Verify the Enterprise Voice, Video, and Messaging Endpoint does not use the default PIN or password to access configuration settings. If the Enterprise Voice, Video, and Messaging Endpoint uses the default PIN or password to access configuration settings, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to not use the default PIN or password to access configuration settings.
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to prevent the configuration or display of configuration settings without the use of a PIN or password. If the Enterprise Voice, Video, and Messaging Endpoint does not prevent the configuration or display of configuration settings without the use of a PIN or password, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to prevent the configuration or display of configuration settings without the use of a PIN or password.
Verify the Enterprise Voice, Video, and Messaging Endpoint registers with an Enterprise Voice, Video, and Messaging Session Manager. If the Enterprise Voice, Video, and Messaging Endpoint does not register with an Enterprise Voice, Video, and Messaging Session Manager, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to register with an Enterprise Voice, Video, and Messaging Session Manager.
Verify the Enterprise Voice, Video, and Messaging Endpoint PC port is configured to maintain VLAN separation from the voice video VLAN or is disabled. If the Enterprise Voice, Video, and Messaging Endpoint PC port is disabled, this is not a finding. If the Enterprise Voice, Video, and Messaging Endpoint PC port does not maintain VLAN separation from the voice video VLAN, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint PC port to maintain VLAN separation from the voice video VLAN or be disabled.
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to integrate into the implemented 802.1x network access control system. If the Enterprise Voice, Video, and Messaging Endpoint does not integrate into the implemented 802.1x network access control system, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to integrate into the implemented 802.1x network access control system.
Verify the Enterprise Voice, Video, and Messaging Endpoint PC port is configured to connect to an 802.1x supplicant or is disabled. If the Enterprise Voice, Video, and Messaging Endpoint PC port is disabled, this is not a finding. If the Enterprise Voice, Video, and Messaging Endpoint PC port is not disabled and is not an 802.1x authenticator, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint PC port to connect to an 802.1x supplicant in the implemented 802.1x network access control system or be disabled.
Verify the Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x is configured to use MAB on the access switchport. If the Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x is not configured to use MAB on the access switchport, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x to use MAB on the access switchport.
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to use a voice video VLAN separate from all other VLANs. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN. If the Enterprise Voice, Video, and Messaging Endpoint does not use a voice video VLAN separate from all other VLANs, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to use a voice video VLAN separate from all other VLANs.
Ensure far end camera control is disabled unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements along with their approval(s) are maintained by the ISSO for inspection by auditors. Such approval is obtained from the AO or ISSM responsible for the VTU(s) or system. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU; i.e., far end camera control must be able to be disabled or the feature must not be supported. Determine if remote monitoring is required and approved to meet mission requirements. Have the ISSO or SA demonstrate compliance with the requirement.
Perform the following tasks: Configure the CODEC to disable far end camera control. OR Document and validate the mission requirements that require far end camera control to be enabled and obtain AO approval. Maintain the requirement and approval documentation for review by auditors.
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to apply 802.1Q VLAN tags to signaling and media traffic. If the Enterprise Voice, Video, and Messaging Endpoint does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to apply 802.1Q VLAN tags to signaling and media traffic.
If the Enterprise Voice, Video, and Messaging Endpoint is not configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network.
If the Enterprise Voice, Video, and Messaging Endpoint is not configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users take explicit actions to log on for further access, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
Verify that the Enterprise Voice, Video, and Messaging Endpoint notifies the user, upon successful logon (access) to the network element, of the date and time of the last logon (access). If the Enterprise Voice, Video, and Messaging Endpoint does not notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access), this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).
Verify that the Enterprise Voice, Video, and Messaging Endpoint notifies the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). If the Enterprise Voice, Video, and Messaging Endpoint does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to limit the number of concurrent sessions to an organizationally defined number. If the Enterprise Voice, Video, and Messaging Endpoint is not configured to limit the number of concurrent sessions to the limit set by local policy, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to limit the number of concurrent sessions to the limit set by local policy.
Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing what type of connection occurred. The record must include the session type (voice/direct, voice/conference, video/direct, video/conference, etc.), the specific protocols used for control and media traffic (SIP/SRTP, H.323, etc.), and the type of endpoint (mobile, telephone, codec, etc.). If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing what type of connection occurred, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing what type of connection occurred.
Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing when the connection occurred. The record must include session start/join/leave/stop times. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the date and time when the connection occurred, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the date and time when the connection occurred.
Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing where the connection occurred. The record must include IP addresses and port numbers. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing where the connection occurred, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing where the connection occurred.
Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing the source of the connection. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the source of the connection, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the source of the connection.
Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing the outcome of the connection. Outcomes of the connection would include call completed, conference completed, destination busy, network busy, etc. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the outcome of the connection, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the outcome of the connection.
Verify the Enterprise Voice, Video, and Messaging Endpoint produces session records containing the identity of all users on the call. If the Enterprise Voice, Video, and Messaging Endpoint does not produce session records containing the identity of all users on the call, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to produce session records containing the identity of all users on the call.
Verify the Enterprise Voice, Video, and Messaging Endpoint provides session record generation capability. If the Enterprise Voice, Video, and Messaging Endpoint does not provide session record generation capability, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to provide session record generation capability.
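The session record checks above (type, when, where, source, outcome, and user identity) can be applied to exported records with a completeness check like the following. This is an added example, not part of the STIG; the record layout and every field name in it are assumptions, since the STIG states what a record must contain but not its format.

```python
"""Completeness check for endpoint session records (assumed, illustrative schema)."""
import ipaddress
from datetime import datetime

# Assumed field names mapped to the STIG content element each one satisfies.
TEXT_FIELDS = {
    "session_type": "type of connection (session type)",
    "control_protocol": "type of connection (control protocol)",
    "media_protocol": "type of connection (media protocol)",
    "endpoint_type": "type of connection (endpoint type)",
    "source": "source of the connection",
    "outcome": "outcome of the connection",
}


def _valid_time(value):
    """True if value is an ISO 8601 timestamp string."""
    try:
        datetime.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def _valid_addr(addr):
    """True if addr is {'ip': <IP address>, 'port': <1..65535>}."""
    try:
        ipaddress.ip_address(addr["ip"])
        return isinstance(addr["port"], int) and 0 < addr["port"] < 65536
    except (KeyError, TypeError, ValueError):
        return False


def missing_elements(record):
    """Return the required content elements that the record lacks."""
    gaps = [label for field, label in TEXT_FIELDS.items()
            if not str(record.get(field) or "").strip()]
    for field in ("start", "stop"):
        if not _valid_time(record.get(field)):
            gaps.append(f"when the connection occurred ({field} time)")
    for side in ("local", "remote"):
        if not _valid_addr(record.get(side)):
            gaps.append(f"where the connection occurred ({side} IP/port)")
    participants = record.get("participants") or []
    if not participants:
        gaps.append("identity of all users on the call")
    for i, person in enumerate(participants):
        if not str(person.get("user") or "").strip():
            gaps.append(f"identity of all users on the call (participant {i})")
        for field in ("join", "leave"):
            if not _valid_time(person.get(field)):
                gaps.append(f"when the connection occurred (participant {i} {field} time)")
    return gaps


# Constructed sample records (documentation-range addresses, made-up users).
COMPLETE = {
    "session_type": "video/conference", "control_protocol": "SIP",
    "media_protocol": "SRTP", "endpoint_type": "codec",
    "source": "sip:room101@example.mil", "outcome": "conference completed",
    "start": "2024-05-01T13:00:00+00:00", "stop": "2024-05-01T13:45:00+00:00",
    "local": {"ip": "192.0.2.10", "port": 5061},
    "remote": {"ip": "198.51.100.20", "port": 5061},
    "participants": [{"user": "user.a", "join": "2024-05-01T13:00:05+00:00",
                      "leave": "2024-05-01T13:44:50+00:00"}],
}
INCOMPLETE = dict(COMPLETE, outcome="", remote={"ip": "198.51.100.20"},
                  participants=[{"user": "", "join": "2024-05-01T13:00:05+00:00",
                                 "leave": None}])

if __name__ == "__main__":
    for name, rec in (("COMPLETE", COMPLETE), ("INCOMPLETE", INCOMPLETE)):
        print(name, missing_elements(rec) or "no gaps")
```

Any non-empty result lists the content elements a reviewer would record against the corresponding session record check.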
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to disable or remove nonessential capabilities. Nonessential capabilities would include peer services and other functions not directly pertaining to Enterprise Voice, Video, and Messaging Endpoint functionality. If the Enterprise Voice, Video, and Messaging Endpoint cannot be configured to disable or remove nonessential capabilities, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to disable or remove nonessential capabilities.
Verify the Enterprise Voice, Video, and Messaging Endpoint only uses ports, protocols, and services allowed per the PPSM CAL and VAs. If the Enterprise Voice, Video, and Messaging Endpoint uses ports, protocols, and services not allowed per the PPSM CAL and VAs, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to only use ports, protocols, and services allowed per the PPSM CAL and VAs.
Verify the Enterprise Voice, Video, and Messaging Endpoint uniquely identifies participating users. Identification must be visible and displayed locally. If the Enterprise Voice, Video, and Messaging Endpoint does not uniquely identify participating users, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to uniquely identify participating users.
Verify the Enterprise Voice, Video, and Messaging Endpoint uses multifactor authentication for network access to nonprivileged (nonadmin) accounts. If the Enterprise Voice, Video, and Messaging Endpoint does not use multifactor authentication for network access to nonprivileged (nonadmin) accounts, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to use multifactor authentication for network access to nonprivileged (nonadmin) accounts.
Verify the Enterprise Voice, Video, and Messaging Endpoint implements replay-resistant authentication mechanisms for network access. If the Enterprise Voice, Video, and Messaging Endpoint does not implement replay-resistant authentication mechanisms for network access, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to implement replay-resistant authentication mechanisms for network access.
Verify the Enterprise Voice, Video, and Messaging Endpoint terminates all network connections associated with a communications session at the end of the session. If the Enterprise Voice, Video, and Messaging Endpoint does not terminate all network connections associated with a communications session at the end of the session, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to terminate all network connections associated with a communications session at the end of the session.
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. Note: The use of SHA-1 in accordance with SP800-131Ar2 will also meet this requirement. If the Enterprise Voice, Video, and Messaging Endpoint is not configured with SHA-2 or greater, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to use SHA-2 or greater to protect the authenticity of communications sessions.
Verify that in the event of device failure, the Enterprise Voice, Video, and Messaging Endpoint preserves any information necessary to determine cause of failure and return to operations with least disruption to service. If the Enterprise Voice, Video, and Messaging Endpoint does not preserve any information necessary to determine cause of failure, this is a finding. If the Enterprise Voice, Video, and Messaging Endpoint does not return to operations with least disruption to service after device failure, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint, in the event of device failure, to preserve any information necessary to determine cause of failure. Also configure the Enterprise Voice, Video, and Messaging Endpoint to return to operations with least disruption to service.
Verify the Enterprise Voice, Video, and Messaging Endpoint offloads audit records onto a different system or media. If the Enterprise Voice, Video, and Messaging Endpoint does not offload audit records to a different system or media, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to offload audit records to a different system or media.
Verify the Enterprise Voice, Video, and Messaging Endpoint processing classified information over public networks implements NSA-approved cryptography. If the Enterprise Voice, Video, and Messaging Endpoint processing classified information over public networks does not implement NSA-approved cryptography, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint processing classified information over public networks to implement NSA-approved cryptography.
Verify the Enterprise Voice, Video, and Messaging Endpoint provides an explicit indication of current participants in all VC-based and IP-based online meetings and conferences. This excludes audio-only teleconferences using traditional telephony. If the Enterprise Voice, Video, and Messaging Endpoint does not provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences.
Verify the Enterprise Voice, Video, and Messaging Endpoint uses encryption for network traffic. If the Enterprise Voice, Video, and Messaging Endpoint does not use encryption for network traffic, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to use encryption for network traffic.
Verify the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, cryptographically protects the transmission. If the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, does not cryptographically protect the transmission, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, to cryptographically protect the transmission.
Verify the Enterprise Voice, Video, and Messaging Endpoint generates audit records when successful/unsuccessful logon attempts occur. If the Enterprise Voice, Video, and Messaging Endpoint does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to generate audit records when successful/unsuccessful logon attempts occur.
Verify the Enterprise Voice, Video, and Messaging Endpoint generates audit records for privileged activities or other system-level access. If the Enterprise Voice, Video, and Messaging Endpoint does not generate audit records for privileged activities or other system-level access, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to generate audit records for privileged activities or other system-level access.
Verify the Enterprise Voice, Video, and Messaging Endpoint generates audit records showing starting and ending time for user access to the system. If the Enterprise Voice, Video, and Messaging Endpoint does not generate audit records showing starting and ending time for user access, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to generate audit records showing starting and ending time for user access to the system.
Verify the Enterprise Voice, Video, and Messaging Endpoint offloads audit records in real time or weekly. If the Enterprise Voice, Video, and Messaging Endpoint does not offload audit records in real time or weekly, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to offload audit records in real time or weekly.
Verify that the Enterprise Voice, Video, and Messaging Endpoint is configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the Enterprise Voice, Video, and Messaging Endpoint is not configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Verify the firmware release installed on the Enterprise Voice, Video, and Messaging Endpoint is currently supported by the vendor. If the firmware release installed on the Enterprise Voice, Video, and Messaging Endpoint is not currently supported by the vendor, this is a finding.
Install a currently supported firmware release supplied by the vendor onto the Enterprise Voice, Video, and Messaging Endpoint.
Verify the Enterprise Voice, Video, and Messaging Endpoint dynamically implements configuration file changes. If the Enterprise Voice, Video, and Messaging Endpoint does not dynamically implement configuration file changes, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to dynamically implement configuration file changes.
Verify the Enterprise Voice, Video, and Messaging Endpoint is configured to disable any auto answer features. If the Enterprise Voice, Video, and Messaging Endpoint is not configured to disable auto answer features, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to disable auto answer features.
Verify the Enterprise Voice, Video, and Messaging Endpoint provides a logout capability for user-initiated communications sessions. If the Enterprise Voice, Video, and Messaging Endpoint does not provide a logout capability for user-initiated communications sessions, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to provide a logout capability for user-initiated communications sessions.
Verify the Enterprise Voice, Video, and Messaging Endpoint displays an explicit logout message to users indicating the termination of communications sessions. If the Enterprise Voice, Video, and Messaging Endpoint does not display an explicit logout message to users, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to display an explicit logout message to users indicating the termination of communications sessions.
Verify the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication, stores cryptographic representations of passwords. If the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication, does not store cryptographic representations of passwords, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication, to store cryptographic representations of passwords.
Verify the Enterprise Voice, Video, and Messaging Endpoint prohibits client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, and SSL 3.0. If the Enterprise Voice, Video, and Messaging Endpoint does not prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, and SSL 3.0, this is a finding.
Configure the Enterprise Voice, Video, and Messaging Endpoint to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.