Dual sets of CER, EBC, and LSC are NOT implemented in geographically diverse locations within a site supporting large numbers of C2 users

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19604	VVoIP 6150 (DISN-IPVS)	SV-21745r1_rule	DCBP-1 ECSC-1	Low

Description
The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core along with the implementation of dual homed circuits via geographically diverse pathways and facilities is negated if both access circuits enter the enclave via the same facility containing a single (or dual) CER connected to a single (or dual) EBC. It does not matter how reliable, redundant, and robust the CER, EBC, and power supply is (required to be 5 – 9s reliable), the facility housing this equipment represents a single point of failure. While this may be deemed to not be an issue for a small number of C2 users, the more C2 supported by the system, the greater the issue because all communications would be cut off in the event the facility is lost or severely damaged. Even less severe eventualities may also severely limit the capability of the system to support reliable communications. The mitigation for this system wide vulnerability is to implement redundant facilities to which the geographically diverse pathways containing the dual homed access circuits can run and terminate on redundant, geographically separated sets of CERs, EBCs, and core LAN equipment. LSCs can also be separated in this manner. Understandably, the mitigation for this issue is costly and facilities housing critical communications infrastructure are not lost very often. However, the cost of mitigating this vulnerability must be weighed against the loss of critical communications, particularly in time of crisis. If the site supports large numbers of high level C2 users or special C2 users, the cost of losing communications may outweigh the cost of providing redundant facilities. Another aspect of the loss of communications is that access to emergency services via the communications system would also be lost. The more users affected by such a loss the more the potential need to place calls to emergency services. As such, all sites, large and small can benefit from the implementation of redundant facilities and equipment. NOTE: The threat to strategic facilities is far greater from natural causes than from damage due to acts of war or terrorism, but all threats need to be considered. On the other hand, tactical facilities naturally have a higher vulnerability to acts of war, which are raised on a par with or exceed the vulnerability posed my natural events.

Description

The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core along with the implementation of dual homed circuits via geographically diverse pathways and facilities is negated if both access circuits enter the enclave via the same facility containing a single (or dual) CER connected to a single (or dual) EBC. It does not matter how reliable, redundant, and robust the CER, EBC, and power supply is (required to be 5 – 9s reliable), the facility housing this equipment represents a single point of failure. While this may be deemed to not be an issue for a small number of C2 users, the more C2 supported by the system, the greater the issue because all communications would be cut off in the event the facility is lost or severely damaged. Even less severe eventualities may also severely limit the capability of the system to support reliable communications. The mitigation for this system wide vulnerability is to implement redundant facilities to which the geographically diverse pathways containing the dual homed access circuits can run and terminate on redundant, geographically separated sets of CERs, EBCs, and core LAN equipment. LSCs can also be separated in this manner. Understandably, the mitigation for this issue is costly and facilities housing critical communications infrastructure are not lost very often. However, the cost of mitigating this vulnerability must be weighed against the loss of critical communications, particularly in time of crisis. If the site supports large numbers of high level C2 users or special C2 users, the cost of losing communications may outweigh the cost of providing redundant facilities. Another aspect of the loss of communications is that access to emergency services via the communications system would also be lost. The more users affected by such a loss the more the potential need to place calls to emergency services. As such, all sites, large and small can benefit from the implementation of redundant facilities and equipment. NOTE: The threat to strategic facilities is far greater from natural causes than from damage due to acts of war or terrorism, but all threats need to be considered. On the other hand, tactical facilities naturally have a higher vulnerability to acts of war, which are raised on a par with or exceed the vulnerability posed my natural events.

STIG	Date
Voice / Video Services Policy STIG	2015-07-01

Details

Check Text ( C-23886r1_chk )
Inspect the redundant facilities and equipment to determine compliance with the requirement. This is a finding in the event dual sets of CER, EBC, and LSC are NOT implemented that are housed in redundant facilities in geographically diverse locations. NOTE: If it is determined, following a cost vs benefit study and risk analysis, that redundant facilities containing dual sets of CER, EBC, and LSC are not warranted, for the given site, this should be marked as a finding and the justification included in the POA&M such that the DAA is cognizant of and can accept the risk.

Check Text ( C-23886r1_chk )

Inspect the redundant facilities and equipment to determine compliance with the requirement.

This is a finding in the event dual sets of CER, EBC, and LSC are NOT implemented that are housed in redundant facilities in geographically diverse locations.

NOTE: If it is determined, following a cost vs benefit study and risk analysis, that redundant facilities containing dual sets of CER, EBC, and LSC are not warranted, for the given site, this should be marked as a finding and the justification included in the POA&M such that the DAA is cognizant of and can accept the risk.

Fix Text (F-20303r1_fix)
Ensure dual sets of CER, EBC, and LSC are implemented that are housed in redundant facilities in geographically diverse locations within the site such that if one of locations is lost or isolated from the network, communications service is maintained. NOTE: If a site has a MFSS, a backup LSC should be implemented in a geographically diverse location. If it is determined that meeting this requirement is not warranted as based upon a cost vs benefit study and risk analysis, take the finding and justify it such that the DAA is cognizant of and can accept the risk.

Fix Text (F-20303r1_fix)

Ensure dual sets of CER, EBC, and LSC are implemented that are housed in redundant facilities in geographically diverse locations within the site such that if one of locations is lost or isolated from the network, communications service is maintained.

NOTE: If a site has a MFSS, a backup LSC should be implemented in a geographically diverse location.

If it is determined that meeting this requirement is not warranted as based upon a cost vs benefit study and risk analysis, take the finding and justify it such that the DAA is cognizant of and can accept the risk.