Defense Switched Network (DSN) STIG

The Defense Switched Network (DSN) Security Technical Implementation Guide (STIG) provides the policy and architectural guidance for applying security concepts to DoD telecommunications systems. These policies ensure conformance to DoD requirements that govern DSN voice services deployment and operations, to include special-C2, C2, and non-C2 services. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V2R7

Published: 2015-08-11

Updated At: 2018-09-23 02:25:15


    Rule Version Severity Title Description
    SV-8407r1_rule DSN01.01 LOW The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. Requirement: The IAO will ensure that self-inspections of the telephone components are conducted and documented for security risks at least semi-annually. If periodic security self-inspections are not conducted, vulnerabilities could go unnoticed duri
    SV-8408r1_rule DSN01.02 LOW The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns. Requirement: The IAO will ensure that the site’s telephone switch is frequently monitored for changing calling patterns and system uses for possible security concerns. Changing calling patterns and system uses can be an indication of telephone misuse,
    SV-8409r1_rule DSN01.03 MEDIUM The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job. Requirement: The IAO will ensure that internal and external administrator/maintenance personnel have appropriate but limited access to the facilities, functions, commands, and calling privileges in accordance with their role as required when performing th
    SV-8410r1_rule DSN02.01 LOW DSN systems are not registered in the DISA VMS. Requirement: The IAO will ensure that all DISA owned and operated DSN critical assets are registered with the DISA/DoD VMS as follows: - All backbone switches (TSs, STPs, MFSs) - All other switches (EOs, SMEOs, PBX1s, PBX2s and RSUs) owned by DISA - All
    SV-8411r1_rule DSN02.02 LOW System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS. Requirement: The IAO will ensure that all Switch and System Administrators (SAs) responsible for VMS registered DSN critical assets will also be registered with the VMS. This includes non DISA personnel responsible for TSs or MFSs owned and operated by Do
    SV-8412r1_rule DSN02.03 MEDIUM The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period. Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice. The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect various systems. If appropriate actions are not taken, sys
    SV-8416r1_rule DSN04.01 MEDIUM Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN. All Network Management and switch administration terminals connecting to the DSN are to be through a dedicated DSN network segment. Only authorized systems will be connected to this LAN. No other networks may interface with components that are connected
    SV-8417r1_rule DSN04.02 MEDIUM Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection. Requirement: The IAO will ensure that routers that provide remote connectivity to out-of-band management networks located at switch sites provide IP and packet level filtering/protection. All routers connected to a DSN Switch are to be configured to cont
    SV-8418r1_rule DSN04.03 MEDIUM Administration terminals are used for other day-to-day functions (i.e., email, web browsing, etc.). Requirement: The IAO will ensure that OAM&P / NM and CTI system workstations are not used for other day-to-day functions (i.e., e-mail, web browsing, etc.). Dedicating DSN administration terminals to their intended purpose a
    SV-8419r1_rule DSN04.04 MEDIUM Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support. Requirement: The IAO will ensure that switch/device administration terminals are connected directly to the administration port of the switch/device or are connected via an out-of-band network used only for administration support.
    SV-8420r1_rule DSN04.05 LOW Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port. Requirement: The IAO will ensure that attendant console ports will not be available to unauthorized users by not allowing any instrument other than the attendant console to connect to the attendant console port. Additionally the attendant console shall
    SV-8421r1_rule DSN04.06 LOW The ISSO/IAO has not established Standard Operating Procedures. Requirement: The IAO will establish a standard operating procedure (SOP) or other form of record that will accomplish the following: - Identify and document all users, administrators, maintainers, managers, and their associated training requirements. - Id
    SV-8422r1_rule DSN05.01 MEDIUM Applicable security packages have not been installed on the system. Requirement: The IAO will ensure that all applicable security feature packages have been installed on the system to enable the required security features. In order for the requirements of this STIG to be met, a number of specific security software packag
    SV-8423r1_rule DSN06.01 MEDIUM The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen. Requirement: The IAO will ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance are controlled and provided direct supervision and oversight (e.g., escort) by
    SV-8426r2_rule DSN06.04 LOW DSN capability to restrict user access based on duty hours must be used when available. User access should be restricted based on duty hours, where technically feasible. The restriction of user access by limiting access to the DSN associated to the user's work hours and workweek will mitigate security vulnerabilities if a user account is comp
    SV-8427r1_rule DSN07.01 LOW The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN. Requirement: The IAO will ensure that either class of service, special authorization code or PIN controls access to Voice Mail services. If used, the Direct Inward System Access feature provides subscriber access to the DSN from outside facilities. Users
    SV-8428r1_rule DSN07.02 LOW Direct Inward System Access and Voice Mail access codes are not changed semi-annually. Requirement: The IAO will ensure that if Voice Mail services are controlled by special authorization code, this code will be controlled and changed semi-annually. The special access code used by all subscribers to control access to the Direct Inward Syst
    SV-8429r1_rule DSN07.03 LOW Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required. The PIN used to control access to the DISA feature should be controlled much like a special access code or password. If this PIN is not changed periodically and deactivated when no longer required, the DISA feature is more likely to be compromised, thus
    SV-8430r1_rule DSN07.04 LOW Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINS are not changed when compromised. Requirement: The IAO will ensure that all Voice Mail (and/or Privilege authorization, Direct Inward System Access) special authorization codes or individually assigned PINs are changed immediately if it is determined that they are compromised. If special
    SV-8431r2_rule DSN08.01 LOW Equipment, cabling, and terminations providing Fire and Emergency Services (FES) or evacuation paging systems must be clearly identified and marked. All equipment providing emergency life safety services, such as 911 services, must be clearly identified. The availability of Fire and Emergency Services (FES) supporting emergency life safety services such as 911 (or European 112) and emergency evacuatio
    SV-8436r1_rule DSN09.05 MEDIUM Links within the SS7 network are not encrypted. Requirement: The IAO will ensure that all SS7 links leaving a base/post/camp/station are encrypted. The examination of traffic patterns and statistics can reveal compromising information. Such information may include call source, destination, duration,
    SV-8438r1_rule DSN10.02 MEDIUM A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. Requirement: Voice Over IP systems and networks will comply with the DSN, VoIP, and all other applicable STIGs as well as other applicable DOD Component guides. The applicable STIGs define threat and vulnerability mitigations that must be applied to reso
    SV-8439r1_rule DSN11.01 MEDIUM Transport circuits are not encrypted. Requirement: The IAO will ensure that all circuits leaving the B/C/P/S are bulk encrypted. The transport system is responsible for the delivery of voice and data circuits from one switch node to another. Though not classified, this type of information i
    SV-8440r1_rule DSN11.02 LOW Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted. Requirement: The IAO or other responsible party will ensure that the physical access to commercial Add/Drop Multiplexers (ADMs) is limited. Transport equipment to include ADMs may be located in isolated areas with no personnel assigned to work in these f
    SV-8441r2_rule DSN12.01 LOW An IA policy and information library must be maintained. The site ISSO will ensure an up-to-date IA policy and information library is maintained to ensure current DoD guidance is available for reference. The library must include current network, voice, and policy documents published by the Chairman of the Joint
    SV-8442r1_rule DSN13.01 MEDIUM Users are not required to change their password during their first session. Requirement: The IAO will ensure that user passwords are assigned with the requirement for the user to change their password at first logon. The ISSO/IAO will assign passwords (typically a default) to new users of DSN
    SV-8443r1_rule DSN13.02 HIGH Default passwords and user names have not been changed. Requirement: The IAO will ensure that all system default passwords and user names are changed prior to connection to the DSN. Systems not protected with strong password schemes provide the opportunity for anyone to crack th
    SV-8444r1_rule DSN13.03 MEDIUM Shared user accounts are used and not documented by the ISSO/IAO. Requirement: The IAO will ensure that shared user accounts will not be used unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components nee
    SV-8445r1_rule DSN13.04 LOW The option to disable user accounts after 30 days of inactivity is not being used. Requirement: The IAO will ensure that user accounts are disabled after 30 days of inactivity. User accounts that are inactive for more than 30 days should be disabled by the system. Outdated or unused user accounts provide p
    SV-8446r1_rule DSN13.05 HIGH Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access. A valid username and a valid password are required to access all management system workstations and administrative / management ports on any device or system. All system management access points must be password protected to ensure t
    SV-8447r1_rule DSN13.06 LOW Passwords do not meet complexity requirements. Requirement: The IAO will ensure that passwords are required and contain at a minimum, a case sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!
    SV-8448r1_rule DSN13.07 MEDIUM Maximum password age does not meet minimum requirements. Requirement: The IAO will ensure that all user passwords are changed at intervals of 90 days or less. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords.
    SV-8449r1_rule DSN13.08 MEDIUM Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention. Requirement: The IAO will ensure that NO user passwords will be changed at an interval of less than 24 hours without IAO intervention. Permitting passwords to be changed in immediate succession within the same day,
    SV-8450r1_rule DSN13.09 LOW Password reuse is not set to 8 or greater. Requirement: The IAO will ensure that user passwords are not reused within eight of the previous passwords used, as a minimum. A system is more vulnerable to unauthorized access when system users recycle the same password
    SV-8451r1_rule DSN13.14 MEDIUM The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner. Requirement: The IAO will ensure that no user (to include Administrator) is permitted to retrieve the password of any user in clear text. Passwords should be recorded and stored in a secure location for emergency use. This helps pr
    SV-8452r1_rule DSN13.10 MEDIUM User passwords can be retrieved and viewed in clear text by another user. Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. Password integrity is nonexistent if passwords are stored or displayed in clear text. Many attacks on DOD c
    SV-8453r1_rule DSN13.11 MEDIUM User passwords are displayed in the clear when logging into the system. Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. When passwords are displayed (echoed) during logon, the risk of password compromise is increased and passw
    SV-8455r1_rule DSN13.13 MEDIUM The system is not configured to disable a user's account after three notifications of password expiration. Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the user fails to change their password, their account will be dis
    SV-8456r1_rule DSN13.15 MEDIUM Crash-restart vulnerabilities are present on the DSN system component. Requirement: The IAO will ensure that tests are performed for crash-restart vulnerabilities and develop procedures to eliminate vulnerabilities found (i.e., ensure ENHANCED_PASSWORD_CONTROL is active to prevent system logons after restart on Nortel switch
    SV-8457r1_rule DSN14.01 MEDIUM The DSN system component is not installed in a controlled space with visitor access controls applied. Requirement: The IAO will ensure that DSN switches, peripheral, and OAM&P systems are installed in a controlled space with personnel and visitor access controls applied. Controlling access to the DSN site is critical to determine accountability for audit
    SV-8458r1_rule DSN14.02 MEDIUM Documented procedures do not exist that will prepare for a suspected compromise of a DSN component. Requirement: The IAO will ensure that compromise recovery procedures are documented that will accomplish the following: - Verify the integrity of the hardware, software, and communication lines configuration. - Verify the integrity of the switch tables (da
    SV-8459r1_rule DSN15.01 MEDIUM Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity. Requirement: The IAO will ensure that auditing records are placed in an unalterable audit or history file that is available only to those individuals authorized to analyze switch access and configuration activity. Audit files must be a
    SV-8460r1_rule DSN15.02 MEDIUM Audit records do not record the identity of each person and terminal device having access to switch software or databases. Requirement: The IAO will ensure that the auditing process records the identity of each person and terminal device having access to switch software or databases. The identity of the individual user and the terminal used during their s
    SV-8461r1_rule DSN15.03 MEDIUM Audit records do not record the time of the access. Requirement: The IAO will ensure that the auditing process records the time of the access. The time of access needs to be recorded in the audit files to determine accountability of personnel if an issue arises that requires analysi
    SV-8462r1_rule DSN15.04 MEDIUM The auditing records do not record activities that may change, bypass, or negate safeguards built into the software. Requirement: The IAO will ensure that the auditing process records commands, actions, and activities executed during each session that might change, bypass, or negate safeguards built into the software. Actions that have the
    SV-8463r1_rule DSN15.05 MEDIUM Audit record archive and storage do not meet minimum requirements. Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months. Audit records provide the means for the ISSO/IAO or other designated person to investigate any suspicious activity and t
    SV-8464r1_rule DSN15.06 MEDIUM Audit records are not being reviewed by the ISSO/IAO weekly. Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months. By reviewing audit records on a weekly schedule, the ISSO/IAO ensures that any suspicious acti
    SV-8465r2_rule DSN16.01 MEDIUM An Information System Security Officer (ISSO) must be appointed in writing for each site. The PMO or local site command will document and ensure that an ISSO is designated to oversee the IA posture and security of each site, system, and facility. The ISSO will have the proper training and clearance level. The PMO will maintain documentation re
    SV-8466r1_rule DSN16.02 MEDIUM Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library. Requirement: The IAO will ensure that personnel are familiar with the security practices outlined by applicable documents found in the site’s library and have received the appropriate security training. A personnel security program, combined with other p
    SV-8467r1_rule DSN16.03 LOW The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties. A DSN Personnel Security Certification letter will provide documented proof that site personnel have attended and successfully passed a security training and awareness program. This program will provide training appropriate to the security needs of each
    SV-8468r1_rule DSN16.04 MEDIUM System administrators are NOT appropriately cleared. Requirement: The IAO will ensure that all System Administrators are appropriately cleared. In order to maintain positive control over personnel access to DSN system components, all who are provided physical and administrative access to the components must
    SV-8469r2_rule DSN17.01 MEDIUM The identity of maintenance personnel installing or modifying a device or software must be verified and recorded. The identity of maintenance personnel performing software load upgrades or maintenance of a DSN component must be recorded. This will make a particular person or vendor representative accountable for all actions performed, giving the ISSO and site personn
    SV-8470r2_rule DSN17.02 MEDIUM The DSN local system must be backed up weekly on a removable device or media and stored off-site. System backups must be taken frequently (weekly at a minimum) and stored in such a way that a current copy can be obtained if needed. By storing a copy on the local system and a copy on removable media, in most instances, a copy can be used to restore the
    SV-8471r2_rule DSN17.03 MEDIUM The DSN local system backup media must be available and up-to-date prior to any software modification. Site staff must ensure backup media is available and up-to-date prior to software modification that could cause a significant disruption to service if the new software is corrupted. Backup media will be available to site personnel prior to any software up
    SV-8472r1_rule DSN18.01 MEDIUM Modems are not physically protected to prevent unauthorized device changes. Requirement: The IAO will ensure that all modems are physically protected to prevent unauthorized device changes. Controlling physical access to modems supporting the DSN will limit the chance of unauthorized access to DSN system components. Failure t
    SV-8473r1_rule DSN18.02 MEDIUM A detailed listing of all modems is not being maintained. Requirement: The IAO will maintain a listing of all modems by model number, serial number, associated phone number, and location. Ensure an accurate listing of all modems supporting the DSN is maintained. Maintaining a list of all approved modems will e
    SV-8474r1_rule DSN18.03 MEDIUM Unauthorized modems are installed. Modems that are not provided by the Government for access to the DSN will not be allowed to connect to the DSN for access. No personally provided modems are permitted. This measure will assist the ISSO/IAO in the task of controlling remote access to the
    SV-8475r1_rule DSN18.04 MEDIUM Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only). Requirement: The IAO will ensure that all modem phone lines are restricted and configured to their mission required purpose (inward dial only or outward dial only). Ubiquitous phone lines open major security holes in a network. The more tightly they can
    SV-8476r1_rule DSN18.05 MEDIUM Modem phone lines are not restricted to single-line operation. Requirement: The IAO will ensure that all modem phone lines are restricted to single-line operation without any special features such as the call forwarding capability. By restricting modem phone lines to single-line operation, the risk of unauthorized a
    SV-8477r2_rule DSN18.06 LOW Automatic Number Identification (ANI) must be enabled when available. ANI must be enabled on modem lines to record access to remote access ports when this function is available. The logs will be maintained and reviewed. ANI logs should be kept for the previous twelve months. ANI logs are ideal for auditing unauthorized acce
    SV-8478r1_rule DSN18.07 MEDIUM Authentication is not required for every session requested. Requirement: The IAO will ensure that identification and authentication is required for every session requested in accordance with I&A / password policy. Authentication is a measure used to verify the eligibility of a subject and the ability of that subj
    SV-8479r1_rule DSN18.08 LOW The option to use the “callback” feature for remote access is not being used. Requirement: The IAO will ensure that modem access to remote management ports incorporates the “callback” feature where technically feasible. The callback feature ensures that pre-authorized user directory numbers are being used to access the DSN com
    SV-8480r2_rule DSN18.09 LOW FIPS 140-2 validated link encryption must be used end-to-end for all data streams connecting to remote access ports of the telephone switch. FIPS 140-2 validated encryption mechanism is used to provide security of all data streams between the management port of the DSN component and a remote management station whether connected via a modem or network. The most secure authenticated session to a
    SV-8481r2_rule DSN18.10 LOW Two-factor authentication must be used for remote access ports. Remote access ports must require two-factor authentication. This is defined as requiring something along the lines of a token in addition to a User ID and password combination. The use of two-factor authentication will help prevent unauthorized persons fr
    SV-8482r1_rule DSN18.11 MEDIUM Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use. Requirement: The IAO will ensure that serial management ports are controlled by deactivating or physically disconnecting access devices (i.e. modems or terminals) that are not in use. The disconnection of remote access devices when not being used will gr
    SV-8483r1_rule DSN18.12 MEDIUM Idle connections DO NOT disconnect in 15 min. Requirement: The IAO will ensure that a timeout feature, set to 15 minutes, is used to disconnect idle connections. Unattended systems are susceptible to unauthorized use. The system should be locked when unattended. The user idle timeout should be set
    SV-8484r1_rule DSN18.13 MEDIUM The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts. Requirement: The IAO will ensure that management ports that receive three consecutive failed logon attempts will be unavailable for at least 60 seconds. After three failed logon attempts the system should be configured to force the user to wait for 60 se
    SV-8485r1_rule DSN18.14 LOW Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session. Requirement: The IAO will ensure that serial management ports immediately drop any connection that is interrupted for any reason. Reasons include modem power failure, link disconnection, loss of carrier, etc. Serial ports that are interrupted due to link
    SV-8486r2_rule DSN19.01 LOW DSN system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access. The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable fe
    SV-8711r1_rule VVT/VTC 1000 (GENERAL) MEDIUM Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods. Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical access to these components is critical to determine accountabili
    SV-8833r1_rule DSN02.04 MEDIUM IAVMs are not addressed using RTS system vendor approved or provided patches. Requirement: The IAO will ensure that all IAVM notices relating to the installation of security or other patches for general-purpose operating systems and software on devices other than workstations is vetted through the system vendor and approved by the
    SV-8834r1_rule DSN02.05 LOW DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy. Requirement: The IAO will ensure that all systems including switches, OAM&P systems, auxiliary/adjunct, and peripheral systems connected to the DSN along with their SAs are registered and tracked with an asset and vulnerability management system similar t
    SV-8835r1_rule DSN03.01 LOW A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. Requirement: The IAO will ensure that all systems connected to DOD telecommunications systems that use technologies covered by a DISA/DOD STIG are secured in compliance with the applicable STIG(s). The applicable STIGs define threat and vulnerability miti
    SV-8836r1_rule DSN03.02 LOW The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs. Requirement: The DSN PMO and/or site command/management will ensure that “compliance with all applicable STIGs” requirements and validation measures are added to specifications and contracts for commercially leased or procured telecommunications servi
    SV-8837r2_rule DSN03.03 LOW Contract requirements for STIG compliance and validation must be enforced. The ISSO must ensure that commercially contracted systems and services supporting the DSN comply with all applicable STIGs in accordance with contract requirements. STIG compliance is DoD policy and must be accomplished to the greatest extent possible so
    SV-8840r1_rule DSN03.04 MEDIUM A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested. Requirement: The IAO will ensure that all installed systems and associated software releases for which he/she is responsible appear on the DSN APL in accordance with DODI 8100.3 requirements. This applies to previously installed, new, and upgraded systems
    SV-8841r1_rule DSN03.05 LOW A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority’s recommendation and/or DSAWG approval documentation. Requirement: The IAO will ensure that products or software releases are installed and maintained in accordance with all applicable STIGs AND the installation restrictions and vulnerability mitigations presented in the Security Assessment Report and Certif
    SV-8842r2_rule DSN03.06 LOW DSN voice and video systems and devices must be used with the same configuration and intended purpose as listed in the APL. Systems must be implemented using the configuration that was approved and for the approved purpose. Alternate configurations and purposes must be resubmitted for certification to approval authorities. DSN APL listed systems are submitted for testing in co
    SV-8843r2_rule DSN03.07 LOW DSN site procurement, installation, connection, or upgrade to voice video infrastructure must consider the APL. The DSN PMO, DoD Component command, and site command must ensure that products being considered for procurement, installation, connection, or upgrade to the DSN are certified and appear on the DSN APL, OR are in the process of being certified, OR will spo
    SV-8847r1_rule DSN03.08 LOW The voice or video system certification and accreditation must be maintained to reflect the installation or modification of the system configuration. The DSN system is certified and accredited per the DoD Risk Management Framework (RMF) either separately or as part of a larger site accreditation. Previous to the DoD RMF, the DoD Information Assurance Certification and Accreditation Process (DIACAP) or
    SV-9007r1_rule DSN20.04 MEDIUM The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU. Requirement: The IAO at the SMU site will ensure that the SMU management port or stations are not connected to any network other than one dedicated to management of the SMU. The system design and architecture of the SMU provides for no security configurati
    SV-9008r1_rule DSN20.03 MEDIUM The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions. Requirement: The IAO at the SMU site will ensure that the ADIMSS server connected to the SMU is dedicated to ADIMSS functions. ADIMSS servers represent mission critical equipment that contain potentially sensitive information that needs to be secured and t
    SV-9009r1_rule DSN20.02 LOW The SMU ADIMSS connection is NOT dedicated to the ADIMSS network. Requirement: The IAO at the SMU site will ensure that the SMU ADIMSS connection is dedicated to the ADIMSS network. In addition to the administrator terminal connection, a secondary connection is also provided for the ADIMSS network. This connection is us
    SV-9010r1_rule DSN20.01 HIGH An SMU component is not installed in a controlled space with visitor access controls applied. Requirement: The IAO at the SMU site will ensure that the SMU has adequate physical security protection. The system design and architecture of the SMU provides for no security configuration capability (i.e., user account, password, privileged user, or au
    SV-9011r1_rule DSN18.17 MEDIUM Network management/maintenance ports are not configured to “force out” or drop any user session that is interrupted for more than 15 seconds. Requirement: The IAO will ensure that network connected management ports drop a connection that is interrupted for any reason within 15 seconds. Network ports that are interrupted due to link disconnection, power failure or other reasons must end any ses
    SV-9012r1_rule DSN18.16 MEDIUM OOB management networks are NOT dedicated to management of like or associated systems. Requirement: The IAO will ensure that network connected switch and device management ports are connected to a network dedicated to management of the device only and/or that of other associated devices, i.e., an out-of-band management network. Management n
    SV-9013r1_rule DSN18.15 MEDIUM An OOB management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. Requirement: The IAO will ensure that out-of-band management networks comply with the Enclave and Network Infrastructure STIGs. Out-of-band management networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so
    SV-9016r1_rule DSN06.02 MEDIUM Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA). Requirement: The IAO and IAM will ensure that all Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems shall be vetted through the normal process
    SV-9017r2_rule DSN06.03 MEDIUM Foreign national personnel access to DRSN systems must be limited as directed by applicable DoD policy. Foreign national personnel must be limited in their access to DoD Information Systems (ISs) to prevent the unauthorized disclosure of classified information. Access to DoD ISs must be authorized by the DoD Component head in accordance with DoD, Department
    SV-9028r2_rule DSN17.04 MEDIUM The DSN local system must have the current software updates and patches applied to all components. Many vendors provide patches or new versions of software to incorporate mitigations for newly discovered security vulnerabilities. In some cases, this is the only way to mitigate a threat to the system. Administrators are required to use the latest vendor
    SV-9029r2_rule DSN17.05 MEDIUM The DSN local system must use approved software updates and patches for all components. All patches and new system software must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security. Approved products are listed on the DoD Approved Products list (
    SV-9032r2_rule DSN17.06 MEDIUM The DSN system major software version releases must be tested, certified, and placed on the DoD Approved Product List (APL) prior to installation. All DSN system major software releases must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security. DoD policy mandates testing on non-production configurations.
    SV-9034r2_rule DSN08.02 LOW A Fire and Emergency Services (FES) or evacuation paging system must be installed and implemented for life safety or security announcements. A Fire and Emergency Services (FES) or evacuation paging system must be installed to provide emergency announcements and messages in accordance with public law in response to 11 September 2001 and local building codes. Local building codes have for years
    SV-9036r1_rule DSN08.03 MEDIUM A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur. Requirement: The IAO will ensure that a policy is in place and enforced regarding the use of telephone instruments connected to unclassified telecommunications systems located in areas or rooms where classified meetings, conversations, or work normally oc
    SV-9038r1_rule DSN04.10 MEDIUM An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. Requirement: The IAO will ensure that OAM&P / NM and CTI networks comply with the Enclave and Network Infrastructure STIGs. OAM&P / NM and CTI networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that
    SV-9039r1_rule DSN04.09 MEDIUM An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) WAN. The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from source
    SV-9040r1_rule DSN08.04 MEDIUM Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2. Requirement: In the event that a telephone instrument connected to an unclassified telecommunications system is placed within a Sensitive Compartmented Information Facility (SCIF), the IAO will ensure that the instrument is configured such that the instr
    SV-9041r1_rule DSN04.08 MEDIUM An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) LAN. The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources exte
    SV-9042r1_rule DSN04.07 MEDIUM OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications. Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may be combined taking into consideration the vulnerabilities
    SV-9043r1_rule DSN15.07 MEDIUM The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information. Requirement: The IAO will ensure that the auditing process records security relevant actions (e.g., the changing of security levels or categories of information). Security relevant actions such as the following should be recorded to provi
    SV-9051r1_rule DSN06.07 LOW The available option of command classes or command screening is NOT being used to limit system privileges. Requirement: The IAO will ensure that devices that are capable of command screening or command classes are configured to use this feature in conjunction with DAC. Input screening in telecommunications switches is the feature that
    SV-9053r1_rule DSN06.06 LOW All system administrative and maintenance user accounts are not documented. Requirement: The IAO will document all system administrative and maintenance user accounts. It is imperative that the IAO and SA are aware of all administrative and maintenance accounts that are configured on the system. These accounts mu
    SV-9055r1_rule DSN06.05 MEDIUM System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities. Requirement: The IAO will ensure that all systems and devices employ a role-based Discretionary Access Control system used to control access to OAM&P / NM systems, the devices they manage, and their command classes for administrative and maintenance users
    SV-9056r1_rule DSN13.17 MEDIUM Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems. Requirement: The IAO will ensure strong two-factor authentication is required to access all management system workstations and administrative / management ports on any device or system. The term strong two-factor authentication refers to the use of two fo
    SV-9057r1_rule DSN13.16 MEDIUM Access to all management system workstations and administrative / management ports is NOT remotely authenticated. Requirement: The IAO will ensure that remote authentication is used to control access to all management system workstations and administrative / management ports on any device or system. The term remote authentication refers to a system or device that c
    SV-17063r2_rule VVT/VTC 1905 MEDIUM VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems. Microphones used with VTC systems and devices are designed to be extremely sensitive such that people speaking anywhere within a conference room are picked up and amplified so they can be heard clearly and understood at the remote location on the call. Thi
    SV-69271r1_rule DSN19.02 LOW The DSN system components' Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access. The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable fe