Verify the Unified Communications Endpoint is configured to apply 802.1Q VLAN tags to signaling and media traffic. If the Unified Communications Endpoint does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.
Configure the Unified Communications Endpoint to apply 802.1Q VLAN tags to signaling and media traffic.
If the Unified Communications Endpoint is not configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network, this is a finding.
Configure the Unified Communications Endpoint to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network.
If the Unified Communications Endpoint is not configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users take explicit actions to log on for further access, this is a finding.
Configure the Unified Communications Endpoint to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
Verify that the Unified Communications Endpoint notifies the user, upon successful logon (access) to the network element, of the date and time of the last logon (access). If the Unified Communications Endpoint does not notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access), this is a finding.
Configure the Unified Communications Endpoint to notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).
Verify that the Unified Communications Endpoint notifies the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). If the Unified Communications Endpoint does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.
Configure the Unified Communications Endpoint to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
Verify the Unified Communications Endpoint is configured to limit the number of concurrent sessions to an organizationally defined number. If the Unified Communications Endpoint is not configured to limit the number of concurrent sessions to the limit set by local policy, this is a finding.
Configure the Unified Communications Endpoint to limit the number of concurrent sessions to the limit set by local policy.
Verify the Unified Communications Endpoint produces session records containing what type of connection occurred. The record must include the session type (voice/direct, voice/conference, video/direct, video/conference, etc.), the specific protocols used for control and media traffic (SIP/SRTP, H.323, etc.), and the type of endpoint (mobile, telephone, codec, etc.). If the Unified Communications Endpoint does not produce session records containing what type of connection occurred, this is a finding.
Configure the Unified Communications Endpoint to produce session records containing what type of connection occurred.
Verify the Unified Communications Endpoint produces session records containing when the connection occurred. The record must include session start/join/leave/stop times. If the Unified Communications Endpoint does not produce session records containing the date and time when the connection occurred, this is a finding.
Configure the Unified Communications Endpoint to produce session records containing the date and time when the connection occurred.
Verify the Unified Communications Endpoint produces session records containing where the connection occurred. The record must include IP addresses and port numbers. If the Unified Communications Endpoint does not produce session records containing where the connection occurred, this is a finding.
Configure the Unified Communications Endpoint to produce session records containing where the connection occurred.
Verify the Unified Communications Endpoint produces session records containing the source of the connection. If the Unified Communications Endpoint does not produce session records containing the source of the connection, this is a finding.
Configure the Unified Communications Endpoint to produce session records containing the source of the connection.
Verify the Unified Communications Endpoint produces session records containing the outcome of the connection. Outcomes of the connection would include call completed, conference completed, destination busy, network busy, etc. If the Unified Communications Endpoint does not produce session records containing the outcome of the connection, this is a finding.
Configure the Unified Communications Endpoint to produce session records containing the outcome of the connection.
Verify the Unified Communications Endpoint provides session record generation capability. If the Unified Communications Endpoint does not provide session record generation capability, this is a finding.
Configure the Unified Communications Endpoint to provide session record generation capability.
Verify the Unified Communications Endpoint generates audit records when successful/unsuccessful logon attempts occur. If the Unified Communications Endpoint does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Configure the Unified Communications Endpoint to generate audit records when successful/unsuccessful logon attempts occur.
Verify the Unified Communications Endpoint generates audit records for privileged activities or other system-level access. If the Unified Communications Endpoint does not generate audit records for privileged activities or other system-level access, this is a finding.
Configure the Unified Communications Endpoint to generate audit records for privileged activities or other system-level access.
Verify the Unified Communications Endpoint generates audit records showing starting and ending time for user access to the system. If the Unified Communications Endpoint does not generate audit records showing starting and ending time for user access, this is a finding.
Configure the Unified Communications Endpoint to generate audit records showing starting and ending time for user access to the system.
Verify the Unified Communications Endpoint, when using passwords or PINs for authentication, stores cryptographic representations of passwords. If the Unified Communications Endpoint, when using passwords or PINs for authentication, does not store cryptographic representations of passwords, this is a finding.
Configure the Unified Communications Endpoint, when using passwords or PINs for authentication, to store cryptographic representations of passwords.
Verify the Unified Communications Endpoint, when using passwords or PINs for authentication or authorization, cryptographically protects the transmission. If the Unified Communications Endpoint, when using passwords or PINs for authentication or authorization, does not cryptographically protect the transmission, this is a finding.
Configure the Unified Communications Endpoint, when using passwords or PINs for authentication or authorization, to cryptographically protect the transmission.
Verify the Unified Communications Endpoint is configured to prevent the configuration or display of configuration settings without the use of a PIN or password. If the Unified Communications Endpoint does not prevent the configuration or display of configuration settings without the use of a PIN or password, this is a finding.
Configure the Unified Communications Endpoint to prevent the configuration or display of configuration settings without the use of a PIN or password.
Verify the Unified Communications Endpoint registers with a Unified Communications Session Manager. If the Unified Communications Endpoint does not register with a Unified Communications Session Manager, this is a finding.
Configure the Unified Communications Endpoint to register with a Unified Communications Session Manager.
Verify the Unified Communications Endpoint does not use the default PIN or password to access configuration settings. If the Unified Communications Endpoint uses the default PIN or password to access configuration settings, this is a finding.
Configure the Unified Communications Endpoint to not use the default PIN or password to access configuration settings.
Verify that the Unified Communications Endpoint is configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the Unified Communications Endpoint is not configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.
Configure the Unified Communications Endpoint in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Verify the Unified Communications Endpoint is configured to disable any auto answer features. If the Unified Communications Endpoint is not configured to disable auto answer features, this is a finding.
Configure the Unified Communications Endpoint to disable auto answer features.
Verify the Unified Communications Endpoint dynamically implements configuration file changes. If the Unified Communications Endpoint does not dynamically implement configuration file changes, this is a finding.
Configure the Unified Communications Endpoint to dynamically implement configuration file changes.
Verify the firmware release installed on the Unified Communications Endpoint is currently supported by the vendor. If the firmware release installed on the Unified Communications Endpoint is not currently supported by the vendor, this is a finding.
Install a currently supported firmware release supplied by the vendor onto the Unified Communications Endpoint.
Verify the Unified Communications Endpoint is configured to disable or remove nonessential capabilities. Nonessential capabilities would include peer services and other functions not directly pertaining to Unified Communications Endpoint functionality. If the Unified Communications Endpoint cannot be configured to disable or remove nonessential capabilities, this is a finding.
Configure the Unified Communications Endpoint to disable or remove nonessential capabilities.
Verify the Unified Communications Endpoint only uses ports, protocols, and services allowed per the PPSM CAL and VAs. If the Unified Communications Endpoint uses ports, protocols, and services not allowed per the PPSM CAL and VAs, this is a finding.
Configure the Unified Communications Endpoint to only use ports, protocols, and services allowed per the PPSM CAL and VAs.
Verify the Unified Communications Endpoint uniquely identifies participating users. Identification must be visible and displayed locally. If the Unified Communications Endpoint does not uniquely identify participating users, this is a finding.
Configure the Unified Communications Endpoint to uniquely identify participating users.
Verify the Unified Communications Endpoint uses multifactor authentication for network access to nonprivileged accounts. If the Unified Communications Endpoint does not use multifactor authentication for network access to nonprivileged accounts, this is a finding.
Configure the Unified Communications Endpoint to use multifactor authentication for network access to nonprivileged accounts.
Verify the Unified Communications Endpoint terminates all network connections associated with a communications session at the end of the session. If the Unified Communications Endpoint does not terminate all network connections associated with a communications session at the end of the session, this is a finding.
Configure the Unified Communications Endpoint to terminate all network connections associated with a communications session at the end of the session.
Verify the Unified Communications Endpoint is configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. If the Unified Communications Endpoint is not configured with SHA-2 or greater, this is a finding.
Configure the Unified Communications Endpoint to use SHA-2 or greater to protect the authenticity of communications sessions.
Ensure far end camera control is disabled unless required to satisfy validated, approved, and documented mission requirements. Note: The documented and validated mission requirements, along with their approval(s), are maintained by the ISSO for inspection by auditors. Such approval is obtained from the AO or ISSM responsible for the VTU(s) or system. Note: During APL testing, this is a finding if the VTU does not support this requirement; that is, far end camera control must be able to be disabled or the feature must not be supported. Determine whether remote monitoring is required and approved to meet mission requirements. Have the ISSO or SA demonstrate compliance with the requirement.
Perform one of the following: Configure the CODEC to disable far end camera control, OR document and validate the mission requirements that require far end camera control to be enabled and obtain AO approval. Maintain the requirement and approval documentation for review by auditors.
Verify the Unified Communications Endpoint is configured to integrate into the implemented 802.1x network access control system. If the Unified Communications Endpoint does not integrate into the implemented 802.1x network access control system, this is a finding.
Configure the Unified Communications Endpoint to integrate into the implemented 802.1x network access control system.
Verify the Unified Communications Endpoint is configured to use a voice video VLAN separate from all other VLANs. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN. If the Unified Communications Endpoint does not use a voice video VLAN separate from all other VLANs, this is a finding.
Configure the Unified Communications Endpoint to use a voice video VLAN separate from all other VLANs.
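The 802.1Q tagging requirement above and the separate voice video VLAN requirement can both be checked from a capture of the endpoint's own traffic. The following is an added example, not part of the STIG or any vendor tool: it decodes the 802.1Q tag (TPID 0x8100, then the 16-bit TCI holding the 3-bit priority and 12-bit VLAN ID) from raw Ethernet frames and flags any frame from the endpoint that is untagged or tagged with something other than the expected voice VLAN. The MAC addresses, VLAN number 100 and the frames themselves are constructed inline for illustration.

```python
"""Decode 802.1Q tags from raw Ethernet frames and audit them against a voice-VLAN policy.

Added example. The sample frames, MAC addresses and voice VLAN below are constructed,
not captured from a real Unified Communications Endpoint.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID of a single 802.1Q tag
ETHERTYPE_8021AD = 0x88A8  # TPID of the outer tag of a Q-in-Q frame (only the outer tag is decoded here)


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: Optional[int]  # 3-bit PCP from the TCI, None when untagged
    ethertype: int           # ethertype of the encapsulated payload


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and, if present, one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id = priority = None
    if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13       # PCP: top 3 bits of the TCI
        vlan_id = tci & 0x0FFF     # VID: low 12 bits of the TCI
    return Frame(_mac(dst), _mac(src), vlan_id, priority, ethertype)


def audit_voice_vlan(frames: List[bytes], voice_vlan: int) -> List[Tuple[str, str]]:
    """Return (source MAC, reason) for every frame that violates the voice-VLAN policy."""
    findings = []
    for raw in frames:
        f = parse_frame(raw)
        if f.vlan_id is None:
            findings.append((f.src, "untagged frame; 802.1Q tag not applied"))
        elif f.vlan_id != voice_vlan:
            findings.append((f.src, f"tagged VLAN {f.vlan_id}, expected voice VLAN {voice_vlan}"))
    return findings


def build_frame(dst: str, src: str, vlan_id: Optional[int], priority: int,
                ethertype: int, payload: bytes) -> bytes:
    """Helper used only to construct sample frames for this example."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample data (hypothetical addresses and VLAN numbers).
VOICE_VLAN = 100
PHONE = "00:11:22:33:44:55"
GATEWAY = "66:77:88:99:aa:bb"
DUMMY_IPV4 = b"\x45" + b"\x00" * 19  # placeholder IPv4 header so the frames have a payload

SAMPLE_FRAMES = [
    build_frame(GATEWAY, PHONE, 100, 5, 0x0800, DUMMY_IPV4),   # compliant: voice VLAN, PCP 5
    build_frame(GATEWAY, PHONE, None, 0, 0x0800, DUMMY_IPV4),  # finding: untagged
    build_frame(GATEWAY, "aa:bb:cc:dd:ee:ff", 10, 0, 0x0800, DUMMY_IPV4),  # finding: data VLAN
]

if __name__ == "__main__":
    for src, reason in audit_voice_vlan(SAMPLE_FRAMES, VOICE_VLAN):
        print(f"FINDING {src}: {reason}")
```

In practice the frames would come from a SPAN or mirror port on the access switch feeding the endpoint, read with a pcap library; the decode and policy logic are unchanged.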
Verify the Unified Communications Endpoint not supporting 802.1x is configured to use MAB on the access switchport. If the Unified Communications Endpoint not supporting 802.1x is not configured to use MAB on the access switchport, this is a finding.
Configure the Unified Communications Endpoint not supporting 802.1x to use MAB on the access switchport.
Verify the Unified Communications Endpoint PC port is configured to connect to an 802.1x supplicant or is disabled. If the Unified Communications Endpoint PC port is disabled, this is not a finding. If the Unified Communications Endpoint PC port is not disabled and is not an 802.1x authenticator, this is a finding.
Configure the Unified Communications Endpoint PC port to connect to an 802.1x supplicant in the implemented 802.1x network access control system or be disabled.
Verify the Unified Communications Endpoint PC port is configured to maintain VLAN separation from the voice video VLAN or is disabled. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN. If the Unified Communications Endpoint PC port is disabled, this is not a finding. If the Unified Communications Endpoint PC port does not maintain VLAN separation from the voice video VLAN, this is a finding.
Configure the Unified Communications Endpoint PC port to maintain VLAN separation from the voice video VLAN or be disabled.
Verify the Unified Communications Endpoint prohibits client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, and SSL 3.0. If the Unified Communications Endpoint does not prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, and SSL 3.0, this is a finding.
Configure the Unified Communications Endpoint to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
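One way to verify the protocol-version requirement above is to attempt handshakes pinned to each prohibited version and treat any success as a finding. The following is an added example, not STIG or vendor code: it uses Python's ssl module with minimum_version and maximum_version set to the same value so that only that version is offered. The host and port are placeholders taken from the command line, and the NONCOMPLIANT and COMPLIANT dictionaries are constructed result sets, not real scan output. Current OpenSSL builds cannot offer SSL 2.0 or SSL 3.0 at all, so those two have to be confirmed from the vendor configuration rather than by handshake.

```python
"""Probe a TLS listener for prohibited protocol versions and report a STIG-style verdict.

Added example. ENDPOINT host/port are placeholders; the result dictionaries at the bottom
are constructed for illustration, not captured from a real endpoint.
"""
import socket
import ssl
from typing import Dict, Tuple

# Versions the requirement prohibits and that a current OpenSSL can still offer.
# SSL 2.0 / SSL 3.0 are also prohibited but cannot be probed with modern libraries.
LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake when only `version` is offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only version negotiability is being tested here
    try:
        # Allow legacy cipher suites so a cipher-policy rejection is not mistaken for a version rejection.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without SECLEVEL support; keep its default cipher list
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # local library refuses to offer this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def scan_legacy(host: str, port: int) -> Dict[str, bool]:
    """Probe every prohibited version and return {version_name: negotiated}."""
    return {name: probe_version(host, port, ver) for name, ver in LEGACY_VERSIONS.items()}


def assess(results: Dict[str, bool]) -> Tuple[str, str]:
    """Map {version_name: negotiated} to ("FINDING" | "NOT A FINDING", detail)."""
    negotiated = sorted(name for name, ok in results.items() if ok)
    if negotiated:
        return ("FINDING", "endpoint negotiates prohibited protocol(s): " + ", ".join(negotiated))
    return ("NOT A FINDING", "no prohibited protocol versions negotiated")


# Constructed result sets used when no host is given (not real scan output).
NONCOMPLIANT = {"TLSv1.0": False, "TLSv1.1": True, "SSLv3": False, "SSLv2": False}
COMPLIANT = {"TLSv1.0": False, "TLSv1.1": False, "SSLv3": False, "SSLv2": False}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Placeholder usage: python tls_probe.py <endpoint-host> <port>
        verdict, detail = assess(scan_legacy(sys.argv[1], int(sys.argv[2])))
    else:
        verdict, detail = assess(NONCOMPLIANT)
    print(f"{verdict}: {detail}")
```

A server that rejects the pinned version raises an SSLError during the handshake, which the probe records as "not negotiated"; a server that accepts it is reported as a finding. The SIP-over-TLS port (commonly 5061) and any web management port on the endpoint should each be probed, since they are often configured independently.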
Verify the Unified Communications Endpoint produces session records containing the identity of all users on the call. If the Unified Communications Endpoint does not produce session records containing the identity of all users on the call, this is a finding.
Configure the Unified Communications Endpoint to produce session records containing the identity of all users on the call.
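The session record requirements (type of connection, when, where, source, outcome, and the identity of all users on the call) can be checked mechanically against an export of the endpoint's records. The following is an added example, not STIG or vendor code: it reads constructed JSON-lines session records, maps each record field to the requirement it satisfies, and lists which requirements a record fails. The field names, session IDs, addresses and user names are assumptions made for this example; a real endpoint's export format would be mapped onto the same checks.

```python
"""Validate exported session records against the record-content requirements.

Added example. Field names and the sample records below are constructed for
illustration; they are not the export format of any real endpoint.
"""
import json
from datetime import datetime
from typing import Dict, List

# (requirement wording, fields a record must carry to satisfy it) - field names are assumed.
REQUIRED = [
    ("type of connection", ("session_type", "control_protocol", "media_protocol", "endpoint_type")),
    ("when the connection occurred", ("start", "stop")),
    ("where the connection occurred", ("local_ip", "local_port", "remote_ip", "remote_port")),
    ("source of the connection", ("source",)),
    ("outcome of the connection", ("outcome",)),
    ("identity of all users on the call", ("participants",)),
]


def validate_record(rec: dict) -> List[str]:
    """Return the list of requirement gaps for one record (empty list means compliant)."""
    gaps = []
    for label, fields in REQUIRED:
        missing = [f for f in fields if rec.get(f) in (None, "", [])]
        if missing:
            gaps.append(f"{label}: missing {', '.join(missing)}")
    # Timestamps must be parseable and ordered; a stop before start indicates an unreliable clock or logger.
    if rec.get("start") and rec.get("stop"):
        try:
            start = datetime.fromisoformat(rec["start"])
            stop = datetime.fromisoformat(rec["stop"])
            if stop < start:
                gaps.append("when the connection occurred: stop precedes start")
        except (TypeError, ValueError):
            gaps.append("when the connection occurred: timestamps are not ISO 8601")
    # Participant identities must be a list of non-empty strings.
    parts = rec.get("participants")
    if isinstance(parts, list) and parts and not all(isinstance(p, str) and p for p in parts):
        gaps.append("identity of all users on the call: participant entry is not an identity")
    return gaps


def audit(log_text: str) -> Dict[str, List[str]]:
    """Validate every JSON line; return {session_id: gaps} for records with at least one gap."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        gaps = validate_record(rec)
        if gaps:
            report[rec.get("session_id", f"line-{n}")] = gaps
    return report


# Constructed sample export (three records): one complete, one missing outcome and remote
# port, one with an empty participant list and a stop time earlier than its start time.
SAMPLE_LOG = """\
{"session_id": "c-1001", "session_type": "voice/direct", "control_protocol": "SIP", "media_protocol": "SRTP", "endpoint_type": "telephone", "start": "2024-05-01T14:02:10+00:00", "stop": "2024-05-01T14:09:45+00:00", "local_ip": "10.20.30.40", "local_port": 5061, "remote_ip": "10.20.30.5", "remote_port": 5061, "source": "10.20.30.40 (ext 4410)", "outcome": "call completed", "participants": ["jdoe", "asmith"]}
{"session_id": "c-1002", "session_type": "video/conference", "control_protocol": "SIP", "media_protocol": "SRTP", "endpoint_type": "codec", "start": "2024-05-01T15:00:00+00:00", "stop": "2024-05-01T15:45:12+00:00", "local_ip": "10.20.31.7", "local_port": 5061, "remote_ip": "10.20.30.5", "source": "10.20.31.7 (room 2B)", "participants": ["jdoe", "bkim", "clee"]}
{"session_id": "c-1003", "session_type": "voice/direct", "control_protocol": "SIP", "media_protocol": "SRTP", "endpoint_type": "mobile", "start": "2024-05-01T16:10:00+00:00", "stop": "2024-05-01T16:05:00+00:00", "local_ip": "10.20.32.9", "local_port": 5061, "remote_ip": "10.20.30.5", "remote_port": 5061, "source": "10.20.32.9 (ext 4421)", "outcome": "destination busy", "participants": []}
"""

if __name__ == "__main__":
    for session_id, gaps in audit(SAMPLE_LOG).items():
        for gap in gaps:
            print(f"FINDING {session_id}: {gap}")
```

Any record with a gap is evidence that the endpoint does not produce complete session records; the session_type and outcome vocabularies are left open because the requirement lists them with "etc." rather than as a closed set.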
Verify that in the event of device failure, the Unified Communications Endpoint preserves any information necessary to determine cause of failure and return to operations with least disruption to service. If the Unified Communications Endpoint does not preserve any information necessary to determine cause of failure, this is a finding. If the Unified Communications Endpoint does not return to operations with least disruption to service after device failure, this is a finding.
Configure the Unified Communications Endpoint, in the event of device failure, to preserve any information necessary to determine cause of failure. Also configure the Unified Communications Endpoint to return to operations with least disruption to service.
Verify the Unified Communications Endpoint offloads audit records onto a different system or media. If the Unified Communications Endpoint does not offload audit records to a different system or media, this is a finding.
Configure the Unified Communications Endpoint to offload audit records to a different system or media.
Verify the Unified Communications Endpoint offloads audit records in real time or weekly. If the Unified Communications Endpoint does not offload audit records in real time or weekly, this is a finding.
Configure the Unified Communications Endpoint to offload audit records in real time or weekly.
Verify the Unified Communications Endpoint implements replay-resistant authentication mechanisms for network access. If the Unified Communications Endpoint does not implement replay-resistant authentication mechanisms for network access, this is a finding.
Configure the Unified Communications Endpoint to implement replay-resistant authentication mechanisms for network access.
Verify the Unified Communications Endpoint provides a logout capability for user-initiated communications sessions. If the Unified Communications Endpoint does not provide a logout capability for user-initiated communications sessions, this is a finding.
Configure the Unified Communications Endpoint to provide a logout capability for user-initiated communications sessions.
Verify the Unified Communications Endpoint displays an explicit logout message to users indicating the termination of communications sessions. If the Unified Communications Endpoint does not display an explicit logout message to users, this is a finding.
Configure the Unified Communications Endpoint to display an explicit logout message to users indicating the termination of communications sessions.
Verify the Unified Communications Endpoint uses encryption for network traffic. If the Unified Communications Endpoint does not use encryption for network traffic, this is a finding.
Configure the Unified Communications Endpoint to use encryption for network traffic.
Verify the Unified Communications Endpoint processing classified information over public networks implements NSA-approved cryptography. If the Unified Communications Endpoint processing classified information over public networks does not implement NSA-approved cryptography, this is a finding.
Configure the Unified Communications Endpoint processing classified information over public networks to implement NSA-approved cryptography.
Verify the Unified Communications Endpoint provides an explicit indication of current participants in all VC-based and IP-based online meetings and conferences. This excludes audio-only teleconferences using traditional telephony. If the Unified Communications Endpoint does not provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences, this is a finding.
Configure the Unified Communications Endpoint to provide an explicit indication of current participants in all VC-based and IP-based online meetings and conferences.