UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Voice Video Services Policy Security Technical Implementation Guide


Overview

Date Finding Count (108)
2019-01-09 CAT I (High): 3 CAT II (Med): 83 CAT III (Low): 22
STIG Description
The Voice Video Services Policy STIG includes the non-computing requirements for Voice/Video systems operating to support the DoD. The Voice/Video over Internet Protocol (VVoIP) STIG containing the computing requirements must also be reviewed for each site using voice/video services. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-8250 High DoD-to-DoD VVoIP traffic traversing any publicly accessible wide area network (i.e., Internet, NIPRnet) must use FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic.
V-8328 High The implementation of all VoIP systems in the local enclave must not degrade the enclaves perimeter protection due to inadequate design of the VoIP boundary and its connection to external networks.
V-16074 High Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pickup and transmit sensitive or classified information in visual form.
V-19440 Medium VVoIP session signaling must be encrypted to provide end-to-end interoperable confidentiality and integrity.
V-19441 Medium VVoIP session media must be encrypted to provide end-to-end interoperable confidentiality and integrity.
V-19443 Medium The local VVoIP system must have the capability to place intra-site and local phone calls when network connectivity is severed from the remote centrally-located session controller.
V-8306 Medium A hardware based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub).
V-19565 Medium The VVoIP system and supporting LAN design must contain one or more routing devices to provide support for required ACLs between the various required VVoIP VLANs.
V-19562 Medium The VVoIP system and LAN design must provide segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled.
V-21508 Medium The Fire and Emergency Services (FES) communications over a sites telephone system must be configured to support the Department of Defense (DoD) Instruction 6055.06 telecommunication capabilities.
V-21509 Medium The Fire and Emergency Services (FES) communications over a sites private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
V-19606 Medium Enclaves with commercial VoIP connections must be approved by the DoDIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
V-21507 Medium Mitigations against data exfiltration via the voice and/or video communications network/system have not been implemented
V-19602 Medium The dual homed DISN core access circuits are NOT implemented such that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
V-19603 Medium The required dual homed DISN Core or NIPRNet access circuits DO NOT follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs.
V-19600 Medium The DISN Core access circuit is NOT properly sized to accommodate the calculated Assured Service Admission Control (ASAC) budgets for AS voice and video calls/sessions OR the required budgets have not been calculated.
V-19601 Medium The enclave is NOT dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
V-21523 Medium The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers.
V-8254 Medium The Unified Mail system and/or server must implement applicable SRG and/or STIG guidance.
V-8255 Medium Access to personal voice mail settings by the subscriber via an IP connection is not secured via encryption and/or web” server on the voicemail system is not configured in accordance with the “private web server” requirements in the Web Server STIG/Checklist.
V-61319 Medium The VVoIP endpoint configuration files must not be downloaded automatically during endpoint registration.
V-8323 Medium The VVoIP VLAN ACL design must document the control of VVoIP system access and traffic flow.
V-8329 Medium Without an applicable exception the site’s enclave boundary protection is not designed or implemented to route all voice traffic to/from a DSN number via a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS using the appropriate type of trunk based on the site’s need to support C2 communications via the DSN.
V-47753 Medium Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves.
V-8247 Medium Servers supporting the Voice Video and Unified Capability (UC) environment must be dedicated services, with unnecessary functions disabled or removed.
V-16089 Medium Deficient training or training materials addressing secure PC communications client application usage.
V-16088 Medium User training must include Unified Capability (UC) soft client accessory network bridging risks.
V-19545 Medium VVoIP core components are not assigned static addresses within the dedicated VVoIP address space
V-19547 Medium The VVoIP system management network must provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network.
V-16081 Medium Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool.
V-16082 Medium Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session.
V-57951 Medium Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users.
V-16087 Medium Voice networks must not be bridged via a Unified Capability (UC) soft client accessory.
V-16096 Medium Deploying Unified Communications (UC) soft clients on DoD networks must have Authorizing Official (AO) approval.
V-19654 Medium The 802.1x authentication server must place voice video traffic in the correct VLAN when authorizing LAN access for voice video endpoints.
V-16094 Medium Deficient support for COOP or emergency and life safety communications when soft-phones are implemented as the primary voice endpoint in user’s workspace caused by deficient placement of physical hardware based phones near all such workspaces.
V-16095 Medium Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have Authorizing Official (AO) approval.
V-19651 Medium When 802.1x is implemented and the voice video endpoint PC ports are disabled, the network access switch port must be configured to support a disabled PC port by configuring PC port traffic to the unused VLAN.
V-16090 Medium An acceptable use policy or user agreement must be enforced for Unified Capabilities (UC) soft client users.
V-8230 Medium The VVoIP VLAN design for the supporting LAN must provide segmentation of the VVoIP service from the other services on the LAN and between the VVoIP components such that access and traffic flow can be properly controlled.
V-16098 Medium A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary.
V-16099 Medium The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure.
V-16078 Medium Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC.
V-16070 Medium C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications.
V-16073 Medium A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client.
V-16076 Medium VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.
V-16077 Medium Deficient Policy or SOP regarding PC communications video display positioning.
V-8288 Medium A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage).
V-8224 Medium MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address.
V-8227 Medium VVoIP system components within the LAN must have separate address blocks from those used by non-VVoIP system devices.
V-8349 Medium Software patches for critical VoIP servers and other IPT devices DO NOT originate from the system manufacturer and are NOT applied in accordance with manufacturer’s instructions.
V-19482 Medium The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation.
V-19521 Medium The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications.
V-8290 Medium An inventory of authorized instruments is NOT documented or maintained in support of the detection of unauthorized instruments connected to the VoIP system.
V-47735 Medium VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates.
V-19652 Medium The access switch must only allow a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port.
V-19535 Medium An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls.
V-16119 Medium Deficient PPS registration of those PPSs used by a Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints.
V-16118 Medium Deficient user training regarding the use of non-approved applications and hardware.
V-16113 Medium A PC communications application is not maintained at the current/latest approved patch or version/upgrade level.
V-16112 Medium The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation.
V-16111 Medium Unified Capabilities (UC) soft clients must be supported by the manufacturer or vendor.
V-16117 Medium An unapproved Instant Messaging (IM) or Unified Capabilities (UC) soft client must not be used on Government Furnished Equipment (GFE).
V-16116 Medium PC communications application server association is not properly limited.
V-16115 Medium The integrity of VVoIP endpoint configuration files downloaded during endpoint registration must be validated using digital signatures.
V-16114 Medium A PC communications application is operated with administrative or root level privileges.
V-19627 Medium Remote access VoIP must be routed to the VoIP VLAN.
V-21521 Medium Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers.
V-16108 Medium Unified Capabilities (UC) soft client patches and upgrades must be tested and approved prior to implementation.
V-16109 Medium A PC Communications Application is not tested for IA and Interoperability and are not listed on the DoD UC APL.
V-79051 Medium Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over non-secure systems.
V-16101 Medium Deficient benefit vs. risk analysis and/or approval for reduced VVoIP IA configuration measures in highly mobile tactical LANs and systems supporting hardware or PC based voice, video, unified, and/or collaboration communications.
V-16106 Medium The Unified Capabilities (UC) soft client Certification and Accreditation (CA) documentation must be included in the CA documentation for the supporting VVoIP system.
V-16107 Medium Unified Capabilities (UC) soft clients must be tested and approved prior to implementation.
V-19598 Medium The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function).
V-19599 Medium All Local Session Controllers (LSC), Enterprise Session Controllers (ESC), and Multi-Function Soft Switches (MFSS) implemented within the enclave to provide session management for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).
V-19592 Medium The site’s enclave boundary protection is not designed or implemented to route all VoIP traffic to/from a commercial number via a locally implemented Media Gateway (MG) connected to a PSTN CO using a PRI or CAS trunk.
V-19593 Medium Local commercial phone service must be provided in support of Continuity Of Operations (COOP) and Fire and Emergency Services (FES) communications.
V-19596 Medium All Customer Edge Routers (CE-R) implemented as the DISN access circuit termination point for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).
V-19597 Medium A Session Border Controller (SBC) implemented as the DISN boundary element for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).
V-19594 Medium The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation.
V-19595 Medium The VVoIP system within the enclave is not subscribed to or integrated with the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service
V-19514 Medium The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications.
V-21510 Medium The Fire and Emergency Services (FES) communications over a sites private telephone system must provide a direct callback telephone number and physical location of an FES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
V-21512 Medium The Fire and Emergency Services (FES) communications over a sites private telephone system must route emergency calls as a priority call in a non-blocking manner.
V-21516 Medium Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support special-C2 users.
V-19442 Low The site’s V-VoIP system is NOT capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests.
V-8302 Low The LAN supporting VVoIP services for command and control (C2) users must provide assured services in accordance with the Unified Capabilities Requirements (UCR).
V-61325 Low The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must be scanned to confirm protections in place are effective.
V-19604 Low Critical network equipment must be redundant and in geographically diverse locations for a site supporting C2 users.
V-8253 Low The voicemail system and/or server must implement applicable SRG and/or STIG guidance.
V-8256 Low VVoIP services over wireless IP networks must apply the Wireless STIG to the wireless service and endpoints.
V-16086 Low User training must deny the use of personally provided Unified Capability (UC) soft client accessories.
V-8248 Low All applicable STIGs have NOT been applied to the VVoIP / unified communications core infrastructure assets.
V-16085 Low Unified Capability (UC) soft client accessories must be tested and approved.
V-57953 Low Sufficient backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-C2 user accessible endpoints for emergency life-safety and security calls.
V-16091 Low A user guide identifying the proper use of Unified Capabilities (UC) soft client applications must be provided to UC soft client users.
V-19493 Low The confidentiality of VVoIP endpoint configuration files downloaded during endpoint registration must be protected by encryption.
V-8223 Low The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation
V-61323 Low The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have ACLs permitting only specific inbound/outbound traffic and deny all other traffic.
V-8294 Low The VVoIP system DHCP server is not dedicated to the VVoIP system within the LAN.
V-8295 Low Customers of the DISN VoSIP service on ARE NOT utilizing address blocks assigned by the DRSN / VoSIP PMO.
V-21506 Low Regular documented testing of hardware based COOP/backup or emergency telephones is not performed in accordance with a documented test plan or related documentation is deficient or non existent.
V-19500 Low The LAN supporting VVoIP services must provide enhanced reliability, availability, and bandwidth.
V-21522 Low The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; or the VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; or the VVoIP system information is published to the enterprise WAN or the Internet.
V-61321 Low The VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have a Memorandum of Agreement (MoA) in effect.
V-54693 Low VVoIP system components and UC soft clients Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
V-54691 Low VVoIP system components and UC soft clients must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.