V-8250 | High | DoD-to-DoD VVoIP traffic traversing any publicly accessible wide area network (i.e. Internet, NIPRNet) must use FIPS 140-2 or NSA approved encryption. | When VVoIP connections are established across a publicly accessible WAN, all communications confidentiality and integrity can be lost. Information gleaned from signaling messages can be used to... |
V-8328 | High | The implementation of a VVoIP system in the local enclave and its connection to external networks degrades the enclave’s perimeter protection due to an inadequate design of the VVoIP boundary with those external networks. | VVoIP has the potential to significantly degrade the enclave boundary protection afforded by the required boundary firewall unless the firewall is designed to properly handle VVoIP traffic. The... |
V-16074 | High | Deficient Policy or SOP for VTC and PC camera operations regarding their ability to pick up and transmit sensitive or classified information in visual form. | Users of conference room or office based VTC systems and PC based communications applications that employ a camera must not inadvertently display information of a sensitive or classified nature... |
V-19440 | Medium | Deficient end-to-end interoperable confidentiality, integrity, and authentication for VVoIP session signaling per DISN IPVS Requirements. | Until recently VVoIP traffic has been restricted to the LAN/CAN within the enclave for most VVoIP systems. This is due to the lack of inter-vendor interoperability, end-to-end encryption, and the... |
V-19441 | Medium | Deficient end-to-end interoperable confidentiality and integrity for VVoIP session media streams per DISN IPVS requirements. | Until recently VVoIP traffic has been restricted to the LAN/CAN within the enclave for most VVoIP systems. This is due to the lack of inter-vendor interoperability, end-to-end encryption, and the... |
V-19443 | Medium | The local VVoIP system cannot place local intra-site or local commercial network calls in the event it is cut off from its remote, centrally located LSC. | Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DoD mission. We rely on these services being available when they are needed.... |
V-8306 | Medium | A hardware based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub). | Some VVoIP hardware endpoints and hardware based VTC endpoints have a second Ethernet port on the device to provide a connection to external devices such as a. This port is typically called a “PC... |
V-19565 | Medium | The VVoIP system and supporting LAN design does not contain one or more routing devices (router or layer-3 switch) or they are not implemented to provide support for required ACLs between the various required VVoIP VLANs. | VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from... |
V-19562 | Medium | The VVoIP system and LAN design does not provide the necessary segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled. | The management interface on any system/device is its Achilles heel. Unauthorized access can lead to complete corruption of the system or device, causing the loss of availability... |
V-21508 | Medium | The site has not provided for Fire and Emergency Services (F&ES) telecommunications services (fire, police, medical, etc.) and/or the telephone system does not support or is not configured to support enhanced emergency communications. | The inability to contact emergency services via the public telephone system and/or privately-owned Multi-Line Telephone Systems (MLTS) (such as PBXs and VoIP telephone systems) threatens life... |
V-21507 | Medium | Mitigations against data exfiltration via the voice and/or video communications network/system have not been implemented | The voice and video communications network provides an often overlooked pathway to spirit sensitive data out of an enterprise network without the likelihood of detection. Data exfiltration... |
V-19602 | Medium | The dual homed DISN core access circuits are NOT implemented such that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis. | Providing dual homed access circuits from a C2 enclave to the DISN core is useless unless both circuits provide the same capacity to include enough overhead to support surge conditions. If one... |
V-19603 | Medium | The required dual homed DISN Core or NIPRNet access circuits DO NOT follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. | In previous requirements we discussed the need for redundant DISN Core access circuits between the enclave and the DISN SDNs. Another method for providing the greatest reliability and availability... |
V-19600 | Medium | The DISN Core access circuit is NOT properly sized to accommodate the calculated Assured Service Admission Control (ASAC) budgets for AS voice and video calls/sessions OR the required budgets have not been calculated. | The DISN NIPRNet IPVS PMO has developed a method to provide Assured Service voice and video communications over the bandwidth constrained portion of the DISN. This method includes or supports... |
V-19601 | Medium | The enclave is NOT dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. | Redundancy and dual homing is used within the DISN core to provide for continuity of operations (COOP) in the event a piece of equipment, circuit path, or even an entire service delivery node is... |
V-8254 | Medium | IP connected Voice/Unified Mail servers have not been secured using all applicable general purpose application STIGs. | Voice mail and Unified Mail services in a VoIP environment are available in several different configurations. For example, a legacy voice mail platform can connect to a VoIP gateway to provide... |
V-8255 | Medium | Access to personal voice mail settings by the subscriber via an IP connection is not secured via encryption and/or the web server on the voicemail system is not configured in accordance with the “private web server” requirements in the Web Server STIG/Checklist. | In traditional TDM phone systems, personal voicemail settings and greetings are accessed / configured by the subscriber/user on traditional voicemail servers via the traditional telephone. Control... |
V-8257 | Medium | New or recently installed VVoIP systems, devices, and/or their software loads are NOT certified, accredited, and placed on the DoD Approved Products List per DODI 8100.3 and UCR OR existing systems DO NOT appear on the current APL or the “Retired APL” lists. | DoD Instruction 8100.3 governs DoD telecommunications, the Defense Switched Network (DSN), and the Defense RED Switched Network (DRSN), and requires that “Telecommunications switches (and... |
V-8323 | Medium | The necessary protection of the VVoIP system, its components, and its provided services are not supported by a comprehensive VVoIP VLAN ACL design for the supporting LAN such that VVoIP system access and traffic flow is properly controlled. | Previous requirements in this STIG/Checklist define the need for dedicated VVoIP VLANs and IP subnets to provide the capability for VVoIP system access and traffic control. This control is... |
V-8329 | Medium | Without an applicable exception the site’s enclave boundary protection is not designed or implemented to route all voice traffic to/from a DSN number via a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS using the appropriate type of trunk based on the site’s need to support C2 communications via the DSN. | There are several reasons why voice traffic to/from the DSN must use a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS via the appropriate type of trunk based on the site’s... |
V-47753 | Medium | Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves. | When VVoIP configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate, may reveal sensitive data. When VVoIP traffic is... |
V-8247 | Medium | Servers supporting the VVoIP and UC/UM telephony environment are not dedicated to telephony (VVoIP, UC, or UM) applications or their support. | For the purpose of this requirement a VVoIP, UC, or UM server is any server directly supporting the communications service. Unlike a regular PC or print server on the network, VVoIP servers are... |
V-16089 | Medium | Deficient training or training materials addressing secure PC communications client application usage. | Users of PC based voice, video, UC, and collaboration communications applications must be aware of, and trained in, the various aspects of the application’s safe and proper use. They must also be... |
V-16088 | Medium | Deficient user training regarding soft-phone accessory network bridging capabilities. | While a headset, microphone, webcam, combination headset/microphone, or a combination webcam/microphone can be considered to be soft-phone accessories, these are also accessories for other... |
V-19545 | Medium | VVoIP core components are not assigned static addresses within the dedicated VVoIP address space | Assigning static addresses to core VVoIP devices permits tighter control using ACLs on firewalls and routers to help in the protection of these devices. |
V-19547 | Medium | The voice/video system management network is not designed or implemented to provide the proper bidirectional enclave boundary protection between the local management network and the DISN Voice Services (VS) management network. | VVoIP core system devices and TDM based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is managed by local SAs and... |
V-16081 | Medium | Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
V-16082 | Medium | Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session. | The VTC STIG discusses the possibility of undesired or improper viewing of and/or listening to activities and conversations in the vicinity of a hardware based VTC endpoint, whether it is a... |
V-16087 | Medium | Voice networks are improperly bridged via a soft-phone accessory. | While a headset, microphone, webcam, combination headset/microphone, or a combination webcam/microphone can be considered to be soft-phone accessories, these are also accessories for other... |
V-16096 | Medium | No DAA approval for permitting limited numbers of soft-phones to operate in LAN. | This use case addresses situations whereby the soft-phone/UC application and PC is not the primary voice communications “device” in the work area. This means that there is a validated mission need... |
V-16094 | Medium | Deficient support for COOP or emergency and life safety communications when soft-phones are implemented as the primary voice endpoint in user’s workspace caused by deficient placement of physical hardware based phones near all such workspaces. | This and several other requirements discuss the implementation of PC soft-phones or UC applications as the primary and only communications device in the user’s workspace. While this degrades the... |
V-16095 | Medium | No command or DAA approval exists for implementing soft-phones as the primary voice endpoint. | The Designated Approving Authority (DAA) responsible for the implementation of a telephone system which primarily uses PC software applications for its endpoints must be made aware of the risks of... |
V-16090 | Medium | Deficient acceptable use policy or user agreement regarding PC communication clients. | DoDI 8500.2 IA control PRRB-1 regarding “Security Rules of Behavior or Acceptable Use Policy” states “A set of rules that describe the IA operations of the DoD information system and clearly... |
V-8230 | Medium | The VVoIP VLAN design for the supporting LAN does not provide the necessary segmentation of the VVoIP system and service from the other services on the LAN and/or between the VVoIP components such that access and traffic flow can be properly controlled. | An IPT system is built on an IP infrastructure based on layer 2 and layer 3 switches and routers, which comprise the network’s access and distribution layers respectively. The layer 2 switches... |
V-16098 | Medium | Deficient protection for a Call Center (or CTI) system that uses soft-phones. | The third scenario in which limited numbers of PC soft-phones might be used in a strategic LAN is when they are associated with or are actually part of a Computer Telephony Integration (CTI)... |
V-16099 | Medium | The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure. | The primary reason for the implementation of the LAN architecture and security measures defined in this and other STIGs is to improve the survivability (availability) of the VVoIP communications... |
V-16078 | Medium | Deficient SOP or enforcement regarding presentation and application sharing via a PC or VTC. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
V-16070 | Medium | C2 and Special-C2 users are not aware of the assured service limitations of their PC based communications applications. | PC based communications applications rely on many different factors, but are dependent upon the platform on which they operate. A PC could be dedicated to a task, protected, and controlled such... |
V-16073 | Medium | A C2 or Special-C2 user does not have a more reliable communications method in their normal or alternate fixed workspace than a PC based communications client. | PC based communications applications rely on many different factors, but are dependent upon the platform on which they operate. A PC could be dedicated to a task, protected, and controlled such... |
V-16076 | Medium | Deficient Policy or SOP regarding VTC, PC, and speakerphone microphone operations regarding their ability to pick up and transmit sensitive or classified information in aural form. | Microphones used with VTC systems and devices are designed to be extremely sensitive such that people speaking anywhere within a conference room are picked up and amplified so they can be heard... |
V-16077 | Medium | Deficient Policy or SOP regarding PC communications video display positioning. | When communicating using a PC based voice, video, UC, or collaboration communications application, the user must protect the information displayed from being viewed by individuals that do not have... |
V-8288 | Medium | A policy/SOP is NOT in place OR NOT enforced to ensure that the VVoIP terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage). | Per other requirements, the network configuration information and settings on a VoIP instrument must be protected by a password or PIN. VVoIP endpoints do not typically provide automated... |
V-8225 | Medium | Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods. | Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical... |
V-8224 | Medium | MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address. | Media Gateway Control Protocol (MGCP) is a protocol that is used between Media Gateway Controllers (MGCs), Media Gateways (MGs), and other MGs to exchange sensitive gateway status and zone... |
V-8227 | Medium | Different contiguous address blocks or ranges are NOT defined for the V-VoIP system within the LAN (Enclave) that is separate from the address blocks/ranges used by the rest of the LAN for non V-VoIP system devices thus allowing V-VoIP system traffic and access control using firewalls and router ACLs. | VoIP networks increasingly represent high-value targets for attacks and represent a greater risk to network security than most other network applications; hence, it is imperative that the voice... |
V-8349 | Medium | Software patches for critical VoIP servers and other IPT devices DO NOT originate from the system manufacturer and are NOT applied in accordance with manufacturer’s instructions. | VVoIP systems and particularly voice telecommunications systems (that is to say phone systems) are considered critical infrastructure for communications, security, and life safety. As such they... |
V-19482 | Medium | The integrity of a vendor provided application, upgrade, or patch is not validated via digital signature before installation. | It is important that the vendor provided upgrades or patches are not modified during their delivery and installation. This can be a problem if the application is obtained from a source other than... |
V-19521 | Medium | The design of the LAN supporting VVoIP services does not provide for the interconnection of LAN NEs with redundant uplinks following physically diverse paths to physically diverse NEs in the layer above | Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The UCR in section 5.3.1.7.7.1 Single Product... |
V-8290 | Medium | An inventory of authorized instruments is NOT documented or maintained in support of the detection of unauthorized instruments connected to the VoIP system. | Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add unauthorized digital... |
V-47735 | Medium | VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates. | When VVoIP configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate, may reveal sensitive data. When VVoIP traffic is... |
V-19535 | Medium | An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls. | An uninterruptible power source for the LAN and VVoIP infrastructure is a necessity for the continued survivability, availability, and reliability of the VVoIP services. In traditional... |
V-16119 | Medium | Deficient PPS registration of those PPSs used by a Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints. | DoDI 8550.1 Ports, Protocols, and Services Management (PPSM) is the DoD’s policy on IP Ports, Protocols, and Services (PPS). It controls the PPS that are permitted or approved to cross DoD network... |
V-16118 | Medium | Deficient user training regarding the use of non-approved applications and hardware. | The second mitigation for the vulnerability regarding personally installed apps and hardware is the administrative prevention of the installation of the applications in question by the PC user.... |
V-16113 | Medium | A PC communications application is not maintained at the current/latest approved patch or version/upgrade level. | Managing, mitigating, or eliminating a newly discovered vulnerability in a communications application is just as important as managing and mitigating the vulnerabilities of the platform supporting... |
V-16112 | Medium | The integrity of a PC Communications Application, upgrade, or patch is not validated via digital signature before installation. | It is important that the PC Communications application is not modified during its delivery and installation. This can be a problem if the application is obtained from a source other than directly... |
V-16111 | Medium | Deficient PC Communications Application integrity or supportability. | Another one of the measures in our defense in depth strategy to protect our PC based voice, video, UC, and collaboration applications is to ensure the application originates from a reputable... |
V-16117 | Medium | A non-approved public or commercial IM or IP telephony service or soft-client application is in use. | Various DoD policies disallow general PC users from installing any non-approved application on their workstations or from attaching any non-approved or non-government furnished devices to them.... |
V-16116 | Medium | PC communications application server association is not properly limited. | All voice, video, UC, or collaboration communications endpoints must be configured to only associate with approved DoD controllers, gateways, and/or servers. While this is the norm for hardware... |
V-16115 | Medium | The integrity of VVoIP endpoint configuration files downloaded by hardware or PC based VVoIP endpoints during endpoint registration are not validated using digital signatures. | During VVoIP endpoint registration with the LSC, a file is downloaded by the endpoint from the LSC that contains specific configuration parameters needed by the endpoint to operate as needed to... |
V-16114 | Medium | A PC communications application is operated with administrative or root level privileges. | PC voice, video, UC, and collaboration communications applications must not be operated in a manner that can compromise the platform if the application itself becomes compromised. One way to... |
V-21521 | Medium | Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers. | The availability of applications and services that are not necessary for the OAM&P of the VVoIP system’s devices and servers, running or not as well as the existence of their code, places them at... |
V-21523 | Medium | The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers. | It is critical that the network time be synchronized across all network elements when troubleshooting network problems or investigating an incident. Each log entry is required to be time stamped.... |
V-16108 | Medium | Deficient testing or approval of PC communications application patches or upgrades. | Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This... |
V-16109 | Medium | A PC Communications Application is not tested for IA and Interoperability and is not listed on the DoD UC APL. | DoDI 8100.3 provides policy for the DoD that requires the testing and certification of telecommunications systems for Interoperability and Information Assurance (IA) while establishing an Approved... |
V-16101 | Medium | Deficient benefit vs. risk analysis and/or approval for reduced VVoIP IA configuration measures in highly mobile tactical LANs and systems supporting hardware or PC based voice, video, unified, and/or collaboration communications. | As discussed above, the network supporting a tactical VVoIP communications system must follow the same guidelines as a network supporting a strategic VVoIP system or application to help ensure the... |
V-16106 | Medium | PC communications application C&A documentation is not included in the C&A documentation for the supporting VVoIP system. | Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This... |
V-16107 | Medium | Deficient PC communications application testing prior to implementation. | Along with the measures described later to ensure application integrity, it is important that communications applications be tested and subsequently certified and accredited for IA purposes. This... |
V-19598 | Medium | The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function). | The purpose of the Internal Network IDS is to provide a backup for the enclave firewall(s) in the event they are compromised or mis-configured such that traffic which is normally blocked ends up... |
V-19599 | Medium | One or more DOD APL listed Local Session Controllers (LSCs) or Multi-Function Soft Switches (MFSS) are not implemented within the enclave for DISN IPVS session control. | DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components... |
V-19592 | Medium | The site’s enclave boundary protection is not designed or implemented to route all VoIP traffic to/from a commercial number via a locally implemented Media Gateway (MG) connected to a PSTN CO using a PRI or CAS trunk. | There are several reasons why VVoIP system access to commercial voice services (i.e., the PSTN) must be via a Media Gateway if exceptions do not apply. These reasons are as follows: > Most high... |
V-19593 | Medium | Local commercial phone service has not been implemented in support of COOP and local emergency services calls in the event the site is cut off from the DISN phone networks, whether they are TDM or IP based. | Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DoD mission. We rely on these services being available when they are needed.... |
V-19596 | Medium | One or more DOD APL listed Customer Edge Routers (CER) are not implemented as the DISN access circuit termination point for the DISN NIPRNet IPVS | DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components... |
V-19597 | Medium | A DOD APL listed Edge Boundary Controller (EBC) is not implemented as the DISN NIPRNet boundary to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass. | DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components... |
V-19594 | Medium | The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation. | Documentation of the enclave / LAN configuration must include all VVoIP systems. If the current configuration cannot be determined then it is difficult to apply security policies effectively.... |
V-19595 | Medium | The VVoIP system within the enclave is not subscribed to or integrated with the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service | DISN IP based C2 Assured Service is about providing a highly available and reliable communications voice, video, and data service on a world wide scale that supports the command and control (C2)... |
V-19514 | Medium | The LAN hardware does not provide the required redundancy to support the availability/reliability needs of the C2 and Special C2 users of VVoIP services for command and control communications OR the needs of routine users for emergency life-safety and security related communications. | Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. Policy excerpts are as follows: From CJCSI... |
V-19442 | Low | The site’s V-VoIP system is NOT capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests. | Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DoD mission. We rely on these services being available when they are needed.... |
V-8302 | Low | The LAN supporting VVoIP services for special-C2 and C2 users is not designed or implemented as a DOD ASLAN in accordance with the current UCR and therefore cannot support assured service in support of C2 communications reliability and availability requirements. | Voice services in support of C2 and Special C2 users are required to meet certain minimum requirements relating to reliability and survivability of the supporting infrastructure. These... |
V-21506 | Low | Regular documented testing of hardware based COOP/backup or emergency telephones is not performed in accordance with a documented test plan, or related documentation is deficient or non-existent. | Backup/COOP or emergency telephones are useless if they don’t work. Thus they need to be tested regularly to ensure their functionality, particularly if they are not used regularly. Regular use... |
V-19604 | Low | Dual sets of CER, EBC, and LSC are NOT implemented in geographically diverse locations within a site supporting large numbers of C2 users | The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core along with the implementation of dual homed circuits via... |
V-8253 | Low | The stand alone or IP connected Voice mail system/server is not secured to applicable OS and DSN STIG guidance. | Voice mail services are subject to the guidance and requirements in the DSN STIG. Older voice mail systems/servers commonly use proprietary OSs while newer ones can be designed to run on common... |
V-8256 | Low | IP based VVoIP services over Wireless LAN (WLAN - Wi-Fi 802.11x) or Wireless MAN (WMAN - WiMAX 802.16) are being used without the applicable Wireless STIG/Checklist security guidance applied to the wireless service or endpoints in addition to the VoIP STIG/Checklist requirements. | The incorporation of wireless technology into the VVoIP environment or service elevates many existing VoIP concerns such as quality of service (QoS), network capacity, provisioning, architecture... |
V-8248 | Low | All applicable STIGs have NOT been applied to the VVoIP / unified communications core infrastructure assets. | For the purpose of this requirement a VVoIP server is any server directly supporting the communications service. Unlike a regular PC or print server on the network VVoIP servers are “mission... |
V-16085 | Low | Deficient testing of, or lack of approval for, soft-phone accessories. | While a headset, microphone, webcam, combination headset/microphone, or a combination webcam/microphone can be considered to be soft-phone accessories, these are also accessories for other... |
V-16086 | Low | Deficient user training regarding the use of personally provided soft-phone accessories. | While a headset, microphone, webcam, combination headset/microphone, or a combination webcam/microphone can be considered to be soft-phone accessories, these are also accessories for other... |
V-16091 | Low | Deficient or Non-Existent user guide regarding the proper use of PC based voice, video, UC, and collaboration communications applications. | User agreements must be accompanied with a combination of user training and user guides that will reiterate the agreed to policies and prohibitions. The training and guides should also provide... |
V-19493 | Low | The confidentiality of endpoint configuration files downloaded by hardware based or PC based VVoIP endpoints during registration is not protected. | During VVoIP endpoint registration with the LSC, a file is downloaded by the endpoint from the LSC that contains specific configuration parameters needed by the endpoint to operate as needed to... |
V-8228 | Low | The dedicated VVoIP address range is NOT defined using “private” (non WAN routed) addresses IAW RFC 1918. | RFC 1918 defines “private” IP address blocks as follows: 10.x.x.x, 172.16.x.x, and 192.168.x.x. The purpose of this is to conserve the available public address pool since there are far more hosts... |
V-8223 | Low | The VVoIP system, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and Configuration & Accreditation documentation | Documentation of the enclave / LAN configuration must include all VVoIP systems. If the current configuration cannot be determined then it is difficult to apply security policies effectively.... |
V-8294 | Low | The VVoIP system DHCP server is not dedicated to the VVoIP system within the LAN. | When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice... |
V-8295 | Low | Customers of the DISN VoSIP service ARE NOT utilizing address blocks assigned by the DRSN / VoSIP PMO. | A previous requirement states the following: Ensure a different, dedicated, address blocks or ranges are defined for the VVoIP system within the LAN (Enclave) that is separate from the address... |
V-19500 | Low | The LAN supporting VVoIP services is not designed or implemented to provide enhanced availability and reliability above that of a traditional data LAN. | • The traditional circuit switched telecommunications network is in general highly available and reliable, on the order of 5 - 9s (99.999% uptime) reliability for the equipment and an... |
V-21522 | Low | The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; or the VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; or the VVoIP system information is published to the enterprise WAN or the Internet. | In some cases a VVoIP endpoint will be configured with one or more URLs pointing to the locations of various servers with which they are associated such as their call controller. These URLs are... |