Verify the Unified Communications Session Manager automatically disables Voice Video Endpoint user access after a 35-day period of account inactivity. This requirement refers to users rather than endpoints. If the Unified Communications Session Manager does not automatically disable Voice Video Endpoint user access after a 35-day period of account inactivity, this is a finding.
Configure the Unified Communications Session Manager to automatically disable Voice Video Endpoint user access after a 35-day period of account inactivity.
Verify the Unified Communications Session Manager displays the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions. If the Unified Communications Session Manager does not display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions, this is a finding.
Configure the Unified Communications Session Manager to display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions.
Verify the Unified Communications Session Manager retains the Standard Mandatory DOD Notice and Consent Banner for management sessions until the admins acknowledge the conditions. If the Unified Communications Session Manager does not retain the Standard Mandatory DOD Notice and Consent Banner until the admins acknowledge the conditions, this is a finding.
Configure the Unified Communications Session Manager to retain the Standard Mandatory DOD Notice and Consent Banner for management sessions until the admins acknowledge the conditions.
Verify the Unified Communications Session Manager limits the number of concurrent management sessions. If the Unified Communications Session Manager does not limit the number of concurrent management sessions, this is a finding.
Configure the Unified Communications Session Manager to limit the number of concurrent management sessions.
Verify the Unified Communications Session Manager uses TLS 1.2 or greater to protect the confidentiality of remote access. If the Unified Communications Session Manager does not use TLS 1.2 or greater, this is a finding.
Configure the Unified Communications Session Manager to use TLS 1.2 or greater to protect the confidentiality of remote access.
Verify the Unified Communications Session Manager produces session records containing the type of session connection. If the Unified Communications Session Manager does not produce session records containing the type of session connection, this is a finding.
Configure the Unified Communications Session Manager to produce session records containing the type of session connection.
Verify the Unified Communications Session Manager produces session records containing when (date and time) the connection was established and terminated. If the Unified Communications Session Manager does not produce session records containing timestamps (date and time) for all session connections, this is a finding.
Configure the Unified Communications Session Manager to produce session records containing when (date and time) the connection was established and terminated.
Verify the Unified Communications Session Manager produces session records containing where (location) the connection originated. If the Unified Communications Session Manager does not produce session records containing where (location) the connection originated, this is a finding.
Configure the Unified Communications Session Manager to produce session records containing where (location) the connection originated.
Verify the Unified Communications Session Manager produces session records containing the identity of the initiator of the call. The identity of the initiator of the call in this context would be the device ID or the MAC or IP address. For Unified Communications Session Managers that have the concept of a user rather than a device, this requirement is not applicable. If the Unified Communications Session Manager does not produce session records containing the identity of the initiator of the call, this is a finding.
Configure the Unified Communications Session Manager to produce session records containing the identity of the initiator of the call.
Verify the Unified Communications Session Manager produces session records containing the outcome (status) of the connection. The outcome or status of a call includes call completed normally, busy endpoint, busy network, preempted, or other pertinent description. If the Unified Communications Session Manager does not produce session records containing the outcome (status) of the connection, this is a finding.
Configure the Unified Communications Session Manager to produce session records containing the outcome (status) of the connection.
Verify the Unified Communications Session Manager alerts the ISSO and SA (at a minimum) in the event of a session record system failure. If the Unified Communications Session Manager does not alert the ISSO and SA (at a minimum) in the event of a session record system failure, this is a finding.
Configure the Unified Communications Session Manager to alert the ISSO and SA (at a minimum) in the event of a session record system failure.
Verify the Unified Communications Session Manager protects session records from unauthorized read access. If the Unified Communications Session Manager does not protect session records from unauthorized read access, this is a finding.
Configure the Unified Communications Session Manager to protect session records from unauthorized read access.
Verify the Unified Communications Session Manager protects session records from unauthorized modification. If the Unified Communications Session Manager does not protect session records from unauthorized modification, this is a finding.
Configure the Unified Communications Session Manager to protect session records from unauthorized modification.
Verify the Unified Communications Session Manager protects session records from unauthorized deletion. If the Unified Communications Session Manager does not protect session records from unauthorized deletion, this is a finding.
Configure the Unified Communications Session Manager to protect session records from unauthorized deletion.
Verify the Unified Communications Session Manager produces session records for events determined to be significant and relevant by local policy. If the Unified Communications Session Manager does not produce session records for events determined to be significant and relevant by local policy, this is a finding.
Configure the Unified Communications Session Manager to produce session records for events determined to be significant and relevant by local policy.
Verify the Unified Communications Session Manager is configured to generate session (call) records when concurrent logons from multiple endpoints occur. If the Unified Communications Session Manager is not configured to generate session (call) records when concurrent logons from multiple endpoints occur, this is a finding.
Configure the Unified Communications Session Manager to generate session (call) records when concurrent logons from multiple endpoints occur.
Verify the Unified Communications Session Manager, when using locally stored user accounts, is configured to generate audit records for all account creation, modification, disabling, and termination events. If the Unified Communications Session Manager is not configured to generate audit records for all account creation, modification, disabling, and termination events, this is a finding.
When using locally stored user accounts, configure the Unified Communications Session Manager to generate audit records for all account creation, modification, disabling, and termination events.
Verify the Unified Communications Session Manager, when using PKI, is configured to validate certificates using RFC 5280 path validation. If the Unified Communications Session Manager is not configured to validate certificates using RFC 5280 path validation, this is a finding.
Configure the Unified Communications Session Manager, when using PKI, to validate certificates using RFC 5280 path validation.
Verify the Unified Communications Session Manager, when using locally stored user accounts, is configured to only store cryptographic representations of passwords. If the Unified Communications Session Manager is not configured to only store cryptographic representations of passwords, this is a finding.
Configure the Unified Communications Session Manager, when using locally stored user accounts, to only store cryptographic representations of passwords.
Verify the Unified Communications Session Manager, for accounts using password authentication, is configured to use SHA-2 or greater to protect the integrity of the password authentication process. If the Unified Communications Session Manager is not configured to use SHA-2 or greater to protect the password authentication process, this is a finding.
For accounts using password authentication, configure the Unified Communications Session Manager to use SHA-2 or greater to protect the integrity of the password authentication process.
Verify the Unified Communications Session Manager prevents auto-registration of Voice Video Endpoints. If the Unified Communications Session Manager does not disable auto-registration of Voice Video Endpoints outside of these conditions, this is a finding.
Configure the Unified Communications Session Manager to disable auto-registration of Voice Video Endpoints.
Verify the Unified Communications Session Manager is configured to use the organization authoritative time source (NTP). If the Unified Communications Session Manager is not configured to use the organization authoritative time source, this is a finding.
Configure the Unified Communications Session Manager to use the organization authoritative time source.
Verify the Unified Communications Session Manager is configured to disable non-essential capabilities. If the Unified Communications Session Manager is not configured to disable non-essential capabilities, this is a finding.
Configure the Unified Communications Session Manager to disable non-essential capabilities.
Verify the Unified Communications Session Manager only uses ports, protocols, and services allowed per the PPSM CAL and VAs. If the Unified Communications Session Manager uses ports, protocols, and services other than those permitted by the PPSM CAL and VAs, this is a finding.
Configure the Unified Communications Session Manager to use only ports, protocols, and services allowed per the PPSM CAL and VAs.
Verify the Unified Communications Session Manager uniquely identifies all users. If the Unified Communications Session Manager does not uniquely identify all users, this is a finding.
Configure the Unified Communications Session Manager to uniquely identify all users.
Verify the Unified Communications Session Manager is configured to use an organizational-level user account management system. If the Unified Communications Session Manager is not configured to use an organizational-level user account management system, this is a finding.
Configure the Unified Communications Session Manager to use an organizational-level user account management system.
Verify the Unified Communications Session Manager uniquely identifies all Voice Video Endpoint devices before registration. If the Unified Communications Session Manager does not uniquely identify all Voice Video Endpoint devices before registration, this is a finding.
Configure the Unified Communications Session Manager to uniquely identify all Voice Video Endpoint devices before registering those devices.
Verify the Unified Communications Session Manager terminates all network connections associated with a communications session at the end of the session. If the Unified Communications Session Manager does not terminate all network connections associated with a communications session at the end of the session, this is a finding.
Configure the Unified Communications Session Manager to terminate all network connections associated with a communications session at the end of the session.
Verify the Unified Communications Session Manager supporting C2 communications associates MLPP attributes when exchanged between UC systems. If the Unified Communications Session Manager supporting C2 communications does not associate MLPP attributes when exchanged between UC systems, this is a finding.
Configure the Unified Communications Session Manager supporting C2 communications to associate MLPP attributes when exchanged between UC systems.
Verify the Unified Communications Session Manager supporting C2 communications validates the integrity of transmitted MLPP attributes. If the Unified Communications Session Manager supporting C2 communications does not validate the integrity of transmitted MLPP attributes, this is a finding.
Configure the Unified Communications Session Manager supporting C2 communications to validate the integrity of transmitted MLPP attributes.
Verify the Unified Communications Session Manager is configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. If the Unified Communications Session Manager is not configured to use FIPS-validated SHA-2 or higher, this is a finding.
Configure the Unified Communications Session Manager to use FIPS-validated SHA-2 or higher to protect communications sessions.
Verify the Unified Communications Session Manager fails to a secure state when system initialization fails, shutdown fails, or aborts fail. If the Unified Communications Session Manager does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.
Configure the Unified Communications Session Manager to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Verify the Unified Communications Session Manager generates session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information. If the Unified Communications Session Manager does not generate session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information, this is a finding.
Configure the Unified Communications Session Manager to generate session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.
Verify the configuration for the extension mobility feature is only available when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per-user basis.
- Feature activation requires user authentication, minimally using a unique user PIN (preferably including a unique user ID).
- The feature is not activated using a common activation code or a feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set a duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.
If the extension mobility feature is enabled and does not meet the above specific security features, this is a finding.
Configure the extension mobility feature only when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per-user basis.
- Feature activation requires user authentication, minimally using a unique user PIN (preferably including a unique user ID).
- The feature is not activated using a common activation code or a feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set a duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.
Verify the configuration for the extension mobility feature is globally disabled. If the extension mobility feature is not globally disabled, this is a finding.
Configure the extension mobility feature to be globally disabled on the VVoIP system.
Examine the configurations of the DNS server(s) serving the VVoIP system and those outside the system. Attempt to resolve a system-specific URL that should not be published outside the system and see whether an IP address is returned. If restricted URLs are resolvable from outside the restriction zone, this is a finding.
Consider not using DNS for the VVoIP system unless it is required. In the event DNS is used in the VVoIP system, ensure the DNS server serving the VVoIP system is dedicated to the VVoIP system and that any interaction between that DNS server and other DNS servers is limited. Additionally, ensure internal system URLs and information are not published to the enterprise WAN or the internet. NOTE: In the event a DNS server is implemented within the VVoIP system, the DNS STIG must be applied to the server.
Verify the Unified Communications Session Manager is configured to only use TLS 1.2 or greater for all TLS and SSL communications. If the Unified Communications Session Manager is not configured to only use TLS 1.2 or greater for all TLS and SSL communications, this is a finding.
Configure the Unified Communications Session Manager to only use TLS 1.2 or greater for all TLS and SSL communications.
Verify the Unified Communications Session Manager produces session records containing the identity of the users and identifiers associated with the session. The identity of the users and identifiers of the call in this context would be the user ID or user name. For Unified Communications Session Managers that have the concept of a device rather than users and identifiers, this requirement is not applicable. If the Unified Communications Session Manager does not produce session records containing the identity of the users and identifiers associated with the session, this is a finding.
Configure the Unified Communications Session Manager to produce session records containing the identity of the users and identifiers associated with the session.
Verify that, in the event of a system failure, the Unified Communications Session Manager preserves any information necessary to determine the cause of the failure and any information necessary to return to operations with the least disruption to mission processes. If the Unified Communications Session Manager does not preserve all information necessary to determine the cause of the failure, this is a finding. If the Unified Communications Session Manager does not preserve all information necessary to return to operations with the least disruption to mission processes, this is a finding.
Configure the Unified Communications Session Manager, in the event of a system failure, to preserve any information necessary to determine the cause of the failure and any information necessary to return to operations with the least disruption to mission processes.
Verify the Unified Communications Session Manager provides centralized management of session records. Centralized management of session records may be a function of the Unified Communications Session Manager or offloaded to an ancillary device. When records are offloaded, the Unified Communications Session Manager must provide configuration settings to connect to the ancillary device. If the Unified Communications Session Manager does not provide centralized management of session records, this is a finding.
Configure the Unified Communications Session Manager to provide centralized management of session records.
Verify the Unified Communications Session Manager offloads session records to a central log server. If the Unified Communications Session Manager does not offload session records to a central log server, this is a finding.
Configure the Unified Communications Session Manager to offload session records to a central log server.
Verify the Unified Communications Session Manager implements attack-resistant mechanisms for Voice Video Endpoint registration. If the Unified Communications Session Manager does not implement attack-resistant mechanisms for Voice Video Endpoint registration, this is a finding.
Configure the Unified Communications Session Manager to implement attack-resistant mechanisms for Voice Video Endpoint registration.
Verify the Unified Communications Session Manager authenticates all Voice Video Endpoint devices before establishing any connection. If the Unified Communications Session Manager does not authenticate all Voice Video Endpoint devices before establishing any connection, this is a finding.
Configure the Unified Communications Session Manager to authenticate all Voice Video Endpoint devices before registering those devices.
Verify the Unified Communications Session Manager authenticates all Voice Video peers (trunks) before establishing any connection. If the Unified Communications Session Manager does not authenticate all Voice Video peers (trunks) before establishing any connection, this is a finding.
Configure the Unified Communications Session Manager to authenticate all Voice Video peers (trunks) before registration.
Verify the Unified Communications Session Manager requires Voice Video Endpoints to re-register at least every three hours. If the Unified Communications Session Manager does not require Voice Video Endpoints to re-register or does not enforce re-registration at least every three hours, this is a finding.
Configure the Unified Communications Session Manager to re-register Voice Video Endpoints at least every three hours.
Verify the Unified Communications Session Manager requires Voice Video peers to re-register (reauthenticate) at least every hour. If the Unified Communications Session Manager does not require Voice Video peers to re-register (reauthenticate) at least every hour, this is a finding.
Configure the Unified Communications Session Manager to re-register (reauthenticate) Voice Video peers at least every hour.
Verify the Unified Communications Session Manager provides the capability to restrict Unified Communications Session Manager access outside of operational hours to allow only essential connection capability. Areas requiring extended service times may be identified as exceptions. If the Unified Communications Session Manager does not restrict Unified Communications Session Manager access outside of operational hours, allowing for identified exceptions, this is a finding.
Configure the Unified Communications Session Manager to restrict Unified Communications Session Manager access outside of operational hours to only essential connections.
Verify the Unified Communications Session Manager enforces changes to privileges of Voice Video Endpoint user access. Privileges include access to outside connections, precedence, and preemption capabilities. If the Unified Communications Session Manager does not enforce changes to privileges of Voice Video Endpoint user access, this is a finding.
Configure the Unified Communications Session Manager to enforce changes to privileges of Voice Video Endpoint user access.
Verify the Unified Communications Session Manager enforces changes to privileges of Voice Video Endpoint device access. Privileges include access to outside connections, precedence, and preemption capabilities. If the Unified Communications Session Manager does not enforce changes to privileges of Voice Video Endpoint device access, this is a finding.
Configure the Unified Communications Session Manager to enforce changes to privileges of Voice Video Endpoint device access.
Verify the Unified Communications Session Manager, when using locally stored user accounts, automatically locks the account until released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. If the Unified Communications Session Manager, when using locally stored user accounts, does not automatically lock the account until released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded, this is a finding.
Configure the Unified Communications Session Manager, when using locally stored user accounts, to automatically lock the account until released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
Verify the Unified Communications Session Manager applies 802.1Q VLAN tags to signaling and media traffic. If the Unified Communications Session Manager does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.
Configure the Unified Communications Session Manager to apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.
Verify the Unified Communications Session Manager uses a voice or video VLAN separate from all other VLANs. If the Unified Communications Session Manager uses a voice or video VLAN that is not separate from all other VLANs, this is a finding.
Configure the Unified Communications Session Manager to use a voice or video VLAN, separate from all other VLANs.
Verify the Unified Communications Session Manager requiring user access authentication provides a logout capability for user-initiated communications sessions. If the Unified Communications Session Manager requiring user access authentication does not provide a logout capability for user-initiated communications sessions, this is a finding.
Configure the Unified Communications Session Manager requiring user access authentication to provide a logout capability for user-initiated communications sessions.
Verify the Unified Communications Session Manager is configured to protect against or limit all types of DoS attacks. If the Unified Communications Session Manager is not configured to protect against or limit all types of denial-of-service (DoS) attacks, this is a finding.
Configure the Unified Communications Session Manager to protect against or limit all types of DoS attacks.
Verify the Unified Communications Session Manager limits and reserves bandwidth based on priority of the traffic type. If the Unified Communications Session Manager does not limit and reserve bandwidth based on priority of the traffic type, this is a finding.
Configure the Unified Communications Session Manager to limit and reserve bandwidth based on priority of the traffic type.
Verify the Unified Communications Session Manager protects the confidentiality and integrity of transmitted configuration files, signaling, and media streams. If the Unified Communications Session Manager does not protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams, this is a finding.
Configure the Unified Communications Session Manager to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams.
Verify the Unified Communications Session Manager implements NIST FIPS-validated cryptography for communications sessions. If the Unified Communications Session Manager does not implement NIST FIPS-validated cryptography for communications sessions, this is a finding.
Configure the Unified Communications Session Manager to implement NIST FIPS-validated cryptography for communications sessions.
Verify the Unified Communications Session Manager provides an indication of current participants in all calls, meetings, and conferences. If the Unified Communications Session Manager does not provide an indication of current participants in all calls, meetings, and conferences, this is a finding.
Configure the Unified Communications Session Manager to provide an indication of current participants in all calls, meetings, and conferences.
Verify the Unified Communications Session Manager supporting C2 communications associates MLPP attributes when exchanged between UC system components. If the Unified Communications Session Manager supporting C2 communications does not associate MLPP attributes when exchanged between UC system components, this is a finding.
Configure the Unified Communications Session Manager supporting C2 communications to associate MLPP attributes when exchanged between UC system components.
Verify the Unified Communications Session Manager, when using PKI, only uses DOD approved certificate authorities. If the Unified Communications Session Manager, when using PKI, does not use DOD approved certificate authorities, this is a finding.
Configure the Unified Communications Session Manager to only use DOD approved certificate authorities when using PKI.