UCF STIG Viewer Logo

Voice / Video Services Policy STIG


Overview

Date Finding Count (95)
2015-01-05 CAT I (High): 3 CAT II (Med): 74 CAT III (Low): 18
STIG Description
The Voice/Video Services Policy STIG includes the non-computing requirements for Voice/Video systems operating to support the DoD. The Voice/Video over Internet Protocol (VVoIP) STIG containing the computing requirements must also be reviewed for each site using voice/video services. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-8250 High DoD-to-DoD VVoIP traffic traversing any publicly accessible wide area network (i.e. Internet, NIPRNet) must use FIPS 140-2 or NSA approved encryption.
V-8328 High The implementation of a VVoIP system in the local enclave and its connection to external networks degrades the enclave’s perimeter protection due to an inadequate design of the VVoIP boundary with those external networks.
V-16074 High Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pickup and transmit sensitive or classified information in visual form.
V-19440 Medium Deficient end-to-end interoperable confidentiality, integrity, and authentication for VVoIP session signaling per DISN IPVS Requirements.
V-19441 Medium Deficient end-to-end interoperable confidentiality and integrity for VVoIP session media streams per DISN IPVS requirements.
V-19443 Medium The local VVOIP system cannot place local intra-site or local commercial network calls in the event it is cut off from its remote, centrally located LSC.
V-8306 Medium A hardware based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub).
V-19565 Medium The VVoIP system and supporting LAN design must contain one or more routing devices to provide support for required ACLs between the various required VVoIP VLANs.
V-19562 Medium The VVoIP system and LAN design must provide segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled.
V-21508 Medium The site has not provided for Fire and Emergency Services (F&ES) telecommunications services (fire, police, medical, etc) and/or the telephone system does not support or is not configured to support enhanced emergency communications.
V-19606 Medium Enclaves with commercial VoIP connections must be approved by the DoDIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
V-21507 Medium Mitigations against data exfiltration via the voice and/or video communications network/system have not been implemented
V-19602 Medium The dual homed DISN core access circuits are NOT implemented such that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
V-19603 Medium The required dual homed DISN Core or NIPRNet access circuits DO NOT follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs.
V-19600 Medium The DISN Core access circuit is NOT properly sized to accommodate the calculated Assured Service Admission Control (ASAC) budgets for AS voice and video calls/sessions OR the required budgets have not been calculated.
V-19601 Medium The enclave is NOT dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
V-8254 Medium IP connected Voice/Unified Mail servers have not been secured using all applicable general purpose application STIGs.
V-8255 Medium Access to personal voice mail settings by the subscriber via an IP connection is not secured via encryption and/or web” server on the voicemail system is not configured in accordance with the “private web server” requirements in the Web Server STIG/Checklist.
V-8257 Medium New or recently installed VVoIP systems, devices, and/or their software loads are NOT certified, accredited, and placed on the DoD Approved Products List per DODI 8100.3 and UCR OR existing systems DO NOT appear on the current APL or the “Retired APL” lists.
V-8323 Medium The VVoIP VLAN ACL design must document the control of VVoIP system access and traffic flow.
V-8329 Medium Without an applicable exception the site’s enclave boundary protection is not designed or implemented to route all voice traffic to/from a DSN number via a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS using the appropriate type of trunk based on the site’s need to support C2 communications via the DSN.
V-47753 Medium Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves.
V-8247 Medium Servers supporting the VVoIP and UC/UM telephony environment are not dedicated to telephony (VVoIP, UC, or UM) applications or their support.
V-16089 Medium Deficient training or training materials addressing secure PC communications client application usage.
V-16088 Medium User training must include Unified Capability (UC) soft client accessory network bridging risks.
V-19545 Medium VVoIP core components are not assigned static addresses within the dedicated VVoIP address space
V-19547 Medium The voice/video system management network is not designed or implemented to provide the proper bidirectional enclave boundary protection between the local management network and the DISN Voice Services (VS) management network.
V-16081 Medium Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool.
V-16082 Medium Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session.
V-16087 Medium Voice networks must not be bridged via a Unified Capability (UC) soft client accessory.
V-16096 Medium Permitting Unified Communications (UC) soft clients to operate on a DoD LAN must have AO approval.
V-16094 Medium Deficient support for COOP or emergency and life safety communications when soft-phones are implemented as the primary voice endpoint in user’s workspace caused by deficient placement of physical hardware based phones near all such workspaces.
V-16095 Medium No command or DAA approval exists for implementing soft-phones as the primary voice endpoint.
V-16090 Medium An acceptable use policy or user agreement must be enforced for Unified Capabilities (UC) soft client users.
V-8230 Medium The VVoIP VLAN design for the supporting LAN must provide segmentation of the VVoIP service from the other services on the LAN and between the VVoIP components such that access and traffic flow can be properly controlled.
V-16098 Medium Deficient protection for a Call Center (or CTI) system that uses soft-phones.
V-16099 Medium The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure.
V-16078 Medium Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC.
V-16070 Medium C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications.
V-16073 Medium A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client.
V-16076 Medium VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.
V-16077 Medium Deficient Policy or SOP regarding PC communications video display positioning.
V-8288 Medium A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).
V-8225 Medium Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods.
V-8224 Medium MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address.
V-8227 Medium VVoIP system components within the LAN must have separate address blocks from those used by non-VVoIP system devices.
V-8349 Medium Software patches for critical VoIP servers and other IPT devices DO NOT originate from the system manufacturer and are NOT applied in accordance with manufacturer’s instructions.
V-19482 Medium The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation.
V-19521 Medium The design of the LAN supporting VVoIP services does not provide for the interconnection of LAN NEs with redundant uplinks following physically diverse paths to physically diverse NEs in the layer above
V-8290 Medium An inventory of authorized instruments is NOT documented or maintained in support of the detection of unauthorized instruments connected to the VoIP system.
V-47735 Medium VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates.
V-19535 Medium An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls.
V-16119 Medium Deficient PPS registration of those PPSs used by a Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints.
V-16118 Medium Deficient user training regarding the use of non-approved applications and hardware.
V-16113 Medium A PC communications application is not maintained at the current/latest approved patch or version/upgrade level.
V-16112 Medium The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation.
V-16111 Medium Deficient PC Communications Application integrity or supportability.
V-16117 Medium A non-approved public or commercial IM or IP telephony service or soft-client application is in use.
V-16116 Medium PC communications application server association is not properly limited.
V-16115 Medium The integrity of VVoIP endpoint configuration files downloaded by hardware or PC based VVoIP endpoints during endpoint registration are not validated using digital signatures.
V-16114 Medium A PC communications application is operated with administrative or root level privileges.
V-21521 Medium Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers.
V-21523 Medium The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers.
V-16108 Medium Deficient testing or approval of PC communications application patches or upgrades.
V-16109 Medium A PC Communications Application is not tested for IA and Interoperability and are not listed on the DoD UC APL.
V-16101 Medium Deficient benefit vs. risk analysis and/or approval for reduced VVoIP IA configuration measures in highly mobile tactical LANs and systems supporting hardware or PC based voice, video, unified, and/or collaboration communications.
V-16106 Medium PC communications application C&A documentation is not included in the C&A documentation for the supporting VVoIP system .
V-16107 Medium Deficient PC communications application testing prior to implementation.
V-19598 Medium The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function).
V-19599 Medium One or more DOD APL listed Local Session Controller’s (LSCs) or Multi-Function Soft Switch (MFSS) are not implemented within the enclave for DISN IPVS session control.
V-19592 Medium The site’s enclave boundary protection is not designed or implemented to route all VoIP traffic to/from a commercial number via a locally implemented Media Gateway (MG) connected to a PSTN CO using a PRI or CAS trunk.
V-19593 Medium Local commercial phone service has not been implemented in support of COOP and local emergency services calls in the event the site is cut off from the DISN phone networks whether they are TDM of IP based.
V-19596 Medium One or more DOD APL listed Customer Edge Routers (CER) are not implemented as the DISN access circuit termination point for the DISN NIPRNet IPVS
V-19597 Medium A DOD APL listed Edge Boundary Controller (EBC) is not implemented as the DISN NIPRNet boundary to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass.
V-19594 Medium The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation.
V-19595 Medium The VVoIP system within the enclave is not subscribed to or integrated with the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service
V-19514 Medium The LAN hardware does not provide the required redundancy to support the availability/reliability needs of the C2 and Special C2 users of VVoIP services for command and control communications OR the needs of routine users for emergency life-safety and security related communications.
V-19442 Low The site’s V-VoIP system is NOT capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests.
V-8302 Low The LAN supporting VVoIP services for special-C2 and C2 users is not designed or implemented as a DOD ASLAN in accordance with the current UCR and therefore cannot support assured service in support of C2 communications reliability and availability requirements.
V-19604 Low Dual sets of CER, EBC, and LSC are NOT implemented in geographically diverse locations within a site supporting large numbers of C2 users
V-8253 Low The stand alone or IP connected Voice mail system/server is not secured to applicable OS and DSN STIG guidance.
V-8256 Low VVoIP services over wireless IP networks must apply the Wireless STIG to the wireless service and endpoints.
V-8248 Low All applicable STIGs have NOT been applied to the VVoIP / unified communications core infrastructure assets.
V-16085 Low Unified Capability (UC) soft client accessories must be tested and approved.
V-16086 Low User training must deny the use of personally provided Unified Capability (UC) soft client accessories.
V-16091 Low A user guide identifying the proper use of Unified Capabilities (UC) soft client applications must be provided to UC soft client users.
V-19493 Low The confidentiality of endpoint configuration files downloaded by hardware based or PC based VVoIP endpoints during registration is not protected.
V-8223 Low The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation
V-8294 Low The VVoIP system DHCP server is not dedicated to the VVoIP system within the LAN.
V-8295 Low Customers of the DISN VoSIP service on ARE NOT utilizing address blocks assigned by the DRSN / VoSIP PMO.
V-21506 Low Regular documented testing of hardware based COOP/backup or emergency telephones is not performed in accordance with a documented test plan or related documentation is deficient or non existent.
V-19500 Low The LAN supporting VVoIP services is not designed or implemented to provide enhanced availability and reliability above that of a traditional data LAN.
V-21522 Low The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; or the VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; or the VVoIP system information is published to the enterprise WAN or the Internet.
V-54693 Low VVoIP system components and UC soft clients Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
V-54691 Low VVoIP system components and UC soft clients must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.