Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide

  • Version/Release: V1R1
  • Published: 2024-03-06

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Enterprise Voice, Video, and Messaging Endpoint must not be configured with any vendor default accounts, PINs, or passwords to access configuration settings.
AC-3 - Medium - CCI-000213 - V-259940 - SV-259940r948789_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
SRG-NET-000015-VVEP-00100
Vuln IDs
  • V-259940
Rule IDs
  • SV-259940r948789_rule
Many Enterprise Voice, Video, and Messaging Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore, these devices should be considered a target to be defended against individuals that would collect voice network information for illicit purposes. To mitigate information gathering by adversaries, measures must be taken to protect this information.
Checks: C-63671r948787_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint does not use the default PIN or password to access configuration settings. If the Enterprise Voice, Video, and Messaging Endpoint uses the default PIN or password to access configuration settings, this is a finding.

Fix: F-63578r948788_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to not use the default PIN or password to access configuration settings.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to prevent the configuration or display of configuration settings without the use of a PIN or password.
AC-3 - Medium - CCI-000213 - V-259941 - SV-259941r948792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
SRG-NET-000015-VVEP-00101
Vuln IDs
  • V-259941
Rule IDs
  • SV-259941r948792_rule
Many Enterprise Voice, Video, and Messaging Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore, these devices should be considered a target to be defended against individuals that would collect voice network information for illicit purposes. To mitigate information gathering by adversaries, measures must be taken to protect this information.
Checks: C-63672r948790_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to prevent the configuration or display of configuration settings without the use of a PIN or password. If the Enterprise Voice, Video, and Messaging Endpoint does not prevent the configuration or display of configuration settings without the use of a PIN or password, this is a finding.

Fix: F-63579r948791_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to prevent the configuration or display of configuration settings without the use of a PIN or password.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to register with an Enterprise Voice, Video, and Messaging Session Manager.
AC-3 - High - CCI-000213 - V-259942 - SV-259942r956070_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SRG-NET-000015-VVEP-00102
Vuln IDs
  • V-259942
Rule IDs
  • SV-259942r956070_rule
For most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, service/policy profile with two-stage authentication prior to authorizing the establishment of the session and user service. The event of successful registration creates the session record immediately. VC systems register using a similar process with a gatekeeper. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.
Checks: C-63673r956068_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint registers with an Enterprise Voice, Video, and Messaging Session Manager. If the Enterprise Voice, Video, and Messaging Endpoint does not register with an Enterprise Voice, Video, and Messaging Session Manager, this is a finding.

Fix: F-63580r956069_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to register with an Enterprise Voice, Video, and Messaging Session Manager.

The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled.
AC-4 - Medium - CCI-001368 - V-259943 - SV-259943r948798_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVEP-00101
Vuln IDs
  • V-259943
Rule IDs
  • SV-259943r948798_rule
Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.
Checks: C-63674r948796_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint PC port is configured to maintain VLAN separation from the voice video VLAN or is disabled. If the Enterprise Voice, Video, and Messaging Endpoint PC port is disabled, this is not a finding. If the Enterprise Voice, Video, and Messaging Endpoint PC port does not maintain VLAN separation from the voice video VLAN, this is a finding.

Fix: F-63581r948797_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint PC port to maintain VLAN separation from the voice video VLAN or be disabled.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to integrate into the implemented 802.1x network access control system.
AC-4 - Medium - CCI-001368 - V-259944 - SV-259944r948801_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVEP-00102
Vuln IDs
  • V-259944
Rule IDs
  • SV-259944r948801_rule
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Enterprise Voice, Video, and Messaging Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x. MAC Authentication Bypass is permitted by the Enterprise Voice, Video, and Messaging Requirements Guide when the endpoint does not support 802.1x or when required by mission continuity of operation requirements.
Checks: C-63675r948799_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to integrate into the implemented 802.1x network access control system. If the Enterprise Voice, Video, and Messaging Endpoint does not integrate into the implemented 802.1x network access control system, this is a finding.

Fix: F-63582r948800_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to integrate into the implemented 802.1x network access control system.

The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to connect to an 802.1x supplicant or the PC port must be disabled.
AC-4 - Medium - CCI-001368 - V-259945 - SV-259945r956071_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVEP-00104
Vuln IDs
  • V-259945
Rule IDs
  • SV-259945r956071_rule
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Enterprise Voice, Video, and Messaging Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x. An Enterprise Voice, Video, and Messaging Endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Enterprise Voice, Video, and Messaging Endpoint authentication to the network. This condition may permit devices connected to the PC port to access the LAN. The access switchport can be configured in one of the following modes: single-host, multi-host, or multi-domain. Single-host allows only one device to authenticate, and only packets from this device's MAC address will be allowed, dropping all other packets. Multi-host mode requires one host to authenticate, but once this is done, all packets regardless of source MAC address will be allowed. For both the PC attached to the PC port and the Enterprise Voice, Video, and Messaging Endpoint to authenticate separately, multi-domain authentication on the access switchport must be configured. This divides the switchport into a data and a voice domain. In this case, if more than one device attempts authorization on either the voice or the data domain of a port, the switchport goes into an error disable state.
Disabling the PC port requires that the network access switchports be configured with the appropriate VLAN for the VVoIP or VTC traffic and that the disabled PC port traffic be placed on the unused VLAN. MAC Address Bypass (MAB) is a possible mitigation for this vulnerability.
Checks: C-63676r948802_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint PC port is configured to connect to an 802.1x supplicant or is disabled. If the Enterprise Voice, Video, and Messaging Endpoint PC port is disabled, this is not a finding. If the Enterprise Voice, Video, and Messaging Endpoint PC port is not disabled and is not an 802.1x authenticator, this is a finding.

Fix: F-63583r948803_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint PC port to connect to an 802.1x supplicant in the implemented 802.1x network access control system or be disabled.

The Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.
AC-4 - Medium - CCI-001368 - V-259946 - SV-259946r956072_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVEP-00106
Vuln IDs
  • V-259946
Rule IDs
  • SV-259946r956072_rule
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport limiting traffic to a specific VLAN or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Enterprise Voice, Video, and Messaging Endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x. An Enterprise Voice, Video, and Messaging Endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Enterprise Voice, Video, and Messaging Endpoint authentication to the network. This condition may permit devices connected to the PC port to access the LAN. Daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless the PC port is an 802.1x authenticator and configured to work with an approved authentication server. Disabling the PC port requires that the network access switchports be configured with the appropriate VLAN for the VVoIP or VTC traffic and that the disabled PC port traffic be placed on the unused VLAN. MAC Address Bypass (MAB) is a possible mitigation for this vulnerability.
Checks: C-63677r948805_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x is configured to use MAB on the access switchport. If the Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x is not configured to use MAB on the access switchport, this is a finding.

Fix: F-63584r948806_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x to use MAB on the access switchport.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to use a voice video VLAN, separate from all other VLANs.
AC-4 - Medium - CCI-001368 - V-259947 - SV-259947r948810_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVEP-00107
Vuln IDs
  • V-259947
Rule IDs
  • SV-259947r948810_rule
Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.
Checks: C-63678r948808_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to use a voice video VLAN separate from all other VLANs. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN. If the Enterprise Voice, Video, and Messaging Endpoint does not use a voice video VLAN separate from all other VLANs, this is a finding.

Fix: F-63585r948809_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to use a voice video VLAN separate from all other VLANs.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable the Far End Camera Control feature if supported.
AC-4 - Medium - CCI-001368 - V-259948 - SV-259948r948811_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVEP-00108
Vuln IDs
  • V-259948
Rule IDs
  • SV-259948r948811_rule
Many VTC endpoints support Far End Camera Control (FECC). This feature uses H.281 protocol, which must be supported by both VTUs. Typically, this is only available during an active VTC session but could be available if the VTU is compromised or if a call is automatically answered. Allowing another conference attendee to take control of the camera can place the confidentiality of nonconference-related information at risk. FECC should be disabled to prevent the control of the near end camera by the far end unless required to satisfy validated mission requirements.
Checks: C-63679r946811_chk

Ensure far end camera control is disabled unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the ISSO for inspection by auditors. Such approval is obtained from the AO or ISSM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU; i.e., far end camera control must be able to be disabled or the feature must not be supported. Determine if remote monitoring is required and approved to meet mission requirements. Have the ISSO or SA demonstrate compliance with the requirement.

Fix: F-63586r946812_fix

Perform the following tasks: Configure the CODEC to disable far end camera control. OR Document and validate the mission requirements that require far end camera control to be enabled and obtain AO approval. Maintain the requirement and approval documentation for review by auditors.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
AC-4 - Medium - CCI-000027 - V-259949 - SV-259949r948814_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000027
Version
SRG-NET-000029-VVEP-00010
Vuln IDs
  • V-259949
Rule IDs
  • SV-259949r948814_rule
When Enterprise Voice, Video, and Messaging Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data type with which they are associated. VLAN tags are used as security attributes. These attributes are typically associated with signaling and media streams within the application and are used to enable the implementation of access control and flow control policies. Security labels for packets may include traffic flow information (e.g., source, destination, protocol combination), traffic classification based on QoS markings for preferred treatment, and VLAN identification. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.
Checks: C-63680r948812_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to apply 802.1Q VLAN tags to signaling and media traffic. If the Enterprise Voice, Video, and Messaging Endpoint does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.

Fix: F-63587r948813_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to apply 802.1Q VLAN tags to signaling and media traffic.
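One way to evidence the 802.1Q tagging check from a packet capture taken on the endpoint's switchport, as an added example that is not part of the SRG: the code parses the 802.1Q tag of each Ethernet frame and reports signaling or media frames that are untagged, priority-tagged only, or tagged for a VLAN other than the voice video VLAN. The VLAN ID 110, the frame labels, and the sample frames are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VOICE_VLAN = 110          # assumption: site-assigned voice video VLAN ID


def parse_dot1q(frame: bytes) -> dict:
    """Return the 802.1Q tag fields of an Ethernet frame.

    'vid' and 'pcp' are None when the frame carries no 802.1Q tag.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return {"vid": None, "pcp": None, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner}


def audit_capture(frames, voice_vlan=VOICE_VLAN):
    """Return (label, reason) for every frame that would be a finding."""
    findings = []
    for label, frame in frames:
        tag = parse_dot1q(frame)
        if tag["vid"] is None:
            findings.append((label, "untagged"))
        elif tag["vid"] == 0:
            # VID 0 carries a priority value only, not a VLAN assignment
            findings.append((label, "priority-tagged only (VID 0)"))
        elif tag["vid"] != voice_vlan:
            findings.append((label, f"wrong VLAN {tag['vid']}"))
    return findings


def build_frame(vid=None, pcp=0, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a sample frame (constructed test data, not a real capture)."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (pcp << 13) | vid
    return (dst + src + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


# Constructed frames, labelled by the traffic type they stand for
SAMPLE_FRAMES = [
    ("SIP signaling", build_frame(vid=110, pcp=3)),
    ("SRTP media", build_frame(vid=110, pcp=5)),
    ("SRTP media, no tag", build_frame()),
    ("SIP signaling, data VLAN", build_frame(vid=20)),
    ("SRTP media, priority tag", build_frame(vid=0, pcp=5)),
]

if __name__ == "__main__":
    for label, reason in audit_capture(SAMPLE_FRAMES):
        print(f"FINDING: {label}: {reason}")
```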

The Enterprise Voice, Video, and Messaging Endpoint must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network.
AC-8 - Medium - CCI-000048 - V-259950 - SV-259950r948817_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SRG-NET-000041-VVEP-00020
Vuln IDs
  • V-259950
Rule IDs
  • SV-259950r948817_rule
Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element. The banner must be formatted in accordance with DTM-08-060.

Use the following verbiage for network elements that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:

"I've read & consent to terms in IS user agreem't."
Checks: C-63681r948815_chk

If the Enterprise Voice, Video, and Messaging Endpoint is not configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network, this is a finding.

Fix: F-63588r948816_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - V-259951 - SV-259951r948820_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
SRG-NET-000042-VVEP-00021
Vuln IDs
  • V-259951
Rule IDs
  • SV-259951r948820_rule
The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at application logon is required. The network element must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element.
Checks: C-63682r948818_chk

If the Enterprise Voice, Video, and Messaging Endpoint is not configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users take explicit actions to log on for further access, this is a finding.

Fix: F-63589r948819_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).
AC-9 - Medium - CCI-000052 - V-259952 - SV-259952r948823_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-000052
Version
SRG-NET-000048-VVEP-00100
Vuln IDs
  • V-259952
Rule IDs
  • SV-259952r948823_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Checks: C-63683r948821_chk

Verify that the Enterprise Voice, Video, and Messaging Endpoint notifies the user, upon successful logon (access) to the network element, of the date and time of the last logon (access). If the Enterprise Voice, Video, and Messaging Endpoint does not notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access), this is a finding.

Fix: F-63590r948822_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).

The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
AC-9 - Medium - CCI-000053 - V-259953 - SV-259953r948826_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-000053
Version
SRG-NET-000049-VVEP-00100
Vuln IDs
  • V-259953
Rule IDs
  • SV-259953r948826_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Checks: C-63684r948824_chk

Verify that the Enterprise Voice, Video, and Messaging Endpoint notifies the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). If the Enterprise Voice, Video, and Messaging Endpoint does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.

Fix: F-63591r948825_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).

The Enterprise Voice, Video, and Messaging Endpoint must be configured to limit the number of concurrent sessions to an organizationally defined number.
AC-10 - Medium - CCI-000054 - V-259954 - SV-259954r948829_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
SRG-NET-000053-VVEP-00009
Vuln IDs
  • V-259954
Rule IDs
  • SV-259954r948829_rule
Enterprise Voice, Video, and Messaging Endpoint management includes the ability to control the number of user sessions, and limiting the number of allowed user sessions helps limit risk related to DoS attacks. Enterprise Voice, Video, and Messaging Endpoint sessions occur peer-to-peer for media streams and client-server with session managers. For those endpoints that conference together multiple streams, the limit may be increased according to policy, but a limit must still exist.
Checks: C-63685r948827_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to limit the number of concurrent sessions to an organizationally defined number. If the Enterprise Voice, Video, and Messaging Endpoint is not configured to limit the number of concurrent sessions to the limit set by local policy, this is a finding.

Fix: F-63592r948828_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to limit the number of concurrent sessions to the limit set by local policy.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing what type of connection occurred.
AU-3 - Medium - CCI-000130 - V-259955 - SV-259955r948832_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SRG-NET-000074-VVEP-00022
Vuln IDs
  • V-259955
Rule IDs
  • SV-259955r948832_rule
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate session records. Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by nontelephone endpoint records.
Checks: C-63686r948830_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing what type of connection occurred. The record must include the session type (voice/direct, voice/conference, video/direct, video/conference, etc.), the specific protocols used for control and media traffic (SIP/SRTP, H.323, etc.), and the type of endpoint (mobile, telephone, codec, etc.). If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing what type of connection occurred, this is a finding.

Fix: F-63593r948831_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing what type of connection occurred.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing when (date and time) the connection occurred.
AU-3 - Medium - CCI-000131 - V-259956 - SV-259956r948835_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
SRG-NET-000075-VVEP-00023
Vuln IDs
  • V-259956
Rule IDs
  • SV-259956r948835_rule
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate session records. Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by nontelephone endpoint records.
Checks: C-63687r948833_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing when the connection occurred. The record must include session start/join/leave/stop times. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the date and time when the connection occurred, this is a finding.

Fix: F-63594r948834_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the date and time when the connection occurred.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing where the connection occurred.
AU-3 - Medium - CCI-000132 - V-259957 - SV-259957r948838_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
SRG-NET-000076-VVEP-00024
Vuln IDs
  • V-259957
Rule IDs
  • SV-259957r948838_rule
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate session records. Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by nontelephone endpoint records.
Checks: C-63688r948836_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing where the connection occurred. The record must include IP addresses and port numbers. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing where the connection occurred, this is a finding.

Fix: F-63595r948837_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing where the connection occurred.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the source of the connection.
AU-3 - Medium - CCI-000133 - V-259958 - SV-259958r948841_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
SRG-NET-000077-VVEP-00025
Vuln IDs
  • V-259958
Rule IDs
  • SV-259958r948841_rule
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate session records. Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by nontelephone endpoint records.
Checks: C-63689r948839_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing the source of the connection. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the source of the connection, this is a finding.

Fix: F-63596r948840_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the source of the connection.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the outcome of the connection.
AU-3 - Medium - CCI-000134 - V-259959 - SV-259959r948844_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
SRG-NET-000078-VVEP-00025
Vuln IDs
  • V-259959
Rule IDs
  • SV-259959r948844_rule
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate session records. Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records. Detailed records are typically produced by the session manager but can be augmented by nontelephone endpoint records.
Checks: C-63690r948842_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing the outcome of the connection. Outcomes of the connection would include call completed, conference completed, destination busy, network busy, etc. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the outcome of the connection, this is a finding.

Fix: F-63597r948843_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the outcome of the connection.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the identity of all users.
AU-3 - Medium - CCI-001487 - V-259960 - SV-259960r948847_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
SRG-NET-000079-VVEP-00026
Vuln IDs
  • V-259960
Rule IDs
  • SV-259960r948847_rule
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing audit records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing audit records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate audit records.
Checks: C-63691r948845_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing the identity of all users on the call. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the identity of all users on the call, this is a finding.

Fix: F-63598r948846_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the identity of all users on the call.
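The content checks above (connection type, when, where, source, outcome, and user identity) can be run mechanically against exported session records. The following is an added example, not part of the SRG: the record field names and both sample records are constructed assumptions, since the SRG specifies record content rather than a schema.

```python
import ipaddress
from datetime import datetime

# Requirement -> Vuln ID as listed in this section. The Vuln ID of the
# connection-type rule is not shown here, so it is left as None.
RULES = {
    "type": None,
    "when": "V-259956",
    "where": "V-259957",
    "source": "V-259958",
    "outcome": "V-259959",
    "identity": "V-259960",
}


def _text(value):
    """True for a non-empty string."""
    return isinstance(value, str) and value.strip() != ""


def _stamp(value):
    """Parse a value that carries both a date and a time, else return None."""
    if not isinstance(value, str) or "T" not in value:
        return None
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _ordered(first, last):
    """True when both timestamps exist and first does not follow last."""
    try:
        return first is not None and last is not None and first <= last
    except TypeError:  # offset-aware mixed with naive timestamps
        return False


def _socket(value):
    """True for a dict holding a valid IP address and a port in 1..65535."""
    if not isinstance(value, dict) or not _text(value.get("ip")):
        return False
    try:
        ipaddress.ip_address(value["ip"])
    except ValueError:
        return False
    port = value.get("port")
    return isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535


def missing_content(record):
    """Return the requirement names (keys of RULES) that the record fails."""
    raw = record.get("participants")
    raw = raw if isinstance(raw, list) else []
    people = [p for p in raw if isinstance(p, dict)]
    checks = {
        # session type, control and media protocols, endpoint type
        "type": all(_text(record.get(k)) for k in (
            "session_type", "control_protocol", "media_protocol", "endpoint_type")),
        # session start/stop plus each participant's join/leave
        "when": _ordered(_stamp(record.get("start")), _stamp(record.get("stop")))
        and all(_ordered(_stamp(p.get("join")), _stamp(p.get("leave"))) for p in people),
        # IP addresses and port numbers for both ends
        "where": _socket(record.get("local")) and _socket(record.get("remote")),
        "source": _text(record.get("source")),
        "outcome": _text(record.get("outcome")),
        # every participant on the call must be identified
        "identity": bool(raw) and len(people) == len(raw)
        and all(_text(p.get("user_id")) for p in people),
    }
    return [name for name in RULES if not checks[name]]


def finding_ids(record):
    """Vuln IDs (where this section lists one) for the failed requirements."""
    return [RULES[name] for name in missing_content(record) if RULES[name]]


# Constructed sample records (documentation addresses, hypothetical users).
COMPLETE = {
    "session_type": "video/conference",
    "control_protocol": "SIP",
    "media_protocol": "SRTP",
    "endpoint_type": "codec",
    "start": "2024-03-06T14:00:00+00:00",
    "stop": "2024-03-06T14:30:00+00:00",
    "local": {"ip": "192.0.2.10", "port": 5061},
    "remote": {"ip": "198.51.100.20", "port": 5061},
    "source": "sip:alice@example.org",
    "outcome": "conference completed",
    "participants": [
        {"user_id": "alice", "join": "2024-03-06T14:00:00+00:00",
         "leave": "2024-03-06T14:30:00+00:00"},
        {"user_id": "bob", "join": "2024-03-06T14:02:10+00:00",
         "leave": "2024-03-06T14:29:45+00:00"},
    ],
}
# Date-only stop time, remote port missing, no participants recorded.
INCOMPLETE = {**COMPLETE, "stop": "2024-03-06",
              "remote": {"ip": "198.51.100.20"}, "participants": []}
```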

The Enterprise Voice, Video, and Messaging Endpoint must be configured to provide session (call detail) record generation capability.
AU-12 - Medium - CCI-000169 - V-259961 - SV-259961r948850_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SRG-NET-000113-VVEP-00027
Vuln IDs
  • V-259961
Rule IDs
  • SV-259961r948850_rule
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate session records. Session records for Voice Video systems are generally handled in a similar fashion to audit records for other systems and are used for billing, usage analysis, and record support for actions taken. Detailed records are typically produced by the session manager but can be augmented by nontelephone endpoint records.
Checks: C-63692r948848_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint provides session record generation capability. If the Enterprise Voice, Video, and Messaging Endpoint does not provide session record generation capability, this is a finding.

Fix: F-63599r948849_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to provide session record generation capability.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable or remove nonessential capabilities.
CM-7 - Medium - CCI-000381 - V-259962 - SV-259962r948853_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
SRG-NET-000131-VVEP-00056
Vuln IDs
  • V-259962
Rule IDs
  • SV-259962r948853_rule
It is detrimental for Enterprise Voice, Video, and Messaging Endpoints when unnecessary features are enabled by default. Often these features are enabled by default with functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Network elements are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Checks: C-63693r948851_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to disable or remove nonessential capabilities. Nonessential capabilities would include peer services and other functions not directly pertaining to Enterprise Voice, Video, and Messaging Endpoint functionality. If the Enterprise Voice, Video, and Messaging Endpoint cannot be configured to disable or remove nonessential capabilities, this is a finding.

Fix: F-63600r948852_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to disable or remove nonessential capabilities.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
CM-7 - High - CCI-000382 - V-259963 - SV-259963r948856_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
SRG-NET-000132-VVEP-00059
Vuln IDs
  • V-259963
Rule IDs
  • SV-259963r948856_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Network elements are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network element must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Checks: C-63694r948854_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint only uses ports, protocols, and services allowed per the PPSM CAL and VAs. If the Enterprise Voice, Video, and Messaging Endpoint uses ports, protocols, and services not allowed per the PPSM CAL and VAs, this is a finding.

Fix: F-63601r948855_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to only use ports, protocols, and services allowed per the PPSM CAL and VAs.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to uniquely identify participating users.
IA-2 - High - CCI-000764 - V-259964 - SV-259964r948859_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
SRG-NET-000138-VVEP-00029
Vuln IDs
  • V-259964
Rule IDs
  • SV-259964r948859_rule
To ensure accountability and prevent unauthenticated access, users must be identified to prevent potential misuse and compromise of the system. The Enterprise Voice, Video, and Messaging Endpoint must display the source of an incoming call and the participant's identity to aid the user in deciding whether to answer a call. The information potentially at risk is that which can be seen in the physical area of the Enterprise Voice, Video, and Messaging Endpoint or carried by the conference in which it is participating. This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).
Checks: C-63695r948857_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint uniquely identifies participating users. Identification must be visible and displayed locally. If the Enterprise Voice, Video, and Messaging Endpoint does not uniquely identify participating users, this is a finding.

Fix: F-63602r948858_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to uniquely identify participating users.

The Enterprise Voice, Video, and Messaging Endpoint must use multifactor authentication for network access to nonprivileged (nonadmin) accounts.
IA-2 - Medium - CCI-000766 - V-259965 - SV-259965r956067_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000766
Version
SRG-NET-000140-VVEP-00010
Vuln IDs
  • V-259965
Rule IDs
  • SV-259965r956067_rule
To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication is implemented most often with software type endpoints, as this can be implemented at the operating system level. More recent advances in hardware may allow implementation at the hardware endpoint. Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) Something you know (e.g., password/PIN); (ii) Something you have (e.g., cryptographic identification device, token); or (iii) Something you are (e.g., biometric). The DOD CAC with DOD-approved PKI is an example of multifactor authentication.
Checks: C-63696r956066_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint uses multifactor authentication for network access to nonprivileged (nonadmin) accounts. If the Enterprise Voice, Video, and Messaging Endpoint does not use multifactor authentication for network access to nonprivileged (nonadmin) accounts, this is a finding.

Fix: F-63603r956067_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to use multifactor authentication for network access to nonprivileged (nonadmin) accounts.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access.
IA-2 - Medium - CCI-001942 - V-259966 - SV-259966r953940_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001942
Version
SRG-NET-000147-VVEP-00101
Vuln IDs
  • V-259966
Rule IDs
  • SV-259966r953940_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A nonprivileged account is any operating system account with authorizations of a nonprivileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).
Checks: C-63697r948863_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint implements replay-resistant authentication mechanisms for network access. If the Enterprise Voice, Video, and Messaging Endpoint does not implement replay-resistant authentication mechanisms for network access, this is a finding.

Fix: F-63604r948864_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to implement replay-resistant authentication mechanisms for network access.
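The nonce and challenge technique named in the discussion above, shown as an added example that is not part of the SRG: a verifier issues a single-use, time-limited nonce and accepts an HMAC-SHA-256 response to it exactly once. The class, function names, shared secret, and 30-second lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


def respond(key, user, nonce):
    """Client side: bind the response to this user and this challenge."""
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class ChallengeVerifier:
    """Server side: issues nonces and accepts each one at most once."""

    def __init__(self, keys, ttl=30.0, clock=time.monotonic):
        self._keys = keys      # user -> shared secret (bytes)
        self._ttl = ttl        # seconds a challenge stays valid (assumed value)
        self._clock = clock
        self._pending = {}     # nonce -> (user, expiry)

    def issue(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (user, self._clock() + self._ttl)
        return nonce

    def verify(self, user, nonce, response):
        # pop() consumes the nonce on first presentation, valid or not,
        # so a recorded exchange cannot be presented a second time.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        owner, expiry = entry
        key = self._keys.get(user)
        if owner != user or key is None or self._clock() > expiry:
            return False
        return hmac.compare_digest(respond(key, user, nonce), response)


def demo():
    """Return (first use, replay, expired challenge, old response to new challenge)."""
    now = [0.0]                                  # controllable clock for the demo
    key = b"constructed-demo-secret"             # constructed value
    verifier = ChallengeVerifier({"alice": key}, ttl=30.0, clock=lambda: now[0])

    nonce = verifier.issue("alice")
    response = respond(key, "alice", nonce)
    first = verifier.verify("alice", nonce, response)
    replay = verifier.verify("alice", nonce, response)    # same message again

    stale = verifier.issue("alice")
    stale_response = respond(key, "alice", stale)
    now[0] = 31.0                                          # past the lifetime
    expired = verifier.verify("alice", stale, stale_response)

    fresh = verifier.issue("alice")
    reused = verifier.verify("alice", fresh, response)     # recorded response
    return first, replay, expired, reused
```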

The Enterprise Voice, Video, and Messaging Endpoint must be configured to terminate all network connections associated with a communications session at the end of the session.
SC-10 - High - CCI-001133 - V-259967 - SV-259967r948868_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
SRG-NET-000213-VVEP-00028
Vuln IDs
  • V-259967
Rule IDs
  • SV-259967r948868_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This requirement applies to any network element that tracks individual sessions (e.g., stateful inspection firewall, ALG, or VPN).
Checks: C-63698r948866_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint terminates all network connections associated with a communications session at the end of the session. If the Enterprise Voice, Video, and Messaging Endpoint does not terminate all network connections associated with a communications session at the end of the session, this is a finding.

Fix: F-63605r948867_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to terminate all network connections associated with a communications session at the end of the session.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.
SC-23 - Medium - CCI-001184 - V-259968 - SV-259968r948871_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
SRG-NET-000230-VVEP-00101
Vuln IDs
  • V-259968
Rule IDs
  • SV-259968r948871_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-1 for integrity of remote access sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional). This requirement applies only to network elements that act as an intermediary for individual sessions (e.g., proxy, ALG, or SSL VPN).
Checks: C-63699r948869_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. Note: The use of SHA-1 in accordance with SP800-131Ar2 will also meet this requirement. If the Enterprise Voice, Video, and Messaging Endpoint is not configured with SHA-2 or greater, this is a finding.

Fix: F-63606r948870_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to use SHA-2 or greater to protect the authenticity of communications sessions.

In the event of a device failure, Enterprise Voice, Video, and Messaging Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service.
SC-24 - Medium - CCI-001665 - V-259969 - SV-259969r948874_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
SRG-NET-000236-VVEP-00043
Vuln IDs
  • V-259969
Rule IDs
  • SV-259969r948874_rule
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving network element state information helps to facilitate network element restart and return to the operational mode of the organization with less disruption to mission-essential processes.
Checks: C-63700r948872_chk

Verify that in the event of device failure, the Enterprise Voice, Video, and Messaging Endpoint preserves any information necessary to determine cause of failure and return to operations with least disruption to service. If the Enterprise Voice, Video, and Messaging Endpoint does not preserve any information necessary to determine cause of failure, this is a finding. If the Enterprise Voice, Video, and Messaging Endpoint does not return to operations with least disruption to service after device failure, this is a finding.

Fix: F-63607r948873_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint, in the event of device failure, to preserve any information necessary to determine cause of failure. Also configure the Enterprise Voice, Video, and Messaging Endpoint to return to operations with least disruption to service.

The Enterprise Voice, Video, and Messaging Endpoint must offload audit records onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-259970 - SV-259970r948877_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SRG-NET-000334-VVEP-00010
Vuln IDs
  • V-259970
Rule IDs
  • SV-259970r948877_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing audit records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing audit records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that support audit records must support offloading.
Checks: C-63701r948875_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint offloads audit records onto a different system or media. If the Enterprise Voice, Video, and Messaging Endpoint does not offload audit records to a different system or media, this is a finding.

Fix: F-63608r948876_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to offload audit records to a different system or media.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
SC-13 - Medium - CCI-002450 - V-259971 - SV-259971r948880_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
SRG-NET-000352-VVEP-00038
Vuln IDs
  • V-259971
Rule IDs
  • SV-259971r948880_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. NIST cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program have been changed to more stringent protocols and configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.
Checks: C-63702r948878_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint processing classified information over public networks implements NSA-approved cryptography. If the Enterprise Voice, Video, and Messaging Endpoint processing classified information over public networks does not implement NSA-approved cryptography, this is a finding.

Fix: F-63609r948879_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint processing classified information over public networks to implement NSA-approved cryptography.

The Enterprise Voice, Video, and Messaging Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.
CM-6 - Medium - CCI-000366 - V-259972 - SV-259972r948883_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-NET-000353-VVEP-00042
Vuln IDs
  • V-259972
Rule IDs
  • SV-259972r948883_rule
Providing an explicit indication of current participants in teleconferences helps to prevent unauthorized individuals from participating in collaborative teleconference sessions without the explicit knowledge of other participants. Teleconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised. Network elements that provide a teleconference capability must provide a clear indication of who is attending the meeting, thus providing all attendees with the capability to clearly identify users who are in attendance.
Checks: C-63703r948881_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint provides an explicit indication of current participants in all VC-based and IP-based online meetings and conferences. This excludes audio-only teleconferences using traditional telephony. If the Enterprise Voice, Video, and Messaging Endpoint does not provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences, this is a finding.

Fix: F-63610r948882_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-compliant algorithms for network traffic.
SC-8 - High - CCI-002418 - V-259973 - SV-259973r948886_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
SRG-NET-000371-VVEP-00037
Vuln IDs
  • V-259973
Rule IDs
  • SV-259973r948886_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. TLS can be used to secure SIP and SCCP signaling by configuring the session manager in a secure mode. DOD-to-DOD voice communications are generally considered to contain sensitive information and therefore DOD voice and data traffic crossing the unclassified DISN must be encrypted. Cryptographic mechanisms such as Media Access Control Security (MACsec) implemented to protect information include cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.
Checks: C-63704r948884_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint uses encryption for network traffic. If the Enterprise Voice, Video, and Messaging Endpoint does not use encryption for network traffic, this is a finding.

Fix: F-63611r948885_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to use encryption for network traffic.

The Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, must be configured to cryptographically protect the PIN or password.
IA-5 - High - CCI-000197 - V-259974 - SV-259974r948889_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
SRG-NET-000400-VVEP-00033
Vuln IDs
  • V-259974
Rule IDs
  • SV-259974r948889_rule
Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. This does not apply to authentication for the purpose of configuring the device itself (management).
Checks: C-63705r948887_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, cryptographically protects the transmission. If the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, does not cryptographically protect the transmission, this is a finding.

Fix: F-63612r948888_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, to cryptographically protect the transmission.

The Enterprise Voice, Video, and Messaging Endpoint must generate audit records when successful/unsuccessful logon attempts occur.
AU-12 - Medium - CCI-000172 - V-259975 - SV-259975r948892_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-NET-000503-VVEP-00010
Vuln IDs
  • V-259975
Rule IDs
  • SV-259975r948892_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing audit records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing audit records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate audit records.
Checks: C-63706r948890_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint generates audit records when successful/unsuccessful logon attempts occur. If the Enterprise Voice, Video, and Messaging Endpoint does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.

Fix: F-63613r948891_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to generate audit records when successful/unsuccessful logon attempts occur.

The Enterprise Voice, Video, and Messaging Endpoint must generate audit records for privileged activities or other system-level access.
AU-12 - Medium - CCI-000172 - V-259976 - SV-259976r948895_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-NET-000504-VVEP-00010
Vuln IDs
  • V-259976
Rule IDs
  • SV-259976r948895_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing audit records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing audit records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate audit records.
Checks: C-63707r948893_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint generates audit records for privileged activities or other system-level access. If the Enterprise Voice, Video, and Messaging Endpoint does not generate audit records for privileged activities or other system-level access, this is a finding.

Fix: F-63614r948894_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to generate audit records for privileged activities or other system-level access.

The Enterprise Voice, Video, and Messaging Endpoint must generate audit records showing starting and ending time for user access to the system.
AU-12 - Medium - CCI-000172 - V-259977 - SV-259977r948898_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-NET-000505-VVEP-00010
Vuln IDs
  • V-259977
Rule IDs
  • SV-259977r948898_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing audit records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing audit records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that communicate beyond these defined environments must generate audit records.
Checks: C-63708r948896_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint generates audit records showing starting and ending time for user access to the system. If the Enterprise Voice, Video, and Messaging Endpoint does not generate audit records showing starting and ending time for user access, this is a finding.

Fix: F-63615r948897_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to generate audit records showing starting and ending time for user access to the system.

The Enterprise Voice, Video, and Messaging Endpoint must, at a minimum, offload interconnected systems in real-time and offload standalone systems weekly.
AU-4 - Medium - CCI-001851 - V-259978 - SV-259978r948901_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SRG-NET-000511-VVEP-00010
Vuln IDs
  • V-259978
Rule IDs
  • SV-259978r948901_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing audit records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing audit records provide supplemental confirmation of monitored events. Enterprise Voice, Video, and Messaging Endpoints that support audit records must support offloading.
Checks: C-63709r948899_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint offloads audit records in real time or weekly. If the Enterprise Voice, Video, and Messaging Endpoint does not offload audit records in real time or weekly, this is a finding.

Fix: F-63616r948900_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to offload audit records in real time or weekly.

The Enterprise Voice, Video, and Messaging Endpoint must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
CM-6 - Medium - CCI-000366 - V-259979 - SV-259979r948904_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-NET-000512-VVEP-00100
Vuln IDs
  • V-259979
Rule IDs
  • SV-259979r948904_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Checks: C-63710r948902_chk

Verify that the Enterprise Voice, Video, and Messaging Endpoint is configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the Enterprise Voice, Video, and Messaging Endpoint is not configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.

Fix: F-63617r948903_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

The Enterprise Voice, Video, and Messaging Endpoint must be configured with a firmware release supported by the vendor.
CM-6 - High - CCI-000366 - V-259980 - SV-259980r948907_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SRG-NET-000512-VVEP-00101
Vuln IDs
  • V-259980
Rule IDs
  • SV-259980r948907_rule
Operating a device with outdated firmware may leave the device with unmitigated security vulnerabilities. Vendors routinely update and patch firmware to address vulnerabilities. Operating with current supported firmware mitigates the vulnerabilities known by the vendor.
Checks: C-63711r948905_chk

Verify the firmware release installed on the Enterprise Voice, Video, and Messaging Endpoint is currently supported by the vendor. If the firmware release installed on the Enterprise Voice, Video, and Messaging Endpoint is not currently supported by the vendor, this is a finding.

Fix: F-63618r948906_fix

Install a currently supported firmware release supplied by the vendor onto the Enterprise Voice, Video, and Messaging Endpoint.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to dynamically implement configuration file changes.
CM-6 - Medium - CCI-000366 - V-259981 - SV-259981r948910_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-NET-000512-VVEP-00102
Vuln IDs
  • V-259981
Rule IDs
  • SV-259981r948910_rule
Configuration management includes the management of security features and assurances through control of changes made to device hardware, software, and firmware throughout the life cycle of a product. Secure configuration management relies on performance and functional attributes of products to determine the appropriate security features and assurances used to measure a system configuration state. When configuration changes are made, it is critical for those changes to be implemented by the Enterprise Voice, Video, and Messaging Endpoint as quickly as possible. This ensures that Enterprise Voice, Video, and Messaging Endpoints communicate using the correct address books, session managers, gateways, and border elements.
Checks: C-63712r948908_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint dynamically implements configuration file changes. If the Enterprise Voice, Video, and Messaging Endpoint does not dynamically implement configuration file changes, this is a finding.

Fix: F-63619r948909_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to dynamically implement configuration file changes.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable any auto answer features.
CM-6 - Medium - CCI-000366 - V-259982 - SV-259982r956073_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-NET-000512-VVEP-00103
Vuln IDs
  • V-259982
Rule IDs
  • SV-259982r956073_rule
An Enterprise Voice, Video, and Messaging Endpoint set to automatically answer a call with audio or video capabilities enabled risks transmitting information not intended for the caller. In the event an Enterprise Voice, Video, and Messaging Endpoint automatically answered a call during a classified meeting or discussion, potentially sensitive or classified information could be transmitted. The auto-answer feature must not be activated by a user unless the feature is required to satisfy mission requirements.
Checks: C-63713r948911_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to disable any auto answer features. If the Enterprise Voice, Video, and Messaging Endpoint is not configured to disable auto answer features, this is a finding.

Fix: F-63620r948912_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to disable auto answer features.

The Enterprise Voice, Video, and Messaging Endpoint must provide a logout capability for user-initiated communications sessions.
AC-12 - Medium - CCI-002363 - V-259983 - SV-259983r948916_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
SRG-NET-000518-VVEP-00101
Vuln IDs
  • V-259983
Rule IDs
  • SV-259983r948916_rule
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Checks: C-63714r948914_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint provides a logout capability for user-initiated communications sessions. If the Enterprise Voice, Video, and Messaging Endpoint does not provide a logout capability for user-initiated communications sessions, this is a finding.

Fix: F-63621r948915_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to provide a logout capability for user-initiated communications sessions.

The Enterprise Voice, Video, and Messaging Endpoint must display an explicit logout message to users indicating the reliable termination of communications sessions.
AC-12 - Medium - CCI-002364 - V-259984 - SV-259984r948919_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002364
Version
SRG-NET-000519-VVEP-00101
Vuln IDs
  • V-259984
Rule IDs
  • SV-259984r948919_rule
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Logout messages for access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Checks: C-63715r948917_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint displays an explicit logout message to users indicating the termination of communications sessions. If the Enterprise Voice, Video, and Messaging Endpoint does not display an explicit logout message to users, this is a finding.

Fix: F-63622r948918_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to display an explicit logout message to users indicating the termination of communications sessions.

For accounts using password or PINs for authentication, the Enterprise Voice, Video, and Messaging Endpoint must store only cryptographic representations of passwords.
IA-5 - Medium - CCI-000196 - V-259985 - SV-259985r953950_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
SRG-NET-000522-VVEP-00010
Vuln IDs
  • V-259985
Rule IDs
  • SV-259985r953950_rule
If passwords and PINs are not encrypted when stored, they may be read if the storage location is compromised. Note that DOD requires the use of two-factor, CAC-enabled authentication, and the use of passwords incurs a permanent finding. Passwords should be used only in limited situations. Examples of situations where a user ID and password might be used include:
  • When the user does not use a CAC and is not a current DOD employee, member of the military, or DOD contractor.
  • When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and, to satisfy urgent organizational needs, must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
  • When the application is publicly available and/or hosting publicly releasable data requiring some degree of need-to-know protection.

If the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of a FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. Verifying that the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash.

A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows:

H0 = H(pwd, H(salt))
Hn = H(Hn-1, H(salt))

In the above, "n" is a cryptographically strong random number. "Hn" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares "Hn" with the stored "Hn". A salt is essentially a fixed-length cryptographically strong random value. Another method is using a keyed hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key. This requirement applies to all accounts, including authentication server; Authentication, Authorization, and Accounting (AAA); and local accounts, including the root account and the account of last resort.
Checks: C-63716r948920_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication, stores cryptographic representations of passwords. If the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication, does not store cryptographic representations of passwords, this is a finding.

Fix: F-63623r948921_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication, to store cryptographic representations of passwords.
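
The iterated salted-hash verifier from the discussion above (H0, Hn), as an added example that is not part of the SRG or of any vendor's implementation. Assumptions: H is SHA-256, H(a, b) hashes the concatenation of its inputs, "n" is an iteration count stored with the record, and the names enroll, verify and audit_store are illustrative.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 32           # assumption: 256-bit random salt
DEFAULT_ROUNDS = 100_000  # assumption: iteration count "n", stored with the record


def _h(*parts: bytes) -> bytes:
    """H(a, b): SHA-256 over the concatenated inputs (assumed combination rule)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(part)
    return digest.digest()


def iterate_hash(secret: str, salt: bytes, rounds: int) -> bytes:
    """H0 = H(pwd, H(salt)); Hn = H(Hn-1, H(salt)) for n = 1..rounds."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    salt_hash = _h(salt)
    value = _h(secret.encode("utf-8"), salt_hash)  # H0
    for _ in range(rounds):
        value = _h(value, salt_hash)               # Hn
    return value


def enroll(secret: str, rounds: int = DEFAULT_ROUNDS) -> dict:
    """Build the record to store: salt, n and Hn. The secret itself is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt.hex(), "n": rounds,
            "hn": iterate_hash(secret, salt, rounds).hex()}


def verify(secret: str, record: dict) -> bool:
    """Repeat the process and compare with the stored Hn in constant time."""
    candidate = iterate_hash(secret, bytes.fromhex(record["salt"]), record["n"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hn"]))


def _is_verifier(rec) -> bool:
    """True only for a well-formed salt/n/Hn record (hex salt, 32-byte digest)."""
    try:
        return (len(bytes.fromhex(rec["salt"])) >= 16
                and len(bytes.fromhex(rec["hn"])) == 32 and int(rec["n"]) >= 1)
    except (TypeError, KeyError, ValueError):
        return False


def audit_store(records: dict) -> list:
    """Check-style helper: accounts whose stored value is not a verifier record."""
    return sorted(a for a, r in records.items() if not _is_verifier(r))


# Constructed sample store: one enrolled PIN and one legacy plaintext entry.
SAMPLE_STORE = {"admin": enroll("493817", rounds=1000), "guest": "1234"}
```

Where the platform provides a vetted key-derivation function such as PBKDF2 (hashlib.pbkdf2_hmac in Python), use it in place of a hand-written loop like this one.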

The Enterprise Voice, Video, and Messaging Endpoint must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
AC-17 - High - CCI-001453 - V-259986 - SV-259986r948925_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
SRG-NET-000530-VVEP-00101
Vuln IDs
  • V-259986
Rule IDs
  • SV-259986r948925_rule
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or public-facing servers.
Checks: C-63717r948923_chk

Verify the Enterprise Voice, Video, and Messaging Endpoint prohibits client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, and SSL 3.0. If the Enterprise Voice, Video, and Messaging Endpoint does not prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, and SSL 3.0, this is a finding.

Fix: F-63624r948924_fix

Configure the Enterprise Voice, Video, and Messaging Endpoint to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.