V-206827 | High | The Voice Video Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
V-206831 | High | The Voice Video Session Manager must terminate all network connections associated with a communications session at the end of the session, or the session must be terminated after 15 minutes of inactivity. | Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating... |
V-206852 | High | The Voice Video Session Manager must protect the integrity of transmitted configuration files, signaling, and media streams. | Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths... |
V-206811 | High | The Voice Video Session Manager must enforce registration of only approved Voice Video endpoints prior to operation. | Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and... |
V-206812 | High | The Voice Video Session Manager must disable (prevent) auto-registration of Voice Video endpoints. | Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and... |
V-206851 | High | The Voice Video Session Manager must protect the confidentiality of transmitted configuration files, signaling, and media streams. | Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths... |
V-206853 | High | The Voice Video Session Manager must implement NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher... |
V-206834 | High | The Voice Video Session Manager must protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications... |
V-206830 | High | The Voice Video Session Manager must use encryption for signaling and media traffic. | All signaling and media traffic from a Voice Video Session Manager must be encrypted. Network elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to... |
V-206814 | High | The Voice Video Session Manager must control flow outside the enclave based on approved dial plans. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-206821 | Medium | The Voice Video Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206820 | Medium | The Voice Video Session Manager must produce session (call) records containing the outcome (status) of the connection. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206823 | Medium | The Voice Video Session Manager must protect session (call) records from unauthorized modification. | If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of... |
V-206822 | Medium | The Voice Video Session Manager must alert the ISSO and SA (at a minimum) in the event of a session (call) record system failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an... |
V-206825 | Medium | The Voice Video Session Manager must produce session (call) records for events determined to be significant and relevant by local policy. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206824 | Medium | The Voice Video Session Manager must protect session (call) records from unauthorized deletion. | If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of... |
V-206826 | Medium | The Voice Video Session Manager must be configured to disable non-essential capabilities. | It is detrimental for voice video session managers to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are... |
V-206829 | Medium | The Voice Video Session Manager must uniquely identify each Voice Video endpoint device before registration. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typically, devices can be identified by MAC or IP address but certificates... |
V-206828 | Medium | The Voice Video Session Manager must implement attack-resistant mechanisms for Voice Video endpoint registration. | Attacks against a Voice Video Session Manager may include DoS, replay attacks, or cross-site scripting. A replay attack may enable an unauthorized user to gain access to the application.... |
V-206845 | Medium | The Voice Video Session Manager must require Voice Video peers to re-register (re-authenticate) at least every hour. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the... |
V-206849 | Medium | The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components. | If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not... |
V-206848 | Medium | The Voice Video Session Manager must provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences (excluding audio-only teleconferences using traditional telephony). | Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the... |
V-206839 | Medium | The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint user access. | Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and... |
V-206844 | Medium | The Voice Video Session Manager must require Voice Video endpoints to re-register at least every three (3) hours. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.... |
V-206846 | Medium | The Voice Video Session Manager must authenticate each Voice Video endpoint device before registration. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.... |
V-206843 | Medium | The Voice Video Session Manager must off-load session (call) records onto a different system or storage media. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited session record storage capacity. |
V-206842 | Medium | The Voice Video Session Manager must provide centralized management of session (call) records. | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
V-206840 | Medium | The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint device access. | Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and... |
V-206810 | Medium | The Voice Video Session Manager must automatically disable Voice Video endpoint user access after a 35 day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access... |
V-206858 | Medium | The Voice Video Session Manager must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, Communication Tasking Orders (CTOs), and DTMs. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security... |
V-206819 | Medium | The Voice Video Session Manager must produce session (call) records containing the identity of the initiator of the call. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206818 | Medium | The Voice Video Session Manager must produce session (call) records containing where (location) the connection originated. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206855 | Medium | The Voice Video Session Manager must route Fire and Emergency Services (FES) communications as a priority call in a non-blocking manner. | Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline... |
V-206856 | Medium | The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Number Identification (ANI) of the initiator of the call. | Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline... |
V-206857 | Medium | The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Location Identification (ALI) of the initiator of the call. | Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline... |
V-206850 | Medium | The Voice Video Session Manager supporting Command and Control (C2) communications must limit and reserve bandwidth based on priority of the traffic type. | Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed.... |
V-206838 | Medium | The Voice Video Session Manager must restrict Voice Video endpoint user access outside of operational hours. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off hours.... |
V-206836 | Medium | In the event of a system failure, Voice Video Session Managers must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,... |
V-206837 | Medium | The Voice Video Session Manager must generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information. | Any Voice Video session manager providing too much information in session records risks compromising the data and security of the application and system. The structure and content of session... |
V-206835 | Medium | The Voice Video Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,... |
V-206832 | Medium | The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems. | If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not... |
V-206833 | Medium | The Voice Video Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes. | If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not... |
V-206816 | Medium | The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was established. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206815 | Medium | The Voice Video Session Manager must produce session (call) records containing the type of session connection. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206817 | Medium | The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was terminated. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are... |
V-206854 | Medium | The Voice Video Session Manager must prohibit remote activation of collaborative computing devices (excluding centrally managed, dedicated videoconference suites located in approved videoconference locations). | An adversary may be able to gain access to information on whiteboards, listen to conversations on a microphone, or view areas with a camera since collaboration equipment is typically not designed... |
V-206813 | Medium | The Voice Video Session Manager must control flow within the enclave based on approved dial plans. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
V-206859 | Medium | The Voice Video Session Manager must be configured to obfuscate passwords within configuration files. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
V-206847 | Medium | The Voice Video Session Manager must authenticate each Voice Video peer (trunk) before registration. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the... |
V-206861 | Medium | The Voice Video Session Manager must apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet. | When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the... |
V-206860 | Medium | The Voice Video Session Manager used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be configured in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000. | Configuring the Voice Video Session Manager in accordance with CNSSI 5000 for unclassified communication systems supporting VVoIP endpoints within SCIFs and SAPFs ensures compliance with federal... |
V-206862 | Medium | The Voice Video Session Manager must use a voice or video VLAN, separate from all other VLANs. | When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the... |