Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16095 | VVoIP 1110 (GENERAL) | SV-17083r1_rule | DCBP-1 ECSC-1 | Medium |
Description |
---|
The Designated Approving Authority (DAA) responsible for the implementation of a telephone system which primarily uses PC software applications for its endpoints must be made aware of the risks of operating such a system as well as the benefits. This is because the DAA must personally accept the risk of operating the system. In addition, the commander of an organization whose mission depends upon such a telephone system must also be made aware and provide their approval. |
STIG | Date |
---|---|
Voice / Video Services Policy STIG | 2015-07-01 |
Check Text ( C-17139r1_chk ) |
---|
In the event PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in the user’s workspace (that is, there is no PC-independent telephone), interview the IAO to validate compliance with the following requirement: Ensure the command structure as well as the DAA approves the implementation or transition in writing. Approval documentation will be maintained by the IAO for inspection by IA reviewers or auditors. Review written DAA and Command approval for the implementation of a telephone system which primarily uses PC software applications for its endpoints. This is a finding if such approvals are not provided. |
Fix Text (F-16200r1_fix) |
---|
Ensure the command structure as well as the DAA approves the implementation or transition in writing. Approval documentation will be maintained by the IAO for inspection by IA reviewers or auditors. Obtain the required written DAA and Command approval for the implementation of a telephone system which primarily uses PC software applications for its endpoints, or install a hardware-based wired telephone system. |