Voice Video Endpoint Security Requirements Guide

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R9

Published: 2019-03-15

Updated At: 2019-05-03 21:27:41


    Vuln Rule Version CCI Severity Title Description
    SV-81173r1_rule SRG-NET-000512-VVEP-00001 CCI-000366 MEDIUM The hardware Voice Video Endpoint must integrate into the implemented 802.1x network access control system. IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before acces
    SV-81175r1_rule SRG-NET-000512-VVEP-00002 CCI-000366 MEDIUM The hardware Voice Video Endpoint must be an 802.1x supplicant. IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before acces
    SV-81177r1_rule SRG-NET-000512-VVEP-00003 CCI-000366 MEDIUM The hardware Voice Video Endpoint PC port must connect to an 802.1x supplicant, or the PC port must be disabled. IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before acces
    SV-81179r1_rule SRG-NET-000512-VVEP-00004 CCI-000366 MEDIUM The unused hardware Voice Video Endpoint PC port must be disabled. IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before acces
    SV-81181r1_rule SRG-NET-000512-VVEP-00005 CCI-000366 MEDIUM The hardware Voice Video Endpoint with a PC port must have the switchport configured as single-host or enable 802.1x multi-domain authentication. IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before acces
    SV-81183r1_rule SRG-NET-000512-VVEP-00006 CCI-000366 MEDIUM The hardware Voice Video Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport. IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before acces
    SV-81189r1_rule SRG-NET-000053-VVEP-00009 CCI-000054 MEDIUM The Voice Video Endpoint must limit the number of concurrent sessions to two (2) users. Voice video endpoint management includes the ability to control the number of user sessions and limiting the number of allowed user sessions helps limit risk related to DoS attacks. Voice video endpoint sessions occur peer-to-peer for media streams and cl
    SV-81191r3_rule SRG-NET-000520-VVEP-00010 CCI-000366 MEDIUM The hardware Voice Video Endpoint must apply 802.1Q VLAN tags to signaling and media traffic. When Voice Video Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data type with which they are associated. VLAN tags are used as security attributes. These a
    SV-81193r3_rule SRG-NET-000520-VVEP-00011 CCI-000366 MEDIUM The hardware Voice Video Endpoint must use a voice video VLAN, separate from all other VLANs. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, an
    SV-81195r3_rule SRG-NET-000057-VVEP-00012 CCI-000366 MEDIUM The hardware Voice Video Endpoint PC port must maintain VLAN separation from the voice video VLAN, or be disabled. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, an
    SV-81197r1_rule SRG-NET-000366-VVEP-00014 CCI-000366 MEDIUM The Voice Video Endpoint must block both inbound and outbound communications traffic between Unified Capability (UC) and Videoconferencing (VC) clients independently configured by end users and external service providers for voice and video. Various communication services such as public VoIP and Instant Messaging services route traffic over their own networks and are stored on their own servers; therefore, that traffic can be accessed at any time by the provider and potentially intercepted.
    SV-81199r1_rule SRG-NET-000147-VVEP-00015 CCI-001942 MEDIUM The Voice Video Endpoint must implement replay-resistant authentication mechanisms for network access. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process r
    SV-81201r1_rule SRG-NET-000147-VVEP-00016 CCI-001942 MEDIUM The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields. A cross-site scripting vulnerability has been demonstrated by adding scripting code to the "From:" field in the SIP invite. Upon receiving the invite, the embedded code can be executed by a vulnerable embedded web server to download additional malicious c
    SV-81203r3_rule SRG-NET-000371-VVEP-00017 CCI-002418 HIGH The Voice Video Endpoint must protect the integrity of transmitted configuration files from the Voice Video Session Manager. Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. When Voice Video Endpoint configuration files traverse a network without encry
    SV-81205r3_rule SRG-NET-000371-VVEP-00018 CCI-002418 HIGH The Voice Video Endpoint must protect the confidentiality of transmitted configuration files from the Voice Video Session Manager. Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. When Voice Video Endpoint configuration files traverse a network without encry
    SV-81207r2_rule SRG-NET-000015-VVEP-00019 CCI-000213 HIGH The Voice Video Endpoint must dynamically implement configuration file changes. Configuration management includes the management of security features and assurances through control of changes made to device hardware, software, and firmware throughout the life cycle of a product. Secure configuration management relies on performance a
    SV-81209r2_rule SRG-NET-000041-VVEP-00020 CCI-000048 MEDIUM The Voice Video Endpoint must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network. Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standard
    SV-81215r2_rule SRG-NET-000042-VVEP-00021 CCI-000050 MEDIUM The Voice Video Endpoint must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD wil
    SV-81217r1_rule SRG-NET-000074-VVEP-00022 CCI-000130 MEDIUM The Voice Video Endpoint must produce session (call detail) records containing what type of connection occurred. Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-81219r1_rule SRG-NET-000075-VVEP-00023 CCI-000131 MEDIUM The Voice Video Endpoint must produce session (call detail) records containing when (date and time) the connection occurred. Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-81221r1_rule SRG-NET-000076-VVEP-00024 CCI-000132 MEDIUM The Voice Video Endpoint must produce session (call detail) records containing where the connection occurred. Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-81223r1_rule SRG-NET-000078-VVEP-00025 CCI-000134 MEDIUM The Voice Video Endpoint must produce session (call detail) records containing the outcome of the connection. Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-81225r1_rule SRG-NET-000079-VVEP-00026 CCI-001487 MEDIUM The Voice Video Endpoint must produce session (call detail) records containing the identity of all users. Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-81227r1_rule SRG-NET-000113-VVEP-00027 CCI-000169 MEDIUM The Voice Video Endpoint must provide session (call detail) record generation capability. Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-81229r2_rule SRG-NET-000213-VVEP-00028 CCI-001133 HIGH The Voice Video Endpoint must terminate all network connections associated with a communications session at the end of the session. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-81231r2_rule SRG-NET-000138-VVEP-00029 CCI-000764 HIGH The Voice Video Endpoint used for videoconferencing must uniquely identify participating users. To assure accountability and prevent unauthenticated access, users must be identified to prevent potential misuse and compromise of the system. The Voice Video Endpoint must display the source of an incoming call and the participant's identity to aid the
    SV-81233r1_rule SRG-NET-000341-VVEP-00030 CCI-001953 MEDIUM The Voice Video Endpoint used for videoconferencing must accept a Common Access Card (CAC) or derived credentials. The use of CAC or derived credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a p
    SV-81235r1_rule SRG-NET-000342-VVEP-00031 CCI-001954 MEDIUM The Voice Video Endpoint used for videoconferencing must electronically verify the Common Access Card (CAC) or derived credentials. The use of CAC or derived credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a p
    SV-81237r1_rule SRG-NET-000140-VVEP-00032 CCI-000766 MEDIUM The Voice Video Endpoint used for videoconferencing must use multifactor authentication for network access. To assure accountability and prevent unauthenticated access, users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors i
    SV-81239r2_rule SRG-NET-000400-VVEP-00033 CCI-000197 HIGH The Voice Video Endpoint, when using passwords or PINs for authentication or authorization, must cryptographically-protect the transmission. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. This does not apply to authentication for the
    SV-81241r2_rule SRG-NET-000165-VVEP-00034 CCI-000186 HIGH When using PKI-based authentication, the Voice Video Endpoint must enforce authorized access to the corresponding private key. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private
    SV-81243r2_rule SRG-NET-000164-VVEP-00035 CCI-000185 HIGH When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, th
    SV-81245r1_rule SRG-NET-000345-VVEP-00036 CCI-001991 MEDIUM When using PKI-based authentication, the Voice Video Endpoint used for videoconferencing must implement a local cache of revocation data to support path discovery and validation in the event the network path becomes unavailable. Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). This does not apply to authentication for the purpose of configuring the device itself
    SV-81247r3_rule SRG-NET-000371-VVEP-00037 CCI-002418 HIGH The Voice Video Endpoint must use encryption for signaling and media traffic. Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. TLS can be utilized to secure SIP and SCCP signaling by configuring the sessio
    SV-81249r2_rule SRG-NET-000352-VVEP-00038 CCI-002450 HIGH The Voice Video Endpoint processing classified information over public networks must implement NSA-approved cryptography. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides
    SV-81251r2_rule SRG-NET-000510-VVEP-00039 CCI-002450 HIGH The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides
    SV-81253r2_rule SRG-NET-000510-VVEP-00041 CCI-002450 HIGH The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to generate cryptographic hashes. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides
    SV-81255r1_rule SRG-NET-000353-VVEP-00042 CCI-000366 MEDIUM The Voice Video Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences. Providing an explicit indication of current participants in teleconferences helps to prevent unauthorized individuals from participating in collaborative teleconference sessions without the explicit knowledge of other participants. Teleconferences allow g
    SV-81257r1_rule SRG-NET-000236-VVEP-00043 CCI-001665 MEDIUM In the event of a device failure, hardware Voice Video Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service. Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the informat
    SV-81259r1_rule SRG-NET-000190-VVEP-00044 CCI-001090 MEDIUM The Voice Video Endpoint must prevent unauthorized and unintended information transfer via shared system resources. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
    SV-81261r1_rule SRG-NET-000512-VVEP-00045 CCI-000366 MEDIUM The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) dialing to enable Routine, Priority, Immediate, Flash, and Flash Override. Configuring the C2 Voice Video Endpoint to implement MLPP ensures vital high-level communication occurs regardless of environmental, geographical, and political conditions. When conditions require immediate discussion among high-level officials, the C2 c
    SV-81263r1_rule SRG-NET-000512-VVEP-00046 CCI-000366 MEDIUM The Voice Video Endpoint supporting Command and Control (C2) communications must implement Multilevel Precedence and Preemption (MLPP) call disconnect to enable Routine, Priority, Immediate, Flash, and Flash Override. Configuring the C2 Voice Video Endpoint to implement MLPP ensures vital high-level communication occurs regardless of environmental, geographical, and political conditions. When conditions require immediate discussion among high-level officials, the C2 co
    SV-81265r1_rule SRG-NET-000512-VVEP-00047 CCI-000366 MEDIUM The Voice Video Endpoint supporting Command and Control (C2) communications must implement Assured Service Session Initiation Protocol (AS-SIP). Configuring the C2 Voice Video Endpoint to implement MLPP ensures vital high-level communication occurs regardless of environmental, geographical, and political conditions. When conditions require immediate discussion among high-level officials, the C2 co
    SV-81267r2_rule SRG-NET-000512-VVEP-00048 CCI-000366 MEDIUM The Voice Video Endpoint microphone must provide hardware mechanisms, such as push-to-talk (PTT) handset switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks. Microphones used with videoconferencing are designed to be extremely sensitive, designed to pick up audio from anywhere within a conference room. The microphones may pick up sidebar conversations with no relationship to the conference or call in progress.
    SV-81269r2_rule SRG-NET-000512-VVEP-00049 CCI-000366 MEDIUM The Voice Video Endpoint camera must provide hardware mechanisms, such as push-to-see (PTS) camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks. Cameras used with Voice Video Endpoints may reveal sensitive or classified information. This is especially at risk when unclassified conversations are conducted in classified spaces. Users or operators of videoconferencing systems must take care regarding
    SV-81271r1_rule SRG-NET-000512-VVEP-00050 CCI-000366 MEDIUM The Voice Video Endpoint auto-answer feature must be disabled. A Voice Video Endpoint set to automatically answer a call with audio or video capabilities enabled risks transmitting information not intended for the caller. In the event a Voice Video Endpoint automatically answered a call during a classified meeting or
    SV-81273r1_rule SRG-NET-000512-VVEP-00051 CCI-000366 MEDIUM The hardware Voice Video Endpoint must disable or restrict web browser capabilities permitting the endpoint to browse the internet or intranet. Permitting hardware Voice Video Endpoints to browse the internet or enterprise intranet freely opens the endpoint to the possibility of inadvertently downloading malicious code to the endpoint for which it may have no protection. Voice Video Endpoints typ
    SV-81275r1_rule SRG-NET-000512-VVEP-00052 CCI-000366 MEDIUM The hardware Voice Video Endpoint must disable or restrict built-in web servers. Hardware Voice Video Endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some Voice Video Endpoints, a user
    SV-81277r1_rule SRG-NET-000512-VVEP-00053 CCI-000366 MEDIUM The hardware Voice Video Endpoint must prevent the configuration of network IP settings without the use of a PIN or password. Many Voice Video Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate
    SV-81279r1_rule SRG-NET-000512-VVEP-00054 CCI-000366 MEDIUM The hardware Voice Video Endpoint must prevent the display of network IP settings without the use of a PIN or password. Many Voice Video Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate
    SV-81281r1_rule SRG-NET-000512-VVEP-00055 CCI-000366 MEDIUM The hardware Voice Video Endpoint must not use the default PIN or password to access configuration and display of network IP settings. Many Voice Video Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate
    SV-81283r1_rule SRG-NET-000131-VVEP-00056 CCI-000381 MEDIUM The Voice Video Endpoint must be configured to disable or remove non-essential capabilities. It is detrimental for Voice Video Endpoints when unnecessary features are enabled by default. Often these features are enabled by default with functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often
    SV-81285r1_rule SRG-NET-000512-VVEP-00057 CCI-000366 MEDIUM The Voice Video Endpoint must prevent the user from installing third-party software. Unauthorized third-party software is challenging the security posture of DoD. Most established vendors have developed a patch management process that prevents risk, resulting in an estimated 80 percent of threats arising from third-party software. Preventing
    SV-81287r1_rule SRG-NET-000512-VVEP-00058 CCI-000366 MEDIUM The Voice Video Endpoint must prevent installation of untrusted third-party software. Unauthorized third-party software is challenging the security posture of DoD. Most established vendors have developed a patch management process that prevents risk, resulting in an estimated 80 percent of threats arising from third-party software. Prevent
    SV-81289r2_rule SRG-NET-000132-VVEP-00059 CCI-000382 HIGH The Voice Video Endpoint must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-81291r1_rule SRG-NET-000512-VVEP-00060 CCI-000366 MEDIUM The Voice Video Endpoint must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Configuring the Voice Video Endpoint to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive s
    SV-81293r2_rule SRG-NET-000510-VVEP-00040 CCI-002450 HIGH The Voice Video Endpoint processing unclassified information must implement NIST FIPS-validated cryptography to provision digital signatures. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides
    SV-82475r2_rule SRG-NET-000015-VVEP-00013 CCI-000213 HIGH The Voice Video Endpoint must register with a Voice Video Session Manager. Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determin
    SV-86295r4_rule SRG-NET-000512-VVEP-00065 CCI-000366 MEDIUM The Voice Video Endpoint used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be a National Telecommunications Security Working Group (NTSWG)-approved device in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000. Configuring the Voice Video Endpoint to implement CNSSI 5000 for unclassified communication within SCIFs and SAPF ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security p
    SV-91973r1_rule SRG-NET-000494-VVEP-00061 CCI-000172 MEDIUM The Voice Video Endpoint processing classified calls must produce session (call detail) records containing classification level and Security Access Level (SAL). Session records are commonly produced by session management and border elements. Many Voice Video Endpoints are not capable of providing session records and instead rely on session management and border elements. Voice video endpoints capable of producing
    SV-91977r1_rule SRG-NET-000311-VVEP-00062 CCI-002263 MEDIUM The Voice Video Endpoint processing classified calls must be properly marked with the highest security level of the information being processed. Without the association of security attributes to information, there is no basis for the network element to make security related access-control and flow-control decisions. Security attributes include marking data as classified or FOUO. These security at
    SV-91979r1_rule SRG-NET-000311-VVEP-00063 CCI-002263 MEDIUM The Voice Video Endpoint processing classified calls must display the classification level and Security Access Level (SAL) for the call or conference in progress. Without the association of security attributes to information, there is no basis for the network element to make security related access-control and flow-control decisions. Security attributes include marking data as classified or FOUO. These security at
    SV-93761r1_rule SRG-NET-000041-VVEP-00064 MEDIUM The hardware Voice Video Endpoint must have a physical DD 2056 affixed, or display a digital representation. Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standard