 | Medium | Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have Authorizing Official (AO) approval. | The AO responsible for the implementation of a voice system that uses UC soft clients for its endpoints must be made aware of the risks and benefits. In addition, the commander of an organization... |
| V-19651 | Medium | When 802.1x is implemented and the voice video endpoint PC ports are disabled, the network access switch port must be configured to support a disabled PC port by configuring PC port traffic to the unused VLAN. | A voice video endpoint that provides a PC port typically breaks 802.1x LAN access control mechanisms. The cause is the network access switch port is enabled or authorized (and configured) when the... |
| V-16090 | Medium | An acceptable use policy or user agreement must be enforced for Unified Capabilities (UC) soft client users. | User agreements must be accompanied with a combination of user training and user guides reinforcing the organization's policies and prohibitions for UC soft clients (voice, video, and... |
| V-8230 | Medium | The VVoIP VLAN design for the supporting LAN must provide segmentation of the VVoIP service from the other services on the LAN and between the VVoIP components such that access and traffic flow can be properly controlled. | An IPT system is built on an IP infrastructure based on layer 2 and layer 3 switches and routers, which comprise the network’s access and distribution layers respectively. The layer 2 switches... |
| V-16098 | Medium | A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary. | UC soft clients may be used on a strategic LAN when associated with or part of a CTI application. Traditional computer telephony integration CTI encompasses the control of a telephone or... |
| V-16099 | Medium | The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure. | The primary reason for the implementation of the LAN architecture and security measures defined in this and other STIGs is to improve the survivability (availability) of the VVoIP communications... |
| V-16078 | Medium | Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
| V-16070 | Medium | C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications. | PC based communications applications rely on many different factors, but are dependant upon the platform on which they operate. A PC could be dedicated to a task, protected, and controlled such... |
| V-16073 | Medium | A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client. | PC based communications applications rely on many different factors, but are dependant upon the platform on which they operate. A PC could be dedicated to a task, protected, and controlled such... |
| V-16076 | Medium | VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems. | Microphones used with VTC systems and devices are designed to be extremely sensitive such that people speaking anywhere within a conference room is picked up and amplified so they can be heard... |
| V-16077 | Medium | Deficient Policy or SOP regarding PC communications video display positioning. | When communicating using a PC based voice, video, UC, or collaboration communications application, the user must protect the information displayed from being viewed by individuals that do not have... |
| V-8288 | Medium | A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage). |
Per other requirements, the network configuration information and settings on a VoIP instrument must be protected by a password or PIN. VVoIP endpoints do not typically provide automated... |
| V-8224 | Medium | MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address. | Media Gateway Control Protocol (MGCP) is a protocol that is used between Media Gateway Controllers (MGCs), Media Gateways (MGs), and other MGs to exchange sensitive gateway status and zone... |
| V-8227 | Medium | VVoIP system components must use separate address blocks from those used by non-VVoIP system devices. | VVoIP networks increasingly represent high-value targets for attacks and represent a greater risk to network security than most other network applications; hence, it is imperative that the voice... |
| V-8349 | Medium | Software patches for critical VoIP servers and other IPT devices DO NOT originate from the system manufacturer and are NOT applied in accordance with manufacturer’s instructions. | VVoIP systems and particularly voice telecommunications systems (that is to say phone systems) are considered critical infrastructure for communications, security, and life safety. As such they... |
| V-19482 | Medium | The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation. | It is important that the vendor provided upgrades or patches are not modified during their delivery and installation. This can be a problem if the application is obtained from a source other than... |
| V-19521 | Medium | The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications. | Voice services in support of high priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design... |
| V-8290 | Medium | An inventory of authorized instruments is NOT documented or maintained in support of the detection of unauthorized instruments connected to the VoIP system. | Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add unauthorized digital... |
| V-47735 | Medium | VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates. | When VVoIP configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate, may reveal sensitive data. When VVoIP traffic is... |
| V-19652 | Medium | The access switch must only allow a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port. | Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory... |
| V-19601 | Medium | The enclave is NOT dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. | Redundancy and dual homing is used within the DISN core to provide for continuity of operations (COOP) in the event a piece of equipment, circuit path, or even an entire service delivery node is... |
| V-19535 | Medium | An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls. | An uninterruptible power source for the LAN and VVoIP infrastructure is a necessity for the continued survivability, availability, and reliability of the VVoIP services. In traditional... |
| V-16119 | Medium | Deficient PPS registration of those PPSs used by a Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints. | DoDI 8550.1 Ports, Protocols, and Services Management (PPSM) is the DoD’s policy on IP Ports, Protocols, and Services (PPS). It controls the PPS that are permitted or approved to cross DoD network... |
| V-16118 | Medium | Deficient user training regarding the use of non-approved applications and hardware. | The second mitigation for the vulnerability regarding personally installed apps and hardware is the administrative prevention of the installation of the applications in question by the PC user.... |
| V-16113 | Medium | A PC communications application is not maintained at the current/latest approved patch or version/upgrade level. | Managing, mitigating, or eliminating a newly discovered vulnerably in a communications application is just as important as managing and mitigating the vulnerabilities of the platform supporting... |
| V-16112 | Medium | The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation. | It is important that the PC Communications application is not modified during its delivery and installation. This can be a problem if the application is obtained from a source other than directly... |
| V-16111 | Medium | Unified Capabilities (UC) soft clients must be supported by the manufacturer or vendor. | One of the measures to protect UC soft clients and collaboration applications is to ensure the application originates from a reputable source. The source of these applications can vary depending... |
| V-16117 | Medium | An unapproved Instant Messaging (IM) or Unified Capabilities (UC) soft client must not be used on Government Furnished Equipment (GFE). | DoD policies disallow general PC users from installing any unapproved application on their workstations or from attaching any unapproved or non-government furnished devices to them. Other DoD... |
| V-16116 | Medium | PC communications application server association is not properly limited. | All voice, video, UC, or collaboration communications endpoints must be configured to only associate with approved DoD controllers, gateways, and/or servers. While this is the norm for hardware... |
| V-16115 | Medium | The integrity of VVoIP endpoint configuration files downloaded during endpoint registration must be validated using digital signatures. | During VVoIP endpoint registration with the session controller, a file is downloaded by the endpoint from the session manager containing specific configuration settings. This file contains the... |
| V-16114 | Medium | A PC communications application is operated with administrative or root level privileges. | PC voice, video, UC, and collaboration communications applications must not be operated in a manner that can compromise the platform if the application itself becomes compromised. One way to... |
| V-21521 | Medium | Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers. | The availability of applications and services that are not necessary for the OAM&P of the VVoIP system’s devices and servers, running or not as well as the existence of their code, places them at... |
| V-16108 | Medium | Unified Capabilities (UC) soft client patches and upgrades must be tested and approved prior to implementation. | It is important that UC soft clients be tested and subsequently certified and accredited for IA purposes, to include upgrades or patches. Applications that have not been sufficiently vetted may... |
| V-16109 | Medium | A PC Communications Application is not tested for IA and Interoperability and are not listed on the DoD UC APL. | DoDI 8100.3 provides policy for the DoD that requires the testing and certification of telecommunications systems for Interoperability and Information Assurance (IA) while establishing an Approved... |
| V-79051 | Medium | Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over non-secure systems. | Speakers used with Voice Video systems and devices may be heard by people and microphones with no relationship to the conference or call in progress. In open areas, conference audio may be... |
| V-16101 | Medium | Deficient benefit vs. risk analysis and/or approval for reduced VVoIP IA configuration measures in highly mobile tactical LANs and systems supporting hardware or PC based voice, video, unified, and/or collaboration communications. | As discussed above, the network supporting a tactical VVoIP communications system must follow the same guidelines as a network supporting a strategic VVoIP system or application to help ensure the... |
| V-16106 | Medium | The Unified Capabilities (UC) soft client Certification and Accreditation (CA) documentation must be included in the CA documentation for the supporting VVoIP system. | Communications applications must be tested and subsequently certified and accredited for IA purposes. This includes the applications and any upgrades or patches. Since a UC soft client is... |
| V-16107 | Medium | Unified Capabilities (UC) soft clients must be tested and approved prior to implementation. | It is important that UC soft clients be tested and subsequently certified and accredited for IA purposes, to include upgrades or patches. Applications that have not been sufficiently vetted may... |
| V-19598 | Medium | The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function). | The purpose of the Internal Network IDS is to provide a backup for the enclave firewall(s) in the event they are compromised or mis-configured such that traffic which is normally blocked ends up... |
| V-19599 | Medium | All Local Session Controllers (LSC), Enterprise Session Controllers (ESC), and Multi-Function Soft Switches (MFSS) implemented within the enclave to provide session management for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL). | DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components... |
| V-19592 | Medium | The sites enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks. | There are several reasons why VVoIP system access to local voice services must use a locally implemented MG connected to commercial voice services, including:
- The implementation or receipt of... |
| V-19593 | Medium | Local commercial phone service must be provided in support of Continuity Of Operations (COOP) and Fire and Emergency Services (FES) communications. | Voice phone services are critical to the effective operation of the DoD mission. We rely on these services being available when they are needed. Additionally, it is critical that phone service is... |
| V-19596 | Medium | All Customer Edge Routers (CE-R) implemented as the DISN access circuit termination point for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL). | DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components... |
| V-19597 | Medium | A Session Border Controller (SBC) implemented as the DISN boundary element for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL). | DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components... |
| V-19594 | Medium | The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation. | Documentation of the enclave / LAN configuration must include all VVoIP systems. If the current configuration cannot be determined then it is difficult to apply security policies effectively.... |
| V-19595 | Medium | The VVoIP system within the enclave is not subscribed to or integrated with the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service | DISN IP based C2 Assured Service is about providing a highly available and reliable communications voice, video, and data service on a world wide scale that supports the command and control (C2)... |
| V-19514 | Medium | The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications. | Voice services in support of high priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design... |
| V-21510 | Medium | The Fire and Emergency Services (FES) communications over a sites private telephone system must provide a direct callback telephone number and physical location of an FES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database. | Under FCC rules and the laws of some states, the implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center must be... |
| V-21512 | Medium | The Fire and Emergency Services (FES) communications over a sites private telephone system must route emergency calls as a priority call in a non-blocking manner. | When calling the designated F&ES telephone number, the call must go through regardless of the state of other calls in the system. As such, emergency calls must be treated as a priority call by the... |
| V-21516 | Medium | Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support special-C2 users. | Unified Capabilities (UC) users require different levels of capability depending upon command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have... |
| V-19442 | Low | The site’s V-VoIP system is NOT capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests.
| Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DoD mission. We rely on these services being available when they are needed.... |
| V-8302 | Low | The LAN supporting VVoIP services for command and control (C2) users must provide assured services in accordance with the Unified Capabilities Requirements (UCR). | Voice services in support of high priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design... |
| V-19604 | Low | Critical network equipment must be redundant and in geographically diverse locations for a site supporting C2 users. | The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core along with the implementation of dual homed circuits via... |
| V-61323 | Low | The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have ACLs permitting only specific inbound/outbound traffic and deny all other traffic. | VVoIP core system devices and Time Division Multiplexer (TDM)-based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is... |
| V-8253 | Low | The voicemail system and/or server must implement applicable SRG and/or STIG guidance. | Voice mail services are subject to the guidance and requirements in the Voice VIdeo STIGs. Older voice mail systems/servers commonly use proprietary Oss, while newer ones often run on Windows or... |
| V-8256 | Low | VVoIP services over wireless IP networks must apply the Wireless STIG to the wireless service and endpoints. | The incorporation of wireless technology into the VVoIP environment elevates many existing VVoIP concerns such as quality of service (QoS), network capacity, provisioning, architecture and... |
| V-16086 | Low | User training must deny the use of personally provided Unified Capability (UC) soft client accessories. | While a headset, microphone, webcam, combination headset/microphone, or a combination webcam/microphone can be considered to be UC soft client accessories; these are also accessories for other... |
| V-8248 | Low | All applicable STIGs have NOT been applied to the VVoIP / unified communications core infrastructure assets. | For the purpose of this requirement a VVoIP server is any server directly supporting the communications service. Unlike a regular PC or print server on the network VVoIP servers are “mission... |
| V-16085 | Low | Unified Capability (UC) soft client accessories must be tested and approved. | While a headset, microphone, or webcam can be considered to be UC soft client accessories, these are also accessories for other collaboration and communications applications. Our discussion here... |
| V-57953 | Low | Sufficient backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-C2 user accessible endpoints for emergency life-safety and security calls. | Unified Capabilities (UC) users require different levels of capability depending upon command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have... |
| V-16091 | Low | A user guide identifying the proper use of Unified Capabilities (UC) soft client applications must be provided to UC soft client users. | User agreements must be accompanied with a combination of user training and user guides reinforcing the organization's policies and prohibitions for UC soft clients (voice, video, and... |
| V-19493 | Low | The confidentiality of VVoIP endpoint configuration files downloaded during endpoint registration must be protected by encryption. | During VVoIP endpoint registration with the session controller, a file is downloaded by the endpoint from the session manager containing specific configuration settings. This file contains the... |
| V-8223 | Low | The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation | Documentation of the enclave / LAN configuration must include all VVoIP systems. If the current configuration cannot be determined then it is difficult to apply security policies effectively.... |
| V-8294 | Low | VVoIP system components must receive IP address assignment and configuration information from a DHCP server with a dedicated scope to the VVoIP system. | When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice... |
| V-8295 | Low | Customers of the DISN VoSIP service on ARE NOT utilizing address blocks assigned by the DRSN / VoSIP PMO. | A previous requirement states the following: Ensure a different, dedicated, address blocks or ranges are defined for the VVoIP system within the LAN (Enclave) that is separate from the address... |
| V-21506 | Low | Regular documented testing of hardware based COOP/backup or emergency telephones is not performed in accordance with a documented test plan or related documentation is deficient or non existent. | Backup/COOP or emergency telephones are useless if they don’t work. Thus they need to be tested regularly to ensure their functionality, particularly if they are not used regularly. Regular use... |
| V-19500 | Low | The LAN supporting VVoIP services must provide enhanced reliability, availability, and bandwidth. | The traditional circuit switched telecommunications network is highly available and reliable with 99.999% uptime for equipment and 99% to 99.9% for the entire system. This is achieved through a... |
| V-61325 | Low | The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must be scanned to confirm protections in place are effective. | VVoIP core system devices and Time Division Multiplexer (TDM)-based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is... |
| V-21522 | Low | The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; or the VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; or the VVoIP system information is published to the enterprise WAN or the Internet. | In some cases a VVoIP endpoint will be configured with one or more URLs pointing to the locations of various servers with which they are associated such as their call controller. These URLs are... |
| V-61321 | Low | The VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have a Memorandum of Agreement (MoA) in effect. | VVoIP core system devices and Time Division Multiplexer (TDM)-based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is... |
| V-54693 | Low | VVoIP system components and UC soft clients Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access. | The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides... |
| V-54691 | Low | VVoIP system components and UC soft clients must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access. | The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides... |
