Enterprise Voice, Video, and Messaging Policy Security Requirements Guide

  • Version/Release: V1R1
  • Published: 2024-03-12
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
The Enterprise Voice, Video, and Messaging Policy must define operations for VTC and endpoint cameras regarding the ability to pick up and transmit sensitive information.
AC-4 - High - CCI-002213 - V-259890 - SV-259890r948734_rule
RMF Control
AC-4
Severity
High
CCI
CCI-002213
Version
SRG-VOIP-000100
Vuln IDs
  • V-259890
Rule IDs
  • SV-259890r948734_rule
Users of conference room or office-based VTC systems and PC-based communications applications that employ a camera must not inadvertently display sensitive or classified information that is not part of the communications session while the camera is active. This can happen if information in the form of charts, pictures, or maps are displayed on a wall within the viewing or capture range of a camera. Any pan, tilt, and zoom (PTZ) capabilities of the camera must be considered. One may consider visual information out of range, but it may be in range considering camera capabilities such as high definition, PTZ, and video enhancement possibilities for captured frames. Inadvertent display of classified information could also happen if the information is lying on a desk or table unprotected. NOTES: - Vulnerability awareness and operational training will be provided to users of VTC and video/collaboration communications-related cameras regarding these requirements. - This requirement is relevant no matter what the classification level of the session. In an IP environment, the classification of VTC or PC communications depends on the classification of the network to which the VTU or PC is attached and the classification of the facility in which it is located. While classified communications can occur at the same level of classification as the network and facility, communications having a lower or no classification (e.g., unclassified or CUI) may also occur in the same environment. Therefore, sensitive or classified information that is not part of the communications session might be improperly disclosed without proper controls in place.
Checks: C-63621r946589_chk

Verify a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: - Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s). - Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection (e.g., a proper cover). - Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. The best practice is to not display it in view of the camera at all. Inspect the applicable standard operating procedure (SOP). Inspect a random sampling of workspaces and conference rooms to determine compliance. Look for potentially sensitive information posted on the walls in view of the camera(s). Interview the ISSO to determine how the SOP is enforced. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If deficiencies are found in any of these areas, this is a finding. Note the deficiencies in the finding details.

Fix: F-63528r946590_fix

Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information. Do not post potentially sensitive information on the walls in view of the camera(s). Produce an SOP that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: - Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s). - Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection. (e.g., a proper cover). - Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. Best practice is to not display it in view of the camera at all. Provide appropriate training so users follow the SOP. Enforce user compliance with the SOP.

b
The Enterprise Voice, Video, and Messaging Policy must define operations for endpoint microphones regarding the ability to pick up and transmit sensitive information.
AC-4 - Medium - CCI-002213 - V-259891 - SV-259891r948735_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002213
Version
SRG-VOIP-000110
Vuln IDs
  • V-259891
Rule IDs
  • SV-259891r948735_rule
Microphones used with VTC systems and devices are designed to be extremely sensitive so the voice of anyone speaking anywhere within a conference room is picked up and amplified so they can be heard clearly and understood at the remote location on the call. This same sensitivity is included in VTUs that are used in office spaces. This has one disadvantage. The microphones can pick up sidebar conversations that have no relationship to the conference or call in progress. Likewise, in an open area, received conference audio can be broadcast to others in the area that are not part of the conference and possibly should not be exposed to the conference information for need-to-know reasons. Speakerphones exhibit a similar vulnerability. This is the same confidentiality vulnerability posed to audible sound information in the environment as discussed above, with the added twist that the conference audio is vulnerable to others in the environment. While this is more of an issue in environments where classified conversations normally occur, it is also an issue in any environment. This is of particularly concern in open work areas or open offices where multiple people work in near proximity. Users or operators of VTC systems of any type must take care regarding who can hear what is being said during a conference call and what unrelated conversations can be picked up by the sensitive microphone. Where a VTU is used by a single person in an open area, a partial mitigation for this could be the use of a headset with earphones and a microphone. While this would limit the ability of others to hear audio from the conference and could also limit the audio pickup of unrelated conversations, it may not be fully effective. In some instances, such as when a VTU is located in a SCIF, a Push-to-Talk (PTT) handset/headset may be required Microphones embedded in or connected to a communications endpoint, PC, or PC monitor can be sensitive enough to pick up sound that is not related to a given communications session. They could pick up nearby conversations and other sounds. This capability could compromise sensitive or classified information that is not related to the communications in progress. Speakers embedded in or connected to a communications endpoint or PC can be made loud enough to be heard across a room or in the next workspace. This capability could compromise sensitive or classified information that is being communicated during a session. Users must be aware of other conversations in the area and their sensitivity when using any communications endpoint (not only a PC-based voice, video, or collaboration communications application). This awareness must then translate into protecting or eliminating these other conversations. A short-range, reduced-gain, or noise-cancelling microphone may be required. A PTT microphone may also be required for classified areas. The microphone should be muted when the user is not speaking as both mitigation for this issue and proper etiquette when participating in a conference. The muting function should be performed using a positively controlled disconnect, shorting switch, or mechanism instead of a software-controlled mute function on the PC. Users must be aware of other people in the area that could hear what is being communicated. This is particularly an issue if the communicated information is sensitive or classified because the parties overhearing the information may not have proper clearance or a need-to-know. To mitigate this issue, a headset or speakers should be used and at a volume that only the user can hear.
Checks: C-63622r946592_chk

Verify a policy and procedure is in place and enforced that addresses the placement and operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides. NOTE: This standard operating procedure (SOP) should take into account the classification of the area where the video teleconferencing unit (VTU) or PC supporting a PC-based voice, video, UC, and collaboration communications applications is installed as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Measures should also be included such as closing office or conference room doors, muting microphones before and after conference sessions and during conference breaks, volume levels in open offices, and muting the microphone when not speaking. Inspect the applicable SOP. Such an SOP should: - Include policy on the use of headsets containing short-range microphones and earphones in lieu of long-range microphones and speakers in an open office environment. - Address the volume settings of speakers so session information is not heard by nonparticipants in a work area. - Address the potential for the pickup of nonsession-related conversations in the work area. - Discuss Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If the SOP or training is deficient, this is a finding.

Fix: F-63529r946593_fix

Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Such an SOP should: - Include policy on the use of headsets containing short-range microphones and earphones in lieu of long-range microphones and speakers in an open office environment. - Address the volume settings of speakers so session information is not heard by nonparticipants in a work area. - Address the potential for the pickup of nonsession-related conversations in the work area. Provide appropriate training so users follow the SOP. Enforce user compliance with the SOP.

b
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next.
AC-4 - Medium - CCI-002204 - V-259892 - SV-259892r948736_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002204
Version
SRG-VOIP-000120
Vuln IDs
  • V-259892
Rule IDs
  • SV-259892r948736_rule
All residual data (data unintentionally left behind on computer media) must be cleared before transitioning from one period/network to the next. Because the equipment is reused, nondestructive techniques are used. According to NIST Special Publication 800-88: Clearing information is a level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. For example, overwriting is an acceptable method for clearing media.
Checks: C-63623r946595_chk

Verify an automatic capability exists and review documentation to determine if this capability is being implemented before transitioning from one period/network to the next. If no automatic capability exists, review organizational documentation to determine if a manual procedure is specified and implemented before transitioning from one period/network to the next. Coordinate with the vendor/solutions provider and certifier to verify all residual information is sanitized based on equipment make and model. If an automatic capability exists and is being implemented, this is not a finding. If an automatic capability exists but is not being implemented, this is a finding unless a manual procedure is specified and is being implemented. If a manual procedure is specified and is being implemented, this is not a finding. If no procedure is specified or none is being implemented, this is a finding.

Fix: F-63530r946596_fix

Obtain equipment that has an automatic capability to sanitize memory or implement and document a manual procedure. Implement the automatic capability or manual procedure to sanitize all information while transitioning from one period/network to the next.

c
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by connecting the CODEC to one network at a time, matching the classification level of the session to the classification level of the network.
AC-4 - High - CCI-002212 - V-259893 - SV-259893r948737_rule
RMF Control
AC-4
Severity
High
CCI
CCI-002212
Version
SRG-VOIP-000130
Vuln IDs
  • V-259893
Rule IDs
  • SV-259893r948737_rule
Connecting to networks of different classifications simultaneously incurs the risk of data from a higher classification being released to a network of a lower classification, referred to as a "spill". It is imperative that networks of differing classification levels or with differing handling caveats not be interconnected at any time. Separation in a multinetwork VTC system is maintained by the use of an A/B, A/B/C, or A/B/C/D switch that meets requirements for channel isolation or by manual connection of the CODEC to one network at a time.
Checks: C-63624r946598_chk

Review the VTC system architecture to verify that an approved A/B, A/B/C, or A/B/C/D switch is present and properly cabled. Alternately, validate that the VTC CODEC is manually connected to one network at a time through the use of a single patch cord. If neither is in place, this is a finding.

Fix: F-63531r946599_fix

Obtain and install an approved A/B, A/B/C, or A/B/C/D switch. Alternately, manually connect the VTC CODEC to one network at a time through the use of a single patch cord.

b
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing sanitization by purging/clearing volatile memory within the CODEC by powering the CODEC off for a minimum of 60 seconds.
AC-4 - Medium - CCI-002204 - V-259894 - SV-259894r948738_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002204
Version
SRG-VOIP-000140
Vuln IDs
  • V-259894
Rule IDs
  • SV-259894r948738_rule
Volatile memory requires power to maintain the stored information. It retains its contents while powered, but when power is interrupted, stored data is immediately lost. Dynamic random-access memory (DRAM) is a type of random-access memory that stores each bit of data in a separate capacitor within an integrated circuit. Because capacitors leak charge, data fades unless the capacitor charge is refreshed periodically. Static random-access memory (SRAM) has a different configuration from DRAM, which allows it to retain data longer when power is no longer applied (data remanence). Powering off the CODEC for 60 seconds is sufficient to discharge the capacitors and erase all data.
Checks: C-63625r946601_chk

Observe the operation of the VTC system as it transitions between networks. Verify that the CODEC is powered off for a minimum of 60 seconds during the transition. If it is not, this is a finding.

Fix: F-63532r946602_fix

Sanitize volatile memory by disconnection of all power for at least 60 seconds.

b
IP-based VTC systems implementing a single CODEC that support conferences on multiple networks with different classification levels must sanitize nonvolatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network.
AC-4 - Medium - CCI-002217 - V-259895 - SV-259895r956913_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002217
Version
SRG-VOIP-000150
Vuln IDs
  • V-259895
Rule IDs
  • SV-259895r956913_rule
A factory reset is the software restoration of an electronic device to its original system state by erasing all information stored on the device to restore the device to its original factory or unconfigured settings. This erases all data, settings, and applications that were previously on the device. Factory reset may be used as part of the sanitization process. This requirement is satisfied by the use of either a properly configured automated configuration management system or an inherent sanitization capability of the unit. However, this requirement results in a CAT III finding if a manual procedure is used.
Checks: C-63626r946604_chk

Verify the VTC system has an automated configuration management system configured to sanitize and reconfigure the CODEC when transitioning between networks. If it does, review documentation to determine if this capability is being implemented. If these conditions are met, this is not a finding. If the unit is not implementing an automated process, review documentation to determine if a manual procedure is specified and implemented when transitioning between networks. This will result in a CAT III finding if these conditions are met and a CAT II finding if they are not. If an automatic capability exists but is not being implemented, or an automated configuration management system is not being used, this is a CAT II finding unless a manual procedure is specified and is being implemented. I f a manual procedure is specified and is being implemented, this is a CAT III finding. If the unit is not being sanitized when transitioning between networks, this is a CAT II finding.

Fix: F-63533r946605_fix

Obtain a VTC system that has an automated sanitization capability. Implement and document a procedure that uses this capability to sanitize the CODEC when transitioning between networks. As a last resort, implement and document a manual sanitization/reconfiguration procedure to perform this function.

b
The A/B, A/B/C, or A/B/C/D switch within an IP-based VTC system that supports conferences on multiple networks with different classification levels must be based on optical technologies to maintain electrical isolation between the various networks to which it connects.
AC-4 - Medium - CCI-002212 - V-259896 - SV-259896r956910_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002212
Version
SRG-VOIP-000160
Vuln IDs
  • V-259896
Rule IDs
  • SV-259896r956910_rule
The A/B, A/B/C, or A/B/C/D switch is physically connected to multiple networks that have different classification levels. Copper-based switches provide minimal or no electrical isolation due to capacitance between the wires in the switch box and the switch contacts. This can permit information on one network to bleed or leak over to the other network, which can lead to the disclosure of classified information on a classified network to a network of lower classification. This must be prevented. Optical fiber is an insulator; thus, it carries no electrical current and generates no electromagnetic field, eliminating the capacitance issue. Therefore, it provides excellent electrical isolation between the networks to which it connects.
Checks: C-63627r946607_chk

Review A/B, A/B/C, or A/B/C/D switch vendor documentation to determine if optical technologies are used to maintain electrical isolation between the input port/connection and between all selectable output ports/connections. If this is not the case, this is a finding. Validate approved equipment is being used. DISN Video Services (DVS) maintains a list of A/B, A/B/C, or A/B/C/D switches that have been certified to meet the above requirements at https://disa.mil/Services/Network-Services/Video/~/media/Files/DISA/Services/DVS/red_black_peripherals.xls. If the A/B, A/B/C, or A/B/C/D switch is not on the list, this is a finding.

Fix: F-63534r946608_fix

Obtain and install an approved A/B, A/B/C, or A/B/C/D switch.

b
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels must be implemented in such a way that configuration information for a network having a higher classification level is not disclosed to a network having a lower classification level.
AC-4 - Medium - CCI-002204 - V-259897 - SV-259897r956911_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002204
Version
SRG-VOIP-000170
Vuln IDs
  • V-259897
Rule IDs
  • SV-259897r956911_rule
Connecting the CODEC to a network while it is being reconfigured could lead to the disclosure of sensitive configuration information for a network having a higher classification level to a network having a lower classification level. Ideally, the CODEC will be disconnected from any network while it is being reconfigured. However, the requirement can be met by using a procedure that purges the configuration for the currently connected network, power cycling the CODEC as required (for a minimum of 60 seconds per SRG-VOIP-000140) as the CODEC is switched to the next network, and then reconfiguring the CODEC for the next session.
Checks: C-63628r946610_chk

Review the VTC system architecture documentation and observe system operation while transitioning between networks to verify one of the following: - The CODEC is switched to a disconnected/unused switch position while it is being purged/reconfigured. - The CODEC is purged while connected to one network, power cycled as it is switched to the next network, and then reconfigured for that network. Alternately, if a manual switching procedure is used, verify the CODEC is physically disconnected from any network while being reconfigured. If none of these procedures is being followed, this is a finding.

Fix: F-63535r946611_fix

Do one of the following: - Architect, implement, and configure the system so the A/B, A/B/C, or A/B/C/D switch connects the CODEC to an unused switch position while it is being reconfigured during transition from one network to another. - Architect, implement, and configure the system so the CODEC configuration is purged before it is switched to the next network, the CODEC is power cycled for the required time period as the A/B, A/B/C, or A/B/C/D switch connects the CODEC to the next network, and then the CODEC is reconfigured for that network. - If a manual switching procedure is used, physically disconnect the CODEC from any network while it is reconfigured for the next network.

b
The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels must be Common Criteria certified.
AC-4 - Medium - CCI-002204 - V-259898 - SV-259898r948742_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002204
Version
SRG-VOIP-000180
Vuln IDs
  • V-259898
Rule IDs
  • SV-259898r948742_rule
Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous, standard, and repeatable manner at a level commensurate with the target environment for use. The Defense Security/Cybersecurity Authorization Working Group (DSAWG) mandated that the A/B, A/B/C, or A/B/C/D switches used in VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels, where these networks are simultaneously and permanently connected to these networks, must receive NIAP approval in accordance with CNSSP #11. This was primarily due to the potential interconnection of separate networks designated as National Security Systems through the switch. This was a prerequisite to their approval of the multinetwork VTC system architecture. Therefore, the A/B, A/B/C, or A/B/C/D switch must be satisfactorily evaluated and validated in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme.
Checks: C-63629r946613_chk

Review the NIAP Product Compliant List (PCL) at https://www.niap-ccevs.org to verify that a certification exists for the A/B, A/B/C, or A/B/C/D switch or review a vendor-provided letter from NIAP or the NIAP test report indicating satisfactory completion of testing and PCL listing. Validation of certification via the NIAP PCL can be more easily facilitated if the vendor has provided the certification number. If the product is not on the list or a NIAP letter or test report is not provided, this is a finding.

Fix: F-63536r946614_fix

Obtain and install an A/B, A/B/C, or A/B/C/D switch that has obtained Common Criteria certification.

a
The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels must be TEMPEST certified.
AC-4 - Low - CCI-002212 - V-259899 - SV-259899r948743_rule
RMF Control
AC-4
Severity
Low
CCI
CCI-002212
Version
SRG-VOIP-000190
Vuln IDs
  • V-259899
Rule IDs
  • SV-259899r948743_rule
Committee on National Security Systems Advisory Memorandum (CNSSAM) TEMPEST/01-13, RED/BLACK Installation Guidance, provides criteria for the installation of electronic equipment, cabling, and facility support for the processing of secure information. National policy requires that systems and facilities processing NSI must be reviewed by a Certified TEMPEST Technical Authority (CTTA) to achieve TEMPEST security. The RED/BLACK guidance contained in TEMPEST/01-13 will be considered by the CTTA along with other measures (e.g., TEMPEST Zoning, TEMPEST-suppressed equipment and shielding) to determine the most cost-effective countermeasures to achieve TEMPEST security. Only those RED/BLACK criteria specifically identified by the CTTA will be implemented.
Checks: C-63630r946616_chk

Review the documentation to determine if the A/B, A/B/C, or A/B/C/D switch is TEMPEST certified. Review TEMPEST certification documentation provided by a CTTA or the vendor to determine if the switch is TEMPEST certified. If the A/B, A/B/C, or A/B/C/D switch is not on the list, or satisfactory documentation is not provided, this is a finding.

Fix: F-63537r946617_fix

Obtain and install a TEMPEST-certified A/B, A/B/C, or A/B/C/D switch.

b
An IP-based VTC system implementing a single set of input/output devices (cameras, microphones, speakers, control system), an A/V switcher, and multiple CODECs connected to multiple IP networks with different classification levels must provide automatic mutually exclusive power control for the CODECs or their network connections so only one CODEC is powered on or one CODEC is connected to any network at any given time.
AC-4 - Medium - CCI-002213 - V-259900 - SV-259900r948744_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002213
Version
SRG-VOIP-000200
Vuln IDs
  • V-259900
Rule IDs
  • SV-259900r948744_rule
If a VTC system is implemented using multiple CODECs, each connected to a network with a different classification level, along with an A/V switcher, a potential path exists through the CODECs and A/V switcher that could permit classified information to be exposed/released from one classified network to a network with a lower classification. Powering off the CODEC, at a minimum, will provide a level of isolation that will prevent active passage of data. However, the above solution could still provide an electrical leakage path between the networks whereby classified information could leak onto another network. To improve on the electrical isolation between networks and as an alternative to powering off the CODECs, an optical link using fiber optic to Ethernet media adaptors/converters/modems between the CODEC and each of the networks it serves could be implemented. In this case, the fiber optic media adaptors would be powered in a mutually exclusive manner. Mutually exclusive power means that only one CODEC or fiber optic adaptor can be powered at a time. Turning on one CODEC or fiber optic adaptor turns off power for all others.
Checks: C-63631r946619_chk

Review the VTC system architecture to determine the method of network isolation used. Verify that only one CODEC or fiber optic media adaptor can be turned on at a time by attempting to turn on more than one CODEC concurrently. If more than one CODEC operates, this is a finding.

Fix: F-63538r946620_fix

Obtain and implement a power control system that can support automatic mutually exclusive power control.

b
The implementation of an IP-based VTC system that supports conferences on multiple networks with different classification levels must maintain isolation between the networks to which it connects by implementing separation of equipment and cabling between the various networks with differing classification levels in accordance with CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance.
AC-4 - Medium - CCI-002204 - V-259901 - SV-259901r948745_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002204
Version
SRG-VOIP-000210
Vuln IDs
  • V-259901
Rule IDs
  • SV-259901r948745_rule
Information leakage is the intentional or unintentional release of information to an untrusted environment from electromagnetic signals emanations. Security categories or classifications of information systems (with respect to confidentiality) and organizational security policies guide the selection of security controls employed to protect systems against information leakage due to electromagnetic signals emanations. The Committee on National Security Systems Advisory Memorandum (CNSSAM) TEMPEST/01-13, RED/BLACK Installation Guidance, provides criteria for the installation of electronic equipment, cabling, and facility support for the processing of secure information. The TEMPEST/01-13 requires that the facility housing the secure VTC equipment (i.e., the secure conference room) must meet the TEMPEST requirements for such rooms. The appropriate and required separations between RED and BLACK equipment and cables must be met. This includes cable routing inside equipment cabinets. Depending on the TEMPEST ZONE, the separation requirements are: - Minimum equipment separation - 50 cm or 1 m. - Minimum cable separation - 5 cm or 15 cm. National policy requires that systems and facilities processing NSI must be reviewed by a Certified TEMPEST Technical Authority (CTTA) to achieve TEMPEST security. The CTTA may require separate power sources for RED equipment and BLACK equipment.
Checks: C-63632r946622_chk

Review the documentation and based on the TEMPEST ZONE in the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance, determine if the required separations between RED and BLACK equipment and cables have been met. This includes cable routing inside equipment cabinets. Depending on the TEMPEST ZONE, the separation requirements are: - Minimum equipment separation - 50 cm or 1 m. - Minimum cable separation - 5 cm or 15 cm. If the cables or equipment are closer than the minimum cable and equipment separation distances, this is a finding. If a CTTA has reviewed the system's installation and provided a favorable report or certification, this is not a finding.

Fix: F-63539r946623_fix

Install cabling and equipment in accordance with the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance. Depending on the TEMPEST ZONE, the separation requirements are: - Minimum equipment separation - 50 cm or 1 m. - Minimum cable separation - 5 cm or 15 cm.

b
Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over nonsecure systems.
AC-4 - Medium - CCI-002213 - V-259902 - SV-259902r948746_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002213
Version
SRG-VOIP-000220
Vuln IDs
  • V-259902
Rule IDs
  • SV-259902r948746_rule
Speakers used with Voice Video systems and devices may be heard by people and microphones with no relationship to the conference or call in progress. In open areas, conference audio may be overheard by others in the area without a need-to-know. A policy must be in place and enforced regarding the placement and use of speakers connected to secure Voice Video systems (video conferencing, EVoIP, ECVoIP, etc.) and secure Voice Video endpoints (STU-III, STE, etc.) located in areas or rooms where classified meetings, conversations, or work normally occur. The policy must be in accordance with NSA and DCI guidance and address, at a minimum, the following: - Location if instruments must be limited to sole-use offices, conference rooms, and similar areas that afford sound attenuation. - Notification to all room occupants of the use of the speaker. - Notification to all room occupants for awareness of the classification of conversations taking place. - The room occupant assuming responsibility for taking the necessary precautions to ensure the classified discussion is not overheard. - Secure Voice Video endpoints must be configured to prevent speaker enablement in the nonsecure mode. Speakerphone use on secure telecommunications systems requires special consideration regarding placement and operating policy. NSA S412 approves the installation/enablement of speakerphones on National Secure Telephone Systems (NSTS) and STU-III/STE instruments. The intent of speakerphone approval rests with the room occupant assuming responsibility for taking the necessary precautions to ensure the classified discussion is not overheard by individuals outside the conversation who may not have a need-to-know for the information discussed and/or that the speakerphone will not pick up and transmit other classified conversations in the area that are not part of the call in progress.
Checks: C-63633r946625_chk

Confirm a policy and supporting procedures are in place that address the placement and operation of video conferencing, UC soft client, and speakerphone speakers to prevent disclosure of sensitive or classified information over nonsecure systems. Operational policy and procedures must be included in user training and guides. The policy and supporting procedures should consider the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. They should include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use. If a policy and supporting procedures governing video conferencing, UC soft client, and speakerphone speaker operations preventing disclosure of sensitive or classified information over nonsecure systems do not exist or are not enforced, this is a finding.

Fix: F-63540r946626_fix

Document and enforce a policy and procedure for video conferencing, UC soft client, and speakerphone speaker operations to prevent disclosure of sensitive or classified information over nonsecure systems. Ensure appropriate training is provided for users. The policy and supporting procedures should consider the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use.

b
An inventory of authorized instruments must be documented and maintained in support of the detection of unauthorized instruments connected to the Enterprise Voice, Video, and Messaging system.
PM-1 - Medium - CCI-000073 - V-259903 - SV-259903r948747_rule
RMF Control
PM-1
Severity
Medium
CCI
CCI-000073
Version
SRG-VOIP-000230
Vuln IDs
  • V-259903
Rule IDs
  • SV-259903r948747_rule
Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add unauthorized digital instruments to the system. However, this could be done more easily with older analog systems by tapping an existing analog line. With Enterprise Voice, Video, and Messaging, this is no longer the case. Most IPT/VoIP systems employ an automatic means of detecting and registering a new instrument on the network with the call management server and then downloading its configuration to the instrument. This presents a vulnerability whereby unauthorized instruments could be added to the system or instruments could be moved without authorization. Such activity can happen anywhere there is an active network port or outlet. This is not only a configuration management problem. It could also allow theft of services or some other malicious attack. It is recognized however, that auto-registration is necessary during large deployments of VoIP terminals, and for a short time thereafter, to facilitate additions and troubleshooting. This applies to initial system setup and any subsequent large redeployments or additions. Normal, day-to-day moves, adds, and changes will require manual registration. Because it may be possible for an unauthorized VoIP terminal to be added to the system easily during auto-registration, the registration logs must be compared to the authorized terminal inventory. Alternately, the system could have a method of automatically registering only preauthorized terminals. This feature would support VoIP terminals that are AO approved for connection from multiple local or remote locations. It is critical to the security of the system that all IPT/VoIP end instruments be authorized to connect to and use the system. Only authorized instruments should be configured in the system controller and therefore allowed to operate. Unauthorized instruments could lead to system compromise or abuse. A manual inventory of authorized end instruments will aid in the detection of unauthorized instruments registered to the system, particularly during the period when autodetection/registration is permitted. This will also aid in certification and accreditation efforts.
Checks: C-63634r946628_chk

Verify that an inventory of authorized instruments is documented and maintained. Inspect the authorized instrument inventory. NOTE: This inventory will be separate from the inventory created within the Local Session Controller (LSC) from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation). If the inventory does not exist or does not appear to be up to date, this is a finding. Ask how this inventory is generated and where it is stored. If it is located on the LSC, this is a finding.

Fix: F-63541r946629_fix

Ensure that an inventory of authorized instruments is documented and maintained. NOTE: This inventory will be separate from the inventory created within the LSC from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation). Prepare and maintain an inventory/database of authorized VoIP instruments. Generate and store the inventory on a separate workstation or server from the LSC (for example, the LSC management workstation). Recommendation: Create the inventory in a format that can easily be compared through automation to the report of registered instruments from the LSC (if available). This will facilitate regular review of the inventory to detect unauthorized instruments and will make the IA review easier.

a
Customers of the DISN VoSIP service must use address blocks assigned by the DRSN/VoSIP PMO.
PM-1 - Low - CCI-000073 - V-259904 - SV-259904r948748_rule
RMF Control
PM-1
Severity
Low
CCI
CCI-000073
Version
SRG-VOIP-000240
Vuln IDs
  • V-259904
Rule IDs
  • SV-259904r948748_rule
Ensure different, dedicated, address blocks or ranges are defined for the VVoIP system within the LAN (Enclave) that are separate from the address blocks/ranges used by the rest of the LAN for non-VVoIP system devices, thus allowing traffic and access control using firewalls and router ACLs. NOTE: This is applicable to a classified LAN connected to a classified WAN (such as the SIPRNet). In the case of a classified WAN where networkwide address-based accountability or traceability is required by the network PMO, the PMO must provide segregated, networkwide address block(s) so the attached classified LANs can meet this requirement. DISA provides a worldwide VoIP-based voice communications service called the DISN Voice over Secret IP (VoSIP). This service is managed by the DRSN PMO. This service also provides gateways into the DRSN. In support of the above requirement, the SIPRNet PMO has designated specific dedicated address ranges for use by the DISN VoSIP service and assigned these address blocks to the DRSN/VoSIP PMO for VoSIP address management and assignment. The VoSIP service provides VoIP-based communications between VoIP systems within the customer's classified LANs (C-LANs) operating at the secret level while using the SIPRNet WAN for the inter-enclave (inter-LAN) transport. Additionally, the SIPRNet PMO requires networkwide address-based accountability or traceability based on assigned IP address. The customer's SIPRNet-connected secret C-LANs use addresses assigned by the SIPRNet PMO. Therefore, customers of the DISN VoSIP service must use IP addresses assigned to them by the DRSN/VoSIP PMO when addressing the VoIP controllers and endpoints within their C-LANs. This is to maintain the segregation of the voice and data environments on the customer's secret C-LANs as required by this SRG. This also facilitates proper routing and flow control over the traffic between VoSIP addresses. The DISN service is designated DISN Voice over Secret IP but uses an acronym (VoSIP), which also means Voice over Secure IP. Voice over Secure IP relates to any VoIP-based service on a secure or classified IP network. While the DISN VoSIP service is the preferred means to interconnect SIPRNet-connected secret C-LANs for VoIP service, there may be a need for an organization to implement a VoIP-based voice or video communications system within their organization or with close partners. If such a system has no need or potential need to communicate with other enclaves that use the DISN VoSIP service, they must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO.
Checks: C-63635r946631_chk

Verify customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTES: - This is similarly applicable to other classified DISN services and customer's C-LANs. - This is not a requirement if a VoIP-based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or to access the DRSN and communicate with other enclaves that do use the DISN service or have access to the DRSN. They must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. - This requirement does not directly apply to dedicated hardware-based IP - VTC systems using the C-LAN and SIPRNet for transport, although there may be similar requirements to address this technology in the future. Determine the following: - Is the organization's secret C-LAN connected to SIPRNet? - Does the organization's secret C-LAN support VVoIP communications (not dedicated IP-based VTC)? - Does organization's secret C-LAN VVoIP system interconnect with other enclaves using the DISN VoSIP service? - What address blocks are dedicated to the VVoIP system on the C-LAN? - Is there documented evidence that the DRSN/VoSIP PMO assigned these addresses to the organization, or can such assignment be validated by other means? If the organization's secret C-LAN supports VVoIP communications (not dedicated IP-based VTC) AND is connected to SIPRNet AND uses the DISN VoSIP service BUT DOES NOT use the DRSN/VoSIP PMO assigned address blocks when addressing all of the VVoIP system components, this is a finding.

Fix: F-63542r946632_fix

Ensure customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTES: - This is similarly applicable to other classified DISN services and customer's C-LANs. - This is not a requirement if a VoIP-based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or to access the DRSN and communicate with other enclaves that do use the DISN service or have access to the DRSN. They must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. - This requirement does not directly apply to dedicated hardware-based IP - VTC systems using the C-LAN and SIPRNet for transport, although there may be similar requirements to address this technology in the future. Obtain and assign IP addresses as provided by the DRSN PMO-VoSIP department when defining the required dedicated address space on the LAN.

b
Voice networks must not be bridged via a Unified Capability (UC) soft client accessory.
PM-1 - Medium - CCI-000073 - V-259905 - SV-259905r948749_rule
RMF Control
PM-1
Severity
Medium
CCI
CCI-000073
Version
SRG-VOIP-000250
Vuln IDs
  • V-259905
Rule IDs
  • SV-259905r948749_rule
While a headset, microphone, or webcam can be considered to be UC soft client accessories, these are also accessories for other collaboration and communications applications. This discussion relates to UC soft client-specific accessories, which consist of USB phones, USB ATAs, and PPGs. A USB phone is a physical USB-connected telephone instrument that associates itself with the UC soft client application running on the PC. It minimally provides a handset that includes both the mouthpiece and receiver and may provide a dial pad, a speakerphone function, or other functions. They should be operated accordingly. A USB ATA is a USB-connected device that associates itself with the UC soft client application and provides the ability to use a standard analog telephone or speakerphone. Some USB ATAs also provide a port to which an analog phone line can be connected. This allows a single analog phone to be used with the UC soft client while also answering and placing calls via the analog phone line. This line could be connected to a local PBX or to the PSTN. Some USB phones contain a port to which an analog phone line can be connected so the USB phone can be used with it to place and receive calls. There is little risk in the operation of this kind of USB ATA or USB phone, providing it operates only as described and there is no direct bridging of networks as described next. A PPG (USB connected or internal card) is a type of ATA that is a gateway intended to bridge the UC soft client application and supporting VVoIP network to an analog phone line from a local PBX or the PSTN. PPGs pose legal and fraud threats to a DOD network due to this bridging of networks. They can be used for toll fraud, toll avoidance, or placing or receiving unauthorized calls. Some USB phones can contain a PPG. While these devices might be used to meet a specific mission requirement, their use may be illegal in certain countries and instances when connected between a DOD IP voice and data network and a public dial-up voice network. The use of any UC soft client accessory that provides a network bridging function poses both a legal and an IA threat to the DOD voice communications network. PPGs must not be used except to fulfill a validated and approved mission requirement. DECT 6.0 headsets provide wireless microphone and earphone use to a telephone device.
Checks: C-63636r946634_chk

Determine if UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets, that provide a network bridging capability to the PSTN are used on a DOD PC or network. If so, further determine if there is a validated and approved mission requirement for their use. Interview a random sampling of users regarding their use of this bridging capability. If these devices are used and there is no validated mission requirement, this is a finding. NOTE: This requirement applies to Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Prior to procurement and implementation of any wireless accessory, a risk analysis must be performed to ensure the technology uses acceptable encryption and does not interfere with existing technology use. This guidance is not intended to replace the existing guidance available for wireless headsets used in association with mobile devices.

Fix: F-63543r946635_fix

Discontinue the use of UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets that provide a network bridging capability unless there is a validated and approved mission requirement for their use.

b
When soft-phones are implemented as the primary voice endpoint in the user's workspace, a policy must be defined to supplement with physical hardware-based phones near all such workspaces.
PM-1 - Medium - CCI-000073 - V-259906 - SV-259906r948750_rule
RMF Control
PM-1
Severity
Medium
CCI
CCI-000073
Version
SRG-VOIP-000260
Vuln IDs
  • V-259906
Rule IDs
  • SV-259906r948750_rule
This and several other requirements discuss the implementation of PC soft-phones or UC applications as the primary and only communications device in the user's workspace. While this degrades the protections afforded a hardware-based system, the trend is to use more and more PC-based communications applications due to their advanced features, collaborative benefits, and perceived reduced cost. This soft-phone use case results in the elimination of hardware-based telephones on users' desks in the workplace. This can be seen as, or result in, trading down (from a hardware-based system) with regard to availability, reliability, and quality of service because the data network is generally more susceptible to compromise from many sources inside and outside the local LAN, making the soft-phones more exposed to attack. This also means no telephone will be available in the workspace if the PC is not powered on, the application is not loaded, or the PC is not fully functional. While this is undesirable from an IA standpoint, a business case can be developed to support it. NOTE: The recommended relationship between PC soft-phone/UC applications and hardware-based endpoints in the normal work area is that the PC application should augment the functionality of, or be a backup to, the hardware-based instrument in the user's workspace. The implementation of PC soft-phones or UC applications in the user workspace as their only endpoint has several ramifications that must be considered. These include: - The PC becomes a single point of failure for communications services provided to a user in their workspace. A widespread problem, which affects many PCs or the network infrastructure, may disable all communications for many users at one time. Users may not have a means to report the failure without using an alternate communications system. A fast-spreading worm or power outage could create such a situation. While some may argue that "users can call on their cell phones", service may not be available, or their use may not be permitted in the facility. This translates into the loss of functionality and efficiency, as in lost time, due to the inability to communicate when the PC or soft-phone application is not running or functioning properly. - The protections afforded hardware-based endpoints by the use of the voice protection zone, such as VoIP VLAN(s) and others, are missing for soft-phones in a widespread use/implementation scenario and, depending on the implementation on the PC, may degrade the protections afforded hardware-based endpoints. Such is the case for all software-based communications endpoints because they are typically implemented on all PCs and therefore will be connected to the data VLANs. Assured service for voice traffic will be degraded from that obtained with hardware-based instruments connected in the voice protection zone. This translates into the following additional IA measures required to protect the VoIP infrastructure (e.g., a firewall between the VoIP and data VLANs): - The hardware-based endpoint is not available for use in parallel with, or in place of, the PC. This can be a problem if the PC is having performance or operational issues, is turned off, or is unavailable. Accessing help desk services requiring logging on to the PC to use the voice services and work on a problem could be a real challenge. Rebooting the PC to clear a problem would disconnect the call to the helpdesk. Accessing voice mail or answering the phone while the PC is booting is made impossible, reducing efficiency, particularly when the user starts their day. If the user has command and control (C2) responsibilities, the IP equivalent of MLPP cannot function properly if an application or PC is unavailable. Precedence calls will not be received by the user but will be transferred to their designated alternate answering point. - Emergency communications could be unavailable if the PC is not booted, the communications application is not running, or either is otherwise compromised. Voice communications must be readily available for life safety and medical reasons, as well as other facility security emergencies. A partial mitigation for this in a "soft-phone world" is to place common use hardware telephones within a short distance (e.g., 30 to 50 feet) of every workspace, which is an additional cost. This additional distance, however, could be an issue in a medical emergency where a worker might be alone in their workspace and their PC or voice communications application is not functioning properly. They may not be able to reach the common use instrument depending on the nature of the medical emergency. If the worker was suffering a heart attack or diabetic emergency, they could die. Business cases therefore need to include the cost of insurance and/or lawsuits for this eventuality. The previous two items translate into the following the addition of common-use hardware-based instruments placed around the facility (for backup and emergency use) along with the additionally required LAN cabling and access switch ports. While some may believe this is not an IA issue, it is because the discussion is about availability, which is one of the prime tenets of IA. Additionally, the VoIP controllers (i.e., the equipment that controls the telephone system) must be able to be accessed by the PC soft-phones while being protected as they would be in a normal VoIP system using hardware-based instruments. NOTE: Methods for permitting the necessary PC traffic to, from, and between the voice and data zones while protecting the voice zone will be discussed later in this document.
Checks: C-63637r946637_chk

Part 1: Determine if PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in users' workspaces. If so, inspect users' work areas to determine if hardware-based telephone instruments are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. Cellphones, PDA/PEDs, or other wireless devices are not considered reliable enough to meet this requirement due to lack of reliable signal available everywhere and their inability to be used in certain DOD environments. If these conditions are not met, this is a finding. NOTE: This requirement is satisfied by the implementation of hard-wired hardware-based telephone instruments using any telephony technology. That is, traditional analog or digital instruments may be used, or VoIP-based instruments may be used. Such instruments may be part of the local site's PBX or VoIP system or may be served from the Local Exchange Carrier (LEC) or Competitive LEC (CLEC). Power is another concern when implementing backup/continuity of operations (COOP) or emergency telephones. Such phones should be remotely powered from a source that can provide backup power. Additionally, the dialing capabilities of backup/COOP or emergency telephones may be limited to internal and/or emergency calls. This means that minimally, emergency service numbers must be reachable from these phones. Part 2: Select a random sample if not all of the implemented hard-phones and test them to ensure they are functional. If nonfunctional phones are found, this is a finding.

Fix: F-63544r946638_fix

If PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in the user's workspace, ensure hardware-based telephone instruments are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. NOTE: This requirement is satisfied by the implementation of hard-wired hardware-based telephone instruments using any telephony technology. That is, traditional analog or digital instruments may be used, or VoIP-based instruments may be used. Such instruments may be part of the local site's PBX or VoIP system or may be served from the Local Exchange Carrier (LEC) or Competitive LEC (CLEC). Power is another concern when implementing backup/continuity of operations (COOP) or emergency telephones. Such phones should be remotely powered from a source that can provide backup power. Additionally, the dialing capabilities of backup/COOP or emergency telephones may be limited to internal and/or emergency calls. This means that minimally, emergency service numbers must be reachable from these phones.

b
Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have authorizing official (AO) approval.
PM-1 - Medium - CCI-000073 - V-259907 - SV-259907r948751_rule
RMF Control
PM-1
Severity
Medium
CCI
CCI-000073
Version
SRG-VOIP-000270
Vuln IDs
  • V-259907
Rule IDs
  • SV-259907r948751_rule
The AO responsible for the implementation of a voice system that uses UC soft clients for its endpoints must be made aware of the risks and benefits. In addition, the commander of an organization whose mission depends on such a telephone system must also be made aware and provide approval. When UC soft clients are fielded as the primary endpoint, the risk of unavailability is high compared to dedicated instruments. Another major difficulty for UC soft clients deployed on laptops is providing accurate location information for emergency services. When emergency services are called from the laptop, if it is not at the location entered in the Automated Location Identification (ALI) database, emergency services may be dispatched to the wrong place.
Checks: C-63638r946640_chk

Verify the Command and AO approves the implementation or transition to UC soft clients as the primary endpoints in writing. Verify the ISSO maintains approval documentation for inspection by IA reviewers or auditors. Review the written Command and AO approval for the implementation of a telephone system that primarily uses UC soft client applications for its endpoints. If no written Command and AO approval exists for UC soft client endpoints, this is a finding.

Fix: F-63545r946641_fix

Obtain the Command and AO approval for the implementation or transition to UC soft clients as the primary endpoints in writing. Approval documentation must be maintained by the ISSO for future inspection by IA reviewers or auditors. If Command and AO written approval is not available, hardware endpoints must be used as the primary endpoints. NOTE: This requirement is in addition to AO approval for deploying UC soft clients on DOD networks. When UC soft clients are deployed as the primary endpoint, additional risks to availability exist.

b
Deploying Unified Capabilities (UC) soft clients on DOD networks must have authorizing official (AO) approval.
PM-1 - Medium - CCI-000073 - V-259908 - SV-259908r948752_rule
RMF Control
PM-1
Severity
Medium
CCI
CCI-000073
Version
SRG-VOIP-000280
Vuln IDs
  • V-259908
Rule IDs
  • SV-259908r948752_rule
This use case addresses situations in which UC soft client applications on workstations are not the primary voice communications device in the work area. This means there is a validated mission need and the number of UC soft clients permitted to operate inside the LAN will be less than the number of hardware-based phones in the LAN. This number should be limited to UC soft clients required to meet specific mission requirements. There are scenarios for the use of limited numbers of UC soft clients in the strategic LAN. The first of these scenarios is providing support for UC soft clients associated with a VoIP system in another enclave. This is a remote access scenario and must operate as they would in a normal remote access use case. If this scenario is approved, special accommodations must be made in the local LAN to support users from a remote LAN and permit them to connect to their home enclave. This could include segregating them on a separate dedicated LAN with its own boundary protection or by implementing a dedicated VLAN protection zone while opening the enclave boundary to permit the remote connection. Voice/video and data must reside on separate VLANs for the protection of the voice infrastructure. However, recognizing that requiring a NIC to be configured to support voice/video and data VLANs is not a viable solution, voice and data traffic can coexist in the data VLAN when leaving the workstation. Based on the Unified Capabilities Requirements (UCR) that UC application tag its signaling and media traffic with the proper UCR-defined Differentiated Service Code Point (DSCP), the LAN access switch port can route the UC traffic to the voice/video VLAN. If the LAN access switch is not capable, then routing upstream must perform this. A separate NIC is not required to support VLANs for voice and video segmentation under UC.
Checks: C-63639r946643_chk

Verify the responsible AO approves the use of limited numbers of UC soft clients in the strategic LAN along with the measures implemented to protect these UC soft clients and the local VoIP and data infrastructure. Verify that approval is provided in writing and maintained by the ISSO for inspection by IA reviewers or auditors. When limited numbers of UC soft clients associated with the local VoIP system are implemented in the strategic LAN, a separate VLAN structure must be implemented for them. Implementation of a VLAN must not provide a bridge between the VoIP and data VLANs. Traffic must be filtered such that the UC soft client's VoIP traffic is routed to the VoIP VLAN while all other traffic is routed to the data VLAN. A separate NIC is not required to support VLANs for voice and video segmentation under UC. NOTE: Limited numbers in this scenario means as few as possible but may mean 25 or 30 percent of the overall PCs on the LAN. Beyond this percentage, the protections afforded by this implementation become limited or negated because of the large number of PCs in the UC soft client VLAN. Determine if limited numbers of UC soft clients are permitted to operate or are implemented in the strategic LAN. If so, review the written AO approval for the implementation. If limited numbers of UC soft clients are to be implemented in the strategic LAN without written AO approval for the implementation, this is a finding.

Fix: F-63546r946644_fix

Ensure the responsible AO approves the use of UC soft clients in the strategic LAN along with the measures implemented to protect UC soft clients and the local VoIP and data infrastructure. Ensure approval is provided in writing and maintained by the ISSO for inspection by IA reviewers or auditors. UC soft clients do not provide assured services and therefore cannot be used as the primary method of communications for personnel requiring assured services. When limited numbers of UC soft clients are to be implemented in the strategic LAN, obtain written approval from the responsible AO along with approval for the measures implemented to protect these UC soft clients and the local VoIP and data infrastructure. Alternately, remove the UC soft clients from the LAN.

b
A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary.
AC-4 - Medium - CCI-001548 - V-259909 - SV-259909r948753_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000290
Vuln IDs
  • V-259909
Rule IDs
  • SV-259909r948753_rule
UC soft clients may be used on a strategic LAN when associated with or part of a CTI application. Traditional computer telephony integration CTI encompasses the control of a telephone or telecommunications switch by a computer application. Interfaces have been developed to provide connection between the computer, typically a workstation, and the telephone or other terminal attached to the telephone switch, and possibly a special analog or TDM line going directly to the telephone switch. Applications are also developed to use these interfaces to integrate a data application with the telephone system. Sometimes the integration is as simple as being able to dial a number from the computer application, or it could provide full control of the switch as in the case of an operator's console. In these traditional scenarios, the voice stayed in a traditional telephone set and the data stayed on the computer with the exception of the control information. If the voice does enter the computer, it is sent directly to the sound card or converted to a sound file for storage and possible file transfer. The voice communication is not transmitted in real time via IP protocols. In contrast, modern-day CTI is changing in that today the voice communications and control is being transmitted using IP protocols, and the hardware interfaces and telephones are being replaced by computer applications. NOTE: The CTI systems discussed here are not Enterprise Voice, Video, and Messaging applications, although some of the features are similar. CTI systems generally have a special function and are not a general user application. These are typically Call Center or Help Desk applications. This type of CTI typically involves integration with a database application. In this scenario, where soft-phones are an integral part of the CTI system/application, implementation of separate voice and data zones could be detrimental to the proper functioning of the application. While separation requirements should be enforced if possible, they could be relaxed providing the general CTI requirement of treating the CTI system as an enclave is followed. A system such as this should have its own VoIP controller. If the system needs to communicate with systems outside the CTI system enclave, proper boundary protection must be provided. For example, because IP soft-phones are prevalent in today's call center/helpdesk systems, such a system would require the ability to place and receive phone calls from outside the CTI enclave. Calls might leave and enter the enclave via VoIP or a TDM media gateway. The workstations and call center agents may also need to email and access the web. NOTE: A network supporting a CTI application must be segregated from the enclave. This can be accomplished by maintaining a closed network or a segregated and access-controlled subenclave having appropriate boundary protection.
Checks: C-63640r946646_chk

Review the site documentation to confirm a Call Center or CTI system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary. When a Call Center/CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) using soft clients are approved for use in the strategic LAN, verify the following: - The supporting network is configured as a closed enclave or a segregated and access-controlled subenclave having appropriate boundary protection between it and the local general business LAN or external WAN. - If the CTI application accesses resources outside this enclave and the application could be compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason). - The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs. - The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller. If a Call Center or CTI system using soft clients is not segregated into a protected enclave and limits traffic traversing the boundary, this is a finding.

Fix: F-63547r946647_fix

Implement a Call Center or CTI system using soft clients to be segregated into a protected enclave and limit traffic traversing the boundary.

b
The local Enterprise Voice, Video, and Messaging system must have the capability to place intrasite and local phone calls when network connectivity is severed from the remote centrally located session controller.
AC-4 - Medium - CCI-001548 - V-259910 - SV-259910r948756_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000300
Vuln IDs
  • V-259910
Rule IDs
  • SV-259910r948756_rule
Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DOD mission. It is critical that phone service is available in the event of an emergency situation, such as a security breach or life safety event. The ability to place calls to emergency services must be maintained. DOD voice networks are designed to be extremely reliable and provide continuity of operations (COOP) support. However, the potential exists that a site may become severed from the DOD network. Some site's DOD VoIP phone systems are implemented without a local session controller. The session controller may be located remotely and serve several sites by providing long local service. This implementation scenario provides for central management of the overall phone system, saves in initial implementation cost, and saves in operating costs. Therefore, this scenario has many benefits. Unfortunately, to place a call between two endpoints within the local site or to place a call via the local commercial service connection, the initiating end instrument has to send its signal messages to the remote session controller over the DISN WAN connection, and then the session controller has to signal the called instrument or media gateway over the same WAN connection. Several messages are sent (back and forth) over the WAN connection before the two local endpoints can send their media streams directly between themselves. While the need to signal over the WAN connection can cause longer call setup time, which can be extended if there is congestion in the network, no call can be placed anywhere from the local site if it is cut off from its session controller. Based on this fact, and in support of maintaining viable local voice services in the event the site is cut off from its remote session controller, each physical site must maintain minimal local call control as a backup so that local intrasite and local commercial network calls can be placed. While this works to maintain local emergency service availability for security and life safety emergencies, it also provides the capability to make calls between DOD sites using the commercial network.
Checks: C-63641r948754_chk

Review site documentation to confirm the local Enterprise Voice, Video, and Messaging system has the capability to place intrasite and local phone calls when network connectivity is severed from the remote centrally located session controller. If the local Enterprise Voice, Video, and Messaging system does not have the capability to place intrasite and local phone calls when network connectivity is severed, this is a finding. Reliance on government-furnished equipment or personal cellphones does not meet this requirement because signal strength and reliability are reduced inside buildings, and cellphones are not permitted in most DOD facilities. The minimum capability for placement of line-side precedence calls depends on the command and control (C2) requirements of the site and must be determined in conjunction with the local command authority. To satisfy this requirement, at a minimum, ROUTINE call placement capabilities must be maintained.

Fix: F-63548r948755_fix

Implement and document the local Enterprise Voice, Video, and Messaging system with the capability to place intrasite and local phone calls when network connectivity is severed. The minimum capability for placement of line-side precedence calls depends on the C2 requirements of the site and must be determined in conjunction with the local command authority. To satisfy this requirement, at a minimum, ROUTINE call placement capabilities must be maintained.

b
The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications.
CP-7 - Medium - CCI-001606 - V-259911 - SV-259911r948757_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000310
Vuln IDs
  • V-259911
Rule IDs
  • SV-259911r948757_rule
Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirements for networks supporting DOD VVoIP implementations are in the Unified Capabilities Requirements (UCR), specifying assured services supporting DOD IP-based voice services. The UCR defines LAN design requirements for redundancy of equipment and interconnections, minimum requirements for bandwidth, specifications for backup power, and the maximum number of endpoints tolerable by a single point of failure. Policy sets the minimum requirements for the availability and reliability of VVoIP systems: Special-C2 users is 99.999 percent, C2 users is 99.997 percent, and C2Routine only users (C2R) and non-C2 users are 99.9 percent. Similar availability and reliability through redundancy is needed to support routine user FES life-safety and security-related communications.
Checks: C-63642r946652_chk

If the system does not support a minimum of 96 instruments, this is not applicable. Review site documentation to confirm the LAN hardware supporting VVoIP services provide redundancy to support C2 assured services and FES communications. Verify the LAN hardware is redundant as follows: - Dual Power Supplies - Each platform must have a minimum of two power supplies, and the loss of a single power supply will not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - Each chassis must support dual control processors, and failure of any one processor will not cause any loss of functions within the chassis. - Termination Sparing - Each chassis must support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - Each routing device must support protocols allowing for dynamic rerouting. - Backplane Redundancy - Each switching platform must support a redundant (1 + 1) switching fabric or backplane, and the second fabric's backplane must be in active standby so that failure of the first does not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented so the failover to the secondary product does not result in any lost calls. If the LAN hardware supporting VVoIP services does not provide redundancy to support C2 assured services and FES communications, this is a finding.

Fix: F-63549r946653_fix

Implement and document that the LAN hardware supporting VVoIP services provides redundancy to support C2 assured services and FES communications. Mandatory redundancy includes the following: - Dual Power Supplies - Each platform must have a minimum of two power supplies, and the loss of a single power supply will not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - Each chassis must support dual control processors, and failure of any one processor will not cause any loss of functions within the chassis. - Termination Sparing - Each chassis must support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - Each routing device must support protocols allowing for dynamic rerouting. - Backplane Redundancy - Each switching platform must support a redundant (1 + 1) switching fabric or backplane, and the second fabric's backplane must be in active standby so that failure of the first does not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented so the failover to the secondary product does not result in any lost calls. Redundancy may not be required for VVoIP systems supporting less than 96 users, but best practice is to provide redundancy or maintain spares so service can be restored in a timely manner in the event of a failure.

b
The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications.
CP-7 - Medium - CCI-001606 - V-259912 - SV-259912r948758_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000320
Vuln IDs
  • V-259912
Rule IDs
  • SV-259912r948758_rule
Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirements for networks supporting DOD VVoIP implementations are in the Unified Capabilities Requirements (UCR), specifying assured services supporting DOD IP-based voice services. Network survivability refers to the capability of the network to maintain service continuity in the presence of faults within the network. This can be accomplished by recovering quickly from network failures and maintaining the required QoS for existing services. Policy sets the minimum requirements for the availability and reliability of VVoIP systems: Special-C2 users is 99.999 percent, C2 users is 99.997 percent, and C2Routine only users (C2R) and non-C2 users are 99.9 percent. The physical paths that uplinks take should be physically diverse and optimally terminate in physically diverse locations. The best practices should support all VVoIP users but are required for Special-C2 and C2 users.
Checks: C-63643r946655_chk

If the system does not support a minimum of 96 instruments, this is not applicable. Review site documentation to confirm the LAN hardware supporting VVoIP services provides physically diverse pathways for redundant links supporting C2 assured services and FES communications. The inspection of uplink pathways may require inspecting cable plant drawings or tracing the physical cable path through the building. If the LAN hardware supporting VVoIP services does not provides physically diverse pathways for redundant links supporting C2 assured services and FES communications, this is a finding.

Fix: F-63550r946656_fix

Implement and document that the LAN hardware supporting VVoIP services provides physically diverse pathways for redundant links supporting C2 assured services and FES communications. Ensure each uplink supports the full bandwidth, and the appropriate routing protocol is configured for failover from one uplink to the other when a failure occurs. This applies to access layer elements connected to distribution layer elements and distribution elements connected to core layer elements. Run new cable, upgrade, or reroute as necessary.

b
The site's enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks.
CP-7 - Medium - CCI-001606 - V-259913 - SV-259913r948759_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000330
Vuln IDs
  • V-259913
Rule IDs
  • SV-259913r948759_rule
There are several reasons VVoIP system access to local voice services must use a locally implemented MG connected to commercial voice services, including: - The implementation or receipt of commercial VoIP service provides a path to the Internet. These "back doors" into the local network place the DISN at risk from exploitation. Such connections must be specifically approved under CJCSI 6211.02C and DODI 4640.14. Such connections must also meet the requirements in the Network Infrastructure STIG for an "Approved Gateway". This generally means that a full boundary architecture must be implemented. - A PRI or CAS trunk is required because the DSN is not permitted to exchange SS7 signaling with the PSTN. Doing so would place the DOD's SS7 network at risk. - Local access is necessary to support Fire and Emergency Services (FES) calls.
Checks: C-63644r946658_chk

If the site is small and has POTS lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DOD VVoIP system, this is not applicable. If the site is subtended to an enclave with approved IP voice services providing commercial service, this is not applicable. Verify all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a local MG using a PRI, CAS, or POTS analog trunk to a commercial service provider. If the site is not connected to the PSTN via a MG located within the local site enclave as described above, this is a finding. NOTE: Trunks that support SS7 signaling and SS7-based signaling between a DOD network and a non-DOD network are prohibited.

Fix: F-63551r946659_fix

Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented MG using a PRI, CAS, or POTS analog trunk to a commercial service provider. NOTE: Trunks that support SS7 signaling and SS7-based signaling between a DOD network and a non DOD network are prohibited.

b
Local commercial phone service must be provided in support of continuity of operations (COOP) and Fire and Emergency Services (FES) communications.
CP-7 - Medium - CCI-001606 - V-259914 - SV-259914r948760_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000340
Vuln IDs
  • V-259914
Rule IDs
  • SV-259914r948760_rule
Voice phone services are critical to the effective operation of the DOD mission. Phone service must be available an emergency, such as a security breach or life safety event. The ability to place calls to emergency services must be maintained. While the DOD voice networks are designed to be extremely reliable to support COOP, a site could be cut off from the DOD network. Therefore, each physical site must maintain local commercial phone service. While this works to maintain local emergency service availability for security and life safety emergencies, it also provides the capability to make calls between DOD sites using the commercial network. An additional, non-IA benefit is that this supports the ability to make local calls without having to pay toll charges to call a local number via some distant regional access point. Local phone service can be delivered in a number of ways, all of which meet this requirement, while some of them must meet additional requirements to secure them. Delivery options are as follows: - PRI or CAS TDM trunks. - Analog phone lines. The following are some examples: - A large site may use PRI, CAS, or POTS analog trunks connected to the site's PBX. - A small site or office attached to a large site. - May have a PBX and be served similar to a large site. - May be served by several analog phone lines terminated on Voice Video Endpoints.
Checks: C-63645r946661_chk

If the system does not support a minimum of 96 instruments, this is not applicable. If the site is in a tactical war zone where "friendly" service is not available, this is not applicable. Interview the ISSO to verify the site has local analog or TDM commercial phone service provided to support COOP and FES calls. The most common methods to implement TDM or VVoIP systems are as follows: - Connect local commercial service to the site's local phone system/switch (TDM or VVoIP) and program access to the local service from all Voice Video Endpoints. - Connect local commercial service to dedicated Voice Video Endpoints (separate from the site's local phone system) throughout the facility and accessible in all work areas. These dedicated Voice Video Endpoints may be standalone or part of a dedicated a key system, PBX, or VVoIP network separate from the site's local VVoIP or TDM phone system. - Sites may use mobile devices for COOP and FES calls in support of nonsensitive unclassified areas. NOTE: The IA premise of this requirement is "availability" and COOP. The purpose of this requirement is to provide local commercial service if the site is cut off from DISN service or the main site to which the local site is subtended and tethered. If the site does not have local analog or TDM commercial phone service provided to support COOP and FES calls, this is a finding. If the local commercial service is VoIP or VVoIP, this is a finding.

Fix: F-63552r946662_fix

Implement local commercial phone service (analog or TDM) according to the size of the site and the following: Ensure local analog or TDM commercial phone service supports COOP and FES calls. This applies to TDM or VVoIP systems conditionally as follows: - Connect local commercial service to the site's local phone system/switch (TDM or VVoIP) and program access to the local service from all Voice Video Endpoints. - Connect local commercial service to dedicated Voice Video Endpoints (separate from the site's local phone system) throughout the facility and accessible in all work areas. These dedicated Voice Video Endpoints may be standalone or part of a dedicated a key system, PBX, or VVoIP network separate from the site's local VVoIP or TDM phone system. - Sites may use mobile devices for COOP and FES calls in support of nonsensitive unclassified areas.

b
The enclave must be dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
AC-4 - Medium - CCI-001548 - V-259915 - SV-259915r948761_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000350
Vuln IDs
  • V-259915
Rule IDs
  • SV-259915r948761_rule
Redundancy and dual homing is used within the DISN core to provide for continuity of operations (COOP) if a piece of equipment, circuit path, or an entire service delivery node is lost. DOD policy also requires DOD enclaves that support command and control (C2) users for data services to be dual homed to the DISN core SDNs. This means there will be two physically separate access circuits from the enclave to two geographically diverse DISN SDNs. Once the access circuits arrive at the SDNs, the circuits must be connected to two geographically diverse DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. Depending on the size of the SDN, one or both of the access circuits must be extended to another SDN containing the AR or PE. ARs are also dual homed to geographically diverse DISN PE routers. A single circuit provides far less redundancy and reliability than dual circuits This redundancy is required to increase the availability of the access to the DISN core to provide a greater chance of achieving assured service. This need extends to assured service C2 VVoIP communications and is why it is checked here.
Checks: C-63646r946664_chk

Inspect the documentation showing how the enclave is connected to the DISN to determine compliance with the requirement. If the enclave is not dual homed, this is a finding.

Fix: F-63553r946665_fix

If the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the enclave is dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) routers. NOTES: - This means there are two DISN (or commercial) access circuits (many circuits will have a commercial component, typically the "last mile") from the site/enclave to the DISN SDNs. - This assumes the site/enclave is NOT collocated with a DISN SDN such that a direct Ethernet or optical connection can be made. - If a site is located at a DISN SDN and is able to directly connect to the SDN using Ethernet or optical connections, the site may be able to rely on the dual homing of the SDN into the core. However, the site must still be homed to two geographically diverse ARs. This depends on the size or type of the SDN. A large site directly connected to a smaller SDN will implement an access circuit to a geographically diverse SDN (i.e., another SDN in another location remote from the local SDN). This should not be one of the SDNs to which the local SDN is homed.

b
The dual homed DISN core access circuits must be implemented so that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
AC-4 - Medium - CCI-001548 - V-259916 - SV-259916r948762_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000360
Vuln IDs
  • V-259916
Rule IDs
  • SV-259916r948762_rule
Providing dual-homed access circuits from a command and control (C2) enclave to the DISN core is useless unless both circuits provide the same capacity to include enough overhead to support surge conditions. If one circuit is lost due to equipment failure or facility damage, the other circuit must be able to carry the entire engineered load for a single circuit servicing the site. Additionally, the engineered capacity must take additional bandwidth into account to support higher levels of both data and VVoIP communications in time of crisis.
Checks: C-63647r946667_chk

Inspect the documentation for the access circuits and the bandwidth engineering study to determine compliance with the requirement. If each circuit cannot handle the entire engineered load for the enclave, including surge capacity, this is a finding.

Fix: F-63554r946668_fix

Ensure a bandwidth engineering study is performed to determine the WAN bandwidth needs for the site, including surge capacity. Ensure each redundant DISN Core access circuit has the same capacity so that one is able to support the entire engineered bandwidth needs of the enclave.

b
The required dua- homed DISN Core or NIPRNet access circuits must follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs.
AC-4 - Medium - CCI-001548 - V-259917 - SV-259917r948763_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000370
Vuln IDs
  • V-259917
Rule IDs
  • SV-259917r948763_rule
One way to provide the greatest reliability and availability for DISN services is to provide redundancy in the network pathways between the customer site and the redundant DISN SDNs. The DISN core network is designed to be highly reliable and available in support of the DOD mission. The most vulnerable part of the network is the access circuit from the enclave to the core and the path it takes from the SDN to the customer's site. Therefore, redundant access circuits should be provisioned. Physical pathways for communications network access circuits are vulnerable to physical disruption from a variety of threats, both natural and manmade. These threats range from storm damage (falling trees, floods) to being damaged through digging, downed utility poles, or malicious acts, including war and terrorism. To overcome the physical threat, the redundant circuits should follow geographically diverse paths.
Checks: C-63648r946670_chk

Inspect the documentation for the pathways taken by the access circuits to determine compliance with the requirement. Obtain the pathway documentation for the facilities on-site. Additionally, obtain information from the DISN core PMO and/or local carrier of the access circuits for the pathways off-site. Verify the ISSO maintains a copy for future inspections. Changes to the pathways must also be recorded and maintained. If the required dual-homed circuits follow the same path or are close enough anywhere along their length to be damaged by a single event, this is a finding.

Fix: F-63555r946671_fix

Ensure dual-homed DISN Core or NIPRNet access circuits follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. Ensure each circuit uses different facilities such as cables, demarks, and digital cross connects in geographically diverse locations. Ensure geographic and facilities information is maintained on-site and off-site. Ensure the paths taken by the access circuits remain significantly separate along their entire length so that a single point of failure is not created.

a
Critical network equipment must be redundant and in geographically diverse locations for a site supporting command and control (C2) users.
CP-7 - Low - CCI-001606 - V-259918 - SV-259918r948764_rule
RMF Control
CP-7
Severity
Low
CCI
CCI-001606
Version
SRG-VOIP-000380
Vuln IDs
  • V-259918
Rule IDs
  • SV-259918r948764_rule
The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core, along with the implementation of dual-homed circuits via geographically diverse pathways and facilities, is negated if both access circuits enter the enclave via the same facility containing a single Customer Edge Router (CER) connected to a single Session Border Controller (SBC). The reliability, redundancy, and robustness of the CER, SBC, and power source are subverted when the facility represents a single point of failure. For a small number of C2 users this may be less concerning, but with more C2 users supported by the system, the greater the issue. Even less severe eventualities may limit the capability of the system to support reliable communications. The mitigation for this systemwide vulnerability is to implement redundant facilities to which the geographically diverse pathways containing the dual-homed access circuits can run and terminate on redundant, geographically separated sets of CERs, SBCs, and core LAN equipment. Session controllers can also be separated in this manner. This mitigation is costly, and facilities housing critical communications infrastructure are not lost very often. However, the cost of mitigating this vulnerability must be weighed against the loss of critical communications, particularly in time of crisis. If the site supports large numbers of high-level C2 users or Special-C2 users, the cost of losing communications may outweigh the cost of providing redundant facilities. Another consideration should be that access to emergency services via the communications system would also be lost. The threat to strategic facilities is greater from natural causes than from damage due to acts of war or terrorism. However, all threats must be considered. Tactical facilities have a higher vulnerability to acts of war, on a par with or exceeding the vulnerability posed by natural events.
Checks: C-63649r946673_chk

Review site documentation to confirm critical network equipment is redundant and in geographically diverse locations for a site supporting C2 users. Verify redundant sets of CERs, SBCs, and session controllers are housed in geographically diverse facilities within the site so that if one location is lost or isolated from the network, communications service is maintained. Site facilities with a Soft Switch should have a session controller implemented in a geographically diverse location. If critical network equipment does not have redundant equipment, this is a finding. If redundant critical network equipment is not in a geographically diverse location, this is a finding. If it is determined, following a cost/benefit study and risk analysis, that redundant facilities containing dual sets of CERs, SBCs, and session controllers are not warranted for the given site, this requirement should be marked as a finding with a justification included in the POA&M stating the authorizing official (AO) is cognizant of and accepts the risk. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63556r946674_fix

Implement and document critical network equipment as redundant and in geographically diverse locations for a site supporting C2 users. Critical network equipment includes CERs, SBCs, and session controllers (or Soft Switches in combination with session controllers). NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
Enclaves with commercial VoIP connections must be approved by the DODIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
CP-7 - Medium - CCI-001606 - V-259919 - SV-259919r948765_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000390
Vuln IDs
  • V-259919
Rule IDs
  • SV-259919r948765_rule
The DOD requires the use of DISN services as the first choice to meet core communications needs. When additional services for SIP trunks are necessary, an ITSP may provide an "alternate connection", but this requires approval by the DODIN Waiver Panel and signature by the DOD CIO. Local ISP connections provide an internet pathway into the DISN, placing the DODIN directly at risk for exploitation. A local ISP connection can circumnavigate DOD protections of the DISN at its boundaries with the internet. Using commercial VoIP service from an ITSP requires the implementation of an internet service provider (ISP) connection, potentially providing a path to the internet. These types of connections must be approved and must meet the requirements in the Network Infrastructure STIG (NET0160) for an Internet Access Point (IAP). ITSP connections may provide SIP trunks terminating on a media gateway, which then provides TDM trunks or POTS lines to traditional non-VoIP PBX, key system, or individual end instrument. ITSP connections terminating in a separate LAN from the enclave's DOD LAN may support a separate VoIP system. This connection type might be used for a small site having a small VoIP system or a few discrete phones dedicated to commercial network calling. Additional guidance for the selection and procurement of telecommunications services is discussed in the DODI 8100.4 "DOD Unified Capabilities (UC)" dated 9 Dec 2010 and the DOD Unified Capabilities Requirements 2013 (UCR 2013) documents.
Checks: C-63650r946676_chk

Inspect the VVoIP implementation system design for connections to commercial VoIP ITSP. If the ITSP is providing converged services or other services beyond SIP trunking, NET0160 applies. The use cases applicable to this requirement: - Use Case 1: ITSP connections providing direct connection to the enclave's DOD LAN. - Use Case 2: ITSP connections providing a SIP trunk terminating on a media gateway that provides TDM trunks or POTS lines to traditional non-VoIP PBX, key system, or individual end instrument. - Use Case 3: ITSP connections terminating on a separate LAN from the enclave's DOD LAN supporting a separate VoIP system. - Use Case 4: ITSP connections providing service over any approved ISP gateway. If any enclave connects with commercial VoIP provider (ITSP) and is not approved by the DODIN Waiver Panel, this is a finding. If the DOD CIO has not signed for a permanent "alternate connection" to the ITSP, this is a finding. NOTE: This connection will be a permanent connection and should be designated or recognized as such in the approval documentation since most such approvals are for temporary connections.

Fix: F-63557r946677_fix

Obtain approval by the DODIN Waiver Panel and signature by the DOD CIO for a permanent "alternate connection" to the ITSP for any connection with a commercial VoIP provider (ITSP).

b
The Fire and Emergency Services (FES) communications over a site's telephone system must be configured to support the Department of Defense Instruction (DODI) 6055.06 telecommunication capabilities.
CP-7 - Medium - CCI-001606 - V-259920 - SV-259920r948766_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000400
Vuln IDs
  • V-259920
Rule IDs
  • SV-259920r948766_rule
Emergency communications must include requests for fire, police, and medical assistance. In DOD, these communications can also include requests for Aircraft Rescue and Fire Fighting (ARFF), explosive ordnance disposal, and similar emergency situations specific to the military. The inability of first responders to automatically locate the caller threatens life safety and facility protection or security. Contacting emergency services via the public telephone system has been mandated for many years in the United States and other countries around the world. In the United States, the Federal Communications Commission (FCC) has mandated various aspects of providing enhanced FES communications and also relies on state legislation to extend these rules. The FCC rules primarily address public communications service providers, including traditional LEC and CLECs, mobile communications providers, and VoIP communications providers. DOD Instruction 6055.06, DOD Fire and Emergency Services (F&ES) Program, provides DOD policy regarding emergency services and emergency services communications. The document primarily discusses fire protection, with specific provisions for telecommunications support for fire, medical, and security emergencies. Private telephone systems, in general, provide a large portion of the required telecommunication capability. All DOD private telephone systems, VoIP or traditional, must support enhanced emergency services communications for the completion of emergency calls. Per DOD Instruction 6055.06, all sites must support, provide for, and implement F&ES telecommunications services. When implementing basic F&ES telecommunications services, each country or region designates a specific standard telephone number or prefix code to be dialed that can be easily remembered by the public. In some instances, while not best practice, organizations might designate an internal emergency number for use within their telephone system. Examples of such numbers are as follows: - 911 in North America. - 112 in the EU and UK. - 000 in Australia. Issues may arise when an emergency call is originated through a private telephone system, such as a traditional PBX or a VVoIP system. While the LEC or CLEC may properly route the call in a priority manner, the same may not be true for the private system unless specifically addressed in the systems call routing tables and potentially other system features. Therefore, the private system must be configured to properly handle emergency communications. Enhanced F&ES communications permits the answering station to automatically locate the caller. This is particularly helpful when the caller cannot provide their location. Enhanced F&ES communications are mandated by the FCC and state legislation. Current implementation is a best practice. The enhanced F&ES communications capability is enabled using Automatic Number Identification (ANI) and Phone Switch Automatic Location Identification (PS-ALI) information. ANI provides the telephone number of the calling party and is generated by the telephone system. PS-ALI associates the calling party's number (ANI information) with their location or registered address of the phone being used. PS-ALI is provided by a database maintained within the telephone system or externally. In many cases, the F&ES answering service system will use the PS-ALI information to map the location of the calling phone. VoIP phones, on the other hand, can be connected anywhere in the world and function. This is an issue for commercial VoIP services that is being addressed by the FCC. ALI information in the private sector must be handled by the owners/operators of private telephone system. When a private telephone system supports enhanced F&ES telecommunications, a PS-ALI database must be instituted, maintained, and kept current as endpoints and numbers move at a site. NOTE: For fire and emergency services, the requirements are for the site. The requirement must be met through the unclassified system. Classified systems at the site, because they only operate in secure areas without connection to public services, do not need to implement this requirement. References: DOD Instruction No. 6055.06, DOD Fire and Emergency Services (F&ES) Program, dated 21 Dec 2006
Checks: C-63651r946679_chk

Inspect the telephone system configuration to determine compliance with the requirement. Verify the site's local DOD telephone system, VoIP or traditional, supports DOD Instruction 6055.06 telecommunication capabilities as follows: - The site implements support for DOD Instruction 6055.06 through local policies, procedures, staffing, and facilities or agreements/contracts with external providers. - The site's telephone system supports enhanced F&ES emergency communications. - The site's telephone system (VoIP or traditional), provides ANI information to the emergency services answering point and a PS-ALI database is established within the telephone system or externally, the information from which is accessible to the emergency services answering point. - The site maintains and keeps current the PS-ALI database with all telephone adds, moves, and changes. If the F&ES communications over a site's telephone system is not configured to support the DOD Instruction 6055.06 telecommunication capabilities, this is a finding. If the site does not provide F&ES telecommunications services (fire, police, medical, etc.), or support enhanced emergency communications, this is a finding.

Fix: F-63558r946680_fix

Configure the F&ES communications over a site's DOD telephone system, VoIP or traditional, to support the DOD Instruction 6055.06 telecommunication capabilities as follows: - The site implements support for DOD Instruction 6055.06 through local policies, procedures, staffing, and facilities or agreements/contracts with external providers. - The site's telephone system supports enhanced F&ES emergency communications. - The site's telephone system (VoIP or traditional), provides ANI information to the emergency services answering point and a PS-ALI database is established within the telephone system or externally, the information from which is accessible to the emergency services answering point or call center. - The site maintains and keeps current the PS-ALI database with all telephone adds, moves, and changes.

b
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
CP-7 - Medium - CCI-001606 - V-259921 - SV-259921r948767_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000410
Vuln IDs
  • V-259921
Rule IDs
  • SV-259921r948767_rule
The implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center be able to automatically locate the calling party in the event they cannot provide their location. This is a two-part process. First the telephone system must be able to provide the answering station with the telephone number from which the emergency call originated. This is ANI information. Second, this phone number must be correlated to a physical address or location. This is called ALI information. ANI information comes from the telephone system controller. ALI information may come from an external database that associates the ANI information to the ALI information, or the telephone system controller may maintain the ALI database internally. If the ALI database is internal to the telephone system controller, emergency services answering point or call center only needs to receive ALI information, providing it contains the originating telephone number. For enterprise systems, the support for E911 by the enterprise Local Session Controller (LSC) (or any remote LSC construct) is governed by Federal Communications Commission (FCC) rules, as well as other federal, state, and local law. The design and implementation of all telephone system systems must include reasonable efforts to provide E911, even when the access connection to the Enterprise LSC is severed.
Checks: C-63652r946682_chk

Inspect the telephone system configuration to determine compliance with the requirement. Verity the local DOD telephone system, VoIP or traditional, is configured to provide the originating telephone number of an F&ES call to the emergency services answering point or call center through a transfer of ANI or ALI information. If the originating telephone number of an F&ES call is not available or is not provided to the emergency services answering point or call center, this is a finding.

Fix: F-63559r946683_fix

Configure the local DOD telephone system, VoIP or traditional, to provide the originating telephone number of an F&ES call to the emergency services answering point or call center through a transfer of ANI or ALI information.

b
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide a direct callback telephone number and physical location of an F&ES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
CP-7 - Medium - CCI-001606 - V-259922 - SV-259922r948768_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000420
Vuln IDs
  • V-259922
Rule IDs
  • SV-259922r948768_rule
Under Federal Communication Commission (FCC) rules and the laws of some states, the implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center must be automatically provided with enough location information so that emergency services personnel can locate the calling party within a specified radius at their exact location in the event they are unable to provide their location. This is a two-part process that is exacerbated if the call originates from a DOD telephone system. Some of the FCC rules and state laws address the telephone system issue. For enterprise systems, the support for E911 by the enterprise Local Session Controller (LSC) (or any remote LSC construct) is governed by FCC rules, as well as other federal, state, and local law. The design and implementation of all telephone system systems must include reasonable efforts to provide E911, even when the access connection to the Enterprise LSC is severed. Public enhanced F&ES systems are implemented in conjunction with the local exchange carrier (LEC) using their central office switch (CO). When the designated F&ES number is dialed, the CO routes the call to the public F&ES answering point (PSAP) over special trunks that can provide the PSAP with the telephone number from which the emergency call originated and the geographic location of the originating telephone. The originating telephone number is provided as ANI information. The geographic location of the originating telephone is provided as ALI information. The ALI is generated from the ANI by looking up the ANI in a database. Typically, this function is performed by the LEC, and the ALI provided is the service delivery address for the telephone number. In some cases, the ALI information is housed in a database at the PSAP or a at a third-party provider such that the PSAP must make the "database dip" to identify the location of the caller. The information is regularly updated by the LEC based on new service deliveries and disconnections. This process does not go far enough if the originating telephone is behind (part of) a DOD telephone system. A DOD telephone system may serve a large building or multiple buildings in a campus setting. It may also serve small or large remote sites that are geographically distant from the main telephone system switch. As discussed above, the normal process provides the address where the LEC delivers its phone service for the calling number. While this address will serve to get emergency services personnel to the lobby of a building or the front gate of a campus, it will not provide the exact location of the caller. This is where the federal and state telephone system related requirements come in. Under these rules, a telephone system operator and the system itself must provide complete ANI and ALI information to the answering point such that emergency services personnel can easily locate the caller. The telephone system must provide the exact location of the originating telephone minimally within a reasonably small area of it. The location information provided for telephones behind a telephone system is called Phone Switch-ALI (PS-ALI). To implement this, the telephone system must first be able to provide the F&ES answering station with the telephone number from which the emergency call originated via ANI. If the answering point is outside the telephone system, the number provided must be the exact Direct Inward Dialing (DID) number of the telephone placing the call so the answering point can dial it directly. The number provided must not be that of an outbound trunk. This phone number must be correlated to its physical address or location within the facility via PS-ALI. To implement PS-ALI, the owner/operator of a telephone system is responsible for maintaining an up-to-date database containing the telephone number (DID number and/or extension number) and physical location of each telephone attached to the telephone system. This database is then used to provide the PS-ALI information to the ALI database(s) accessed by the F&ES answering point. In association with each telephone and telephone number in the telephone system, the PS-ALI information contained in the database includes the following: - The address of the site containing the telephone system unless provided to the answering point by the LEC as part of its ANI/ALI information. - The name (or number) of the building in which the telephone is located. - The address of the building in which the telephone is located. - The floor in the building on which the telephone is located. - The area or quadrant of the floor where the telephone is located. - The room or cubicle number where the telephone is located. Additional information should be provided to the F&ES answering point and emergency services personnel in the form of up-to-date facility maps and floor plans. The maintenance of facility maps, floor plans, and PS-ALI information to keep them up to date is critical to life safety and facility protection and security. This can be an onerous process in light of changes in the facility and moves, adds, and changes within the telephone system. Maintaining accurate location information is exacerbated in a VoIP telephone system due to the ability of an IP phone to change its physical location within the LAN (and possibly beyond) while keeping its telephone number without specific intervention from, or knowledge of, the telephone system operator. The PS_ALI database can quickly become inaccurate, which is a situation that could be life threatening. Automated systems can be used with a VoIP system and LAN to identify the general location of an IP phone within the facility based on the LAN switch and port to which the phone is connected. Once this information is obtained from the LAN, it is correlated with the documented location of the LAN switch and documented location of the outlet served by the switchport.
Checks: C-63653r946685_chk

Inspect the telephone system configuration or external database to determine compliance with the requirement. Verify the local DOD telephone system, VoIP or traditional, is configured to provide the originating telephone number and the physical location of an F&ES caller to the emergency services answering point through a transfer of ANI and PS-ALI information or the emergency services answering point is provided automated access to the required PS-ALI database. If the location of an F&ES caller is not provided to, or is not accessible by, the emergency services answering point or call center, this is a finding. NOTE: These requirements also apply to key telephone systems and installations where a single number has multiple appearances (appears on multiple telephones) such that individual instruments in the system can be identified.

Fix: F-63560r946686_fix

Configure the local DOD telephone system, VoIP or traditional, to provide the originating telephone number and the physical location of an F&ES caller to the emergency services answering point through a transfer of ANI and PS-ALI information or the emergency services answering point is provided automated access to the required PS-ALI database.

b
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must route emergency calls as a priority call in a nonblocking manner.
CP-7 - Medium - CCI-001606 - V-259923 - SV-259923r948769_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000430
Vuln IDs
  • V-259923
Rule IDs
  • SV-259923r948769_rule
When calling the designated F&ES telephone number, the call must go through regardless of the state of other calls in the system. Emergency calls must be treated as a priority call by the system. For enterprise systems, the support for E911 by the Enterprise Local Session Controller (LSC) (or any remote LSC construct) is governed by Federal Communication Commission (FCC) rules, as well as other federal, state, and local law. The design and implementation of all telephone systems must include reasonable efforts to provide E911, even when the access connection to the Enterprise LSC is severed.
Checks: C-63654r946688_chk

Inspect the telephone system configuration and routing tables to determine compliance with the requirement. Verify the local DOD telephone system, VoIP or traditional, routes calls to the designated local emergency services number at the public and private emergency services answering point (PSAP) as a priority call in a nonblocking manner. If an emergency services number is not designated to access an emergency services answering point or call center whether internal to the local site or to another local agency or municipality, this is a finding. If calls to this number are not treated as a priority call in a nonblocking manner, this is a finding. NOTE: If the F&ES calls are routed to a public entity outside the private telephone system, the call must route to an internal emergency number in parallel with the external call. Both calls should have the same priority. This is so the site can be aware of the emergency and assist the F&ES responders in reaching the location of the caller. F&ES calls may be routed to an internal on-site F&ES answering point providing the site maintains robust local police, fire, and medical services that can replace public services. If a public F&ES answering point is the primary answering point for the site, calls must be directly routed to it and not relayed via a local emergency answering point. A second call from the local emergency answering point should not be required to obtain emergency services from the public F&ES answering point unless the site maintains full and comparable police, fire, and medical services and its answering point is the primary. If a local private answering point is the primary answering point, and if this private answering point is not fully staffed on a 24/7 basis, the telephone system must route F&ES calls to the public answering point when the local answering point is not fully staffed (e.g., outside the normal working hours of the site).

Fix: F-63561r946689_fix

Configure the local DOD telephone system, VoIP or traditional, to routes calls to the designated local emergency services number at the public or private emergency services answering point (PSAP) as a priority call in a nonblocking manner. Configure the telephone system to treat calls to the designated emergency services number as a priority call in a nonblocking manner.

b
Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Special-C2 users.
AC-4 - Medium - CCI-001548 - V-259924 - SV-259924r948770_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000440
Vuln IDs
  • V-259924
Rule IDs
  • SV-259924r948770_rule
Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eight hours of continuous backup power at all times. C2 users requiring Immediate or Priority precedence must have two hours of continuous backup power. Interrupting any of the routing or switching infrastructures will disrupt VVoIP service. If the infrastructure is interrupted, command and control communications are disrupted, preventing critical communications from occurring. When implementing a VVoIP system without considering uninterruptible power supply (UPS) needs for the VVoIP controllers and endpoints as well as the entire LAN, and supporting those needs with UPS systems, communications availability is reduced. All elements of the LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints directly supporting users with precedence needs must be provided with sufficient backup power to meet availability requirements. This reduction in availability threatens facility and personal security and safety as well as life safety during a power failure.
Checks: C-63655r946691_chk

Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control users. Verify a UPS system is provided for all parts of the VVoIP infrastructure, including the core Local Session Controller (LSC)/Multifunction Soft Switch (MFSS), adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that directly support one or more special-C2 users are provided at least eight hours of UPS. - All Special-C2 user VVoIP endpoints relying on Power over Ethernet (PoE) must have power sourcing equipment (PSE) sized to support the asset and endpoints by the UPS for a minimum of eight hours. - All Special-C2 user VVoIP endpoints without PoE must be provided a minimum of eight hours of UPS. - UPS systems (battery at a minimum, plus optional generator) supplying infrastructure power supporting Special-C2 and C2 users must also support environmental power (HVAC) to prevent equipment failures. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed directly support one or more Special-C2 users. If no Special-C2 users are supported, this requirement is not applicable. If Special-C2 users are supported, determine if assets are provided with eight hours of backup power. If eight hours of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Special-C2 users, this is a finding.

Fix: F-63562r946692_fix

Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices, including voice endpoints and portions of the LAN that directly support one or more Special-C2 users, must be provided at least eight hours of UPS. Document the VVoIP system design with UPS implementation. NOTE: UPS systems supplying power to infrastructure supporting Special-C2 and C2 users must also support environmental power to prevent equipment failures. This support must be commensurate with the users supported (eight or two hours as appropriate).

b
Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users.
CP-7 - Medium - CCI-001606 - V-259925 - SV-259925r948771_rule
RMF Control
CP-7
Severity
Medium
CCI
CCI-001606
Version
SRG-VOIP-000450
Vuln IDs
  • V-259925
Rule IDs
  • SV-259925r948771_rule
Unified Capabilities (UC) users require different levels of capability depending upon command and control (C2) needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eight hours of continuous backup power at all times. C2 users requiring Immediate or Priority precedence must have two hours of continuous backup power. Interrupting any of the routing or switching infrastructures will disrupt VVoIP service. If the infrastructure is interrupted, command and control communications are disrupted, preventing critical communications from occurring. When implementing a VVoIP system without considering uninterruptible power supply (UPS) needs for the VVoIP controllers and endpoints as well as the entire LAN, and supporting those needs with UPS systems, communications availability is reduced. All elements of the LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints directly supporting users with precedence needs must be provided with sufficient backup power to meet availability requirements. This reduction in availability threatens facility and personal security and safety as well as life safety during a power failure.
Checks: C-63656r946694_chk

Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control users. Verify a UPS system is provided for all parts of the VVoIP infrastructure, including the core Local Session Controller (LSC)/Multifunction Soft Switch (MFSS), adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that directly support one or more C2 users are provided a minimum of two hours of UPS. - All C2 user VVoIP endpoints relying on Power over Ethernet (PoE) must have power sourcing equipment (PSE) sized to support the asset and endpoints by the UPS for a minimum of two hours. - All C2 user VVoIP endpoints without PoE must be provided with a minimum of two hours of UPS. - UPS systems (battery at a minimum, plus optional generator) supplying power to infrastructure that supports Special-C2 and C2 users must also support environmental power (HVAC) to prevent equipment failures. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed directly support one or more C2 users. If no C2 users are supported, this requirement is not applicable. If C2 users are supported, determine if assets are provided with two hours of backup power. If two hours of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support C2 users, this is a finding.

Fix: F-63563r946695_fix

Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices, including voice endpoints and portions of the LAN that directly support one or more C2 users, must be provided at least two hours of UPS. Document the VVoIP system design with UPS implementation. NOTE: UPS systems supplying power to infrastructure supporting Special-C2 and C2 users must also support environmental power to prevent equipment failures. This support must be commensurate with the users supported (eight or two hours as appropriate).

a
Sufficient backup power must be provided for LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-command and control (C2) user accessible endpoints for emergency life safety and security calls.
CP-7 - Low - CCI-001606 - V-259926 - SV-259926r948772_rule
RMF Control
CP-7
Severity
Low
CCI
CCI-001606
Version
SRG-VOIP-000460
Vuln IDs
  • V-259926
Rule IDs
  • SV-259926r948772_rule
Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eight hours of continuous backup power at all times. C2 users requiring Immediate or Priority precedence must have two hours of continuous backup power. Interrupting any of the routing or switching infrastructures will disrupt VVoIP service. If the infrastructure is interrupted, command and control communications are disrupted, preventing critical communications from occurring. When implementing a VVoIP system without considering uninterruptible power supply (UPS) system power needs for the VVoIP controllers and endpoints as well as the entire LAN, and supporting those needs with UPSs, communications availability is reduced. All elements of the LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints directly supporting users with precedence needs must be provided with sufficient backup power to meet availability requirements. This reduction in availability threatens facility and personal security and safety as well as life safety during a power failure.
Checks: C-63657r946697_chk

Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control users. Verify a UPS system is provided for all parts of the VVoIP infrastructure, including the core Local Session Controller (LSC)/Multifunction Soft Switch (MFSS), adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices, including portions of the LAN that supports non-C2 users, are provided 15 minutes of UPS in support of emergency life safety and security communications during a power failure. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed support non-C2 users. If non-C2 users are supported and 15 minutes of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints for emergency life safety and security calls, this is a finding. NOTE: The requirement for UPS support to non-C2 user communications is negated when these users have an alternate reliable means of communicating in such situations. A suitable alternative would be a policy and standard operating procedure in effect requiring users to evacuate the facility to a location where mobile communications capability is available and acceptable.

Fix: F-63564r946698_fix

Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices, including portions of the LAN supporting non-C2 users, are provided at least 15 minutes of UPS in support of emergency life safety and security communications during a power failure. NOTE: The 15 minutes of UPS mandated by this requirement is a minimum. Backup times of 30 to 60 minutes are preferred. UPS systems supplying power to infrastructure supporting non-C2 users should also support environmental power to prevent equipment failures.

b
The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multifunction Soft Switch (MFSS).
AC-4 - Medium - CCI-001548 - V-259927 - SV-259927r948773_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000470
Vuln IDs
  • V-259927
Rule IDs
  • SV-259927r948773_rule
The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and denial of service, the SBC must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with the LSC(s) within the enclave and the SBC fronting the MFSS (and its backup) to which the LSC is assigned. Similarly, an SBC fronting an MFSS must only exchange signaling messages with the MFSS and LSC(s) within the enclave and the SBCs fronting other MFSSs and the LSCs assigned to it. While the SBC is also required to authenticate the source and integrity of the signaling packets it receives, filtering on source IP address adds a layer of protection for the MFSS. This is also a backup measure in the event this filtering is not done on the CE-R. Internal to the enclave, filtering signaling traffic based on the IP address(es) of the LSC(s) within the enclave limits the ability of rogue Voice Video Endpoints attempting to establish calls or cause a denial of service.
Checks: C-63658r946700_chk

Verify the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, verify the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), verify the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), verify the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. Determine the following: - If the enclave contains LSCs, determine the IP address of SBCs fronting the primary and backup MFSSs to which the enclave is assigned or with which the LSC is to exchange signaling messages. - If the enclave contains a MFSS, determine the IP addresses of the SBCs fronting the LSCs with which it is to signal. Also determine the IP addresses of the SBCs fronting the other MFSSs. If the SBC does not filter inbound SIP and AS-SIP traffic based on the IP addresses of the SBCs fronting authorized ESCs, LSCs, and MFSSs, this is a finding. Alternatively, if the SBC does not filter SIP and AS-SIP traffic based on the IP addresses of the ESCs and LSCs within the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63565r946701_fix

Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams.
AC-4 - Medium - CCI-001548 - V-259928 - SV-259928r948774_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000480
Vuln IDs
  • V-259928
Rule IDs
  • SV-259928r948774_rule
The function of the SBC is to manage SIP and AS-SIP signaling messages. To perform its proper function in the enclave boundary, the SBC must decrypt and decode or understand the contents of SIP and AS-SIP messages. Additionally, the SBC can perform message validity checks and determine of an attack is being attempted. The SBC acts as an application-level proxy and firewall for the SIP and AS-SIP signaling messages.
Checks: C-63659r946703_chk

Verify the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages) and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Verify the SBC establishes a new SIP or AS-SIP session for the "next hop" to the internal Local Session Controller (LSC) or the far end SBC that fronts the destination Multifunction Soft Switch (MFSS). Inspect the configuration of the EBC to determine compliance with the requirement. If SIP or AS-SIP messages are passed through the SBC without termination and decryption, this is a finding. If the SBC is not configured to, or is not capable of, terminating and decrypting the SIP or AS-SIP messages, this is a finding. If the SBC is not configured to, or is not capable of, understanding the contents of the decrypted SIP or AS-SIP messages, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the far end SBC that fronts the destination LSC or MFSS, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the LSC inside the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63566r946704_fix

Ensure the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages). The SBC must be configured to decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Also ensure the SBC establishes a new SIP or AS-SIP session for the "next hop" to the internal LSC or the far end SBC that fronts the destination LSC or MFSS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network.
AC-4 - Medium - CCI-001548 - V-259929 - SV-259929r948775_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000490
Vuln IDs
  • V-259929
Rule IDs
  • SV-259929r948775_rule
The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also authenticates SIP and AS-SIP signaling messages, ensuring they are from an authorized source. DOD policy dictates that authentication be performed using DOD PKI certificates. This also applies to network hosts and elements. SIP and AS-SIP are not secure protocols. The information passed during a call session is in human-readable plain text. To secure SIP and AS-SIP, TLS is used. TLS is PKI certificate-based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance's public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.
Checks: C-63660r946706_chk

Verify the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup Local Session Controller (LSC) (or the site's Multifunction Soft Switch [MFSS] and its backup LSC within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not use DOD PKI to authenticate the source of SIP and AS-SIP packets, this is a finding. If the SBC is not configured to validate sending the appliance's public PKI certificate against the DOD PKI registry and CRLs, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63567r946707_fix

Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site's MFSS and is backup LSC) within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.
AC-4 - Medium - CCI-001548 - V-259930 - SV-259930r948776_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000500
Vuln IDs
  • V-259930
Rule IDs
  • SV-259930r948776_rule
The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered during uncontrollable network events, such as bit errors and packet truncation that would cause the packet to contain erroneous information. Packets containing detectable errors must not be processed. Packets can also be modified by a man-in-the-middle attack. The current Unified Capabilities Requirements (UCR) document specifies the hashing algorithm to be used during transmission.
Checks: C-63661r946709_chk

Verify the DISN NIPRNet IPVS SBC is configured to only process signaling packets whose integrity is validated. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not validate the integrity of the received signaling packets, this is a finding. If the SBC is not configured to drop packets whose integrity is not validated, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63568r946710_fix

Ensure the DISN NIPRNet IPVS SBC is configured to only process signaling packets whose integrity is validated. The current UCR document specifies the hashing algorithm to be used during transmission. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

a
The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents.
AC-4 - Low - CCI-001548 - V-259931 - SV-259931r948777_rule
RMF Control
AC-4
Severity
Low
CCI
CCI-001548
Version
SRG-VOIP-000510
Vuln IDs
  • V-259931
Rule IDs
  • SV-259931r948777_rule
Malformed SIP and AS_SIP messages, as well as messages containing errors, could be an indication that an adversary is attempting some form of attack or denial of service. Such an attack is called fuzzing. Fuzzing is the deliberate sending of signaling messages that contain errors in an attempt to cause the target device to react in an inappropriate manner, such as failure that causes a denial of service or permitting traffic to pass that it would not normally permit. In some cases, a target can be flooded with fuzzed messages. The SBC must not act on any portion of a signaling message that contains errors. A malformed or erroneous message could be sent by the signaling partner and be properly hashed for integrity.
Checks: C-63662r946712_chk

Verify the DISN NIPRNet IPVS SBC is configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents. If the SBC does not validate the correct format of the received AS-SIP message, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63569r946713_fix

Ensure the DISN NIPRNet IPVS SBC is configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on its contents. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.
AC-4 - Medium - CCI-001548 - V-259932 - SV-259932r948778_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000520
Vuln IDs
  • V-259932
Rule IDs
  • SV-259932r948778_rule
DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DOD PPSM requires that protocols traversing the DISN and DOD enclave boundaries use the standard IP ports for the specific protocol. Because AS-SIP is a standardized extension of the SIP protocol and AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from cloud service providers.
Checks: C-63663r946715_chk

Verify the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061. - SIP packets arriving on IP port 443 not secured with TLS. - AS-SIP packets arriving on IP port 5060. - AS-SIP packets arriving on IP port 5061 not secured with TLS. If all SIP and AS-SIP packets are not dropped, except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63570r946716_fix

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061. - SIP packets arriving on IP port 443 not secured with TLS. - AS-SIP packets arriving on IP port 5060. - AS-SIP packets arriving on IP port 5061 not secured with TLS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud service providers.

b
The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages.
AC-4 - Medium - CCI-001548 - V-259933 - SV-259933r948779_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000530
Vuln IDs
  • V-259933
Rule IDs
  • SV-259933r948779_rule
The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also manages the SRTP/SRTCP bearer streams. The DISN IPVS PMO has determined that the SBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection. This is because doing so will not provide a significant security benefit but would cause a significant delay with a resulting decrease in the quality of the communications. Encoded audio and video is difficult to impossible to determine if an attack is being perpetrated or if sensitive information is being improperly disclosed without reconstituting the analog audio and video signals and having a person listen and watch each communication. Due to the volume of communications, to do so would be nearly impossible.
Checks: C-63664r946718_chk

Verify the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows: - Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the Local Session Controller (LSC) and Multifunction Soft Switch (MFSS). - Closes the specifically opened IP port pinholes when the session is to be torn down. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC is not configured to open the specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding. If the SBC is not configured to close specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63571r946719_fix

Ensure the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows: - Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS. - Closes the specifically opened IP port pinholes when the session is to be torn down. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

c
The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets.
AC-4 - High - CCI-001548 - V-259934 - SV-259934r948780_rule
RMF Control
AC-4
Severity
High
CCI
CCI-001548
Version
SRG-VOIP-000540
Vuln IDs
  • V-259934
Rule IDs
  • SV-259934r948780_rule
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session could traverse the pinhole, thereby giving unauthorized access to the enclave's LAN or connected hosts. One method for managing these packets is stateful packet inspection. This inspection minimally validates that the permitted packets are part of a known session. This is a relatively weak but somewhat effective firewall function. A better method is to authenticate the source of the packet as coming from a known and authorized source.
Checks: C-63665r946721_chk

Verify the DISN NIPRNet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not validated as being part of an established session. This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets. If packets that are not part of an established session can pass through the SBC, this is a finding. If stateful packet inspection or SRTP/SRTCP packet authentication is not configured, this is a finding. If stateful packet inspection is not configured but the source of the SRTP/SRTCP packets is authenticated from an authorized source, such as an internal endpoint or a remote DISN SBC, this is not a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63572r946722_fix

Configure the DISN NIPRNet SBC to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for known sessions, except those validated as being part of an established session. This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

c
The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.
AC-4 - High - CCI-001548 - V-259935 - SV-259935r948781_rule
RMF Control
AC-4
Severity
High
CCI
CCI-001548
Version
SRG-VOIP-000550
Vuln IDs
  • V-259935
Rule IDs
  • SV-259935r948781_rule
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session may traverse a pinhole, giving unauthorized access to the enclave's LAN or connected hosts. Another method for managing packets through a pinhole opened for a VVoIP session is to only permit packets to pass matching the expected protocol type, such as RTP/RTCP or SRTP/SRTCP. If only RTP/RTCP or SRTP/SRTCP packets are permitted to pass, this reduces the exposure presented to the enclave by the open pinhole. Additional flows or protocols may be permitted if specifically required for an approved function and establishment is signaled or controlled by the signaling protocol in use by the system. An example of this is the transmission of H.281 far end camera control messages for a video conferencing session. Using AS-SIP for signaling, a UDP-based 6.4kbps H.224 over RTP control channel over which the H.281 far end camera control messages are transmitted might be established along with the media streams. This additional flow would require additional pinholes.
Checks: C-63666r946724_chk

Verify the DISN NIPRNet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not an approved protocol. The allowed protocols are RTP/RTCP, SRTP/SRTCP, and other approved protocols/flows established by signaling messages. This requires filtering on protocol type. If the DISN NIPRNet boundary SBC does not deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except approved protocols, this is a finding. If packets that are not RTP/RTCP or SRTP/SRTCP (or other approved packet type as established in the signaling messages) protocol packets can pass through the boundary SBC, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63573r946725_fix

Configure the DISN NIPRNet boundary SBC to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that is not an RTP/RTCP or SRTP/SRTCP packet or other approved protocol/flow established by the signaling messages. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
AC-4 - Medium - CCI-001548 - V-259936 - SV-259936r948782_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000560
Vuln IDs
  • V-259936
Rule IDs
  • SV-259936r948782_rule
Action cannot be taken to thwart an attempted DOS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occurrence in real time.
Checks: C-63667r946727_chk

Verify the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur: - Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC. - Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS. - Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or effect a man-in-the-middle attack. If the SBC does not notify system administrators and the ISSO when attempts to cause a DoS or other suspicious events are detected, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix: F-63574r946728_fix

Ensure the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur: - Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC. - Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS. - Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or an attempt to effect a man-in-the-middle attack. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

b
The Enterprise Voice, Video, and Messaging system connecting with a DISN IPVS must be configured to signal with a backup Multifunction Soft Switch (MFSS) (or SS) if the primary cannot be reached.
AC-4 - Medium - CCI-001548 - V-259937 - SV-259937r948784_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000570
Vuln IDs
  • V-259937
Rule IDs
  • SV-259937r948784_rule
Redundancy of equipment and associations is used in an IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet IPVS network have been implemented to provide networkwide redundancy of their functions. They are intended to work in pairs so that one can provide its backbone services to multiple LSCs that are configured to use one as a primary and the other as a backup. This is necessary to the maintenance of backbone functionality in the event there is a circuit (network path) failure, an MFSS or SS failure, or one of the sites housing an MFSS or SS is lost or the MFSS or SS becomes unavailable. Based on this, when establishing a call on the WAN, each LSC must be configured to signal with a backup MFSS or SS in the event it cannot reach its primary.
Checks: C-63668r946730_chk

Inspect the configurations of the LSC(s) to determine compliance with the requirement. If the LSC(s) are not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached, this is a finding.

Fix: F-63575r948783_fix

If the Enterprise Voice, Video, and Messaging system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of command control (C2) user (Special-C2, C2, C2(R)), ensure each enclave containing one or more LSCs is assigned to, associated with, or serviced by two DISN IPVS core backbone systems as follows: - For DISN NIPRNet IPVS, each enclave will be serviced by at least one primary and one secondary (backup) MFSS. - For DISN SIPRNet IPVS, each enclave will be serviced by at least one primary and one secondary SS at the SIPRNet tier 0 routers.

b
The Multifunction Soft Switch (MFSS) must be configured to synchronize with at minimum a paired MFSS and/or others so that each may serve as a backup for the other when signaling with its assigned Local Session Controller (LSC), thus improving the reliability and survivability of the DISN IPVS network.
AC-4 - Medium - CCI-001548 - V-259938 - SV-259938r948785_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000580
Vuln IDs
  • V-259938
Rule IDs
  • SV-259938r948785_rule
MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. An MFSS provides the following functions: - Receives AS-SIP-TLS messages from other MFSSs and a specific set of regionally associated LSCs to act as a call routing manager across the backbone. - Sends AS-SIP-TLS messages to interrogate the ability of another MFSS or an LSC to receive a call, whether routine or priority. - Sends AS-SIP-TLS messages to manage the establishment of priority calls and the preemption of lower priority calls to LSCs and other MFSSs. - Once a "trunk side" session request is received, the MFSS determines if the destination is one of its assigned LSCs. If so, it interrogates that LSC to determine if it can receive the call. If so, it signals to establish the call. If the destination is not one of its LSCs, it signals with other MFSSs to locate the destination LSC and then the remote MFSS negotiates with its LSC. - Acts as a backup MFSS for LSCs assigned to other MFSSs as primary. An LSC must be able to signal with an MFSS to establish any call across the DISN WAN. LSCs do not interact directly with LSCs. This hierarchical arrangement is required in order to manage and establish priority calls and manage access circuit budgets. Each LSC must have a backup MFSS. In support of this function, MFSSs must be operated in pairs with all the information about its assigned LSCs replicated across the pair.
Checks: C-63669r946733_chk

Inspect the configuration of the MFSS to determine compliance with the requirement. If the event the MFSS is not configured to synchronize its LSC and associated traffic information with a paired MFSS and vice versa, this is a finding. NOTE: There is a possibility that any given MFSS may pair with more than one other MFSS depending on the geographic orientation of the MFSSs and LSCs in the region.

Fix: F-63576r946734_fix

Ensure each MFSS is configured to synchronize with a paired MFSS so that each may serve as a backup for the other when signaling with its assigned LSCs and regarding the overall operation of the DISN IPVS network and the negotiation of call establishment between enclaves.

b
A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system.
AC-4 - Medium - CCI-001548 - V-259939 - SV-259939r948786_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001548
Version
SRG-VOIP-000590
Vuln IDs
  • V-259939
Rule IDs
  • SV-259939r948786_rule
MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints. Additional policy-based validation techniques must be developed to ensure that 802.1x exempted devices are properly tracked and controlled to prevent compromise of the underlying 802.1x system and allow unapproved devices to access the Enterprise Voice, Video, and Messaging system.
Checks: C-63670r946736_chk

Verify a policy and procedure is in place and enforced that addresses the operation of MAC Authentication Bypass exceptions to 802.1x requirements. If a MAC Authentication Bypass policy is not in place and enforced, this is a finding.

Fix: F-63577r946737_fix

Ensure a policy and procedure is in place and enforced that addresses the operation of MAC Authentication Bypass exceptions to 802.1x requirements.