Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: - Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s). - Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection (e.g., a proper cover). - Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. The best practice is to not display it in view of the camera at all. Inspect the applicable standard operating procedure (SOP). Inspect a random sampling of workspaces and conference rooms to determine compliance. Look for potentially sensitive information posted on the walls in view of the camera(s). Interview the ISSO to determine how the SOP is enforced. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If deficiencies are found in any of these areas, this is a finding. Note the deficiencies in the finding details.
Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information. Do not post potentially sensitive information on the walls in view of the camera(s). Produce an SOP that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: - Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s). - Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection. (e.g., a proper cover). - Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. Best practice is to not display it in view of the camera at all. Provide appropriate training so users follow the SOP. Enforce user compliance with the SOP.
Verify a policy and procedure is in place and enforced that addresses the placement and operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides. NOTE: This standard operating procedure (SOP) should take into account the classification of the area where the video teleconferencing unit (VTU) or PC supporting a PC-based voice, video, UC, and collaboration communications applications is installed as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Measures should also be included such as closing office or conference room doors, muting microphones before and after conference sessions and during conference breaks, volume levels in open offices, and muting the microphone when not speaking. Inspect the applicable SOP. Such an SOP should: - Include policy on the use of headsets containing short-range microphones and earphones in lieu of long-range microphones and speakers in an open office environment. - Address the volume settings of speakers so session information is not heard by nonparticipants in a work area. - Address the potential for the pickup of nonsession-related conversations in the work area. - Discuss Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If the SOP or training is deficient, this is a finding.
Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Such an SOP should: - Include policy on the use of headsets containing short-range microphones and earphones in lieu of long-range microphones and speakers in an open office environment. - Address the volume settings of speakers so session information is not heard by nonparticipants in a work area. - Address the potential for the pickup of nonsession-related conversations in the work area. Provide appropriate training so users follow the SOP. Enforce user compliance with the SOP.
Verify an automatic capability exists and review documentation to determine if this capability is being implemented before transitioning from one period/network to the next. If no automatic capability exists, review organizational documentation to determine if a manual procedure is specified and implemented before transitioning from one period/network to the next. Coordinate with the vendor/solutions provider and certifier to verify all residual information is sanitized based on equipment make and model. If an automatic capability exists and is being implemented, this is not a finding. If an automatic capability exists but is not being implemented, this is a finding unless a manual procedure is specified and is being implemented. If a manual procedure is specified and is being implemented, this is not a finding. If no procedure is specified or none is being implemented, this is a finding.
Obtain equipment that has an automatic capability to sanitize memory or implement and document a manual procedure. Implement the automatic capability or manual procedure to sanitize all information while transitioning from one period/network to the next.
Review the VTC system architecture to verify that an approved A/B, A/B/C, or A/B/C/D switch is present and properly cabled. Alternately, validate that the VTC CODEC is manually connected to one network at a time through the use of a single patch cord. If neither is in place, this is a finding.
Obtain and install an approved A/B, A/B/C, or A/B/C/D switch. Alternately, manually connect the VTC CODEC to one network at a time through the use of a single patch cord.
Observe the operation of the VTC system as it transitions between networks. Verify that the CODEC is powered off for a minimum of 60 seconds during the transition. If it is not, this is a finding.
Sanitize volatile memory by disconnection of all power for at least 60 seconds.
Verify the VTC system has an automated configuration management system configured to sanitize and reconfigure the CODEC when transitioning between networks. If it does, review documentation to determine if this capability is being implemented. If these conditions are met, this is not a finding. If the unit is not implementing an automated process, review documentation to determine if a manual procedure is specified and implemented when transitioning between networks. This will result in a CAT III finding if these conditions are met and a CAT II finding if they are not. If an automatic capability exists but is not being implemented, or an automated configuration management system is not being used, this is a CAT II finding unless a manual procedure is specified and is being implemented. I f a manual procedure is specified and is being implemented, this is a CAT III finding. If the unit is not being sanitized when transitioning between networks, this is a CAT II finding.
Obtain a VTC system that has an automated sanitization capability. Implement and document a procedure that uses this capability to sanitize the CODEC when transitioning between networks. As a last resort, implement and document a manual sanitization/reconfiguration procedure to perform this function.
Review A/B, A/B/C, or A/B/C/D switch vendor documentation to determine if optical technologies are used to maintain electrical isolation between the input port/connection and between all selectable output ports/connections. If this is not the case, this is a finding. Validate approved equipment is being used. DISN Video Services (DVS) maintains a list of A/B, A/B/C, or A/B/C/D switches that have been certified to meet the above requirements at https://disa.mil/Services/Network-Services/Video/~/media/Files/DISA/Services/DVS/red_black_peripherals.xls. If the A/B, A/B/C, or A/B/C/D switch is not on the list, this is a finding.
Obtain and install an approved A/B, A/B/C, or A/B/C/D switch.
Review the VTC system architecture documentation and observe system operation while transitioning between networks to verify one of the following: - The CODEC is switched to a disconnected/unused switch position while it is being purged/reconfigured. - The CODEC is purged while connected to one network, power cycled as it is switched to the next network, and then reconfigured for that network. Alternately, if a manual switching procedure is used, verify the CODEC is physically disconnected from any network while being reconfigured. If none of these procedures is being followed, this is a finding.
Do one of the following: - Architect, implement, and configure the system so the A/B, A/B/C, or A/B/C/D switch connects the CODEC to an unused switch position while it is being reconfigured during transition from one network to another. - Architect, implement, and configure the system so the CODEC configuration is purged before it is switched to the next network, the CODEC is power cycled for the required time period as the A/B, A/B/C, or A/B/C/D switch connects the CODEC to the next network, and then the CODEC is reconfigured for that network. - If a manual switching procedure is used, physically disconnect the CODEC from any network while it is reconfigured for the next network.
Review the NIAP Product Compliant List (PCL) at https://www.niap-ccevs.org to verify that a certification exists for the A/B, A/B/C, or A/B/C/D switch or review a vendor-provided letter from NIAP or the NIAP test report indicating satisfactory completion of testing and PCL listing. Validation of certification via the NIAP PCL can be more easily facilitated if the vendor has provided the certification number. If the product is not on the list or a NIAP letter or test report is not provided, this is a finding.
Obtain and install an A/B, A/B/C, or A/B/C/D switch that has obtained Common Criteria certification.
Review the documentation to determine if the A/B, A/B/C, or A/B/C/D switch is TEMPEST certified. Review TEMPEST certification documentation provided by a CTTA or the vendor to determine if the switch is TEMPEST certified. If the A/B, A/B/C, or A/B/C/D switch is not on the list, or satisfactory documentation is not provided, this is a finding.
Obtain and install a TEMPEST-certified A/B, A/B/C, or A/B/C/D switch.
Review the VTC system architecture to determine the method of network isolation used. Verify that only one CODEC or fiber optic media adaptor can be turned on at a time by attempting to turn on more than one CODEC concurrently. If more than one CODEC operates, this is a finding.
Obtain and implement a power control system that can support automatic mutually exclusive power control.
Review the documentation and based on the TEMPEST ZONE in the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance, determine if the required separations between RED and BLACK equipment and cables have been met. This includes cable routing inside equipment cabinets. Depending on the TEMPEST ZONE, the separation requirements are: - Minimum equipment separation - 50 cm or 1 m. - Minimum cable separation - 5 cm or 15 cm. If the cables or equipment are closer than the minimum cable and equipment separation distances, this is a finding. If a CTTA has reviewed the system's installation and provided a favorable report or certification, this is not a finding.
Install cabling and equipment in accordance with the CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance. Depending on the TEMPEST ZONE, the separation requirements are: - Minimum equipment separation - 50 cm or 1 m. - Minimum cable separation - 5 cm or 15 cm.
Confirm a policy and supporting procedures are in place that address the placement and operation of video conferencing, UC soft client, and speakerphone speakers to prevent disclosure of sensitive or classified information over nonsecure systems. Operational policy and procedures must be included in user training and guides. The policy and supporting procedures should consider the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. They should include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use. If a policy and supporting procedures governing video conferencing, UC soft client, and speakerphone speaker operations preventing disclosure of sensitive or classified information over nonsecure systems do not exist or are not enforced, this is a finding.
Document and enforce a policy and procedure for video conferencing, UC soft client, and speakerphone speaker operations to prevent disclosure of sensitive or classified information over nonsecure systems. Ensure appropriate training is provided for users. The policy and supporting procedures should consider the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use.
Verify that an inventory of authorized instruments is documented and maintained. Inspect the authorized instrument inventory. NOTE: This inventory will be separate from the inventory created within the Local Session Controller (LSC) from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation). If the inventory does not exist or does not appear to be up to date, this is a finding. Ask how this inventory is generated and where it is stored. If it is located on the LSC, this is a finding.
Ensure that an inventory of authorized instruments is documented and maintained. NOTE: This inventory will be separate from the inventory created within the LSC from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation). Prepare and maintain an inventory/database of authorized VoIP instruments. Generate and store the inventory on a separate workstation or server from the LSC (for example, the LSC management workstation). Recommendation: Create the inventory in a format that can easily be compared through automation to the report of registered instruments from the LSC (if available). This will facilitate regular review of the inventory to detect unauthorized instruments and will make the IA review easier.
Verify customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTES: - This is similarly applicable to other classified DISN services and customer's C-LANs. - This is not a requirement if a VoIP-based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or to access the DRSN and communicate with other enclaves that do use the DISN service or have access to the DRSN. They must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. - This requirement does not directly apply to dedicated hardware-based IP - VTC systems using the C-LAN and SIPRNet for transport, although there may be similar requirements to address this technology in the future. Determine the following: - Is the organization's secret C-LAN connected to SIPRNet? - Does the organization's secret C-LAN support VVoIP communications (not dedicated IP-based VTC)? - Does organization's secret C-LAN VVoIP system interconnect with other enclaves using the DISN VoSIP service? - What address blocks are dedicated to the VVoIP system on the C-LAN? - Is there documented evidence that the DRSN/VoSIP PMO assigned these addresses to the organization, or can such assignment be validated by other means? If the organization's secret C-LAN supports VVoIP communications (not dedicated IP-based VTC) AND is connected to SIPRNet AND uses the DISN VoSIP service BUT DOES NOT use the DRSN/VoSIP PMO assigned address blocks when addressing all of the VVoIP system components, this is a finding.
Ensure customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTES: - This is similarly applicable to other classified DISN services and customer's C-LANs. - This is not a requirement if a VoIP-based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or to access the DRSN and communicate with other enclaves that do use the DISN service or have access to the DRSN. They must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. - This requirement does not directly apply to dedicated hardware-based IP - VTC systems using the C-LAN and SIPRNet for transport, although there may be similar requirements to address this technology in the future. Obtain and assign IP addresses as provided by the DRSN PMO-VoSIP department when defining the required dedicated address space on the LAN.
Determine if UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets, that provide a network bridging capability to the PSTN are used on a DOD PC or network. If so, further determine if there is a validated and approved mission requirement for their use. Interview a random sampling of users regarding their use of this bridging capability. If these devices are used and there is no validated mission requirement, this is a finding. NOTE: This requirement applies to Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Prior to procurement and implementation of any wireless accessory, a risk analysis must be performed to ensure the technology uses acceptable encryption and does not interfere with existing technology use. This guidance is not intended to replace the existing guidance available for wireless headsets used in association with mobile devices.
Discontinue the use of UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets that provide a network bridging capability unless there is a validated and approved mission requirement for their use.
Part 1: Determine if PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in users' workspaces. If so, inspect users' work areas to determine if hardware-based telephone instruments are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. Cellphones, PDA/PEDs, or other wireless devices are not considered reliable enough to meet this requirement due to lack of reliable signal available everywhere and their inability to be used in certain DOD environments. If these conditions are not met, this is a finding. NOTE: This requirement is satisfied by the implementation of hard-wired hardware-based telephone instruments using any telephony technology. That is, traditional analog or digital instruments may be used, or VoIP-based instruments may be used. Such instruments may be part of the local site's PBX or VoIP system or may be served from the Local Exchange Carrier (LEC) or Competitive LEC (CLEC). Power is another concern when implementing backup/continuity of operations (COOP) or emergency telephones. Such phones should be remotely powered from a source that can provide backup power. Additionally, the dialing capabilities of backup/COOP or emergency telephones may be limited to internal and/or emergency calls. This means that minimally, emergency service numbers must be reachable from these phones. Part 2: Select a random sample if not all of the implemented hard-phones and test them to ensure they are functional. If nonfunctional phones are found, this is a finding.
If PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in the user's workspace, ensure hardware-based telephone instruments are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. NOTE: This requirement is satisfied by the implementation of hard-wired hardware-based telephone instruments using any telephony technology. That is, traditional analog or digital instruments may be used, or VoIP-based instruments may be used. Such instruments may be part of the local site's PBX or VoIP system or may be served from the Local Exchange Carrier (LEC) or Competitive LEC (CLEC). Power is another concern when implementing backup/continuity of operations (COOP) or emergency telephones. Such phones should be remotely powered from a source that can provide backup power. Additionally, the dialing capabilities of backup/COOP or emergency telephones may be limited to internal and/or emergency calls. This means that minimally, emergency service numbers must be reachable from these phones.
Verify the Command and AO approves the implementation or transition to UC soft clients as the primary endpoints in writing. Verify the ISSO maintains approval documentation for inspection by IA reviewers or auditors. Review the written Command and AO approval for the implementation of a telephone system that primarily uses UC soft client applications for its endpoints. If no written Command and AO approval exists for UC soft client endpoints, this is a finding.
Obtain the Command and AO approval for the implementation or transition to UC soft clients as the primary endpoints in writing. Approval documentation must be maintained by the ISSO for future inspection by IA reviewers or auditors. If Command and AO written approval is not available, hardware endpoints must be used as the primary endpoints. NOTE: This requirement is in addition to AO approval for deploying UC soft clients on DOD networks. When UC soft clients are deployed as the primary endpoint, additional risks to availability exist.
Verify the responsible AO approves the use of limited numbers of UC soft clients in the strategic LAN along with the measures implemented to protect these UC soft clients and the local VoIP and data infrastructure. Verify that approval is provided in writing and maintained by the ISSO for inspection by IA reviewers or auditors. When limited numbers of UC soft clients associated with the local VoIP system are implemented in the strategic LAN, a separate VLAN structure must be implemented for them. Implementation of a VLAN must not provide a bridge between the VoIP and data VLANs. Traffic must be filtered such that the UC soft client's VoIP traffic is routed to the VoIP VLAN while all other traffic is routed to the data VLAN. A separate NIC is not required to support VLANs for voice and video segmentation under UC. NOTE: Limited numbers in this scenario means as few as possible but may mean 25 or 30 percent of the overall PCs on the LAN. Beyond this percentage, the protections afforded by this implementation become limited or negated because of the large number of PCs in the UC soft client VLAN. Determine if limited numbers of UC soft clients are permitted to operate or are implemented in the strategic LAN. If so, review the written AO approval for the implementation. If limited numbers of UC soft clients are to be implemented in the strategic LAN without written AO approval for the implementation, this is a finding.
Ensure the responsible AO approves the use of UC soft clients in the strategic LAN along with the measures implemented to protect UC soft clients and the local VoIP and data infrastructure. Ensure approval is provided in writing and maintained by the ISSO for inspection by IA reviewers or auditors. UC soft clients do not provide assured services and therefore cannot be used as the primary method of communications for personnel requiring assured services. When limited numbers of UC soft clients are to be implemented in the strategic LAN, obtain written approval from the responsible AO along with approval for the measures implemented to protect these UC soft clients and the local VoIP and data infrastructure. Alternately, remove the UC soft clients from the LAN.
Review the site documentation to confirm a Call Center or CTI system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary. When a Call Center/CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) using soft clients are approved for use in the strategic LAN, verify the following: - The supporting network is configured as a closed enclave or a segregated and access-controlled subenclave having appropriate boundary protection between it and the local general business LAN or external WAN. - If the CTI application accesses resources outside this enclave and the application could be compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason). - The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs. - The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller. If a Call Center or CTI system using soft clients is not segregated into a protected enclave and limits traffic traversing the boundary, this is a finding.
Implement a Call Center or CTI system using soft clients to be segregated into a protected enclave and limit traffic traversing the boundary.
Review site documentation to confirm the local Enterprise Voice, Video, and Messaging system has the capability to place intrasite and local phone calls when network connectivity is severed from the remote centrally located session controller. If the local Enterprise Voice, Video, and Messaging system does not have the capability to place intrasite and local phone calls when network connectivity is severed, this is a finding. Reliance on government-furnished equipment or personal cellphones does not meet this requirement because signal strength and reliability are reduced inside buildings, and cellphones are not permitted in most DOD facilities. The minimum capability for placement of line-side precedence calls depends on the command and control (C2) requirements of the site and must be determined in conjunction with the local command authority. To satisfy this requirement, at a minimum, ROUTINE call placement capabilities must be maintained.
Implement and document the local Enterprise Voice, Video, and Messaging system with the capability to place intrasite and local phone calls when network connectivity is severed. The minimum capability for placement of line-side precedence calls depends on the C2 requirements of the site and must be determined in conjunction with the local command authority. To satisfy this requirement, at a minimum, ROUTINE call placement capabilities must be maintained.
If the system does not support a minimum of 96 instruments, this is not applicable. Review site documentation to confirm the LAN hardware supporting VVoIP services provide redundancy to support C2 assured services and FES communications. Verify the LAN hardware is redundant as follows: - Dual Power Supplies - Each platform must have a minimum of two power supplies, and the loss of a single power supply will not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - Each chassis must support dual control processors, and failure of any one processor will not cause any loss of functions within the chassis. - Termination Sparing - Each chassis must support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - Each routing device must support protocols allowing for dynamic rerouting. - Backplane Redundancy - Each switching platform must support a redundant (1 + 1) switching fabric or backplane, and the second fabric's backplane must be in active standby so that failure of the first does not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented so the failover to the secondary product does not result in any lost calls. If the LAN hardware supporting VVoIP services does not provide redundancy to support C2 assured services and FES communications, this is a finding.
Implement and document that the LAN hardware supporting VVoIP services provides redundancy to support C2 assured services and FES communications. Mandatory redundancy includes the following: - Dual Power Supplies - Each platform must have a minimum of two power supplies, and the loss of a single power supply will not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - Each chassis must support dual control processors, and failure of any one processor will not cause any loss of functions within the chassis. - Termination Sparing - Each chassis must support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - Each routing device must support protocols allowing for dynamic rerouting. - Backplane Redundancy - Each switching platform must support a redundant (1 + 1) switching fabric or backplane, and the second fabric's backplane must be in active standby so that failure of the first does not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented so the failover to the secondary product does not result in any lost calls. Redundancy may not be required for VVoIP systems supporting less than 96 users, but best practice is to provide redundancy or maintain spares so service can be restored in a timely manner in the event of a failure.
If the system does not support a minimum of 96 instruments, this is not applicable. Review site documentation to confirm the LAN hardware supporting VVoIP services provides physically diverse pathways for redundant links supporting C2 assured services and FES communications. The inspection of uplink pathways may require inspecting cable plant drawings or tracing the physical cable path through the building. If the LAN hardware supporting VVoIP services does not provides physically diverse pathways for redundant links supporting C2 assured services and FES communications, this is a finding.
Implement and document that the LAN hardware supporting VVoIP services provides physically diverse pathways for redundant links supporting C2 assured services and FES communications. Ensure each uplink supports the full bandwidth, and the appropriate routing protocol is configured for failover from one uplink to the other when a failure occurs. This applies to access layer elements connected to distribution layer elements and distribution elements connected to core layer elements. Run new cable, upgrade, or reroute as necessary.
If the site is small and has POTS lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DOD VVoIP system, this is not applicable. If the site is subtended to an enclave with approved IP voice services providing commercial service, this is not applicable. Verify all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a local MG using a PRI, CAS, or POTS analog trunk to a commercial service provider. If the site is not connected to the PSTN via a MG located within the local site enclave as described above, this is a finding. NOTE: Trunks that support SS7 signaling and SS7-based signaling between a DOD network and a non-DOD network are prohibited.
Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented MG using a PRI, CAS, or POTS analog trunk to a commercial service provider. NOTE: Trunks that support SS7 signaling and SS7-based signaling between a DOD network and a non DOD network are prohibited.
If the system does not support a minimum of 96 instruments, this is not applicable. If the site is in a tactical war zone where "friendly" service is not available, this is not applicable. Interview the ISSO to verify the site has local analog or TDM commercial phone service provided to support COOP and FES calls. The most common methods to implement TDM or VVoIP systems are as follows: - Connect local commercial service to the site's local phone system/switch (TDM or VVoIP) and program access to the local service from all Voice Video Endpoints. - Connect local commercial service to dedicated Voice Video Endpoints (separate from the site's local phone system) throughout the facility and accessible in all work areas. These dedicated Voice Video Endpoints may be standalone or part of a dedicated a key system, PBX, or VVoIP network separate from the site's local VVoIP or TDM phone system. - Sites may use mobile devices for COOP and FES calls in support of nonsensitive unclassified areas. NOTE: The IA premise of this requirement is "availability" and COOP. The purpose of this requirement is to provide local commercial service if the site is cut off from DISN service or the main site to which the local site is subtended and tethered. If the site does not have local analog or TDM commercial phone service provided to support COOP and FES calls, this is a finding. If the local commercial service is VoIP or VVoIP, this is a finding.
Implement local commercial phone service (analog or TDM) according to the size of the site and the following: Ensure local analog or TDM commercial phone service supports COOP and FES calls. This applies to TDM or VVoIP systems conditionally as follows: - Connect local commercial service to the site's local phone system/switch (TDM or VVoIP) and program access to the local service from all Voice Video Endpoints. - Connect local commercial service to dedicated Voice Video Endpoints (separate from the site's local phone system) throughout the facility and accessible in all work areas. These dedicated Voice Video Endpoints may be standalone or part of a dedicated a key system, PBX, or VVoIP network separate from the site's local VVoIP or TDM phone system. - Sites may use mobile devices for COOP and FES calls in support of nonsensitive unclassified areas.
Inspect the documentation showing how the enclave is connected to the DISN to determine compliance with the requirement. If the enclave is not dual homed, this is a finding.
If the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the enclave is dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) routers. NOTES: - This means there are two DISN (or commercial) access circuits (many circuits will have a commercial component, typically the "last mile") from the site/enclave to the DISN SDNs. - This assumes the site/enclave is NOT collocated with a DISN SDN such that a direct Ethernet or optical connection can be made. - If a site is located at a DISN SDN and is able to directly connect to the SDN using Ethernet or optical connections, the site may be able to rely on the dual homing of the SDN into the core. However, the site must still be homed to two geographically diverse ARs. This depends on the size or type of the SDN. A large site directly connected to a smaller SDN will implement an access circuit to a geographically diverse SDN (i.e., another SDN in another location remote from the local SDN). This should not be one of the SDNs to which the local SDN is homed.
Inspect the documentation for the access circuits and the bandwidth engineering study to determine compliance with the requirement. If each circuit cannot handle the entire engineered load for the enclave, including surge capacity, this is a finding.
Ensure a bandwidth engineering study is performed to determine the WAN bandwidth needs for the site, including surge capacity. Ensure each redundant DISN Core access circuit has the same capacity so that one is able to support the entire engineered bandwidth needs of the enclave.
Inspect the documentation for the pathways taken by the access circuits to determine compliance with the requirement. Obtain the pathway documentation for the facilities on-site. Additionally, obtain information from the DISN core PMO and/or local carrier of the access circuits for the pathways off-site. Verify the ISSO maintains a copy for future inspections. Changes to the pathways must also be recorded and maintained. If the required dual-homed circuits follow the same path or are close enough anywhere along their length to be damaged by a single event, this is a finding.
Ensure dual-homed DISN Core or NIPRNet access circuits follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. Ensure each circuit uses different facilities such as cables, demarks, and digital cross connects in geographically diverse locations. Ensure geographic and facilities information is maintained on-site and off-site. Ensure the paths taken by the access circuits remain significantly separate along their entire length so that a single point of failure is not created.
Review site documentation to confirm critical network equipment is redundant and in geographically diverse locations for a site supporting C2 users. Verify redundant sets of CERs, SBCs, and session controllers are housed in geographically diverse facilities within the site so that if one location is lost or isolated from the network, communications service is maintained. Site facilities with a Soft Switch should have a session controller implemented in a geographically diverse location. If critical network equipment does not have redundant equipment, this is a finding. If redundant critical network equipment is not in a geographically diverse location, this is a finding. If it is determined, following a cost/benefit study and risk analysis, that redundant facilities containing dual sets of CERs, SBCs, and session controllers are not warranted for the given site, this requirement should be marked as a finding with a justification included in the POA&M stating the authorizing official (AO) is cognizant of and accepts the risk. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Implement and document critical network equipment as redundant and in geographically diverse locations for a site supporting C2 users. Critical network equipment includes CERs, SBCs, and session controllers (or Soft Switches in combination with session controllers). NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Inspect the VVoIP implementation system design for connections to commercial VoIP ITSP. If the ITSP is providing converged services or other services beyond SIP trunking, NET0160 applies. The use cases applicable to this requirement: - Use Case 1: ITSP connections providing direct connection to the enclave's DOD LAN. - Use Case 2: ITSP connections providing a SIP trunk terminating on a media gateway that provides TDM trunks or POTS lines to traditional non-VoIP PBX, key system, or individual end instrument. - Use Case 3: ITSP connections terminating on a separate LAN from the enclave's DOD LAN supporting a separate VoIP system. - Use Case 4: ITSP connections providing service over any approved ISP gateway. If any enclave connects with commercial VoIP provider (ITSP) and is not approved by the DODIN Waiver Panel, this is a finding. If the DOD CIO has not signed for a permanent "alternate connection" to the ITSP, this is a finding. NOTE: This connection will be a permanent connection and should be designated or recognized as such in the approval documentation since most such approvals are for temporary connections.
Obtain approval by the DODIN Waiver Panel and signature by the DOD CIO for a permanent "alternate connection" to the ITSP for any connection with a commercial VoIP provider (ITSP).
Inspect the telephone system configuration to determine compliance with the requirement. Verify the site's local DOD telephone system, VoIP or traditional, supports DOD Instruction 6055.06 telecommunication capabilities as follows: - The site implements support for DOD Instruction 6055.06 through local policies, procedures, staffing, and facilities or agreements/contracts with external providers. - The site's telephone system supports enhanced F&ES emergency communications. - The site's telephone system (VoIP or traditional), provides ANI information to the emergency services answering point and a PS-ALI database is established within the telephone system or externally, the information from which is accessible to the emergency services answering point. - The site maintains and keeps current the PS-ALI database with all telephone adds, moves, and changes. If the F&ES communications over a site's telephone system is not configured to support the DOD Instruction 6055.06 telecommunication capabilities, this is a finding. If the site does not provide F&ES telecommunications services (fire, police, medical, etc.), or support enhanced emergency communications, this is a finding.
Configure the F&ES communications over a site's DOD telephone system, VoIP or traditional, to support the DOD Instruction 6055.06 telecommunication capabilities as follows: - The site implements support for DOD Instruction 6055.06 through local policies, procedures, staffing, and facilities or agreements/contracts with external providers. - The site's telephone system supports enhanced F&ES emergency communications. - The site's telephone system (VoIP or traditional), provides ANI information to the emergency services answering point and a PS-ALI database is established within the telephone system or externally, the information from which is accessible to the emergency services answering point or call center. - The site maintains and keeps current the PS-ALI database with all telephone adds, moves, and changes.
Inspect the telephone system configuration to determine compliance with the requirement. Verity the local DOD telephone system, VoIP or traditional, is configured to provide the originating telephone number of an F&ES call to the emergency services answering point or call center through a transfer of ANI or ALI information. If the originating telephone number of an F&ES call is not available or is not provided to the emergency services answering point or call center, this is a finding.
Configure the local DOD telephone system, VoIP or traditional, to provide the originating telephone number of an F&ES call to the emergency services answering point or call center through a transfer of ANI or ALI information.
Inspect the telephone system configuration or external database to determine compliance with the requirement. Verify the local DOD telephone system, VoIP or traditional, is configured to provide the originating telephone number and the physical location of an F&ES caller to the emergency services answering point through a transfer of ANI and PS-ALI information or the emergency services answering point is provided automated access to the required PS-ALI database. If the location of an F&ES caller is not provided to, or is not accessible by, the emergency services answering point or call center, this is a finding. NOTE: These requirements also apply to key telephone systems and installations where a single number has multiple appearances (appears on multiple telephones) such that individual instruments in the system can be identified.
Configure the local DOD telephone system, VoIP or traditional, to provide the originating telephone number and the physical location of an F&ES caller to the emergency services answering point through a transfer of ANI and PS-ALI information or the emergency services answering point is provided automated access to the required PS-ALI database.
Inspect the telephone system configuration and routing tables to determine compliance with the requirement. Verify the local DOD telephone system, VoIP or traditional, routes calls to the designated local emergency services number at the public and private emergency services answering point (PSAP) as a priority call in a nonblocking manner. If an emergency services number is not designated to access an emergency services answering point or call center whether internal to the local site or to another local agency or municipality, this is a finding. If calls to this number are not treated as a priority call in a nonblocking manner, this is a finding. NOTE: If the F&ES calls are routed to a public entity outside the private telephone system, the call must route to an internal emergency number in parallel with the external call. Both calls should have the same priority. This is so the site can be aware of the emergency and assist the F&ES responders in reaching the location of the caller. F&ES calls may be routed to an internal on-site F&ES answering point providing the site maintains robust local police, fire, and medical services that can replace public services. If a public F&ES answering point is the primary answering point for the site, calls must be directly routed to it and not relayed via a local emergency answering point. A second call from the local emergency answering point should not be required to obtain emergency services from the public F&ES answering point unless the site maintains full and comparable police, fire, and medical services and its answering point is the primary. If a local private answering point is the primary answering point, and if this private answering point is not fully staffed on a 24/7 basis, the telephone system must route F&ES calls to the public answering point when the local answering point is not fully staffed (e.g., outside the normal working hours of the site).
Configure the local DOD telephone system, VoIP or traditional, to routes calls to the designated local emergency services number at the public or private emergency services answering point (PSAP) as a priority call in a nonblocking manner. Configure the telephone system to treat calls to the designated emergency services number as a priority call in a nonblocking manner.
Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control users. Verify a UPS system is provided for all parts of the VVoIP infrastructure, including the core Local Session Controller (LSC)/Multifunction Soft Switch (MFSS), adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that directly support one or more special-C2 users are provided at least eight hours of UPS. - All Special-C2 user VVoIP endpoints relying on Power over Ethernet (PoE) must have power sourcing equipment (PSE) sized to support the asset and endpoints by the UPS for a minimum of eight hours. - All Special-C2 user VVoIP endpoints without PoE must be provided a minimum of eight hours of UPS. - UPS systems (battery at a minimum, plus optional generator) supplying infrastructure power supporting Special-C2 and C2 users must also support environmental power (HVAC) to prevent equipment failures. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed directly support one or more Special-C2 users. If no Special-C2 users are supported, this requirement is not applicable. If Special-C2 users are supported, determine if assets are provided with eight hours of backup power. If eight hours of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Special-C2 users, this is a finding.
Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices, including voice endpoints and portions of the LAN that directly support one or more Special-C2 users, must be provided at least eight hours of UPS. Document the VVoIP system design with UPS implementation. NOTE: UPS systems supplying power to infrastructure supporting Special-C2 and C2 users must also support environmental power to prevent equipment failures. This support must be commensurate with the users supported (eight or two hours as appropriate).
Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control users. Verify a UPS system is provided for all parts of the VVoIP infrastructure, including the core Local Session Controller (LSC)/Multifunction Soft Switch (MFSS), adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that directly support one or more C2 users are provided a minimum of two hours of UPS. - All C2 user VVoIP endpoints relying on Power over Ethernet (PoE) must have power sourcing equipment (PSE) sized to support the asset and endpoints by the UPS for a minimum of two hours. - All C2 user VVoIP endpoints without PoE must be provided with a minimum of two hours of UPS. - UPS systems (battery at a minimum, plus optional generator) supplying power to infrastructure that supports Special-C2 and C2 users must also support environmental power (HVAC) to prevent equipment failures. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed directly support one or more C2 users. If no C2 users are supported, this requirement is not applicable. If C2 users are supported, determine if assets are provided with two hours of backup power. If two hours of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support C2 users, this is a finding.
Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices, including voice endpoints and portions of the LAN that directly support one or more C2 users, must be provided at least two hours of UPS. Document the VVoIP system design with UPS implementation. NOTE: UPS systems supplying power to infrastructure supporting Special-C2 and C2 users must also support environmental power to prevent equipment failures. This support must be commensurate with the users supported (eight or two hours as appropriate).
Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control users. Verify a UPS system is provided for all parts of the VVoIP infrastructure, including the core Local Session Controller (LSC)/Multifunction Soft Switch (MFSS), adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices, including portions of the LAN that supports non-C2 users, are provided 15 minutes of UPS in support of emergency life safety and security communications during a power failure. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed support non-C2 users. If non-C2 users are supported and 15 minutes of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints for emergency life safety and security calls, this is a finding. NOTE: The requirement for UPS support to non-C2 user communications is negated when these users have an alternate reliable means of communicating in such situations. A suitable alternative would be a policy and standard operating procedure in effect requiring users to evacuate the facility to a location where mobile communications capability is available and acceptable.
Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices, including portions of the LAN supporting non-C2 users, are provided at least 15 minutes of UPS in support of emergency life safety and security communications during a power failure. NOTE: The 15 minutes of UPS mandated by this requirement is a minimum. Backup times of 30 to 60 minutes are preferred. UPS systems supplying power to infrastructure supporting non-C2 users should also support environmental power to prevent equipment failures.
Verify the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, verify the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), verify the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), verify the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. Determine the following: - If the enclave contains LSCs, determine the IP address of SBCs fronting the primary and backup MFSSs to which the enclave is assigned or with which the LSC is to exchange signaling messages. - If the enclave contains a MFSS, determine the IP addresses of the SBCs fronting the LSCs with which it is to signal. Also determine the IP addresses of the SBCs fronting the other MFSSs. If the SBC does not filter inbound SIP and AS-SIP traffic based on the IP addresses of the SBCs fronting authorized ESCs, LSCs, and MFSSs, this is a finding. Alternatively, if the SBC does not filter SIP and AS-SIP traffic based on the IP addresses of the ESCs and LSCs within the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages) and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Verify the SBC establishes a new SIP or AS-SIP session for the "next hop" to the internal Local Session Controller (LSC) or the far end SBC that fronts the destination Multifunction Soft Switch (MFSS). Inspect the configuration of the EBC to determine compliance with the requirement. If SIP or AS-SIP messages are passed through the SBC without termination and decryption, this is a finding. If the SBC is not configured to, or is not capable of, terminating and decrypting the SIP or AS-SIP messages, this is a finding. If the SBC is not configured to, or is not capable of, understanding the contents of the decrypted SIP or AS-SIP messages, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the far end SBC that fronts the destination LSC or MFSS, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the LSC inside the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages). The SBC must be configured to decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Also ensure the SBC establishes a new SIP or AS-SIP session for the "next hop" to the internal LSC or the far end SBC that fronts the destination LSC or MFSS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup Local Session Controller (LSC) (or the site's Multifunction Soft Switch [MFSS] and its backup LSC within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not use DOD PKI to authenticate the source of SIP and AS-SIP packets, this is a finding. If the SBC is not configured to validate sending the appliance's public PKI certificate against the DOD PKI registry and CRLs, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site's MFSS and is backup LSC) within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to only process signaling packets whose integrity is validated. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not validate the integrity of the received signaling packets, this is a finding. If the SBC is not configured to drop packets whose integrity is not validated, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to only process signaling packets whose integrity is validated. The current UCR document specifies the hashing algorithm to be used during transmission. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents. If the SBC does not validate the correct format of the received AS-SIP message, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on its contents. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061. - SIP packets arriving on IP port 443 not secured with TLS. - AS-SIP packets arriving on IP port 5060. - AS-SIP packets arriving on IP port 5061 not secured with TLS. If all SIP and AS-SIP packets are not dropped, except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061. - SIP packets arriving on IP port 443 not secured with TLS. - AS-SIP packets arriving on IP port 5060. - AS-SIP packets arriving on IP port 5061 not secured with TLS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows: - Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the Local Session Controller (LSC) and Multifunction Soft Switch (MFSS). - Closes the specifically opened IP port pinholes when the session is to be torn down. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC is not configured to open the specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding. If the SBC is not configured to close specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows: - Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS. - Closes the specifically opened IP port pinholes when the session is to be torn down. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not validated as being part of an established session. This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets. If packets that are not part of an established session can pass through the SBC, this is a finding. If stateful packet inspection or SRTP/SRTCP packet authentication is not configured, this is a finding. If stateful packet inspection is not configured but the source of the SRTP/SRTCP packets is authenticated from an authorized source, such as an internal endpoint or a remote DISN SBC, this is not a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Configure the DISN NIPRNet SBC to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for known sessions, except those validated as being part of an established session. This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not an approved protocol. The allowed protocols are RTP/RTCP, SRTP/SRTCP, and other approved protocols/flows established by signaling messages. This requires filtering on protocol type. If the DISN NIPRNet boundary SBC does not deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except approved protocols, this is a finding. If packets that are not RTP/RTCP or SRTP/SRTCP (or other approved packet type as established in the signaling messages) protocol packets can pass through the boundary SBC, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Configure the DISN NIPRNet boundary SBC to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that is not an RTP/RTCP or SRTP/SRTCP packet or other approved protocol/flow established by the signaling messages. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Verify the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur: - Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC. - Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS. - Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or effect a man-in-the-middle attack. If the SBC does not notify system administrators and the ISSO when attempts to cause a DoS or other suspicious events are detected, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Ensure the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur: - Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC. - Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS. - Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or an attempt to effect a man-in-the-middle attack. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Inspect the configurations of the LSC(s) to determine compliance with the requirement. If the LSC(s) are not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached, this is a finding.
If the Enterprise Voice, Video, and Messaging system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of command control (C2) user (Special-C2, C2, C2(R)), ensure each enclave containing one or more LSCs is assigned to, associated with, or serviced by two DISN IPVS core backbone systems as follows: - For DISN NIPRNet IPVS, each enclave will be serviced by at least one primary and one secondary (backup) MFSS. - For DISN SIPRNet IPVS, each enclave will be serviced by at least one primary and one secondary SS at the SIPRNet tier 0 routers.
Inspect the configuration of the MFSS to determine compliance with the requirement. If the event the MFSS is not configured to synchronize its LSC and associated traffic information with a paired MFSS and vice versa, this is a finding. NOTE: There is a possibility that any given MFSS may pair with more than one other MFSS depending on the geographic orientation of the MFSSs and LSCs in the region.
Ensure each MFSS is configured to synchronize with a paired MFSS so that each may serve as a backup for the other when signaling with its assigned LSCs and regarding the overall operation of the DISN IPVS network and the negotiation of call establishment between enclaves.
Verify a policy and procedure is in place and enforced that addresses the operation of MAC Authentication Bypass exceptions to 802.1x requirements. If a MAC Authentication Bypass policy is not in place and enforced, this is a finding.
Ensure a policy and procedure is in place and enforced that addresses the operation of MAC Authentication Bypass exceptions to 802.1x requirements.