Defense Switched Network STIG

  • Version/Release: V2R4
  • Published: 2014-10-06
  • Released: 2014-10-24

The Defense Switched Network (DSN) Security Technical Implementation Guide (STIG) provides the policy and architectural guidance for applying security concepts to DoD telecommunications systems. These policies ensure conformance to DoD requirements that govern DSN voice services deployment and operations, to include special-C2, C2, and non-C2 services. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks.
Low - V-7921 - SV-8407r1_rule
Severity: Low
Version: DSN01.01
Vuln IDs: V-7921
Rule IDs: SV-8407r1_rule
Requirement: The IAO will ensure that self-inspections of the telephone components are conducted and documented for security risks at least semi-annually.
Vulnerability Discussion: If periodic security self-inspections are not conducted, vulnerabilities could go unnoticed during day-to-day operations, resulting in an unacceptable level of risk that could lead to possible compromise. By conducting security self-inspections, security risks can be identified, analyzed, and, if not mitigated, appropriately addressed.
Potential Impacts: Denial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain.
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: ECMT-1, ECSC-1, ECMT-2
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7965r1_fix

Establish policy and procedures to ensure that, at a minimum, semi-annual security self-inspections are conducted.

The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns.
Low - V-7922 - SV-8408r1_rule
Severity: Low
Version: DSN01.02
Vuln IDs: V-7922
Rule IDs: SV-8408r1_rule
Requirement: The IAO will ensure that the site's telephone switch is frequently monitored for changing calling patterns and system uses for possible security concerns.
Vulnerability Discussion: Changing calling patterns and system uses can be an indication of telephone misuse, abuse, or even security compromise. The ISSO/IAO should ensure the site's telephone switch is frequently monitored for changing calling patterns and system uses for possible security concerns.
Potential Impacts: Theft of services, misuse of services, degradation of service provided by the system, unauthorized access.
Responsibility: Information Assurance Officer
IA Controls: ECMT-2, ECSC-1, ECMT-1
Checks: C-7303r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job.
Medium - V-7923 - SV-8409r1_rule
Severity: Medium
Version: DSN01.03
Vuln IDs: V-7923
Rule IDs: SV-8409r1_rule
Requirement: The IAO will ensure that internal and external administrator/maintenance personnel have appropriate but limited access to the facilities, functions, commands, and calling privileges, in accordance with their role, as required when performing their job.
Vulnerability Discussion: Privileged access to any system should be controlled. Anyone with privileged access can cause serious system damage that could in turn have detrimental effects on the operational environment. Administration and maintenance personnel should be provided only the privileged access needed to perform their job.
Potential Impacts: Inability to properly maintain and troubleshoot the system.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, ECLP-1
Checks: C-7304r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7969r1_fix

The ISSO/IAO should implement appropriate processes, local policies, and/or procedures to provide maintenance personnel and SAs with the appropriate access and system privileges needed to properly perform their tasks and responsibilities.

DSN systems are not registered in the DISA VMS.
Low - V-7924 - SV-8410r1_rule
Severity: Low
Version: DSN02.01
Vuln IDs: V-7924
Rule IDs: SV-8410r1_rule
Requirement: The IAO will ensure that all DISA owned and operated DSN critical assets are registered with the DISA/DoD VMS as follows:
  • All backbone switches (TSs, STPs, MFSs)
  • All other switches (EOs, SMEOs, PBX1s, PBX2s and RSUs) owned by DISA
  • All components of the ADIMSS
  • All components of auxiliary/adjunct or peripheral systems owned by DISA
  • All TSs or MFSs owned and operated by DOD components
Exception: This requirement is not applicable to systems owned, operated, and maintained by DOD components other than DISA, such as EOs, SMEOs, PBX1s, PBX2s and RSUs or their OAM&P and auxiliary/adjunct or peripheral systems. See DSN02.02 below.
Vulnerability Discussion: The DISA/DoD VMS, in conjunction with JTF-GNO, sends out notifications on vulnerabilities (IAVMs) as they are discovered in commercial and military information infrastructures. If DSN assets and their SAs are not registered with the DISA/DoD VMS, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • The DOD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities.
  • Systems may be left vulnerable to the issue detailed in the IAVA.
Responsibility: Information Assurance Officer
IA Controls: ECND-1, ECSC-1, ECND-2
Checks: C-7305r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7988r1_fix

Comply with policy. Register all assets and their SAs in the DISA/DoD VMS that are required to be registered.

System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS.
Low - V-7925 - SV-8411r1_rule
Severity: Low
Version: DSN02.02
Vuln IDs: V-7925
Rule IDs: SV-8411r1_rule
Requirement: The IAO will ensure that all Switch and System Administrators (SAs) responsible for VMS registered DSN critical assets will also be registered with the VMS. This includes non-DISA personnel responsible for TSs or MFSs owned and operated by DoD components. Exception: This does not apply to SAs that are ONLY responsible for systems owned, operated, and maintained by DoD components other than DISA.
Vulnerability Discussion: The DISA/DoD VMS, in conjunction with JTF-GNO, sends out notifications on vulnerabilities (IAVMs) as they are discovered in commercial and military information infrastructures. If DSN assets and their SAs are not registered with the DISA/DoD VMS, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • The DOD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities.
  • Systems may be left vulnerable to the issue detailed in the IAVA.
Responsibility: Information Assurance Officer
IA Controls: ECND-2, ECND-1, ECSC-1
Checks: C-7306r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7989r1_fix

Comply with policy. Register all assets and their SAs in the DISA/DoD VMS that are required to be registered.

The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period.
Medium - V-7926 - SV-8412r1_rule
Severity: Medium
Version: DSN02.03
Vuln IDs: V-7926
Rule IDs: SV-8412r1_rule
Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice.
Vulnerability Discussion: The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect various systems. If appropriate actions are not taken, systems/assets may be open to a potential compromise. The DOD IAVM requirement is: receipt of IAVM alerts will be acknowledged within 5 days and a report of compliance status provided within 30 days. For IAVM bulletins, receipt must also be acknowledged within 5 days, and a report of compliance status must be provided within 60 days. For IAVM technical advisories, receipt must be acknowledged within 5 days, but no compliance status report is required. Although DOD organizations are not required to report compliance for technical advisories, DISA organizations are required to provide a report of compliance status within 60 days.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • The telecommunications system will be left vulnerable to the issue detailed in the IAVA.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, ECND-1, ECND-2
Checks: C-7307r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7977r1_fix

Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will ensure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs, OR will ensure that there is a clear and well-defined path for receipt and acknowledgement of IAVMs.

Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN.
Medium - V-7930 - SV-8416r1_rule
Severity: Medium
Version: DSN04.01
Vuln IDs: V-7930
Rule IDs: SV-8416r1_rule
Vulnerability Discussion: All Network Management and switch administration terminals connecting to the DSN are to do so through a dedicated DSN network segment. Only authorized systems will be connected to this LAN. No other networks may interface with components that are connected to this LAN. By connecting in this controlled manner, many vulnerabilities that are associated with IP networks are eliminated.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7311r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7505r1_fix

The ISSO/IAO will ensure that all DSN Network Management and switch administration components, and other authorized systems, are connected to a dedicated network, and will prohibit all connections to the ADIMSS or other Network Management network that are not relevant to the operations of the DSN.

Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection.
Medium - V-7931 - SV-8417r1_rule
Severity: Medium
Version: DSN04.02
Vuln IDs: V-7931
Rule IDs: SV-8417r1_rule
Requirement: The IAO will ensure that routers that provide remote connectivity to out-of-band management networks located at switch sites provide IP and packet level filtering/protection.
Vulnerability Discussion: All routers connected to a DSN switch are to be configured to control network access to the DSN switch by IP address and port/service. Implementing standard and extended access lists to control network access to the switch will add another security access layer, minimizing risk to the DSN.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-8033r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Administration terminals are used for other day-to-day functions (e.g., e-mail, web browsing, etc.).
Medium - V-7932 - SV-8418r1_rule
Severity: Medium
Version: DSN04.03
Vuln IDs: V-7932
Rule IDs: SV-8418r1_rule
Requirement: The IAO will ensure that OAM&P / NM and CTI system workstations are not used for other day-to-day functions (e.g., e-mail, web browsing, etc.).
Vulnerability Discussion: Dedicating DSN administration terminals to their intended purpose, and not using them for day-to-day functions such as e-mail and web browsing, will reduce the risk of unauthorized access by those who could achieve entry by exploiting an existing IP-based vulnerability. Not only should DSN administration terminals connect to DSN switching systems via a controlled network segment, the terminal should also be dedicated to administration purposes only.
Potential Impacts: Denial of Service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7507r1_fix

Ensure that dedicated terminals and workstations are used to administer DSN switching systems, and for that purpose only. Do not administer DSN switching systems from computer terminals that are used for day-to-day functions (e.g., e-mail, web browsing, etc.).

Switch administration terminals do not connect directly to the switch administration port, or connect via a controlled, dedicated, out-of-band network used for switch administration support.
Medium - V-7933 - SV-8419r1_rule
Severity: Medium
Version: DSN04.04
Vuln IDs: V-7933
Rule IDs: SV-8419r1_rule
Requirement: The IAO will ensure that switch/device administration terminals are connected directly to the administration port of the switch/device or are connected via an out-of-band network used only for administration support.
Vulnerability Discussion:
  • Switch administration terminals must connect to the switch by using either a direct connection to the administration port or a dedicated, out-of-band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks.
  • The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7508r1_fix

Ensure that the connections used are either through a dedicated out-of-band network or a direct connection to the administration port. Any other connections to administration terminals should be disconnected and their use discontinued.

Attendant console ports are available to unauthorized users because instruments other than the attendant console are not prevented from connecting to the attendant console port.
Low - V-7934 - SV-8420r1_rule
Severity: Low
Version: DSN04.05
Vuln IDs: V-7934
Rule IDs: SV-8420r1_rule
Requirement: The IAO will ensure that attendant console ports will not be available to unauthorized users by not allowing any instrument other than the attendant console to connect to the attendant console port. Additionally, the attendant console shall not be able to connect to a regular instrument port.
Vulnerability Discussion: Attendant console ports provide privileged access to switch features not normally provided to the normal subscriber community. This type of access by unauthorized users or subscribers can result in disruption of call processing, call monitoring, or unauthorized class of service. Positive control of attendant consoles and ports must be enforced to mitigate these types of vulnerabilities.
Potential Impacts: Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7315r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The ISSO/IAO has not established Standard Operating Procedures.
Low - V-7935 - SV-8421r1_rule
Severity: Low
Version: DSN04.06
Vuln IDs: V-7935
Rule IDs: SV-8421r1_rule
Requirement: The IAO will establish a standard operating procedure (SOP) or other form of record that will accomplish the following:
  • Identify and document all users, administrators, maintainers, managers, and their associated training requirements.
  • Identify and document all telephone system assets.
  • Identify and document all telephone services required.
  • Identify and document all telephone services that are not to be allowed.
  • Identify and document all telephone system threats.
  • Identify and document all audit items as required by this document.
Vulnerability Discussion: At a minimum, the ISSO/IAO should be aware of who has what level of access to the DSN switching system, as well as possible threats to the system based on its environment. By establishing an SOP that identifies and documents all assets, services, and threats, as well as users, administrators, managers and their associated operational requirements in supporting DSN systems, the ISSO/IAO will ensure that the DSN is providing the proper service securely.
Potential Impacts:
  • The inability to effectively maintain the network or voice service and apply security policy and vulnerability mitigations. The inability for the DAA to understand the voice system's and/or network's security posture, threats, and vulnerabilities. The inability for the DAA to approve or accept the security risk of operating the system.
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: DCSW-1, ECSC-1, DCID-1, DCHW-1, DCSD-1
Checks: C-7316r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7510r1_fix

The ISSO/IAO should develop an SOP that will satisfy the requirements as outlined in the DSN STIG.

Applicable security packages have not been installed on the system.
Medium - V-7936 - SV-8422r1_rule
Severity: Medium
Version: DSN05.01
Vuln IDs: V-7936
Rule IDs: SV-8422r1_rule
Requirement: The IAO will ensure that all applicable security feature packages have been installed on the system to enable the required security features.
Vulnerability Discussion: In order for the requirements of this STIG to be met, a number of specific security software packages may need to be loaded on each switch. However, in most cases these packages will be part of the software load at the time of purchase and no additional steps will need to be taken. It is, however, the responsibility of the IAO to ensure that all necessary software is installed and up to date as dictated by the PMO in coordination with the DSN APL certifications. Without all system security software installed, not all system security features can be configured or implemented. It is the responsibility of the ISSO/IAO to ensure that security features are available on the DSN components under their control through the application of certain software packages.
Potential Impacts: The inability to properly secure the system, leaving it vulnerable to attack.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7317r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7511r1_fix

Apply all required security software to the DSN components as required.

The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen.
Medium - V-7937 - SV-8423r1_rule
Severity: Medium
Version: DSN06.01
Vuln IDs: V-7937
Rule IDs: SV-8423r1_rule
Requirement: The IAO will ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen.
Vulnerability Discussion: Foreign Nationals are not permitted to access DOD unclassified information systems without the immediate supervision of a U.S. citizen.
Potential Impacts: Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: PECF-1, ECSC-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The option to restrict user access based on duty hours is available but is not being utilized.
Unknown - V-7940 - SV-8426r1_rule
Severity: Unknown
Version: DSN06.04
Vuln IDs: V-7940
Rule IDs: SV-8426r1_rule
Requirement: The IAO will ensure that user access is restricted based on duty hours, where technically feasible.
Vulnerability Discussion: Restricting user access to the DSN to the user's work hours and workweek will mitigate security vulnerabilities if a user account is compromised. If available, technically feasible (i.e., the system is capable of performing the restriction), and implemented, this option provides additional access control to the system. This is not a finding if the feature is not available in the switch.
Potential Impacts: Unauthorized access to the system outside of duty hours, providing the opportunity for misuse or abuse of the system and its resources.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECLO-1, ECSC-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7515r1_fix

If the time of day (TOD) access restriction function is available through the DSN system, it should be provisioned to allow user access within a specified window. For example, if a user is assigned to work on a DSN component Monday through Friday 8 am – 5 pm, these are the hours the DSN component will allow that user to gain access.

The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN.
Low - V-7941 - SV-8427r1_rule
Severity: Low
Version: DSN07.01
Vuln IDs: V-7941
Rule IDs: SV-8427r1_rule
Requirement: The IAO will ensure that either class of service, special authorization code, or PIN controls access to Voice Mail services.
Vulnerability Discussion: If used, the Direct Inward System Access feature provides subscriber access to the DSN from outside facilities. Users of this feature may connect to the DSN switch from the trunk side of the system and appear to the system as a local user having access to system features. Such users can make calls on the DSN as if they were on the line side of the switch. If this feature is not controlled, the risk of unauthorized access to the DSN could result in call fraud and abuse. If operationally required, this feature should be implemented with class of service, special authorization code, or PIN assigned. Additionally, Voice Mail access should be configured to require a PIN.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • Loss of confidentiality.
  • Theft of services.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7374r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Direct Inward System Access and Voice Mail access codes are not changed semi-annually.
Low - V-7942 - SV-8428r1_rule
Severity: Low
Version: DSN07.02
Vuln IDs: V-7942
Rule IDs: SV-8428r1_rule
Requirement: The IAO will ensure that, if Voice Mail services are controlled by a special authorization code, this code will be controlled and changed semi-annually.
Vulnerability Discussion: The special access code used by all subscribers to control access to the Direct Inward System Access and Voice Mail features should be controlled much like a password. If this special access code is not changed periodically, the service is more likely to be compromised, thus degrading system access security.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • Loss of confidentiality.
  • Theft of services.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7323r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Personal Identification Numbers (PINs) assigned to special subscribers and used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required.
Low - V-7943 - SV-8429r1_rule
Severity: Low
Version: DSN07.03
Vuln IDs: V-7943
Rule IDs: SV-8429r1_rule
Vulnerability Discussion: The PIN used to control access to the Direct Inward System Access (DISA) feature should be controlled much like a special access code or password. If this PIN is not changed periodically and deactivated when no longer required, the DISA feature is more likely to be compromised, thus degrading system access security.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • Loss of confidentiality.
  • Theft of services.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7324r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINs are not changed when compromised.
Low - V-7944 - SV-8430r1_rule
Severity: Low
Version: DSN07.04
Vuln IDs: V-7944
Rule IDs: SV-8430r1_rule
Requirement: The IAO will ensure that all Voice Mail (and/or Privilege authorization, Direct Inward System Access) special authorization codes or individually assigned PINs are changed immediately if it is determined that they are compromised.
Vulnerability Discussion: If special authorization codes or individually assigned PINs are determined to be compromised, all access control to this feature is lost. Furthermore, this can lead to call fraud and abuse. As with any access control mechanism, once compromised, changes should be implemented to ensure secure access.
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • Loss of confidentiality.
  • Theft of services.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7325r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Equipment, cabling, and terminations that provide emergency life safety services such as 911 (or European 112) services and/or emergency evacuation paging systems are NOT clearly identified and marked.
Unknown - V-7945 - SV-8431r1_rule
Severity: Unknown
Version: DSN08.01
Vuln IDs: V-7945
Rule IDs: SV-8431r1_rule
Requirement: The IAO will ensure that all equipment that provides emergency life safety services such as 911 services is clearly identified.
Vulnerability Discussion: The availability of systems supporting emergency life safety services such as 911 (or European 112) and/or emergency evacuation paging services is essential. The specific equipment that handles Emergency 911 (112) service must be clearly identified to maintenance and administration personnel. Transmission equipment, i.e., DS-1 circuit packs and T-1 cross-connect ports, should additionally be the focus of identification, as well as any terminations occurring at the MDF. This will help to preclude unnecessary service outages caused by wrong system or wiring changes made to unidentified and unmarked systems supporting this function while maintenance and administration personnel perform standard tasks or work nearby, which could result in denial of emergency services.
Potential Impacts: Denial of service, loss of system availability, loss of life.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7326r1_chk

Inspect a sampling of affected devices and confirm compliance.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

SS7 links are not clearly identified and routed separately from termination point to termination point.
Unknown - V-7946 - SV-8432r1_rule
Severity: Unknown
Version: DSN09.01
Vuln IDs: V-7946
Rule IDs: SV-8432r1_rule
Requirement: The IAO will ensure that all SS7 links are clearly identified and redundant links are diversely routed from termination point to termination point.
Vulnerability Discussion: The A links that connect an SSP to the STPs need to be clearly identified and routed diversely throughout the switching facility. The A links will take separate routes from termination point to termination point. The termination blocks of the A links should be clearly identified at the MDF. The routes should not cross each other; if the routes need to cross each other, they should cross at 90-degree angles. These precautions will limit possible service degradations to the SS7 network by making service personnel aware of their location, and ensure that the switching facility is not isolated from the DSN network.
Potential Impacts: Inadvertent Denial of Service or degradation of service.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7327r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The SS7 termination blocks are not clearly identified at the MDF.
Unknown - V-7947 - SV-8433r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN09.02
Vuln IDs
  • V-7947
Rule IDs
  • SV-8433r1_rule
Requirement: The IAO will ensure that the SS7 termination blocks are clearly identified at the MDF. The A links that connect an SSP to the STPs need to be clearly identified and routed diversely throughout the switching facility. The A links will take separate routes from termination point to termination point. The termination blocks of the A links should be clearly identified at the MDF. The routes should not cross each other; if they must cross, they should cross at 90-degree angles. These precautions limit possible service degradations to the SS7 network by making service personnel aware of the links' location and ensure that the switching facility is not isolated from the DSN network.
Severity Override Guidance: None
Potential Impacts: Inadvertent denial of service or degradation of service.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7328r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Power cabling that serves SS7 equipment is not diversely routed to separate Power Distribution Frames (PDFs) and identified.
Unknown - V-7948 - SV-8434r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN09.03
Vuln IDs
  • V-7948
Rule IDs
  • SV-8434r1_rule
Requirement: The IAO will ensure that the power cabling serving SS7 equipment is diversely routed to separate and redundant PDFs. The power cabling of the SS7 equipment needs to be routed diversely and terminate in separate PDFs. All power cabling should be clearly marked near the termination of the cabling and near the fuse assignments. These precautions limit possible service degradations to the SS7 network by making service personnel aware of the cabling's location and ensure that the switching facility is not isolated from the DSN network.
Severity Override Guidance: None
Potential Impacts: Inadvertent denial of service or degradation of service.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7329r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7523r1_fix

Label the termination points and fuse positions of power cabling that provides power to signaling equipment. A and B feed power cabling should be routed separately between the signaling frame and the power distribution frame. Power cabling paths that are not diversely routed should be documented and escalated to the ISSO/IAO for resolution.

Power cabling that serves SS7 equipment is not clearly identified at both the termination point and at the fusing position.
Unknown - V-7949 - SV-8435r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN09.04
Vuln IDs
  • V-7949
Rule IDs
  • SV-8435r1_rule
Requirement: The IAO will ensure that the power cabling serving SS7 equipment is clearly identified at both the termination point and at the fusing position. The power cabling serving SS7 equipment needs to be routed diversely and terminate in separate PDFs. All power cabling should be clearly marked near the termination of the cabling and near the fuse assignments. These precautions limit possible service degradations to the SS7 network by making service personnel aware of the cabling's location and ensure that the switching facility is not isolated from the DSN network.
Severity Override Guidance: None
Potential Impacts: Inadvertent denial of service.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7330r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7524r1_fix

Label the termination points and fuse positions of power cabling that provides power to signaling equipment. A and B feed power cabling should be routed separately between the signaling frame and the power distribution frame. Power cabling paths that are not diversely routed should be documented and escalated to the ISSO/IAO for resolution.

Links within the SS7 network are not encrypted.
Medium - V-7950 - SV-8436r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN09.05
Vuln IDs
  • V-7950
Rule IDs
  • SV-8436r1_rule
Requirement: The IAO will ensure that all SS7 links leaving a base/post/camp/station are encrypted. The examination of traffic patterns and statistics can reveal compromising information. Such information may include call source, destination, duration, frequency, and precedence level. The DSN common channel signaling links carry this type of information and must be protected.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: ECCT-1, ECSC-1
Checks: C-7331r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7525r1_fix

Ensure all SS7 links are, at a minimum, bulk encrypted before leaving the facility or installation.

A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
Medium - V-7952 - SV-8438r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN10.02
Vuln IDs
  • V-7952
Rule IDs
  • SV-8438r1_rule
Requirement: Voice over IP systems and networks will comply with the DSN, VoIP, and all other applicable STIGs, as well as other applicable DoD Component guides. The applicable STIGs define threat and vulnerability mitigations that must be applied to resolve the associated threat and/or vulnerability in accordance with DoD policy. Voice/Video/RTS systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7665r1_chk

Obtain a copy of all applicable SRR or Self Assessment results and review them for compliance, OR perform all applicable SRRs on a representative number of RTS systems and devices. If a significant number of findings is reported or if an applicable STIG was not applied, this is a finding.

Note: The specific Voice/Video/RTS system server or device determines the applicability of any given STIG. Many Voice/Video/RTS system servers or devices are based on a general-purpose operating system such as Microsoft Windows, Unix, or Linux. They may use general-purpose applications such as databases like MS-SQL or Oracle and/or employ web server technology like IIS or similar. Determine what the system under review is based upon and perform the associated SRRs. Additionally, an application SRR may be applicable for the vendor's application that makes the server or device perform its functions or for the management of the system.

Note: Voice/Video/RTS systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Fix: F-8034r1_fix

The IAO and/or SA is to configure all Voice/Video/RTS systems, servers, and devices in accordance with all applicable STIGs for the specific system/server/device, while taking into account any DSAWG-approved open findings and their mitigations.

Transport circuits are not encrypted.
Medium - V-7953 - SV-8439r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN11.01
Vuln IDs
  • V-7953
Rule IDs
  • SV-8439r1_rule
Requirement: The IAO will ensure that all circuits leaving the B/C/P/S are bulk encrypted. The transport system is responsible for the delivery of voice and data circuits from one switch node to another. Though not classified, this type of information is sensitive. To ensure the security of all information being exchanged between nodes and to protect it from unauthorized monitoring and man-in-the-middle attacks, the ISSO/IAO should ensure all circuits are bulk encrypted.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, ECCT-1
Checks: C-7334r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7528r1_fix

Bulk encrypt all trunking circuits leaving and entering the DSN switching facility or installation.

Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.
Low - V-7954 - SV-8440r1_rule
RMF Control
Severity
Low
CCI
Version
DSN11.02
Vuln IDs
  • V-7954
Rule IDs
  • SV-8440r1_rule
Requirement: The IAO or other responsible party will ensure that physical access to commercial Add/Drop Multiplexers (ADMs) is limited. Transport equipment, including ADMs, may be located in isolated areas with no personnel assigned to work in these facilities on a regular basis. The site must protect these systems from unauthorized access in order to protect the integrity and reliability of the DSN.
Severity Override Guidance: None
Potential Impacts:
  • Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
  • Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7732r1_chk

Perform a walk through of the facility to confirm that all DSN core and transmission devices that are part of the system are located in a secure room or locked cabinet.

Fix: F-8011r1_fix

Take measures to apply, install, or upgrade physical security for system core assets (switches, servers) and transmission devices (network switches, routers, muxes, and similar devices). Limit, control, and document the distribution of keys to access the equipment.

The ISSO/IAO does not maintain a library of security documentation.
Low - V-7955 - SV-8441r1_rule
RMF Control
Severity
Low
CCI
Version
DSN12.01
Vuln IDs
  • V-7955
Rule IDs
  • SV-8441r1_rule
Requirement: The site IAO will maintain an up-to-date library to include, at a minimum:
  • CJCSI 6215.01B, 23 SEP 01, Policy For Department Of Defense Voice Networks
  • CJCSM 6510.01, 15 MAR 02, Defense In Depth Information Assurance and Computer Network Defense
  • DODI 8100.3, 16 JAN 03, Department of Defense DOD Voice Networks
  • DODD 8500.1, 24 OCT 02, Information Assurance
  • DODI 8500.2, 6 FEB 03, Information Assurance Implementation
  • DSN STIG
  • Other STIGs applicable to equipment or systems that are the responsibility of the IAO
  • A copy of the Security Assessment Report and Certifying Authority's Recommendation Memo to the DSAWG for each DSN APL certified system or product installed at the site that is the responsibility of the IAO
  • The SSAA for the site(s) and system(s) for which the IAO is responsible
The ISSO/IAO is responsible for maintaining a library of relevant security documentation and making it available to users, administrators, maintainers, and managers associated with the DSN. The minimum documents that the ISSO/IAO should maintain are: CJCSI 6215.01B, 23 SEP 01, Policy For Department Of Defense Voice Networks; CJCSM 6510.01, 23 MAR 2003, Defense In Depth Information Assurance and Computer Network Defense; DODD 8500.1, 24 OCT 02, Information Assurance; DODI 8500.2, 6 FEB 03, Information Assurance Implementation; DSN Security Guide (under revision). The library will support the required security training program.
Severity Override Guidance: None
Potential Impacts: The inability of site personnel to easily access security-related information and be aware of policy and vulnerabilities associated with the system.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7336r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7530r1_fix

Obtain the above-mentioned documents and make them available to users, administrators, maintainers, and managers associated with the DSN.

Users are not required to change their password during their first session.
Medium - V-7956 - SV-8442r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.01
Vuln IDs
  • V-7956
Rule IDs
  • SV-8442r1_rule
Requirement: The IAO will ensure that user passwords are assigned with the requirement for the user to change their password at first logon. The ISSO/IAO will assign passwords (typically a default) to new users of DSN components. The user will be required to change this assigned password during their first session. This gives the user full accountability for a session opened in their name, since the IAO will no longer know the user's password. If this is not technically feasible, the IAO should implement and enforce a policy that requires a manual change of passwords at the first logon.
Severity Override Guidance: None
Potential Impacts:
  • Unauthorized access to network or system resources or services and the information they contain.
  • Reduced accountability.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-2, ECSC-1, IAIA-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Default passwords and user names have not been changed.
High - V-7957 - SV-8443r1_rule
RMF Control
Severity
High
CCI
Version
DSN13.02
Vuln IDs
  • V-7957
Rule IDs
  • SV-8443r1_rule
Requirement: The IAO will ensure that all system default passwords and user names are changed prior to connection to the DSN. Systems not protected with strong password schemes provide the opportunity for anyone to crack the password, gain access to the system, and cause information damage or denial of service. Default user accounts and passwords must be changed prior to any user connection to a DSN system. This prevents commonly known and used user accounts from being used by unauthorized users.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, IAIA-1, IAIA-2
Checks: C-7338r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7532r1_fix

Delete or change default accounts and passwords. Check the component or system for default vendor accounts and passwords. If possible, delete or rename the account and change the default password.

Shared user accounts are used and not documented by the ISSO/IAO.
Medium - V-7958 - SV-8444r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.03
Vuln IDs
  • V-7958
Rule IDs
  • SV-8444r1_rule
Requirement: The IAO will ensure that shared user accounts are not used unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components needs to be available to the ISSO/IAO through the use of unique usernames assigned to each user. This ensures that the ISSO/IAO is able to hold users accountable for their actions through the analysis of audit records. This type of accountability cannot be accomplished if shared accounts are used.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-1, ECSC-1, IAIA-2
Checks: C-7378r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Fix: F-7533r1_fix

Document shared accounts, i.e., keep a record of the human user and their assigned username. Shared accounts will only be used if required out of operational necessity and documented by the ISSO/IAO.

The option to disable user accounts after 30 days of inactivity is not being used.
Low - V-7959 - SV-8445r1_rule
RMF Control
Severity
Low
CCI
Version
DSN13.04
Vuln IDs
  • V-7959
Rule IDs
  • SV-8445r1_rule
Requirement: The IAO will ensure that user accounts are disabled after 30 days of inactivity. User accounts that are inactive for more than 30 days should be disabled by the system. Outdated or unused user accounts provide penetration points that may go undetected. Deleting or disabling these types of accounts helps prevent unauthorized users from gaining access to the DSN system by using an old account that is no longer needed.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-1, IAIA-2, ECSC-1
Checks: C-4130r1_chk

Tekelec: rtrv-secu-dflt; UOUT=30

Fix: F-7534r1_fix

Configure systems to disable accounts that are inactive for more than 30 days, if technically feasible. If the system does not provide this functionality, the ISSO/IAO should review accounts every 30 days to ensure that only needed accounts are active.

Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access.
High - V-7960 - SV-8446r1_rule
RMF Control
Severity
High
CCI
Version
DSN13.05
Vuln IDs
  • V-7960
Rule IDs
  • SV-8446r1_rule
A valid username and a valid password are required to access all management system workstations and administrative/management ports on any device or system. All system management access points must be password protected to ensure that all actions performed on the DSN component can be associated with a specific user. Lack of an account password provides access to anyone who knows the user account name.
Severity Override Guidance: This finding can be reduced to a CAT II where access to the noncompliant device (except management stations) is directly controlled by a compliant device such as an access router.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, IAIA-2, IAIA-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7535r1_fix

Ensure that all access points are password protected.

Passwords do not meet complexity requirements.
Low - V-7961 - SV-8447r1_rule
RMF Control
Severity
Low
CCI
Version
DSN13.06
Vuln IDs
  • V-7961
Rule IDs
  • SV-8447r1_rule
Requirement: The IAO will ensure that passwords are required and contain, at a minimum, a case-sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). Devices not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing system or information damage or denial of service. By requiring passwords to be eight non-repeating characters in length and to contain numbers, upper- and lower-case characters, and a special character, the probability of password guessing is mitigated.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, IAIA-2, IAIA-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7536r1_fix

Enforce a password policy to ensure complex passwords. Configure the system to require passwords to be eight non-repeating characters in length and to contain numbers, upper- and lower-case characters, and a special character, if technically feasible.

Maximum password age does not meet minimum requirements.
Medium - V-7962 - SV-8448r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.07
Vuln IDs
  • V-7962
Rule IDs
  • SV-8448r1_rule
Requirement: The IAO will ensure that all user passwords are changed at intervals of 90 days or less. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.
Severity Override Guidance: This finding can be reduced to a Category III if the password change interval is between 90 and 180 days and the DAA has accepted the risk in writing. This is permissible only if there is a compelling need, such as too many devices requiring a manual change and too few SAs to accomplish the task.
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, IAIA-2, IAIA-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7537r1_fix

Ensure password life is no greater than 90 days (180 days where the DAA has accepted the risk in writing) from the last password change.

Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
Medium - V-7963 - SV-8449r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.08
Vuln IDs
  • V-7963
Rule IDs
  • SV-8449r1_rule
Requirement: The IAO will ensure that NO user passwords are changed at an interval of less than 24 hours without IAO intervention. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-2, IAIA-1, ECSC-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7538r1_fix

Ensure that user passwords are not allowed to be changed for at least 24 hours after a change operation.

Password reuse is not set to 8 or greater.
Low - V-7964 - SV-8450r1_rule
RMF Control
Severity
Low
CCI
Version
DSN13.09
Vuln IDs
  • V-7964
Rule IDs
  • SV-8450r1_rule
Requirement: The IAO will ensure that, as a minimum, user passwords are not reused within eight of the previous passwords used. A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-2, ECSC-1, IAIA-1
Checks: C-7378r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Fix: F-7539r1_fix

Ensure password uniqueness is set to remember 8 passwords.

The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner.
Medium - V-7965 - SV-8451r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.14
Vuln IDs
  • V-7965
Rule IDs
  • SV-8451r1_rule
Requirement: The IAO will ensure that no user (to include Administrator) is permitted to retrieve the password of any user in clear text. Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time-consuming password recovery techniques and denial of administrator access in the event a password is forgotten or the individual with the access is incapacitated. The passwords of high-level users should be recorded and controlled so that the ISSO/IAO would be able to gain high-level access if an unforeseen situation occurred that prevented the high-level user from performing their duties.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-2, ECSC-1, IAIA-1
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7540r1_fix

Record the passwords of high-level users and store them in a controlled manner.

User passwords can be retrieved and viewed in clear text by another user.
Medium - V-7966 - SV-8452r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.10
Vuln IDs
  • V-7966
Rule IDs
  • SV-8452r1_rule
Requirement: The IAO will ensure that users' passwords are not displayed in the clear when logging into the system. Password integrity is non-existent if passwords are stored or displayed in clear text. Many attacks on DoD computer systems are launched internally by unsatisfied or disgruntled employees. It is imperative that all DSN systems be configured to store passwords in encrypted format. This protects password integrity against other system users who have privileged system access.
Severity Override Guidance: None
Potential Impacts: Password compromise leading to any of the following: denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, IAIA-1, IAIA-2
Checks: C-4155r1_chk

>TABLE OFCOPT; PASSWORD_ENCRYPTED =Y

Fix: F-7541r1_fix

Ensure that the DSN component is provisioned to store all passwords in an encrypted format.

User passwords are displayed in the clear when logging into the system.
Medium - V-7967 - SV-8453r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.11
Vuln IDs
  • V-7967
Rule IDs
  • SV-8453r1_rule
Requirement: The IAO will ensure that users' passwords are not displayed in the clear when logging into the system. When passwords are displayed (echoed) during logon, the risk of password compromise is increased and password confidentiality is greatly reduced. If the password is displayed during logon, it can be easily compromised through the simple technique of shoulder surfing.
Severity Override Guidance: None
Potential Impacts: Password compromise leading to any of the following: denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-1, ECSC-1, IAIA-2
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7542r1_fix

Ensure systems are configured not to display passwords in the clear during logon. If hardware or firmware restricts the implementation of this function, upgrade as soon as possible.

The option to use passwords that are randomly generated by the DSN component is available but not being used.
Unknown - V-7968 - SV-8454r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN13.12
Vuln IDs
  • V-7968
Rule IDs
  • SV-8454r1_rule
Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the user fails to change their password, their account will be disabled. Randomly generated passwords are preferred over user-defined passwords because a user-defined password has more potential to be guessed.
Severity Override Guidance: This is not a finding if the device does not have the capability.
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-2, ECSC-1, IAIA-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7543r1_fix

Configure the system to randomly generate user passwords if the system provides this functionality.

The system is not configured to disable a user's account after three notifications of password expiration.
Medium - V-7969 - SV-8455r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.13
Vuln IDs
  • V-7969
Rule IDs
  • SV-8455r1_rule
Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the user fails to change their password, their account will be disabled. The user should be notified three times after their password has expired. If the user does not change their password after three notifications, the system should disable the account and require intervention by the ISSO/IAO or other designated individual to reactivate the account. This measure ensures that all users comply with mandatory password changes.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-2, ECSC-1, IAIA-1
Checks: C-4162r1_chk

>TABLE OFCENG; EXPIRED_PASSWORD_GRACE = 3

Fix: F-7544r1_fix

Ensure the DSN component is configured to disable a user account after the user has received three notifications of password expiration.

Crash-restart vulnerabilities are present on the DSN system component.
Medium - V-7970 - SV-8456r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.15
Vuln IDs
  • V-7970
Rule IDs
  • SV-8456r1_rule
Requirement: The IAO will ensure that tests are performed for crash-restart vulnerabilities and that procedures are developed to eliminate vulnerabilities found (e.g., ensure ENHANCED_PASSWORD_CONTROL is active to prevent system logons after restart on Nortel switches). Some systems reset to default settings (i.e., user names, passwords, user access privileges) when a reboot is initiated. If this is the case and a restart occurs and no action is taken to reset the default settings, the risk of unauthorized access is increased.
Severity Override Guidance: None
Potential Impacts: Denial of service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-4163r1_chk

Ensure ENHANCED_PASSWORD_CONTROL is active to prevent system logons after restart on Nortel switches.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The DSN system component is not installed in a controlled space with visitor access controls applied.
Medium - V-7971 - SV-8457r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN14.01
Vuln IDs
  • V-7971
Rule IDs
  • SV-8457r1_rule
Requirement: The IAO will ensure that DSN switches, peripherals, and OAM&P systems are installed in a controlled space with personnel and visitor access controls applied.
Controlling access to the DSN site is critical to determine accountability for auditing purposes as well as to prevent the obvious physical security violations.
None
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
  • Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.
Responsibility: Information Assurance Officer
IA Controls: PECF-2, ECSC-1
Checks: C-7352r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-8011r1_fix

Take measures to apply, install, or upgrade physical security for system core assets (switches, servers) and transmission devices (network switches, routers, muxes, and similar devices). Limit, control, and document the distribution of keys to access the equipment.

Documented procedures do not exist that will prepare for a suspected compromise of a DSN component.
Medium - V-7972 - SV-8458r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN14.02
Vuln IDs
  • V-7972
Rule IDs
  • SV-8458r1_rule
Requirement: The IAO will ensure that compromise recovery procedures are documented that will accomplish the following:
  • Verify the integrity of the hardware, software, and communication lines configuration.
  • Verify the integrity of the switch tables (database).
  • Perform an audit trail analysis and evaluation.
  • Enforce the change of all passwords for accessing the A/NM domain.
  • Report to the Theater and other concerned authorities the detection of possible unauthorized physical intrusion.
The following measures will ensure that a compromise of a DSN component is handled and reported properly: verification of the integrity of the hardware, software, communication lines configuration, and switch tables (database); performance of an audit trail analysis and evaluation; enforcing the change of all passwords for accessing the DSN component; and reporting to the theater and other concerned authorities the detection of possible unauthorized physical intrusion.
None
Potential Impacts:
  • Denial of service due to the inability to quickly recover from the compromise.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity.
Medium - V-7973 - SV-8459r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.01
Vuln IDs
  • V-7973
Rule IDs
  • SV-8459r1_rule
Requirement: The IAO will ensure that auditing records are placed in an unalterable audit or history file that is available only to those individuals authorized to analyze switch access and configuration activity.
Audit files must be available only to those individuals who are authorized and have a need to analyze DSN activity. These records must be stored in a format that will prevent any individual from making modifications to the records. Audit files are necessary to investigate switch activity that appears to be abusive, unauthorized, or damaging to the DSN.
None
Potential Impacts:
  • Compromise, corruption, or loss of audit records/files, potentially by a user that performed a security violation, and/or unauthorized access to the information they contain.
  • The inability to take administrative action or prosecute for inappropriate actions or system abuse.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECTP-1
Checks: C-7379r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Fix: F-7548r1_fix

Ensure that all auditing records are recorded to a device that will not allow any individual to make alterations to their content. Ensure that only authorized individuals have access to these files.

Audit records do not record the identity of each person and terminal device having access to switch software or databases.
Medium - V-7974 - SV-8460r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.02
Vuln IDs
  • V-7974
Rule IDs
  • SV-8460r1_rule
Requirement: The IAO will ensure that the auditing process records the identity of each person and terminal device having access to switch software or databases.
The identity of the individual user and the terminal used during their session will be recorded in the audit records. This is needed for accountability of commands issued and actions taken during each session.
None
Potential Impacts:
  • The inability to take administrative action or prosecute for inappropriate actions or system abuse.
  • The inability to effectively troubleshoot problems.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECAR-3, ECAR-2, ECSC-1, ECAR-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7549r1_fix

Ensure audit records contain the user and terminal identity.

Audit records do not record the time of the access.
Medium - V-7975 - SV-8461r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.03
Vuln IDs
  • V-7975
Rule IDs
  • SV-8461r1_rule
Requirement: The IAO will ensure that the auditing process records the time of the access.
The time of access needs to be recorded in the audit files to determine accountability of personnel if an issue arises that requires analysis of the audit records.
None
Potential Impacts:
  • The inability to effectively troubleshoot problems.
  • The inability to take administrative action or prosecute for inappropriate actions or system abuse.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECAR-3
Checks: C-4165r1_chk

Review TABLXXX for compliance.

Fix: F-7550r1_fix

Ensure a time stamp is provided by the system on all audit records.

The auditing records do not record activities that may change, bypass, or negate safeguards built into the software.
Medium - V-7976 - SV-8462r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.04
Vuln IDs
  • V-7976
Rule IDs
  • SV-8462r1_rule
Requirement: The IAO will ensure that the auditing process records commands, actions, and activities executed during each session that might change, bypass, or negate safeguards built into the software.
Actions that have the potential to change, bypass, or negate safeguards must be recorded in the audit files. This will identify suspicious activities that are being investigated and will assist investigators in following the course of events that led to the situation being examined.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
  • The inability to take administrative action or prosecute for inappropriate actions or system abuse.
  • The inability to effectively troubleshoot problems.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECAR-3, ECSC-1, ECLC-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7551r1_fix

Ensure that the system records commands, actions, and activities executed during each user session that might change, bypass, or negate safeguards built into the software.

Audit record archive and storage do not meet minimum requirements.
Medium - V-7977 - SV-8463r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.05
Vuln IDs
  • V-7977
Rule IDs
  • SV-8463r1_rule
Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months.
Audit records provide the means for the ISSO/IAO or other designated person to investigate any suspicious activity and to hold users accountable for their actions. By storing audit records online for 90 days and offline for 12 months, the ISSO or other designated personnel will be able to investigate all suspicious activity even if the activity is not noticed immediately.
APL NOTE: The storage of log data both online and offline for a given period of time is a site responsibility. While a vendor's product may provide the required storage capacity for a sufficient number of log entries internally to satisfy the online storage requirement, it must at a minimum work in conjunction with a logging server where the logs can be collected and maintained online. The remote logging process should also be automated such that logs are collected without SA intervention. The vendor's product and the architecture in which it is implemented as a whole must support the online storage requirement. Such requirements are covered elsewhere and do not constitute a finding here.
None
Potential Impacts:
  • The inability to take administrative action or prosecute for inappropriate actions or system abuse.
  • The inability to effectively troubleshoot problems.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECTP-1, ECRR-1, ECTB-1
Checks: C-7703r1_chk

Inspect or review the required “documents on file” that are necessary for compliance with the requirement.

Fix: F-7552r1_fix

Ensure audit records are stored online for 90 days and offline for 12 months.

Audit records are not being reviewed by the ISSO/IAO weekly.
Medium - V-7978 - SV-8464r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.06
Vuln IDs
  • V-7978
Rule IDs
  • SV-8464r1_rule
Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months.
By reviewing audit records on a weekly schedule, the ISSO/IAO ensures that any suspicious activity is detected in a timely manner.
None
Potential Impacts:
  • The inability to take administrative action or prosecute for inappropriate actions or system abuse.
  • The inability to effectively troubleshoot problems.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECAT-2, ECAT-1, ECSC-1, ECRG-1
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7553r1_fix

The ISSO/IAO or security auditor should review audit records weekly for suspicious activity.

An Information Systems Security Officer/Information Assurance Officer (ISSO/IAO) is not designated for each telecommunications switching system or DSN Site.
Medium - V-7979 - SV-8465r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN16.01
Vuln IDs
  • V-7979
Rule IDs
  • SV-8465r1_rule
Requirement: The DSN Program Management Office (PMO) or local site command/management, as appropriate, will document and ensure that an IAO is designated to oversee the IA posture and security of each switch, site, system, and facility. The IAO will have the proper training and clearance level as directed by DODI 8500.2 E3.4.8. The DSN PMO should maintain documentation regarding IAO assignments for all sites and/or systems in the inventory. The DSN IAO may have responsibility for systems other than DSN systems and may be responsible for remote sites attached to his/her main site or system.
Security Administration is accomplished through the ongoing efforts of a number of personnel. The Security Manager is the principal advisor to the site Commander/Director for the administration and management of the overall site security program. The Information Systems Security Manager/Information Assurance Manager (ISSM/IAM) is responsible for managing the AIS security program. The ISSO/IAO is responsible for implementing security requirements for one or more computer systems and reports directly to the ISSM/IAM. To oversee the security of the systems within the DSN, all sites will establish an onsite DSN ISSO/IAO position. This individual should be knowledgeable of the security features available in the site's telecommunications switching system and how these features are employed.
None
Potential Impacts:
  • No or inadequate oversight of, or concern for, security issues relating to the telecommunications switching system or DSN site.
Responsibility: Information Assurance Officer, Designated Approving Authority
IA Controls: DCSD-1, PECF-1
Checks: C-7649r2_chk

Inspect or review the required “documents on file” that are necessary for compliance with the requirement.

Fix: F-7554r1_fix

Establish a DSN ISSO/IAO position. In general, this individual will be responsible for establishing, implementing, monitoring, and controlling the site's telephone system security program, which will ensure the evaluation of all components of the site's telephone system.

Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library.
Medium - V-7980 - SV-8466r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN16.02
Vuln IDs
  • V-7980
Rule IDs
  • SV-8466r1_rule
Requirement: The IAO will ensure that personnel are familiar with the security practices outlined by applicable documents found in the site’s library and have received the appropriate security training.
A personnel security program, combined with other protective measures, makes up a security plan to keep DSN assets safe from intrusion or other types of disruptions. The DSN Security Guide describes the personnel security requirements for various types of individuals. To be effective, any security plan requires some type of familiarization and training for its users and participants.
None
Potential Impacts:
  • The system may be left vulnerable due to ignorance of policy, procedures, and threats to the system.
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: ECSC-1, PRTN-1
Checks: C-7361r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7555r1_fix

The ISSO/IAO will establish a security practices plan, as outlined in the DSN Security Guide, to ensure that personnel are familiar with the security practices outlined by applicable documents found in the site’s library and have received the appropriate security training.

The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties.
Low - V-7981 - SV-8467r1_rule
RMF Control
Severity
Low
CCI
Version
DSN16.03
Vuln IDs
  • V-7981
Rule IDs
  • SV-8467r1_rule
A DSN Personnel Security Certification letter will provide documented proof that site personnel have attended and successfully passed a security training and awareness program. This program will provide training appropriate to the security needs of each person involved with the DSN. The program will ensure that all personnel understand the risks to the DSN. This type of program reminds the personnel of the proper security-related operational and control procedures for which they are responsible.
None
Potential Impacts:
  • Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: ECAN-1, PECF-2
Checks: C-7362r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7556r1_fix

Establish a DSN security awareness-training program. Review all DSN personnel security-related responsibilities and document certification by signing a Personnel Security Certification letter.

System administrators are NOT appropriately cleared.
Medium - V-7982 - SV-8468r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN16.04
Vuln IDs
  • V-7982
Rule IDs
  • SV-8468r1_rule
Requirement: The IAO will ensure that all System Administrators are appropriately cleared.
In order to maintain positive control over personnel access to DSN system components, all who are provided physical and administrative access to the components must be controlled. The identity of those who are authorized access must be confirmed before access is given. If physical and administrative access to systems is not confirmed and controlled, this may result in unauthorized access or compromise.
None
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: ECSC-1, PECF-2
Checks: C-7363r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-7513r1_fix

Obtain a System Authorization Access Request (SAAR) DD Form 2875 for each DRSN user to validate their need-to-know.

Site staff does not verify and record the identity of individuals installing or modifying a device or software.
Medium - V-7983 - SV-8469r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN17.01
Vuln IDs
  • V-7983
Rule IDs
  • SV-8469r1_rule
Requirement: The IAO will ensure that site staff will verify and record the identity of individuals installing or modifying a device or software.
The identity of individuals performing software load upgrades or maintenance of a DSN component must be recorded. This will make a particular person or vendor representative accountable for all actions performed, giving the ISSO/IAO and site personnel the means to investigate all activity. One means of maintaining such records is to obtain a DD 2875 from all individuals performing this type of work.
None
Potential Impacts:
  • Denial of Service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, PECF-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7513r1_fix

Obtain a System Authorization Access Request (SAAR) DD Form 2875 for each DRSN user to validate their need-to-know.

System images are not being backed up on a weekly basis to the local system and a copy is not being stored on a removable storage device and/or is not being stored off site.
Medium - V-7984 - SV-8470r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN17.02
Vuln IDs
  • V-7984
Rule IDs
  • SV-8470r1_rule
Requirement: The IAO will ensure that systems will be backed up on a weekly basis to the local system and a copy will be stored, off site, on a removable storage device by the Switch Administrator.
System backup images or views need to be taken frequently and stored in such a way that a current copy can be obtained if needed. By storing a copy on the local system and a copy on removable media, in most instances a copy can be used to restore the system. The storage of a copy off site improves the safety of the copy in the event of a catastrophe at the operations site.
None
Potential Impacts:
  • Denial of Service or degradation of service caused by the inability to restore operations swiftly following a system failure or compromise.
Responsibility: Information Assurance Officer
IA Controls: CODB-1, ECSC-1
Checks: C-7374r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Site staff does not ensure backup media is available and up to date prior to software modification.
Medium - V-7985 - SV-8471r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN17.03
Vuln IDs
  • V-7985
Rule IDs
  • SV-8471r1_rule
Requirement: The IAO will ensure that site staff will ensure back-up media is available and up-to-date prior to any software modification that could cause a significant disruption to service if the new software is corrupted.
Back-up media will be available to site personnel prior to any software upgrades or major provisioning changes. This will enable site personnel to recover the DSN system in case of system failure under newly introduced software or major changes.
None
Potential Impacts:
  • Denial of Service or degradation of service caused by the inability to restore operations swiftly following a system failure or compromise.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: CODB-2, CODB-1, ECSC-1, COBR-1, CODB-3
Checks: C-7366r1_chk

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Fix: F-8038r1_fix

If technically feasible, configure the system to automatically perform weekly backups and record them locally on the component and on removable media. Alternately, ensure that weekly backups are performed manually. The SA must also ensure the removable media is removed and stored locally by site personnel. Storing an additional copy off site is also highly recommended. Perform a system backup just prior to any system change, maintenance, or upgrade. If this is not feasible, ensure that the most recent weekly backup is readily available for use.

Modems are not physically protected to prevent unauthorized device changes.
Medium - V-7986 - SV-8472r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.01
Vuln IDs
  • V-7986
Rule IDs
  • SV-8472r1_rule
Requirement: The IAO will ensure that all modems are physically protected to prevent unauthorized device changes.
Controlling physical access to modems supporting the DSN will limit the chance of unauthorized access to DSN system components. Failure to control physical access to modems could result in modem settings being changed to allow unauthorized access to DSN system components.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7329r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7561r1_fix

Ensure all modems are secured that are used to access the DSN administration/maintenance user ports. Allow only authorized personnel to have physical access to these modems.

A detailed listing of all modems is not being maintained.
Medium - V-7987 - SV-8473r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.02
Vuln IDs
  • V-7987
Rule IDs
  • SV-8473r1_rule
Requirement: The IAO will maintain a listing of all modems by model number, serial number, associated phone number, and location.
Ensure an accurate listing of all modems supporting the DSN is maintained. Maintaining a list of all approved modems will ensure that non-approved modems can be identified easily.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCID-1, ECSC-1
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7562r1_fix

Collect information on all approved modems, including model number, serial number, installed location, etc. Maintain this list / inventory and update as needed.

Unauthorized modems are installed.
Medium - V-7988 - SV-8474r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.03
Vuln IDs
  • V-7988
Rule IDs
  • SV-8474r1_rule
Modems that are not provided by the Government for access to the DSN will not be allowed to connect to the DSN for access. No personally provided modems are permitted. This measure will assist the ISSO/IAO in the task of controlling remote access to the DSN components.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCID-1, EBCR-1, ECSC-1
Checks: C-7328r1_chk

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7563r1_fix

Remove all modems that are not provided by the Government. The ISSO/IAO may conduct periodic inspections for unauthorized modems.

Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).
Medium - V-7989 - SV-8475r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.04
Vuln IDs
  • V-7989
Rule IDs
  • SV-8475r1_rule
Requirement: The IAO will ensure that all modem phone lines are restricted and configured to their mission required purpose (inward dial only or outward dial only).
Ubiquitous phone lines open major security holes in a network. The more tightly they can be controlled, the less the exposure to vulnerabilities. Allowing special features to remain active on modem phone lines creates advantageous situations for malicious attacks. An attacker may use special features to forward modem or voice calls to destinations that cause toll fraud, or forward the number to itself, causing a denial of service. Telephone lines that provide DSN modems dial tone will be provisioned only with their required functions. Some components of the DSN “dial back” option may require two modems for proper operation. If a modem is dedicated to receive calls, it should be provisioned to not allow outbound calling. If a modem is dedicated to place calls, it should be provisioned to not accept incoming calls.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7564r1_fix

Ensure that all modem lines are restricted to single-line operation and configured to their mission required purpose (inward or outward dial only), without any special features (e.g., call forwarding). DSN System Administrators will ensure that the modem's phone line is disconnected until needed. Site personnel should restrict the functions of all phone lines that provide dial tone to the DSN modems based upon the needs of the modem's function.

Modem phone lines are not restricted to single-line operation.
Medium - V-7990 - SV-8476r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.05
Vuln IDs
  • V-7990
Rule IDs
  • SV-8476r1_rule
Requirement: The IAO will ensure that all modem phone lines are restricted to single-line operation without any special features such as the call forwarding capability.
By restricting modem phone lines to single-line operation, the risk of unauthorized access is limited by preventing the added functions of a multi-line from being used by an unauthorized person to gain access.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7565r1_fix

Ensure that only single-line phone lines are used for modem access.

The option of Automatic Number Identification (ANI) is available but not being used.
Unknown - V-7991 - SV-8477r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN18.06
Vuln IDs
  • V-7991
Rule IDs
  • SV-8477r1_rule
Requirement: The IAO will ensure that Automatic Number Identification (ANI) is enabled on modem lines to record access to remote access ports if this function is available. The IAO, or authorized security personnel, will maintain and review ANI logs. These records should be kept for the previous twelve months.
Automatic Number Identification (ANI) logs are ideal for auditing unauthorized accesses and toll fraud.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7566r1_fix

Ensure the use of the ANI feature, if available, for all modems connected to DSN system administration/maintenance dial-up ports. Maintain and review ANI logs periodically. Audit records should be stored for a period of twelve months.

Authentication is not required for every session requested.
Medium - V-7992 - SV-8478r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.07
Vuln IDs
  • V-7992
Rule IDs
  • SV-8478r1_rule
Requirement: The IAO will ensure that identification and authentication is required for every session requested in accordance with I&A / password policy.
Authentication is a measure used to verify the eligibility of a subject and the ability of that subject to access certain information. Authentication protects against the fraudulent use of a system or the deceptive transmission of information. All users must be authenticated prior to every authorized session allowing system access. This is necessary to ensure that no unauthorized sessions are granted.
None
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7567r1_fix

Ensure that all interfaces to the DSN component require authentication before a session is granted.

The option to use the “callback” feature for remote access is not being used.
Low - V-7993 - SV-8479r1_rule
RMF Control
Severity
Low
CCI
Version
DSN18.08
Vuln IDs
  • V-7993
Rule IDs
  • SV-8479r1_rule
Requirement: The IAO will ensure that modem access to remote management ports incorporates the “callback” feature where technically feasible.
The callback feature ensures that pre-authorized user directory numbers are being used to access the DSN components. Callback features are an attempt to protect the network by providing a service that disconnects an incoming call and reestablishes the call, dialing back to a predetermined number. Upon establishment of the callback connection, the communications device will require the user to authenticate to the system. This feature enhances security authentication access to the system. If available, this feature should be used. This feature is especially important for remote unmanned switch sites where modem connections cannot be physically disconnected when not in use.
This is not a finding if the modem is approved and listed on the DSN APL and does not support the callback feature.
Potential Impacts:
  • Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7568r1_fix

The ISSO/IAO should ensure that all DSN components are using the callback feature, if this feature is available.

a
FIPS 140-2 validated Link encryption mechanisms are not being used to provide end-to-end security of all data streams entering the remote access port of a telephone switch.
Unknown - V-7994 - SV-8480r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN18.09
Vuln IDs
  • V-7994
Rule IDs
  • SV-8480r1_rule
Requirement: The IAO will ensure that a FIPS 140-2 validated encryption mechanism is used to secure all data streams between the management port of the DSN component and a remote management station, whether connected via a modem or a network. The most secure authenticated session to any remote system is accomplished via an encrypted connection. Encryption provides confidentiality and should be used, wherever possible, to secure remote access connections to DSN administration/maintenance ports.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECCT-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7569r1_fix

Ensure that FIPS 140-2 validated link encryption mechanisms are implemented for all dial-up/remote connections to the administration/maintenance ports of the DSN system.

a
The option to use two-factor authentication when accessing remote access ports is not being used.
Unknown - V-7995 - SV-8481r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN18.10
Vuln IDs
  • V-7995
Rule IDs
  • SV-8481r1_rule
Requirement: The IAO will ensure that remote access ports require two-factor authentication, defined as requiring something such as a token in addition to a User ID and password combination. The use of two-factor authentication will help prevent unauthorized persons from accessing the DSN component.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7376r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Fix: F-7570r1_fix

Ensure policies and configurations are in place for remote access ports to require two-factor authentication.

b
Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use.
Medium - V-7996 - SV-8482r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.11
Vuln IDs
  • V-7996
Rule IDs
  • SV-8482r1_rule
Requirement: The IAO will ensure that serial management ports are controlled by deactivating or physically disconnecting access devices (e.g., modems or terminals) that are not in use. Disconnecting remote access devices when they are not being used greatly reduces the risk of unauthorized access.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7571r1_fix

Ensure that all remote access devices are deactivated or disconnected when not in use.

b
Idle connections DO NOT disconnect in 15 min.
Medium - V-7997 - SV-8483r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.12
Vuln IDs
  • V-7997
Rule IDs
  • SV-8483r1_rule
Requirement: The IAO will ensure that a timeout feature, set to 15 minutes, is used to disconnect idle connections. Unattended systems are susceptible to unauthorized use, so the system should be locked when unattended. The user idle timeout should be set to a maximum of 15 minutes. This setting protects critical and sensitive system areas from exposure to unauthorized personnel with physical access to an unattended administration/maintenance terminal.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7378r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Fix: F-7572r1_fix

The system administrator will ensure that the timeout for unattended user administration/maintenance ports is set for no longer than 15 minutes, if technically feasible.

b
The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.
Medium - V-7998 - SV-8484r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.13
Vuln IDs
  • V-7998
Rule IDs
  • SV-8484r1_rule
Requirement: The IAO will ensure that a management port that receives three consecutive failed logon attempts becomes unavailable for at least 60 seconds. After three failed logon attempts the system should force the user to wait for 60 seconds. This measure slows password guessing enough to defeat brute-force attempts without locking out legitimate administrators. If the time that the port is unavailable is substantially greater than 60 seconds, an attacker could cause a denial of service simply by attempting logins on all ports.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7573r1_fix

Ensure the system is configured to make the port unavailable for 60 seconds after 3 failed logon attempts.
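The idle-timeout rule (DSN18.12) and the failed-logon rule (DSN18.13) above describe behaviour that a management-port access layer has to implement, and the second one carries a trade-off (a lockout much longer than 60 seconds becomes a denial-of-service lever). The following is an added illustration written for this page, not code from the STIG or from any switch vendor; a real DSN component applies the equivalent through its own craft-shell or terminal-server configuration. The port names, the timestamps and the outcome strings are assumptions chosen for the example, and time is passed in explicitly so the logic can be exercised without waiting.

```python
"""Model of two DSN management-port session rules:
 - three consecutive failed logons make the port unavailable for 60 seconds,
 - a session idle for 15 minutes is dropped.
Constructed illustration only; not vendor or STIG code."""

from dataclasses import dataclass, field

FAILED_ATTEMPTS_BEFORE_LOCK = 3
LOCKOUT_SECONDS = 60            # "at least 60 seconds"; deliberately not much longer
IDLE_TIMEOUT_SECONDS = 15 * 60  # maximum idle time before a forced disconnect


@dataclass
class PortState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # seconds since epoch; 0.0 means "not locked"


@dataclass
class SessionPolicy:
    """Per-port state; one instance guards all management ports of a component."""
    ports: dict = field(default_factory=dict)

    def _state(self, port: str) -> PortState:
        return self.ports.setdefault(port, PortState())

    def port_available(self, port: str, now: float) -> bool:
        """False while the port is inside its 60-second unavailability window."""
        return now >= self._state(port).locked_until

    def logon(self, port: str, credentials_ok: bool, now: float) -> str:
        """Process one logon attempt on a management port.

        Returns 'locked' (refused without evaluating credentials), 'granted',
        or 'denied'.  Three consecutive failures lock the port for exactly
        LOCKOUT_SECONDS; a successful logon resets the failure counter.
        """
        st = self._state(port)
        if not self.port_available(port, now):
            return "locked"
        if credentials_ok:
            st.consecutive_failures = 0
            return "granted"
        st.consecutive_failures += 1
        if st.consecutive_failures >= FAILED_ATTEMPTS_BEFORE_LOCK:
            # A fixed, short window: long enough to throttle password guessing,
            # short enough that someone hammering every port cannot turn this
            # control into a denial of service against legitimate admins.
            st.locked_until = now + LOCKOUT_SECONDS
            st.consecutive_failures = 0
        return "denied"


def idle_expired(last_activity: float, now: float) -> bool:
    """True once a session has been idle for 15 minutes; the caller drops it."""
    return now - last_activity >= IDLE_TIMEOUT_SECONDS


def demo() -> list:
    """Three bad passwords, a correct one inside the window, then one after it."""
    policy = SessionPolicy()
    events = [(0, False), (1, False), (2, False), (10, True), (62, True)]
    return [policy.logon("ttyS0", ok, t) for t, ok in events]


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'denied', 'locked', 'granted']
```

The lock is keyed per port and expires on its own; no administrator action is needed to clear it, which is the property the rule relies on to keep the control from being abused. A correct password presented during the window is refused without being evaluated, so the attacker learns nothing from the timing of the response.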

a
Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session.
Low - V-7999 - SV-8485r1_rule
RMF Control
Severity
Low
CCI
Version
DSN18.14
Vuln IDs
  • V-7999
Rule IDs
  • SV-8485r1_rule
Requirement: The IAO will ensure that serial management ports immediately drop any connection that is interrupted for any reason, including modem power failure, link disconnection, and loss of carrier. A serial port whose link is interrupted will "force out" the user (i.e., end the session using the port). This prevents a remote user from ending a session without logging off and leaving the remote maintenance port available with an active session that might allow unauthorized use by someone other than the authenticated user. It also prevents the physical hijacking of an active session by unplugging the connected cable and plugging in another.

NOTE: This requirement primarily addresses the use of EIA/RS-232 serial interfaces (serial craft or console ports) in conjunction with a modem. It requires the enablement of the hardware handshaking capabilities that are typically inherent in the interface and the associated Universal Asynchronous Receiver/Transmitter (UART). The hardware handshaking leads readily indicate modem power failure, link disconnection, and loss of carrier; the software response to these hardware indicators is to terminate any active session so that re-authentication is required if the session is re-established. This capability also supports the prevention of physically hijacking the connection or session by unplugging the modem and plugging in a local workstation or other communications device, although such physical hijacking is substantially mitigated by limiting physical access to the port connection to authorized personnel via physical access security methods.

Unfortunately, some EIA/RS-232 port implementations in some vendors' products do not include the physical handshaking lead connections needed to fulfill this requirement; in some cases only the three minimally required data leads (TX, RX, and GND) are implemented. In this case, Xon-Xoff flow control is used to synchronize communications instead of hardware handshaking, and additional measures must be implemented in hardware or software to detect session interruption and effect its termination. This may require special serial communications software or middleware that implements a keep-alive signal; when the keep-alive signal is lost, the session is terminated. Other methods may be employed as well.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7574r1_fix

Configure the DSN component to force out users when the session is interrupted.
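The NOTE in the requirement above maps directly onto the modem-control settings of a serial port. As an added illustration written for this page (not code from the STIG or from any switch vendor), the check below assumes the component's craft/console port is served by a Linux/Unix host whose termios settings are visible with `stty -a -F <device>`; many switch platforms expose the equivalent only through their own craft-shell commands, so treat that host as an assumption. The two `stty -a` outputs are constructed samples. With `clocal` set, the kernel ignores DCD and a dropped carrier leaves the session alive; with `-clocal` it hangs the session up (SIGHUP to the controlling process) on loss of carrier, and `hupcl` drops DTR when the port is closed so the modem line does not stay up. `crtscts` is the RTS/CTS hardware handshaking the NOTE refers to; its absence with `ixon`/`ixoff` set is the three-wire, Xon-Xoff case that the NOTE says needs a keep-alive in middleware.

```python
"""Check a serial console's termios flags against the DSN "force out on
interruption" rule.  Constructed illustration; assumes a Linux/Unix host
exposing the port via `stty -a -F <device>` (GNU coreutils syntax)."""

import re

# Constructed samples of `stty -a` output for a modem-attached craft port.
WEAK = """speed 9600 baud; rows 0; columns 0; line = 0;
intr = ^C; quit = ^\\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon ixoff
"""

FIXED = """speed 9600 baud; rows 0; columns 0; line = 0;
intr = ^C; quit = ^\\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
-parenb -parodd -cmspar cs8 hupcl -cstopb cread -clocal crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl -ixon -ixoff
"""


def parse_stty_flags(stty_output: str) -> dict:
    """Map each termios flag in `stty -a` output to True ('crtscts') or
    False ('-crtscts').  Lines carrying '=' assignments (speed, control
    characters) are skipped; only bare flag words are collected."""
    flags = {}
    for line in stty_output.splitlines():
        if "=" in line or line.startswith("speed"):
            continue
        for tok in line.split():
            if tok.startswith("-"):
                flags[tok[1:]] = False
            elif re.fullmatch(r"[a-z0-9]+", tok):
                flags[tok] = True
    return flags


def assess_force_out(flags: dict) -> dict:
    """Return findings keyed by the concern each flag addresses."""
    f = {}
    # -clocal: modem control lines are honoured, so loss of DCD (modem power
    # failure, link disconnection, loss of carrier) hangs up the session.
    # A missing flag is treated as the unsafe default.
    f["carrier_loss_drops_session"] = flags.get("clocal", True) is False
    # hupcl: drop DTR when the last process closes the port, so an abnormally
    # ended session does not leave the modem line connected.
    f["hangup_on_close"] = flags.get("hupcl", False) is True
    # crtscts: RTS/CTS hardware handshaking.  Without it, and with XON/XOFF
    # enabled, the port is behaving as a 3-wire link where the rule's NOTE
    # requires an additional keep-alive mechanism to detect interruption.
    hw = flags.get("crtscts", False) is True
    sw = bool(flags.get("ixon", False) or flags.get("ixoff", False))
    f["hardware_handshaking"] = hw
    f["needs_keepalive_middleware"] = (not hw) and sw
    f["compliant"] = f["carrier_loss_drops_session"] and f["hangup_on_close"]
    return f


def remediation_command(device: str) -> str:
    """The corrected setting beside the weak one: honour DCD, hang up on
    close, use hardware flow control, disable XON/XOFF."""
    return f"stty -F {device} -clocal hupcl crtscts -ixon -ixoff"


if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, assess_force_out(parse_stty_flags(sample)))
    print(remediation_command("/dev/ttyS0"))
```

The remediation line is only correct for a cable that actually carries the handshaking leads. On a three-wire cable there is no DCD to honour, so `-clocal` leaves the port waiting for a carrier that never arrives; that is precisely the case the NOTE hands off to keep-alive middleware, and the `needs_keepalive_middleware` finding flags it rather than pretending the flag fixes it.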

a
DSN system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.
Low - V-8000 - SV-8486r2_rule
RMF Control
Severity
Low
CCI
Version
DSN19.01
Vuln IDs
  • V-8000
Rule IDs
  • SV-8486r2_rule
The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system. The banner provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and ensures the legal requirements for auditing and monitoring are met. System use notification messages must be displayed when individuals log on to the information system. The approved DoD text must be used as specified in DoD Instruction 8500.01 dated March 14, 2014.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECWM-1
Checks: C-17202r2_chk

Interview the ISSO to validate compliance with the following requirement: verify all DSN system components display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access. If the displayed text is not exactly as specified in DoD Instruction 8500.01 dated March 14, 2014, this is a finding. The text is posted on the IASE website: http://iase.disa.mil/Documents/unclass-consent_banner.zip

Fix: F-16271r2_fix

Configure all DSN system components to display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access.

b
Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods.
Medium - V-8225 - SV-8711r1_rule
RMF Control
Severity
Medium
CCI
Version
VVT/VTC 1000 (GENERAL)
Vuln IDs
  • V-8225
Rule IDs
  • SV-8711r1_rule
Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical access to these components is critical to determining accountability for auditing purposes; key control and access logs are a large part of this. Additionally, the facilities housing the telecommunications infrastructure must be certified at a classification level commensurate with the highest classification level of the information communicated by the system.

NOTE: The infrastructure addressed here consists of the components of traditional TDM, VVoIP, UC or VTC systems that support the communications endpoints. This includes "wiring closets" for traditional non-IP based systems.

NOTE: Physical access to the LAN infrastructure (which may also support VVoIP, UC, and VTCoIP services) is covered by a Network Infrastructure STIG requirement. This requirement does not directly address the physical security of the general LAN infrastructure, such as LAN routers and switches.

NOTE: While this requirement is based on best practice and requirements for protecting classified information, it is also supported in part by DOD 5200.08-R, Physical Security Program, April 9, 2007, Incorporating Change 1, 27 May 2009, Chapter 6, Security of Communications Facilities, section C6.2.4, which states: "Access shall be controlled at all communications facilities and only authorized personnel shall be allowed to enter. Facilities should be designated and posted as a minimum, a Controlled Area, as directed."
Potential Impacts: Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.
Responsibility: Information Assurance Officer
IA Controls: DCBP-1, ECSC-1
Checks: C-23525r1_chk

Perform a walk-through of the facilities with the IAO to validate compliance with the following requirement: ensure all telecommunications infrastructure components (traditional TDM, VVoIP, UC or VTC) are housed in secured facilities with appropriate classification level and appropriate documented access control methods. NOTE: This does not apply to end instruments.

Additionally, ensure all facilities housing telecommunications infrastructure components are rated at or above the highest classification level of the information communicated. For example, VoSIP (VoIP on SIPRNet) infrastructure components must be housed in facilities rated at or above the Secret level. NOTE: This DOES apply to end instruments.

During the walk-through inspection, visually confirm that telecommunications infrastructure (traditional TDM, VVoIP, UC or VTC specific network and server) components are installed in secured areas, to include locked rooms, closets, and/or cabinets. Interview the IAO to determine how the distribution of keys to access the equipment is limited, controlled, and documented. Additionally, determine whether access control procedures and documentation are being used, and review the access logs for compliance. Finally, interview the IAO regarding the security classification of the facilities housing the telecommunications infrastructure components in relation to the highest classification level of the information communicated.

This is a finding in the event of any of the following:
> Any telecommunications infrastructure component is not housed in a secured facility (locked room or cabinet).
> The facility access control procedures or their documentation are deficient.
> Access to the facility is not logged, or the procedures are not followed.
> The classification rating of any facility housing telecommunications infrastructure components is below the highest classification level of the information communicated.

The scope NOTEs in the discussion above (which infrastructure is addressed, LAN infrastructure being covered by the Network Infrastructure STIG, and the DOD 5200.08-R basis) apply to this check as well.

Fix: F-20063r1_fix

Ensure all telecommunications infrastructure components are housed in secured facilities with appropriate classification level and appropriate documented access control methods. NOTE: This does not apply to end instruments. Additionally, ensure all facilities housing telecommunications infrastructure components are rated at or above the highest classification level of the information communicated. For example, VoSIP (VVoIP on SIPRNet) infrastructure components must be housed in facilities rated at or above the Secret level. NOTE: This DOES apply to end instruments.

Ensure that all equipment is installed in a locked room, closet, or cabinet. Ensure the distribution of keys to access the equipment is limited, controlled, and documented. Ensure access control procedures are implemented so that physical access is documented and an audit trail can be established if necessary. The scope NOTEs in the discussion above (which infrastructure is addressed, LAN infrastructure being covered by the Network Infrastructure STIG, and the DOD 5200.08-R basis) apply to this fix as well.

b
IAVMs are not addressed using RTS system vendor approved or provided patches.
Medium - V-8338 - SV-8833r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN02.04
Vuln IDs
  • V-8338
Rule IDs
  • SV-8833r1_rule
Requirement: The IAO will ensure that all IAVM notices relating to the installation of security or other patches for general-purpose operating systems and software on devices other than workstations are vetted through the system vendor and approved by the local DAA before installation. Many IPT/VoIP systems are based on general-purpose operating systems and applications such as databases and web servers (e.g., Windows, MS-SQL, IIS, Unix, Linux). The original vendors of these general-purpose software packages provide patches for their individual packages. The vendor of an IPT/VoIP system must test and approve these patches for use on its system before they are applied, because an OEM patch might break a portion of the IPT/VoIP system or degrade its security. The IPT/VoIP vendor may have to modify the OEM patch before releasing it to its customers. IPT/VoIP vendors must be immediately advised of IAVAs that apply to their systems so that they can test the required patch/mitigation and subsequently distribute an approved patch for their system (in accordance with VoIP0281), allowing the site to maintain IAVA compliance.
Potential Impacts: Denial of Service. Patches that have not been approved and provided by the vendor, and/or applied in conflict with the vendor's instructions, can break features or disable the system.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, ECND-1, ECND-2
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7977r1_fix

Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will ensure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs, or will ensure that there is a clear and well-defined path for receipt and acknowledgement of IAVMs.

a
DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy.
Low - V-8339 - SV-8834r1_rule
RMF Control
Severity
Low
CCI
Version
DSN02.05
Vuln IDs
  • V-8339
Rule IDs
  • SV-8834r1_rule
Requirement: The IAO will ensure that all systems connected to the DSN, including switches, OAM&P systems, auxiliary/adjunct systems, and peripheral systems, along with their SAs, are registered and tracked in an asset and vulnerability management system similar to VMS.
Responsibility: Information Assurance Officer
IA Controls: ECND-1, ECND-2, ECSC-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

a
A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
Low - V-8340 - SV-8835r1_rule
RMF Control
Severity
Low
CCI
Version
DSN03.01
Vuln IDs
  • V-8340
Rule IDs
  • SV-8835r1_rule
Requirement: The IAO will ensure that all systems connected to DOD telecommunications systems that use technologies covered by a DISA/DOD STIG are secured in compliance with the applicable STIG(s). The applicable STIGs define the threat and vulnerability mitigations that must be applied to resolve the associated threat and/or vulnerability in accordance with DoD policy.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7653r1_chk

Obtain a copy of all applicable SRR or self-assessment results and review them for compliance, or perform all applicable SRRs on a representative number of RTS systems and devices. If a significant number of findings are reported, or if an applicable STIG was not applied, this is a finding.

Note: The specific Voice/Video/RTS system server or device determines the applicability of any given STIG. Many Voice/Video/RTS system servers or devices are based on general-purpose operating systems such as Microsoft Windows, Unix, or Linux. They may use general-purpose applications such as databases like MS-SQL or Oracle and/or employ web server technology like IIS or similar. Determine what the system under review is based upon and perform the associated SRRs. Additionally, an application SRR may be applicable for the vendor's application that makes the server or device perform its functions or that manages the system.

Note: Voice/Video/RTS systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. A specific Voice/Video/RTS system or device may be approved while having certain open findings that are accepted in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Fix: F-7990r1_fix

The IAO and/or SA is to configure all Voice/Video/RTS systems, server, and devices in accordance with all applicable STIGs for the specific system/server/device while taking into account any DSAWG approved open findings and their mitigations.

a
The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs.
Low - V-8341 - SV-8836r1_rule
RMF Control
Severity
Low
CCI
Version
DSN03.02
Vuln IDs
  • V-8341
Rule IDs
  • SV-8836r1_rule
Requirement: The DSN PMO and/or site command/management will ensure that "compliance with all applicable STIGs" requirements and validation measures are added to specifications and contracts for commercially leased or procured telecommunications services or systems. STIG compliance is DoD policy and must be accomplished to the greatest extent possible so that any information system may be Certified and Accredited, operated, and connected to other systems if applicable. Placing this requirement in procurement contracts puts the vendor on notice that its product or solution must support these DoD policy requirements.
Potential Impacts: Additional cost to DoD for complying with DoD security policy. Possible inability to operate the system or connect it to another DoD system.
Responsibility: Information Assurance Officer
IA Controls: EBCR-1, ECSC-1, DCAS-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

a
The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation
Unknown - V-8342 - SV-8837r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN03.03
Vuln IDs
  • V-8342
Rule IDs
  • SV-8837r1_rule
Requirement: The IAO will ensure that commercially contracted (leased or procured) systems and services supporting the DSN comply with all applicable STIGs in accordance with contract requirements. STIG compliance is DoD policy and must be accomplished to the greatest extent possible so that any information system may be Certified and Accredited, operated, and connected to other systems if applicable. Placing this requirement in procurement contracts puts the vendor on notice that its product or solution must support these DoD policy requirements. The responsibility for monitoring compliance with contract requirements falls to the DAA, IAM, IAO, and/or SA responsible for operating the system in compliance with policy. Placing compliance requirements in a contract provides no assurance that they are being met if there is no validation or enforcement of the contract requirements.
Potential Impacts: Additional cost to DoD for complying with DoD security policy. The possible inability to certify and accredit the system, operate it legally, or connect it to another DoD system due to violation of DoD policy.
Responsibility: System Administrator, Information Assurance Officer, Designated Approving Authority, Information Assurance Manager
IA Controls: ECSC-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7991r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

b
A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested.
Medium - V-8345 - SV-8840r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN03.04
Vuln IDs
  • V-8345
Rule IDs
  • SV-8840r1_rule
Requirement: The IAO will ensure that all installed systems and associated software releases for which he/she is responsible appear on the DSN APL in accordance with DODI 8100.3 requirements. This applies to previously installed, new, and upgraded systems. DOD Instruction 8100.3, which governs DOD telecommunications and the Defense Switched Network (DSN), requires that "Telecommunications switches (and associated software releases) leased, procured (whether systems or services), or operated by the DOD Components, and connected or planned for connection to the DSN, shall be joint interoperability certified by the Defense Information Systems Agency (DISA), Joint Interoperability Test Command (JITC) and granted information assurance certification and accreditation by the Defense Information System Network (DISN) Designated Approval Authorities (DAAs)." DAA certification is obtained through the DISN Security Accreditation Working Group (DSAWG). DODI 8100.3 also requires that the DOD use (or connect to the DSN) only devices that appear on the DSN Approved Products List (APL). Both IA and Interoperability certification requirements must be met for inclusion on the DSN APL. The IA and IO testing that occurs prior to DSN APL listing determines whether the system/device meets, or can be configured to meet, DoD requirements. The IA testing determines any residual risk for operating the system; this risk is accepted by the DSAWG prior to APL listing.
Severity Override Guidance: This finding can be reduced to a CAT IV if the system is in the process of being certified for placement on the APL.
Potential Impacts: The possible inability to certify and accredit the system, operate it legally, or connect it to another DoD system due to violation of DoD policy.
Responsibility: Information Assurance Officer
IA Controls: EBCR-1, ECSC-1, DCAS-1
Checks: C-7656r1_chk

Verify that the VoIP system is listed on the DSN APL by checking at the following link: http://jitc.fhu.disa.mil/tssi/apl.html If not, contact the VCAO to determine if the system is in the testing process.

Fix: F-7997r1_fix

Ensure non-certified VoIP systems are not connected to the DSN. Sponsor the system for DSN APL testing and certification.

a
A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority’s recommendation and/or DSAWG approval documentation.
Low - V-8346 - SV-8841r1_rule
RMF Control
Severity
Low
CCI
Version
DSN03.05
Vuln IDs
  • V-8346
Rule IDs
  • SV-8841r1_rule
Requirement: The IAO will ensure that products or software releases are installed and maintained in accordance with all applicable STIGs AND the installation restrictions and vulnerability mitigations presented in the Security Assessment Report and the Certifying Authority's (CA's) Recommendation Memo to the DSAWG. Systems listed on the DSN APL have been approved by the DSAWG as having acceptable risk for operation by DoD components. The residual risk is determined by the mitigations for any findings that cannot be closed. These mitigations may be determined or proposed by the vendor, the IA test team, the Certifying Authority, and/or the DSAWG, and may take the form of deployment limitations and/or installation restrictions. Applying the recommended mitigations and complying with any deployment limitations and/or installation restrictions is paramount to legally operating the system in a secure manner. The required mitigations, limitations, and restrictions should be contained in the final test report produced by the VCAO following DSAWG approval. The IAO should maintain a copy of the final system testing report so that the required mitigations, limitations, and restrictions can be applied and compliance can be validated or verified.
Potential Impacts: The possible inability to certify and accredit the system, operate it legally, or connect it to another DoD system due to violation of DoD policy.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, DCAS-1, EBCR-1
Checks: C-7649r2_chk

Or review the required “documents on file” that are necessary for compliance with the requirement.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

A Voice/Video/RTS system or device is NOT installed in the same configuration and being used for the same purpose that was tested for prior to DSAWG approval and DSN APL listing.
Unknown - V-8347 - SV-8842r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN03.06
Vuln IDs
  • V-8347
Rule IDs
  • SV-8842r1_rule
Requirement: The IAO will ensure that systems are implemented using the configuration that was approved and for the approved purpose. Alternate configurations and purposes must be resubmitted for certification.
Vulnerability Discussion: DSN APL listed systems are submitted for testing in coordination with the sponsor’s needs. Systems and devices are submitted with a specific suite of equipment, software, software versions, connection types, configurations, and use cases or purposes. The resulting test results are only applicable to the specific solution/purpose submitted. As a result, it is the specific solution and purpose that is approved and listed on the APL. If any part of the submitted solution is changed, there may be different vulnerabilities associated with the modified solution that were not present in the originally tested solution. For this reason, modified solutions must be tested to assure that any newly acquired vulnerabilities are found and addressed.
NONE
Potential Impacts: The possible inability to certify and accredit the system or operate it legally or connect it to another DoD system due to violation of DoD policy and undiscovered vulnerabilities.
Responsibility: Information Assurance Officer
IA Controls: EBCR-1, ECSC-1, DCAS-1
Checks: C-7649r2_chk

Or review the required “documents on file” that are necessary for compliance with the requirement.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The requirement of DSN APL listing is not being considered during the procurement, installation, connection, or upgrade to the site’s Voice/Video/RTS infrastructure.
Unknown - V-8348 - SV-8843r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN03.07
Vuln IDs
  • V-8348
Rule IDs
  • SV-8843r1_rule
Requirement: The DSN PMO, DOD Component command, site command/management, or the IAO will ensure that products being considered for procurement, installation, connection, or upgrade to the DSN are certified and appear on the DSN APL, OR are in the process of being certified, OR will sponsor the product for certification.
NONE
Potential Impacts: The possible inability to certify and accredit the system or operate it legally or connect it to another DoD system due to violation of DoD policy and undiscovered vulnerabilities.
Responsibility: Information Assurance Officer
IA Controls: DCAS-1, EBCR-1, ECSC-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7997r1_fix

Ensure non-certified VoIP systems are not connected to the DSN. Sponsor the system for DSN APL testing and certification.

The SMU management port or management workstations is improperly connected to a network that is not dedicated to management of the SMU.
Medium - V-8512 - SV-9007r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN20.04
Vuln IDs
  • V-8512
Rule IDs
  • SV-9007r1_rule
Requirement: The IAO at the SMU site will ensure that the SMU management port or stations are not connected to any network other than one dedicated to management of the SMU.
Vulnerability Discussion: The system design and architecture of the SMU provides for no security configuration capability (i.e., user account, password, privileged user, or auditing capability). Trunk and subscriber provisioning is accomplished via an administrator’s terminal, which is a dumb terminal, connected to the system via serial connection. From this terminal, at power up, the user has direct access to provisioning features of the system. Therefore, security protection to the SMU is provided through the physical security of the unit.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions.
Medium - V-8513 - SV-9008r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN20.03
Vuln IDs
  • V-8513
Rule IDs
  • SV-9008r1_rule
Requirement: The IAO at the SMU site will ensure that the ADIMSS server connected to the SMU is dedicated to ADIMSS functions.
Vulnerability Discussion: ADIMSS servers represent mission critical equipment that contain potentially sensitive information that needs to be secured and treated with the same precautions as any other servers containing sensitive information. Dedicating critical ADIMSS servers to only ADIMSS required applications is key to securing the ADIMSS network. To minimize possible risk, these servers are to be dedicated to the ADIMSS applications required for ADIMSS operations, minimizing the chance of infection or attack through an unused, unnecessary application residing on the system.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
> Degradation of security of the ADIMSS network / extended enclave.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The SMU ADIMSS connection is NOT dedicated to the ADIMSS network
Low - V-8514 - SV-9009r1_rule
RMF Control
Severity
Low
CCI
Version
DSN20.02
Vuln IDs
  • V-8514
Rule IDs
  • SV-9009r1_rule
Requirement: The IAO at the SMU site will ensure that the SMU ADIMSS connection is dedicated to the ADIMSS network.
Vulnerability Discussion: In addition to the administrator terminal connection, a secondary connection is also provided for the ADIMSS network. This connection is used for remote access to the system to collect call processing and billing information. This connection is a serial connection to the SMU from an ADIMSS server physically located on site. This ADIMSS server is in turn connected to the ADIMSS network via an Ethernet connection. This server should be dedicated to the ADIMSS and SMU and not connected to any other network.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

A SMU component is not installed in a controlled space with visitor access controls applied.
High - V-8515 - SV-9010r1_rule
RMF Control
Severity
High
CCI
Version
DSN20.01
Vuln IDs
  • V-8515
Rule IDs
  • SV-9010r1_rule
Requirement: The IAO at the SMU site will ensure that the SMU has adequate physical security protection.
Vulnerability Discussion: The system design and architecture of the SMU provides for no security configuration capability (i.e., user account, password, privileged user, or auditing capability). Trunk and subscriber provisioning is accomplished via an administrator’s terminal, which is a dumb terminal, connected to the system via serial connection. From this terminal, at power up, the user has direct access to provisioning features of the system. Therefore, security protection to the SMU is provided through the physical security of the unit.
None
Potential Impacts:
> Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
> Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7664r1_chk

> Perform a walk through of the facility to confirm that all DSN core and transmission devices that are part of the system are located in a secure room or locked cabinet.

Fix: F-8011r1_fix

> Take measures to apply or install or upgrade physical security for system core assets (Switches, Servers,) and transmission devices (network switches, routers, muxes, devices). Limit, control, and document the distribution of keys to access the equipment.

Network management/maintenance ports are not configured to “force out” or drop any user session that is interrupted for more than 15 seconds.
Medium - V-8516 - SV-9011r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.17
Vuln IDs
  • V-8516
Rule IDs
  • SV-9011r1_rule
Requirement: The IAO will ensure that network connected management ports drop a connection that is interrupted for any reason within 15 seconds.
Vulnerability Discussion: Network ports that are interrupted due to link disconnection, power failure or other reasons must end any session using that connection. This will prevent a user from ending a session without logging off and leaving the maintenance port available with an active session that might allow unauthorized use by someone other than the authenticated user.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

OOB management network are NOT dedicated to management of like or associated systems
Medium - V-8517 - SV-9012r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.16
Vuln IDs
  • V-8517
Rule IDs
  • SV-9012r1_rule
Requirement: The IAO will ensure that network connected switch and device management ports are connected to a network dedicated to management of the device only and/or that of other associated devices, i.e. an out-of-band management network.
Vulnerability Discussion: Management networks must be dedicated to management to mitigate unauthorized access to the managed systems or to the sensitive management information/traffic that is carried on the network.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

An OOB Management DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
Medium - V-8518 - SV-9013r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN18.15
Vuln IDs
  • V-8518
Rule IDs
  • SV-9013r1_rule
Requirement: The IAO will ensure that out-of-band management networks comply with the Enclave and Network Infrastructure STIGs.
Vulnerability Discussion: Out-of-band management networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that the threats and/or vulnerabilities associated with all networks and enclaves are properly mitigated according to DoD policy.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7302r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA).
Medium - V-8519 - SV-9016r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN06.02
Vuln IDs
  • V-8519
Rule IDs
  • SV-9016r1_rule
Requirement: The IAO and IAM will ensure that all Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems shall be vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA).
Vulnerability Discussion: All SAs, and particularly those who are foreign or local nationals, must have the appropriate clearance before being granted access to DoD systems. Failure to do this may result in unauthorized access or compromise.
None
Potential Impacts: Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: PECF-1, ECAN-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7513r1_fix

Obtain a System Authorization Access Request (SAAR) DD Form 2875 for each DRSN user to validate their need-to-know.

Foreign/Local National personnel have duties or access privileges that exceed those allowed by DODI 8500.2 E3.4.8.
Medium - V-8520 - SV-9017r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN06.03
Vuln IDs
  • V-8520
Rule IDs
  • SV-9017r1_rule
Requirement: The IAO and IAM will ensure that all Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems shall be granted duties and system access in accordance with DODI 8500.2 E3.4.8.
Vulnerability Discussion: All SAs, and particularly those who are foreign or local nationals, must not be given duties or access privileges that exceed those allowed by DoD policy and must only be granted enough access as required to perform the assigned duties. Failure to do this may result in unauthorized access or compromise.
None
Potential Impacts:
> Denial of Service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: ECAN-1, PECF-1
Checks: C-7650r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.
Medium - V-8531 - SV-9028r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN17.04
Vuln IDs
  • V-8531
Rule IDs
  • SV-9028r1_rule
Requirement: The IAO will ensure that the latest software loads and patches are applied to all systems to take advantage of security enhancements.
Vulnerability Discussion: Many vendors provide patches or new versions of software to incorporate mitigations for newly discovered security vulnerabilities. In some cases this is the only way to mitigate a threat to the system. SAs are therefore required to use the latest vendor provided software or patch that addresses security. This is not the case if the new software only provides additional features or a patch only resolves an operational issue or bug.
None
Potential Impacts: Denial of Service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7594r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Maintenance and security patches are NOT approved by the local DAA prior to installation in the system
Medium - V-8532 - SV-9029r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN17.05
Vuln IDs
  • V-8532
Rule IDs
  • SV-9029r1_rule
Requirement: The IAO will ensure that maintenance and security patches that are applied to a system are approved by the local DAA before installation.
Vulnerability Discussion: All patches and new system software must be tested on non-production systems/hardware prior to use / installation to determine the effects that the new software will have on systems operations and security. Furthermore, the local DAA responsible for personally accepting the risk of operating the system must be aware of these effects and approve their use if the risk of using the software is acceptable.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
> The inability to restore operations swiftly following a system failure due to the application of untested code.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7374r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Major software version upgrades have NOT been tested, certified, and placed on the DSN APL before installation.
Medium - V-8535 - SV-9032r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN17.06
Vuln IDs
  • V-8535
Rule IDs
  • SV-9032r1_rule
Requirement: The IAO will ensure that major software version upgrades have been tested, certified, and placed on the DSN APL before installation.
Vulnerability Discussion: All new system major software releases must be tested on non-production systems/hardware prior to use / installation to determine the effects that the new software will have on systems operations and security. This is a requirement under DODI 8100.3 for system software.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
> The inability to restore operations swiftly following a system failure due to the application of untested code.
Responsibility: Information Assurance Officer
IA Controls: DCAS-1, EBCR-1, ECSC-1
Checks: C-7374r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

There is no system installed that can provide emergency life safety or security announcements
Unknown - V-8537 - SV-9034r1_rule
RMF Control
Severity
Unknown
CCI
Version
DSN08.02
Vuln IDs
  • V-8537
Rule IDs
  • SV-9034r1_rule
Requirement: The IAO should ensure that a system is installed to provide emergency announcements and messages in accordance with public law in response to 11 September 2001 and/or local building codes.
Vulnerability Discussion: Local building codes have for years required that certain facilities provide for emergency alert/evacuation announcement sound systems that are used for life safety. These types of systems are even more useful and may be required by federal or public law in the wake of 9/11/2001. In addition to life safety announcements about an evacuation or emergency condition within a facility, these systems may be used for security alerts that could, for example, instruct site personnel to be on the lookout for an intruder or other unauthorized person.
None
Potential Impacts: Reduced awareness by site personnel of potentially life threatening situations or security breaches. Loss of life, reduction of site security due to ignorance of emergencies and situations.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7327r1_chk

Perform a walk through of the facility and confirm compliance via inspection of the affected devices or items.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur.
Medium - V-8539 - SV-9036r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN08.03
Vuln IDs
  • V-8539
Rule IDs
  • SV-9036r1_rule
Requirement: The IAO will ensure that a policy is in place and enforced regarding the use of telephone instruments connected to unclassified telecommunications systems located in areas or rooms where classified meetings, conversations, or work normally occur.
Vulnerability Discussion: All unclassified voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmit it, or send it down the wire, even when the phone is on hook. This ability is usually caused by poor design or malfunction in the hook switch circuitry. Additionally, speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work.
None
Potential Impacts:
> Loss of confidentiality
> Unauthorized access to classified information for which the recipient does not either have the proper clearance or need-to-know.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7649r2_chk

Or review the required “documents on file” that are necessary for compliance with the requirement.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
Medium - V-8541 - SV-9038r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN04.10
Vuln IDs
  • V-8541
Rule IDs
  • SV-9038r1_rule
Requirement: The IAO will ensure that OAM&P / NM and CTI networks comply with the Enclave and Network Infrastructure STIGs.
Vulnerability Discussion: OAM&P / NM and CTI networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that the threats and/or vulnerabilities associated with all networks and enclaves are properly mitigated according to DoD policy.
None
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7701r1_chk

Obtain a copy of Network and Enclave SRRs or Self Assessment results and review for compliance OR perform Network and Enclave SRRs on the OAM&P / NM and/or CTI network. If there are a significant number of findings reported or if an applicable STIG was not applied, this is a finding. Note: Voice/Video/RTS and/or OAM&P / NM and/or CTI network systems and devices are required to be tested, certified, accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Fix: F-8041r1_fix

Configure all OAM&P / NM or CTI networks in accordance with the Enclave and Network Infrastructure STIGs while taking into account any DSAWG approved open findings and their mitigations for the given solution.

An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
Medium - V-8542 - SV-9039r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN04.09
Vuln IDs
  • V-8542
Rule IDs
  • SV-9039r1_rule
Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) WAN.
Vulnerability Discussion: The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to a WAN negates this protection unless a proper boundary is created. Such a boundary should be a firewall. Access to the dedicated LAN and the devices on it from the WAN must be filtered by source and destination IP addresses as well as the specific ports and protocols that are required or permitted to cross the boundary. This is not a finding if there is a DAA approved and documented requirement where the connection is controlled through a dedicated firewall that only allows restricted access from specific devices or management stations. Additionally, this is not a finding if the “WAN” connection is actually a connection to a dedicated management WAN that is an extended enclave such as the ADIMSS. Boundary protection in the form of a firewall or router ACL to provide the appropriate filtering is still required.
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCPA-1, DCID-1, EBCR-1, ECSC-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-8033r1_fix

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.
Medium - V-8543 - SV-9040r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN08.04
Vuln IDs
  • V-8543
Rule IDs
  • SV-9040r1_rule
Requirement: In the event that a telephone instrument connected to an unclassified telecommunications system is placed within a Sensitive Compartmented Information Facility (SCIF), the IAO will ensure that the instrument is configured such that the instrument provides on-hook audio protection and that the speakerphone audio pickup feature (microphone) is disabled or is nonexistent. (RE: Director of Central Intelligence Directive (DCID) 6/9 Annex G, Paragraphs 2.2.1, 2.2.1.1, 2.2.1.6, and Telecommunications Security Group (TSG) Standard 2)
Vulnerability Discussion: All voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmit it, or send it down the wire, even when the phone is on hook. This ability is usually caused by poor design or malfunction in the hook switch circuitry. This is covered in TSG Standard 2. Additionally, speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work such as SCIFs. Additionally, in VoIP systems in which the central call manager controls the telephone instrument, there is the potential of hijacking control of the instrument from somewhere else on the network. This potential vulnerability means that audio pickup might be activated clandestinely without the knowledge of the people near it. Speakerphones and push to talk handsets are covered in DCID 6/9.
None
Potential Impacts:
> Loss of confidentiality
> Unauthorized access to classified information for which the recipient does not either have the proper clearance or need-to-know.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7649r2_chk

Or review the required “documents on file” that are necessary for compliance with the requirement.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.
Medium - V-8544 - SV-9041r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN04.08
Vuln IDs
  • V-8544
Rule IDs
  • SV-9041r1_rule
Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) LAN.
Vulnerability Discussion: The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection unless a proper boundary is created. Such a boundary should be a firewall but minimally must be a router ACL. Access to the dedicated LAN and the devices on it must be filtered by source and destination IP addresses as well as the specific ports and protocols that are required or permitted to cross the boundary. This is not a finding if there is a DAA approved and documented requirement where the connection is controlled through a dedicated firewall or router ACL that only allows restricted access from specific devices or management stations.
Potential Impacts:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCID-1, EBCR-1, ECSC-1, DCPA-1
Checks: C-7373r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications.
Medium - V-8545 - SV-9042r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN04.07
Vuln IDs
  • V-8545
Rule IDs
  • SV-9042r1_rule
Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may be combined taking into consideration the vulnerabilities of each system and with documented local DAA approval.

OAM&P/NM and CTI terminals must connect to the switch by using either a direct connection to the system administration port or through a dedicated, out-of-band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks.

The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection.

OAM&P/NM and CTI solutions are tested and approved for DSN APL listing based on a dedicated / OOB network for each solution. In keeping with the requirement that APL solutions be implemented in the same configuration as was tested, these systems must be implemented on a dedicated LAN for each solution. This is because there is no way of knowing what security risks will result from merging different solutions on a single LAN without testing the specific combination. One solution could affect the security of the other. This is not a finding if testing has determined that the combination of solutions does not degrade the security posture of either solution AND the local DAA has approved the combination of solutions in writing. This testing must be documented and maintained for review by auditors along with the DAA approval.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCPA-1, ECSC-1, DCID-1, EBCR-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

b
The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information
Medium - V-8546 - SV-9043r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN15.07
Vuln IDs
  • V-8546
Rule IDs
  • SV-9043r1_rule
Requirement: The IAO will ensure that the auditing process records security relevant actions (e.g., the changing of security levels or categories of information). Security relevant actions such as the following should be recorded to provide an effective security audit process:
- Logons and logouts
- Excessive logon attempts/failures
- Remote system access
- Change in privileges or security attributes
- Change of security levels or categories of information
- Failed attempts to access restricted system privilege levels or data files
- Audit file access (if possible)
- Password changes
- Device configuration changes

The information that each audit record should have is as follows:
- Date and time of the event
- Origin of the request (e.g., terminal ID)
- Unique ID of the user who initiated the event
- Type of event
- Success or failure
- Description of modification to configurations

Potential Impacts: The inability to take administrative action or prosecute for inappropriate actions or system abuse. The inability to effectively troubleshoot problems. Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECAR-1, ECAR-2, ECAR-3
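The two lists above can be turned into a review aid: the following script, added here as an example and not part of the STIG or any vendor's tooling, parses a constructed batch of audit records, flags records missing the required fields, and reports which security-relevant event types never appear in the sample. The `key=value;...` line format and the event names are assumptions for this example and must be mapped to the real switch's audit output.

```python
"""Audit-trail completeness check for the DSN15.07 event and field lists.

Added example, not part of the STIG. The record format and event names below
are assumptions; map them to the device's actual audit output before use.
"""

# Fields every audit record should carry (requirement text), in report order.
REQUIRED_FIELDS = [
    ("ts", "date and time of the event"),
    ("origin", "origin of the request (e.g., terminal ID)"),
    ("user", "unique ID of the user who initiated the event"),
    ("event", "type of event"),
    ("outcome", "success or failure"),
]
# Events that modify the system additionally need "desc" (description of the change).
MODIFYING_EVENTS = {"config_change", "privilege_change", "security_level_change"}

# Security-relevant actions the audit process must record (assumed event names).
REQUIRED_EVENT_TYPES = {
    "logon", "logoff", "logon_failure", "excessive_logon_failures",
    "remote_access", "privilege_change", "security_level_change",
    "restricted_access_failure", "audit_file_access", "password_change",
    "config_change",
}

# Constructed sample audit trail; records 2 and 4 are deliberately deficient.
SAMPLE_LOG = """\
ts=2014-10-06T14:02:11Z;origin=TTY03;user=jsmith;event=logon;outcome=success
ts=2014-10-06T14:05:40Z;origin=TTY03;user=jsmith;event=config_change;outcome=success;desc=trunk group 7 route table changed
ts=2014-10-06T14:09:02Z;origin=REMOTE-NOC1;user=;event=privilege_change;outcome=success
ts=2014-10-06T14:11:30Z;origin=TTY01;user=rlee;event=password_change;outcome=success
ts=2014-10-06T14:12:00Z;origin=TTY01;user=rlee;event=security_level_change;outcome=ok
"""


def parse_record(line):
    """Parse one 'key=value;key=value' line (constructed format) into a dict."""
    record = {}
    for item in line.strip().split(";"):
        if item:
            key, _, value = item.partition("=")
            record[key.strip()] = value.strip()
    return record


def check_record(index, record):
    """Return (index, message) findings for one parsed audit record."""
    findings = []
    for key, meaning in REQUIRED_FIELDS:
        if not record.get(key):  # absent or empty both count as missing
            findings.append((index, f"missing {meaning} ('{key}')"))
    outcome = record.get("outcome")
    if outcome and outcome not in ("success", "failure"):
        findings.append((index, f"outcome must be success or failure, got '{outcome}'"))
    if record.get("event") in MODIFYING_EVENTS and not record.get("desc"):
        findings.append((index, "modification recorded without a description of the change"))
    return findings


def check_audit_trail(text):
    """Check every record, then report required event types absent from the sample.

    A type missing from a sample is a coverage gap to verify against the device's
    audit configuration, not by itself proof that the action is never recorded.
    """
    findings = []
    seen = set()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        record = parse_record(line)
        findings.extend(check_record(index, record))
        seen.add(record.get("event"))
    for event in sorted(REQUIRED_EVENT_TYPES - seen):
        findings.append((None, f"no record of security-relevant event type '{event}'"))
    return findings


if __name__ == "__main__":
    for index, message in check_audit_trail(SAMPLE_LOG):
        where = f"record {index}" if index is not None else "coverage"
        print(f"{where}: {message}")
```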
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

a
The available option of Command classes or command screening is NOT being used to limit system privileges
Low - V-8554 - SV-9051r1_rule
RMF Control
Severity
Low
CCI
Version
DSN06.07
Vuln IDs
  • V-8554
Rule IDs
  • SV-9051r1_rule
Requirement: The IAO will ensure that devices that are capable of command screening or command classes are configured to use this feature in conjunction with DAC. Input screening in telecommunications switches is the feature that permits an authorized individual to use one or more command classes. This feature supports DAC requirements and is used for both local and remote administration of the switches. Most switches utilize user password protection to access the operation and configuration of the switch. Most switch designs utilize levels of privileged access, each using password submission and validation at each level, to allow access to that particular function. The lowest privilege level would allow user access to perform various routine maintenance tasks or entry of subscriber data. A second level would give access to perform highly important routines, configuration changes, and change capability of first and second level passwords. Changing a second level password often requires a distinct identification or special password. Discretionary access control for system administration and maintenance access to the switch or peripheral system commands must be restricted based on the required functions or role of the user where technically feasible. Input command screening can be implemented in switches to further control user access and privileges. To do this, individual commands available in the switch are first assigned a specific command class. Each Administrative/Maintenance user is then assigned a primary function that is associated with a collection of input commands that the system accepts from that specific user. This is not a finding if the system does not support command screening.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECLP-1, ECSC-1
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

a
All system administrative and maintenance user accounts are not documented.
Low - V-8556 - SV-9053r1_rule
RMF Control
Severity
Low
CCI
Version
DSN06.06
Vuln IDs
  • V-8556
Rule IDs
  • SV-9053r1_rule
Requirement: The IAO will document all system administrative and maintenance user accounts. It is imperative that the IAO and SA are aware of all administrative and maintenance accounts that are configured on the system. These accounts must be documented and validated against the roster of SAs and maintenance users that are approved for access to the system. Unneeded accounts provide a means of compromise. Additionally, for each user / allowable account, the privileges, roles, and allowable commands for the account must be documented.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-7690r1_chk

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

b
System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.
Medium - V-8558 - SV-9055r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN06.05
Vuln IDs
  • V-8558
Rule IDs
  • SV-9055r1_rule
Requirement: The IAO will ensure that all systems and devices employ a role-based Discretionary Access Control system used to control access to OAM&P / NM systems, the devices they manage, and their command classes for administrative and maintenance users commensurate with their assigned responsibilities. To ensure system security, all assigned administrator and maintenance user account privileges must be limited to perform their specific function. Furthermore, super user access is to be held to a minimum and assigned to only those most knowledgeable of the system. This finding can be closed if a specific device does not support DAC but another device or system provides the DAC function. This situation must be documented and accepted by the local DAA. Additionally, this finding can be closed if the device appears on the DSN APL and is installed in accordance with its certification requirements.
Potential Impacts: Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECLP-1, ECSC-1
Checks: C-7372r1_chk

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

b
Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems
Medium - V-8559 - SV-9056r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.17
Vuln IDs
  • V-8559
Rule IDs
  • SV-9056r1_rule
Requirement: The IAO will ensure strong two-factor authentication is required to access all management system workstations and administrative / management ports on any device or system. The term strong two-factor authentication refers to the use of two forms of identification. This is usually something you know and something you have. A username and password is not considered two-factor authentication. It is actually the something you know. This could also be a security code. The something you have is typically a physical token. An example of this is a bankcard and PIN. Additionally there are tokens associated with one-time password access control systems available such as RSA Security's SecurID and Quest Software's NC-Pass. These provide a constantly changing code that is used in conjunction with an additional PIN or password to generate a one-time password. The code is generated by a RNG algorithm that is synchronized with a server application (e.g., RSA ACE). These and similar tokens are, and have been, widely used in DoD for access control to network elements, servers, and mainframes. These and similar one-time password tokens used in conjunction with their associated access control servers meet the intent of this requirement. NOTE: One-time password tokens and systems are older technology which is no longer mentioned in DoD policy even though the technology has been in previous DoD policy; has been in use for some time; and is currently being used in many instances for access control to legacy systems. Going forward, however, DoD policy only supports DoD's token of choice which is the Common Access Card (CAC) or Personal Identity Verification (PIV) card which contain DoD Public Key Infrastructure (PKI) certificates. The CAC/PIV is the DoD's token of choice. Meeting this requirement does not satisfy requirements that dictate the use of CAC/PKI tokens.
The use of a one-time-password token and access control server can only (and may only) serve as a mitigation for not being able to meet CAC/PKI requirements. This is typical of older legacy systems such as mainframes. APL NOTE: New systems being developed for use by DoD and those being tested for inclusion on the DoD Approved Products List (APL) should support CAC/PKI tokens rather than one-time password token systems. This finding can be reduced to a CAT III where access to the non-compliant device (except management stations) is directly controlled by a device that is compliant such as an access router.
Potential Impacts: Loss of management control of the system and potential system abuse. Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAAC-1, ECSC-1
Checks: C-7374r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-7968r1_fix

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

b
Access to all management system workstations and administrative / management ports is NOT remotely authenticated
Medium - V-8560 - SV-9057r1_rule
RMF Control
Severity
Medium
CCI
Version
DSN13.16
Vuln IDs
  • V-8560
Rule IDs
  • SV-9057r1_rule
Requirement: The IAO will ensure that remote authentication is used to control access to all management system workstations and administrative / management ports on any device or system. The term remote authentication refers to a system or device that communicates with a remote Authentication Authorization Accounting (AAA) server to validate the user's account information before granting access. The remote server can also control user rights or permissions based on their defined roles. Systems such as RADIUS, DIAMETER, and TACACS+ typically provide this functionality for network elements. Systems such as domain controllers provide this functionality for network management workstations. The use of a centralized AAA server provides for centralized management of all network element SAs' accounts and privileges. This eliminates the need for an SA to have an individual account on each network element. This reduces the chance that an account will be compromised since the centralized server can be better protected than each network element. This also reduces the number of accounts in the network that can be easily accessed and compromised. A network consists of many network elements that cannot be individually protected. An SA account on each multiplies the chance that an account can be compromised. Additionally, the use of a centralized AAA server supports proper password management when a SA is required to manage multiple devices. If the SA had to change his/her password on each device, the chance that a password is not changed (device missed) is greater. NOTE: This requirement supports, and is supported by, the Network Infrastructure STIG requirements that AAA servers are to be implemented in the enclave's management network. In general the DSN system should integrate with the AAA service that already exists in the enclave's management network if possible.
This requirement is primarily focused on a group of distributed devices such as those that comprise a network (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc). While a system/device that is itself centralized (e.g., a telecom switch or VoIP controller) may be capable of comprehensive role based AAA services such that it can stand on its own, and can be protected from external access much as a centralized AAA server would be, it is still best practice to integrate such a device with a centralized AAA server, particularly if multiple SAs must have access from multiple locations such as different local or remote NOCs. This finding can be reduced to a CAT III where access to the noncompliant device (except management workstations) is directly controlled by a device that is compliant such as an access router. This is a CAT III finding for a system/device that is itself centralized (e.g., a telecom switch or VoIP controller); that provides comprehensive role based AAA services on its own and is protected from external access much as a centralized AAA server would be. (NOTE: the finding cannot be eliminated since it is still beneficial and preferred that a centralized solution be used.) APL NOTE: the system/device should support the use of external AAA services particularly if it is normally deployed in a distributed manner (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc). If not, this is a CAT II finding. In the event the system/device is normally deployed in a centralized manner, AND it provides comprehensive role based AAA services such that it can stand on its own BUT it does not support remote AAA services, this is a CAT III finding.
Potential Impacts: Loss of management control of the system and potential system abuse. Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, IAAC-1
Checks: C-7594r1_chk

Review current configuration files of affected devices to confirm compliance.

Fix: F-27800r1_fix

Configure the system to utilize the services of a centralized AAA server. Typically this server will be the same as is implemented in the network management network, where there should be a primary and a backup server. Additionally, configure the system to utilize these primary and backup AAA servers. NOTE: In the event the system/device cannot reach a centralized AAA server (such as in a tactical environment), configure the system to provide comprehensive AAA services locally.

b
Deficient Policy or SOP regarding VTC, PC, and speakerphone microphone operations regarding their ability to pick up and transmit sensitive or classified information in aural form.
Medium - V-16076 - SV-17063r1_rule
RMF Control
Severity
Medium
CCI
Version
VVT/VTC 1905 (GENERAL)
Vuln IDs
  • V-16076
Rule IDs
  • SV-17063r1_rule
Microphones used with VTC systems and devices are designed to be extremely sensitive such that people speaking anywhere within a conference room are picked up and amplified so they can be heard clearly and understood at the remote location(s) on the call. This same sensitivity is included in VTUs that are used in office spaces. This has one disadvantage. The microphones can pick up sidebar conversations that have no relationship to the conference or call in progress. Likewise, in an open area, received conference audio can be broadcast to others in the area that are not part of the conference, and possibly should not be exposed to the conference information for need-to-know reasons. Speakerphones exhibit a similar vulnerability. This is the same confidentiality vulnerability posed to audible sound information in the environment as discussed above with the added twist that the conference audio is vulnerable to others in the environment. While this is more of an issue in environments where classified conversations normally occur, it is also an issue in any environment. This is of particular concern in open work areas or open offices where multiple people work in near proximity. Users or operators of VTC systems of any type must take care regarding who can hear what is being said during a conference call and what unrelated conversations can be picked up by the sensitive microphone(s). Where a VTU is used by a single person in an open area, a partial mitigation for this could be the use of a headset with earphones and a microphone. While this would limit the ability of others to hear audio from the conference and could also limit the audio pickup of unrelated conversations, it may not be fully effective.
In some instances, such as when a VTU is located in a SCIF, a Push-to-Talk (PTT) handset/headset may be required. Microphones embedded in or connected to a communications endpoint, PC, or PC monitor can be sensitive enough to pick up sound that is not related to a given communications session. They could pick up nearby conversations and other sounds. This capability could compromise sensitive or classified information that is not related to the communications in progress. Speakers embedded in or connected to a communications endpoint or PC can be made loud enough to be heard across a room or in the next workspace (e.g., cube). This capability could compromise sensitive or classified information that is being communicated during a session. Users must be aware of other conversations in the area and their sensitivity when using any communications endpoint, not only a PC based voice, video, or collaboration communications application. This awareness must then translate into protecting or eliminating these other conversations. A short range, reduced gain, or noise canceling microphone may be required. A push-to-talk microphone may also be required for classified areas. The microphone should be muted when the user is not speaking as both a mitigation for this issue, and for proper etiquette when participating in a conference. The muting function should be performed using a positively controlled disconnect, shorting switch, or mechanism instead of a software controlled mute function on the PC. Users must be aware of other people in the area that could hear what is being communicated. This is particularly an issue if the communicated information is sensitive or classified since the parties overhearing the information may not have proper clearance or a need-to-know. To mitigate this issue, a headset or speakers should be used and at a volume that only the user can hear.
Potential Impacts: The inadvertent transmission of sensitive or classified information within the pickup range of a microphone or broadcast range of a speaker used for audio communications resulting in the improper disclosure of sensitive or classified information.
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: DCBP-1, ECSC-1, ECND-1
Checks: C-17118r1_chk

Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures are included in user training and guides. NOTE: This SOP should take into account the classification of the area where the VTU or PC supporting a PC based voice, video, UC, and collaboration communications applications is installed as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Along with those mentioned above, measures should be included such as closing office or conference room doors; muting of microphones before and after conference sessions, and during conference breaks; volume levels in open offices as well as muting the microphone when not speaking. Inspect the applicable SOP. Such an SOP should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It should also address the potential for the pickup of non-session related conversations in the work area. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. This is a finding if the SOP or training is deficient.

Fix: F-16180r1_fix

Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures are included in user training and guides. Produce an SOP that addresses the operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Such an SOP could or should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It could or should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It could or should also address the potential for the pickup of non-session related conversations in the work area. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.

a
DSN system components Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.
Low - V-55025 - SV-69271r1_rule
RMF Control
Severity
Low
CCI
Version
DSN19.02
Vuln IDs
  • V-55025
Rule IDs
  • SV-69271r1_rule
The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. System use notification messages must be displayed when individuals log on to the information system. The approved DoD text must be used as specified in the DoD Instruction 8500.01 dated March 14, 2014.
IA Controls: ECSC-1, ECWM-1
Checks: C-55647r2_chk

Interview the ISSO to validate compliance with the following requirement: Verify all DSN system components retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.

Fix: F-59891r1_fix

Configure all DSN system components to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.