Defense Switched Network (DSN) STIG

Requirement: The IAO will ensure that internal and external administrator/maintenance personnel have appropriate but limited access to the facilities, functions, commands, and calling privileges in accordance with their role as required when performing their job. Privileged access to any system should be controlled. Anyone with privileged access can cause serious system damage that could in turn have detrimental affects on the operational environment. Administration and maintenance personnel should be provided only that privileged access needed to perform their job. NONEInability to properly maintain and troubleshoot the systemInformation Assurance OfficerECLP-1, ECSC-1

Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice. The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect various systems. If appropriate actions are not taken, systems/assets may be open to a potential compromise. The DOD IAVM requirement is: Receipt of IAVM alerts will be acknowledged within 5 days and a report of compliance status provided within 30 days. For IAVM bulletins, receipt must also be acknowledged within 5 days, and a report of compliance status must be provided within 60 days. For IAVM technical advisories, receipt must be acknowledged within 5 days, but no compliance status report is required. Although DOD organizations are not required to report compliance for technical advisories, DISA organizations are required to provide a report of compliance status within 60 days.None Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. > The telecommunications system will be left vulnerable to the issue detailed in the IAVA.Information Assurance OfficerECND-1, ECND-2, ECSC-1

All Network Management and switch administration terminals connecting to the DSN are to be through a dedicated DSN network segment. Only authorized systems will be connected to this LAN. No other networks may interface with components that are connected to this LAN. By connecting in this controlled manner, many vulnerabilities that are associated with IP networks are eliminated. NoneInformation Assurance Officer

Requirement: The IAO will ensure that routers that provide remote connectivity to out-of-band management networks located at switch sites provide IP and packet level filtering/protection. All routers connected to a DSN Switch are to be configured to control network access to the DSN switch by IP and port/service. Implementing standard and extended access lists to control network access to the switch will add another security access layer minimizing risk to the DSN.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that OAM&P / NM and CTI system workstations are not used for other day-to-day functions (i.e., e-mail, web browsing, etc). Dedicating DSN administration terminals to their intended purpose and not using them for day-to-day functions such as email and web browsing, will reduce the risk of unauthorized access by those that could achieve entry by exploiting an existing IP based vulnerability. Not only should DSN administration terminals connect to DSN switching systems via a controlled network segment, the terminal should also be dedicated for administration purposes only.> Denial of Service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that switch/device administration terminals are connected directly to the administration port of the switch/device or are connected via an out-of-band network used only for administration support. > Switch administration terminals must connect to the switch by using either a direct connection to the administration port or through a dedicated, out of band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks. > The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that all applicable security feature packages have been installed on the system to enable the required security features. In order for the requirements of this STIG to be met, a number of specific security software packages may need to be loaded on each switch. However, in most cases these packages will be part of the software load at the time of purchase and no additional steps will need to be taken. It is, however, the responsibility of the IAO to ensure that all necessary software is installed and up-to-date as dictated by the PMO in coordination with the DSN APL certifications. Without all system security software installed, all system security features cannot be configured or implemented. It is the responsibility of the ISSO/IAO to ensure that security features are available on the DSN components under their control through the application of certain software packages.NoneThe inability to properly secure the system leaving it vulnerable to attack.Information Assurance OfficerECSC-1

Requirement: The IAO will ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, is controlled and provided direct supervision and oversight (e.g. escort) by a knowledgeable and appropriately cleared U.S. citizen.Foreign Nationals are not permitted to access DOD unclassified information systems without the immediate supervision by a U.S. citizen.None> Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.Information Assurance OfficerECSC-1, PECF-1

Requirement: The IAO will ensure that all SS7 links leaving a base/post/camp/station are encrypted. The examination of traffic patterns and statistics can reveal compromising information. Such information may include call source, destination, duration, frequency, and precedence level. The DSN common channel signaling links contain this type of information and must be protected.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.Information Assurance Officer

Requirement: Voice Over IP systems and networks will comply with the DSN, VoIP, and all other applicable STIGs as well as other applicable DOD Component guides. The applicable STIGs define threat and vulnerability mitigations that must be applied to resolve the associated threat and/or vulnerability in accordance with DoD policy. Voice/Video/RTS systems and devices are required to be tested, certified, accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that all circuits leaving the B/C/P/S are bulk encrypted. The transport system is responsible for the delivery of voice and data circuits from one switch node to another. Though not classified, this type of information is sensitive. To ensure the security of all information being exchanged between nodes and to protect it from unauthorized monitoring and man in the middle attacks, the ISSO/IAO should ensure all circuits are bulk encrypted.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.Information Assurance OfficerECCT-1, ECSC-1

Requirement: The IAO will ensure that user passwords are assigned with the requirement for the user to change their password at first logon. The ISSO/IAO will assign passwords (typically a default) to new users of DSN components. The user will be required to change this assigned password during their first session. This gives the user full accountability for a session opened in their name since the IAO will no longer know the user’s password. If this is not technically feasible, the IAO should implement and enforce a policy that requires a manual change of passwords at the first logon.None> Unauthorized access to network or system resources or services and the information they contain. > Reduced accountabilitySystem AdministratorInformation Assurance OfficerECSC-1, IAIA-1, IAIA-2

Requirement: The IAO will ensure that shared user accounts will not be used. Unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components need to be available to the ISSO/IAO through the use of unique usernames assigned to each user. This ensures that the ISSO/IAO is able to hold users accountable for their actions through the analysis of audit records. This type of accountability cannot be accomplished if shared accounts are used.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that all user passwords are changed at intervals of 90 days or less. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.This finding can be reduced to a Category III if the password change interval is between 90 and 180 days and the DAA has accepted the risk in writing. This is permissible only if there is a compelling need, such as too many devices requiring a manual change and too few SAs to accomplish the task.> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that NO user passwords will be changed at an interval of less than 24 hours without IAO intervention. Permitting passwords to be changed in immediate succession within the same day, allows users to cycle password through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1, IAIA-1, IAIA-2

Requirement: The IAO will ensure that no user (to include Administrator) is permitted to retrieve the password of any user in clear text. Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time consuming password recovery techniques and denial of administrator access, in the event a password is forgotten or the individual with the access is incapacitated. The passwords of high level users should be recorded and controlled so that the ISSO/IAO would be able to gain high level access if an unforeseen situation occurred that prevented the high level user to perform their duties.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1, IAIA-1, IAIA-2

Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. Password integrity is non existent if passwords are stored or displayed in clear text. Many attacks on DOD computer systems are launched internally by unsatisfied or disgruntled employees. It is imperative that all DSN systems be configured to store passwords in encrypted format. This will ensure password integrity by other system users who have privileged system access.None> Pasword compromise leading to any of the following: > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1, IAIA-1, IAIA-2

Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. When passwords are displayed (echoed) during logon, the risk of password compromise is increased and password confidentiality is greatly reduced. If the password is displayed during logon, it can be easily compromised through the use of a simple technique of shoulder surfing.None> Pasword compromise leading to any of the following: > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the user fails to change their password, their account will be disabled The user should be notified three times after their password has expired. If the user does not change their password after three notifications, the system should disable the account and require the ISSO/IAO or other designated individual intervention to reactivate the account. This measure ensures that all users comply with mandatory password changes.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1, IAIA-1, IAIA-2

Requirement: The IAO will ensure that tests are performed for crash-restart vulnerabilities and develop procedures to eliminate vulnerabilities found (i.e., ensure ENHANCED_PASSWORD_CONTROL is active to prevent system logons after restart on Nortel switches). Some systems reset to default settings (i.e. users names, passwords, user access privileges) when a re-boot is initiated. If this is the case and a restart occurs and action is not taken to reset default settings, the risk is increased for unauthorized access.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that DSN switches, peripheral, and OAM&P systems are installed in a controlled space with personnel and visitor access controls applied. Controlling access to the DSN site is critical to determine accountability for auditing purposes as well as the obvious physical security violations.NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. > Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.Information Assurance OfficerECSC-1, PECF-2

Requirement: The IAO will ensure that compromise recovery procedures are documented that will accomplish the following: - Verify the integrity of the hardware, software, and communication lines configuration.- Verify the integrity of the switch tables (database). - Perform an audit trail analysis and evaluation. - Enforce the change of all passwords for accessing the A/NM domain .- Report to the Theater and other concerned authorities the detection of possible unauthorized physical intrusion.The following measures will ensure that a compromise of a DSN component will be handled and reported properly: verification of the integrity of the hardware, software, communication lines configuration, switch tables (database); performance of an audit trail analysis and evaluation; enforcing the change of all passwords for accessing the DSN component; reporting to the theater and other concerned authorities the detection of possible unauthorized physical intrusion.NoneDenial of service due to the inability to quickly recover from the compromise. Information Assurance OfficerECSC-1

Requirement: The IAO will ensure that auditing records are placed in an unalterable audit or history file that is available only to those individuals authorized to analyze switch access and configuration activity. Audit files must be available to only those individuals who are authorized and have a need to analyze DSN activity. These records must be stored in a format that will prevent any individual from making modifications to the records. Audit files are necessary to investigate switch activity that appears to be abusive, unauthorized, or damaging to the DSN.None> Compromise, corruption, or loss of audit records/files potentially by a user that performed a security violation and/or unauthorized access the information they contain. > The inability to take administrative action or prosecute for inappropriate actions or system abuse.System AdministratorInformation Assurance OfficerECSC-1, ECTP-1

Requirement: The IAO will ensure that the auditing process records the identity of each person and terminal device having access to switch software or databases The identity of the individual user and the terminal used during their session will be recorded in the audit records. This is needed for accountability of command issues and actions taken during each session. None> The inability to take administrative action or prosecute for inappropriate actions or system abuse. > The inability to effectively troubleshoot problemsSystem AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that the auditing process records the time of the access. The time of access needs to be recorded in the audit files to determine accountability of personnel if an issue arises that requires analysis of the audit records.None> The inability to effectively troubleshoot problems> The inability to take administrative action or prosecute for inappropriate actions or system abuse.System AdministratorInformation Assurance OfficerECAR-3, ECSC-1

Requirement: The IAO will ensure that the auditing process records commands, actions, and activities executed during each session that might change, bypass, or negate safeguards built into the software. Actions that have the potential to change, bypass, or negate safeguards must be recorded in the audit files. This will identify suspicious activities that are being investigated and will assist investigators in following the course of events that have led to a situation that is being examined.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain. > The inability to take administrative action or prosecute for inappropriate actions or system abuse. > The inability to effectively troubleshoot problemsSystem AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months. Audit records provide the means for the ISSO/IAO or other designated person to investigate any suspicious activity and to hold users accountable for their actions. By storing audit records online for 90 days and offline for 12 months, the ISSO or other designated personnel will be able to investigate all suspicious activity even if the activity is not noticed immediately. APL NOTE: The storage of log data both online and offline for a given period of time is a site responsibility. While a vendor's product may provide the required storage capacity for a sufficient number of log entries internally to satisfy the online storage requirement, it must at a minimum work in conjunction with a logging server where the logs can be collected and maintained online. The remote logging process should also be automated such that logs are collected without SA intervention. The vendor's product and the architecture in which it is implemented as a whole must support the online storage requirement. Such requirements are covered elsewhere and do not constitute a finding here.. None> The inability to take administrative action or prosecute for inappropriate actions or system abuse.> The inability to effectively troubleshoot problemsSystem AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months. By reviewing audit records on a weekly schedule, the ISSO/IAO ensures that any suspicious activity is detected in a timely manner.None> The inability to take administrative action or prosecute for inappropriate actions or system abuse. 1> The inability to effectively troubleshoot problemsSystem AdministratorInformation Assurance OfficerECAT-1, ECAT-2, ECRG-1, ECSC-1

The PMO or local site command will document and ensure that an ISSO is designated to oversee the IA posture and security of each site, system, and facility. The ISSO will have the proper training and clearance level. The PMO will maintain documentation regarding ISSO assignments for all sites and systems in the inventory. The ISSO may have responsibility for systems other than DSN and may be responsible for remote sites attached to the main site or system. The local commander for DSN switch must appoint an ISSO to develop a security plan and manage its implementation. Information Assurance OfficerDesignated Approving Authority

Requirement: The IAO will ensure that personnel are familiar with the security practices outlined by applicable documents found in the site’s library and have received the appropriate security training.A personnel security program, combined with other protective measures, make up a security plan to keep DSN assets safe from intrusion or other types of disruptions. The DSN Security Guide describes the personnel security requirements for various types of individuals. To be effective, any security plan requires some type of familiarization and training for its users and participants.NoneThe system may be left vulnerable due to ignorance of policy, procedures, and threats to the system.Information Assurance OfficerInformation Assurance ManagerECSC-1, PRTN-1

Requirement: The IAO will ensure that all System Administrators are appropriately cleared. In order to maintain positive control over personnel access to DSN system components, all who are provided physical and administrative access to the components must be controlled. Confirmation of those who are authorized access must be confirmed before access is given. If physical and administrative access to systems is not confirmed and controlled, this may result in unauthorized access or compromise.NoneInformation Assurance OfficerInformation Assurance ManagerECSC-1, PECF-2

The identity of maintenance personnel performing software load upgrades or maintenance of a DSN component must be recorded. This will make a particular person or vendor representative accountable for all actions performed, giving the ISSO and site personnel the means to investigate activity. The preferred means of maintaining records is to obtain a DD form 2875 from all individuals performing work on the system.Information Assurance Officer

System backups must be taken frequently (weekly at a minimum) and stored in such a way that a current copy can be obtained if needed. By storing a copy on the local system and a copy on removable media, in most instances, a copy can be used to restore the system. The storage of a copy off-site improves the safety of the copy in the event of a catastrophe at the operations site.Information Assurance Officer

Site staff must ensure backup media is available and up-to-date prior to software modification that could cause a significant disruption to service if the new software is corrupted. Backup media will be available to site personnel prior to any software upgrades or major provisioning changes. This will enable site personnel to recover the DSN system in case of system failure under newly introduced software or major changes.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that all modems are physically protected to prevent unauthorized device changes. Controlling physical access to modems supporting the DSN will limit the chance of unauthorized access to DSN system components. Failure to control physical access to modems could result in modem settings being changed to allow unauthorized access to DSN system components. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will maintain a listing of all modems by model number, serial number, associated phone number, and location. Ensure an accurate listing of all modems supporting the DSN is maintained. Maintaining a list of all approved modems will ensure that non-approved modems can be identified easily. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Modems that are not provided by the Government for access to the DSN will not be allowed to connect to the DSN for access. No personally provided modems are permitted. This measure will assist the ISSO/IAO in the task of controlling remote access to the DSN components. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that all modem phone lines are restricted and configured to their mission required purpose (inward dial only or outward dial only). Ubiquitous phone lines open major security holes in a network. The more tightly they can be controlled, the less the exposure to vulnerabilities. Allowing special features to remain active on modem phone lines create advantageous situations for malicious attacks. An attacker may use special features to forward modem or voice calls to destinations that cause toll-fraud, or forward the number to itself causing a denial of service. Telephone lines that provide DSN modems dial tone will be provisioned only with their required functions. Some components of the DSN “dial back” option may require two modems for proper operation. If a modem is dedicated to receive calls, it should be provisioned to not allow outbound calling. If a modem is dedicated to place calls, it should be provisioned to not accept incoming calls. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that all modem phone lines are restricted to single-line operation without any special features such as the call forwarding capability. By restricting modem phone lines to single-line operation, the risk of unauthorized access is limited by preventing the added functions of a multi-line to be used by an unauthorized person to gain access. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that identification and authentication is required for every session requested in accordance with I&A / password policy. Authentication is a measure used to verify the eligibility of a subject and the ability of that subject to access certain information. Authentication protects against the fraudulent use of a system or the deceptive transmission of information. All users must be authenticated prior to every authorized session allowing system access. This is necessary to ensure that no unauthorized sessions are granted.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that serial management ports are controlled by deactivating or physically disconnecting access devices (i.e. modems or terminals) that are not in use. The disconnection of remote access devices when not being used will greatly reduce the risk of unauthorized access. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that a timeout feature, set to 15 minutes, is used to disconnect idle connections. Unattended systems are susceptible to unauthorized use. The system should be locked when unattended. The user idle timeout should be set to a maximum of 15 minutes. This setting protects critical and sensitive system areas from exposure to unauthorized personnel with physical access to an unattended administration/maintenance terminal.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that management ports that receive three consecutive failed logon attempts will be unavailable for at least 60 seconds. After three failed logon attempts the system should be configured to force the user to wait for 60 seconds. This measure will prevent unauthorized access through the means of hacking a password. If the time that the port is unavailable is substantially greater than 60 seconds, denial of service could result by maliciously attempting logins on all ports.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical access to these components is critical to determine accountability for auditing purposes. Key control and access logs are a large part of this. Additionally, the facilities housing the telecommunications infrastructure must be certified at a classification level commensurate with the highest classification level of the information communicated by the system. NOTE: The infrastructure addressed here are components of traditional TDM, VVoIP, UC or VTC systems that support the communications endpoints. This includes “wiring closets” for traditional non IP based systems. NOTE: Physical access to the LAN infrastructure (which may also support VVoIP, UC, and VTCoIP services) is covered by a Network Infrastructure STIG requirement. This requirement does not directly address the physical security of the general LAN infrastructure, such as LAN routers and switches. NOTE: While this requirement is based on best practice and requirements for protecting classified information, it is also supported in part by DOD 5200.08-R, Physical Security Program, April 9, 2007 Incorporating change 1, 27 May 2009, Chapter 6, Security of Communications Facilities, section C6.2.4 which states: “Access shall be controlled at all communications facilities and only authorized personnel shall be allowed to enter. Facilities should be designated and posted as a minimum, a Controlled Area, as directed.” NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.Information Assurance Officer

Requirement: The IAO will ensure that all IAVM notices relating to the installation of security or other patches for general-purpose operating systems and software on devices other than workstations is vetted through the system vendor and approved by the local DAA before installation. Many IPT / VoIP systems are based on general-purpose operating systems and applications such as databases and web servers (i.e., Windows XX, MS-SQL, IIS, Unix, LINUX, etc). The original vendors of these general-purpose software packages provide patches for their individual packages. A vendor of a IPT / VoIP system must test and approve these patches for use on their system before they are applied in the event that the OEM patch might break a portion of the IPT / VoIP system or degrade its security. The IPT / VoIP vendor may have to modify the OEM patch before releasing it to their customers. IPT / VoIP vendors must be immediately advised of IAVAs that apply to their systems so that they can test the required patch / mitigation and subsequently distribute an approved patch for their system (in accordance with VoIP0281) so that the site can maintain IAVA compliance.NONEPotential Impacts: Denial of Service. Patches that have not been approved and provided by a vendor and/or applied in conflict with vendor’s instructions can break features or disable the system.Information Assurance Officer

Requirement: The IAO will ensure that all installed systems and associated software releases for which he/she is responsible appear on the DSN APL in accordance with DODI 8100.3 requirements. This applies to previously installed, new, and upgraded systems. DOD Instruction 8100.3 which governs DOD telecommunications and the Defense Switched Network (DSN), requires that “Telecommunications switches (and associated software releases) leased, procured (whether systems or services), or operated by the DOD Components, and connected or planned for connection to the DSN, shall be joint interoperability certified by the Defense Information Systems Agency (DISA), Joint Interoperability Test Command (JITC) and granted information assurance certification and accreditation by the Defense Information System Network (DISN) Designated Approval Authorities (DAAs).” DAA certification is obtained through the DISN Security Accreditation Working Group (DSAWG). DODI 8100.3 also requires that the DOD use (or connect to the DSN) only devices that appear on the DSN Approved Products List (APL). Both IA and Interoperability certification requirements must be met for inclusion on the DSN APL. The testing for IA and IO that occurs prior to DSN APL listing determines if the system/device meets, or can be configured to meet DoD requirements. The IA testing determines any residual risk for operating the system. This risk is accepted by the DSAWG prior to APL listing.This finding can be reduced to a CAT IV if the system is in process of being certified for placement on the APL.The possible inability to certify and accredit the system or operate it legally or connect it to another DoD system due to violation of DoD policy.Information Assurance OfficerDCAS-1, EBCR-1, ECSC-1

Requirement: The IAO at the SMU site will ensure that the SMU management port or stations are not connected to any network other than one dedicated to management of the SMU.The system design and architecture of the SMU provides for no security configuration capability (i.e., user account, password, privileged user, or auditing capability). Trunk and subscriber provisioning is accomplished via an administrator’s terminal, which is a dumb terminal, connected to the system via serial connection. From this terminal, at power up, the user has direct access to provisioning features of the system. Therefore, security protection to the SMU is provided through the physical security of the unit.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO at the SMU site will ensure that the ADIMSS server connected to the SMU is dedicated to ADIMSS functions.ADIMSS servers represent mission critical equipment that contain potentially sensitive information that needs to be secured and treated with the same precautions as any other servers containing sensitive information. Dedicating critical ADIMSS servers to only ADIMSS required applications is key to securing the ADIMSS network. To minimize possible risk these servers are to be dedicated to the ADIMSS applications required for ADIMSS operations minimizing the chance of infection or attack through an unused, unnecessary application residing on the system.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.> Degradation of security of the ADIMSS network / extended enclaveSystem AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that network connected management ports drop a connection that is interrupted for any reason within 15 seconds. Network ports that are interrupted due to link disconnection, power failure or other reasons must end any session using that connection. This will prevent a user from ending a session without logging off and leaving the maintenance port available with an active session that might allow unauthorized use by someone other than the authenticated user. None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that network connected switch and device management ports are connected to a network dedicated to management of the device only and/or that of other associated devices, i.e. an out-of-band management network. Management networks must be dedicated to management to mitigate unauthorized access to the managed systems of the sensitive management information/traffic that is carried on the networkNone> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that out-of-band management networks comply with the Enclave and Network Infrastructure STIGs. out-of-band management networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that the threats and/or vulnerabilities associated with all networks and enclaves are properly mitigated according to DoD policy.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO and IAM will ensure that all Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems shall be vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA).All SAs and particularly those who are foreign or local nationals must have the appropriate clearance before being granted access to DoD systems. Failure to do this may result in unauthorized access or compromise.None Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.Information Assurance Officer

Foreign national personnel must be limited in their access to DoD Information Systems (ISs) to prevent the unauthorized disclosure of classified information. Access to DoD ISs must be authorized by the DoD Component head in accordance with DoD, Department of State, and ODNI disclosure guidance, as applicable. Mechanisms must also be in place to limit access strictly to information that has been cleared for release to the represented foreign nation, coalition, or international organization.Information Assurance Officer

Many vendors provide patches or new versions of software to incorporate mitigations for newly discovered security vulnerabilities. In some cases, this is the only way to mitigate a threat to the system. Administrators are required to use the latest vendor-provided software or patch to take advantage of security enhancements. This is not the case if the new software only provides additional features or a patch only resolves an operational issue or bug. Information Assurance Officer

All patches and new system software must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security. Approved products are listed on the DoD Approved Products list (APL) to include the specific versions and releases. Additionally, the Information Assurance Vulnerability Management (IAVM) system provides information on versions and releases that may have security issues, to include zero-day vulnerabilities. The Authorizing Official (AO) can accept the risk of using software updates or patches on the system when mission essential.Information Assurance Officer

All DSN system major software releases must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security. DoD policy mandates testing on non-production configurations. Information Assurance Officer

Requirement: The IAO will ensure that a policy is in place and enforced regarding the use of telephone instruments connected to unclassified telecommunications systems located in areas or rooms where classified meetings, conversations, or work normally occur. All unclassified voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmitting it or sending it down the wire even when the phone is on hook. This ability is usually caused by poor design or malfunction in the hook switch circuitry. Additionally speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work.None> Loss of confidentiality> Unauthorized access to classified information for which the recipient does not either have the proper clearance or need-to-know. Information Assurance OfficerECSC-1

Requirement: The IAO will ensure that OAM&P / NM and CTI networks comply with the Enclave and Network Infrastructure STIGs. OAM&P / NM and CTI networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that the threats and/or vulnerabilities associated with all networks and enclaves are properly mitigated according to DoD policy.None> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1

Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) WAN. The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to a WAN negates this protection unless a proper boundary is created. Such a boundary should be a firewall. Access to the dedicated LAN and the devices on it from the WAN must be filtered by source and destination IP addresses as well as the specific ports and protocols that are required or permitted to cross the boundary. This is not a finding if there is a DAA approved and documented requirement where the connection is controlled through a dedicated firewall that only allows restricted access from specific devices or management stations. Additionally, this is not a finding of the “WAN” connection is actually a connection to a dedicated management WAN that is an extended enclave such as the ADIMSS. Boundary protection in the form of a firewall or router ACL to provide the appropriate filtering is still required > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerDCID-1, DCPA-1, EBCR-1, ECSC-1

Requirement: In the event that a telephone instrument connected to an unclassified telecommunications system are placed within a Sensitive Compartmented Information Facility (SCIF), the IAO will ensure that the instrument is configured such that the instrument provides on-hook audio protection and that speakerphone audio pickup feature (microphone) is disabled or is nonexistent. (RE: Director of Central Intelligence Directive (DCID) 6/9 Annex G, Paragraphs 2.2.1, 2.2.1.1, 2.2.1.6, and Telecommunications Security Group (TSG) Standard 2) All voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmitting it or sending it down the wire even when the phone is on hook. This ability is usually caused by poor design or malfunction in the hook switch circuitry. This is covered in TSG Standard 2. Additionally speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work such as SCIFs. Additionally, VoIP systems in which the central call manager controls the telephone instrument, there is the potential of hijacking control of the instrument from somewhere else on the network. This potential vulnerability means that audio pickup might be activated clandestinely without the knowledge of the people near it. Speakerphones and push to talk handsets are covered in DCID 6/9None> Loss of confidentiality> Unauthorized access to classified information for which the recipient does not either have the proper clearance or need-to-know.Information Assurance OfficerECSC-1

Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) LAN. The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection unless a proper boundary is created. Such a boundary should be a firewall but minimally must be a router ACL. Access to the dedicated LAN and the devices on it must be filtered by source and destination IP addresses as well as the specific ports and protocols that are required or permitted to cross the boundary. This is not a finding if there is a DAA approved and documented requirement where the connection is controlled through a dedicated firewall or router ACL that only allows restricted access from specific devices or management stations.> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may be combined taking into consideration the vulnerabilities of each system and with documented local DAA approval. > OAM&P/NM and CTI terminals must connect to the switch by using either a direct connection to the system administration port or through a dedicated, out of band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks. > The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection. > OAM&P/NM and CTI solutions are tested and approved for DSN APL listing based on a dedicated / OOB network for each solution. In keeping with the requirement that APL solutions be implemented in the same configuration as was tested, these systems must be implemented on a dedicated LAN for each solution. This is because there is no way of knowing what security risks will result from merging different solutions on a single LAN without testing the specific combination. One solution could affect the security of the other. This is not a finding if testing has determined that the combination of solutions does not degrade the security posture of either solution AND local DAA has approved the combination of solutions in writing. This testing must be documented and maintained for review by auditors along with the DAA approval. > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that the auditing process records security relevant actions (e.g., the changing of security levels or categories of information). Security relevant actions such as the following should be recorded to provide an effective security audit process: - Logons and logouts - Excessive logon attempts/failures - Remote system access - Change in privileges or security attributes - Change of security levels or categories of information - Failed attempts to access restricted system privilege levels or data files - Audit file access (if possible) - Password changes - Device configuration changes The information that each audit record should have is as follows: - Date and time of the event - Origin of the request (e.g., terminal ID) - Unique ID of the user who initiated the event - Type of event - Success or failure - Description of modification to configurationsNone> The inability to take administrative action or prosecute for inappropriate actions or system abuse. > The inability to effectively troubleshoot problems > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECAR-1, ECAR-2, ECAR-3, ECSC-1

Requirement: The IAO will ensure that all systems and devices employ a role-based Discretionary Access Control system used to control access to OAM&P / NM systems, the devices they manage, and their command classes for administrative and maintenance users commensurate with their assigned responsibilities. To ensure system security, all assigned administrator and maintenance user account privileges must be limited to perform their specific function. Furthermore, super user access is to be held to a minimum and assigned to only those most knowledgeable of the system.This finding can be closed if a specific device does not support DAC but another device or system provides the DAC function. This situation must be documented and accepted by the local DAA. Additionally, this finding can be closed if the device appears on the DSN APL and is installed in accordance with its certification requirements.> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure strong two-factor authentication is required to access all management system workstations and administrative / management ports on any device or system. The term strong two-factor authentication refers to the use of two forms of identification. This is usually something you know and something you have. A username and password is not considered two-factor authentication. It is actually the something you know. This could also be a security code. The something you have is a typically physical token. An example of this is a bankcard and PIN. Additionally there are tokens associated with one-time password access control systems available such as RSA Security’s SecurID and Quest Software’s NC-Pass. These provide a constantly changing code that is used in conjunction with an additional PIN or password to generate a one time password. The code is generated by a RNG algorithm that is synchronized with a server application (e.g., RSA ACE). These and similar tokens are, and have been, widely used in DoD for access control to network elements, servers, and mainframes. These and similar one-time password tokens used in conjunction with their associated access control servers meet the intent of this requirement. NOTE: One-time password tokens and systems are older technology which is no longer mentioned in DoD policy even though the technology has been in previous DoD policy; has been in use for some time; and is currently being used in many instances for access control to legacy systems. Going forward, however, DoD policy only supports DoD’s token of choice which is the Common Access Card (CAC) or Personal Identity Verification (PIV) card which contain DoD Public Key Infrastructure (PKI) certificates. The CAC/PIV is the DoD’s token of choice. Meeting this requirement does not satisfy requirements that dictate the use of CAC/PKI tokens. The use of a one-time-password token and access control server can only (and may only) serve as a mitigation for not being able to meet CAC/PKI requirements. This is typical of older legacy systems such as mainframes. APL NOTE: New systems being developed for use by DoD and those being tested for inclusion on the DoD Approved Products List (APL) should support CAC/PKI tokens rather than one-time password token systems. This finding can be reduced to a CAT IIII where access to the non-compliant device (except management stations) is directly controlled by a device that is compliant such as an access router.> Loss of management control of the system and potential system abuse. > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance Officer

Requirement: The IAO will ensure that remote authentication is used to control access to all management system workstations and administrative / management ports on any device or system. The term remote authentication refers to a system or device that communicates with a remote Authentication Authorization Accounting (AAA) server to validate the users account information before granting access. The remote server can also control user rights or permissions based on their defined roles. Systems such as RADIUS, DIAMETER, and TACACS+ typically provide this functionality for network elements. Systems such as domain controllers provide this functionality for network management workstations. The use of a centralized AAA server provides for centralized management of all network element SA’s accounts and privileges. This eliminates the need for an SA to have an individual account on each network element. This reduces the chance that an account will be compromised since the centralized server can be better protected than each network element. This also reduces the number of accounts in the network that can be easily accessed and compromised. A network consists of manu network elements that cannot be individually protected. An SA account on each multiplies the chance that an account can be compromised. Additionally, the use of a centralized AAA server supports proper password management when a SA is required to manage multiple devices. If the SA had to change his/her password on each device, the chance that a password is not changed (device missed) is greater. NOTE: This requirement supports, and is supported by, the Network Infrastructure STIG requirements that AAA servers are to be implemented in the enclave’s management network. In general the DSN system should integrate with the AAA service that already exists in the enclave’s management network if possible. This requirement is primarily focused on a group of distributed devices such as those that comprise a network (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc). While a system/device that is itself centralized (e.g., a telecom switch or VoIP controller); is capable of comprehensive role based AAA services such that it can stand on its own; which can protected from external access much as a centralized AAA server would be, It is still best practice to integrate such a device with a centralized AAA server particularly if multiple SAs must have access from multiple locations such as different local or remote NOCs. This finding can be reduced to a CAT III where access to the noncompliant device (except management workstations) is directly controlled by a device that is compliant such as an access router. This is a CAT III finding for a system/device that is itself centralized (e.g., a telecom switch or VoIP controller); that provides comprehensive role based AAA services on its own and is protected from external access much as a centralized AAA server would be. (NOTE: the finding cannot be eliminated since it is still beneficial and preferred that a centralized solution be used.) APL NOTE: the system/device should support the use of external AAA services particularly if it is normally deployed in a distributed manner (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc). If not, this is a CAT II finding. In the event the system/device is normally deployed in a centralized manner, AND it provides comprehensive role based AAA services such that it can stand on its own BUT it does not support remote AAA services, this is a CAT III finding. > Loss of management control of the system and potential system abuse. > Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.System AdministratorInformation Assurance OfficerECSC-1, IAAC-1

Microphones used with VTC systems and devices are designed to be extremely sensitive such that people speaking anywhere within a conference room is picked up and amplified so they can be heard clearly and understood at the remote location on the call. This same sensitivity is included in VTUs that are used in office spaces. This has one disadvantage. The microphones can pick up sidebar conversations that have no relationship to the conference or call in progress. Likewise, in an open area, received conference audio can be broadcast to others in the area that are not part of the conference, and possibly should not be exposed to the conference information for need-to-know reasons. Speakerphones exhibit a similar vulnerability. This is the same confidentiality vulnerability posed to audible sound information in the environment as discussed above with the added twist that the conference audio is vulnerable to others in the environment. While this is more of an issue in environments where classified conversations normally occur, it is also an issue in any environment. This is of particularly concern in open work areas or open offices where multiple people work in near proximity. Users or operators of VTC systems of any type must take care regarding who can hear what is being said during a conference call and what unrelated conversations can be picked up by the sensitive microphone. Where a VTU is used by a single person in an open area, a partial mitigation for this could be the use of a headset with earphones and a microphone. While this would limit the ability of others to hear audio from the conference and could also limit the audio pickup of unrelated conversations, it may not be fully effective. In some instances, such as when a VTU is located in a SCIF, a Push-to-Talk (PTT) handset/headset may be required Microphones embedded in or connected to a communications endpoint, PC, or PC monitor can be sensitive enough to pick up sound that is not related to a given communications session. They could pick up nearby conversations and other sounds. This capability could compromise sensitive or classified information that is not related to the communications in progress. Speakers embedded in or connected to a communications endpoint or PC can be made loud enough to be heard across a room or in the next workspace. This capability could compromise sensitive or classified information that is being communicated during a session. Users must be aware of other conversations in the area and their sensitivity when using any communications endpoint, not only a PC based voice, video, or collaboration communications application. This awareness must then translate into protecting or eliminating these other conversations. A short range, reduced gain, or noise canceling microphone may be required. A push to talk microphone may also be required for classified areas. The microphone should be muted when the user is not speaking as both mitigation for this issue, and for proper etiquette when participating in a conference. The muting function should be performed using a positively controlled disconnect, shorting switch, or mechanism instead of a software controlled mute function on the PC. Users must be aware of other people in the area that could hear what is being communicated. This is particularly an issue if the communicated information is sensitive or classified since the parties overhearing the information may not have proper clearance or a need-to-know. To mitigate this issue, a headset or speakers should be used and at a volume that only the user can hear.Information Assurance OfficerInformation Assurance ManagerDCBP-1, ECND-1, ECSC-1