Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Interview the IAO to validate compliance with the following requirement: Ensure the VVoIP and/or IP connected VTC system and its components as well as their upgrades and changes are included in the site’s enclave / LAN C&A documentation (e.g., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.). NOTE: This requirement applies to or includes the existence or implementation of soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints. > Review the baseline documentation and/or C&A documentation to verify that all VVoIP installations and/or modifications are included. Verify there is a procedure for approving changes to configuration. > Determine if soft-phone applications or wireless VoIP (Wi-Fi or WiMAX) endpoints are used or implemented within the network. Look for the appearance of these in the required documentation noted above.
Add all VoIP installations and/or modifications to the SSAA. Obtain DAA approval for the updated SSAA. Submit to the SRR team lead for validation and finding closure.
Interview the IAO and review/inspect site network/facilities diagrams and documentation to confirm compliance with the following requirement: In the event MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), ensure the following: > The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR > the LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND > In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic. > Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.
In the event MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), ensure the following: > the LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR > the LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND > In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic. > Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.
Ensure a dedicated address block is defined for the VVoIP system within the LAN separate from the address blocks used by non-VVoIP system devices thus allowing traffic and access control using firewalls and router ACLs. If the LAN under review is a closed unclassified LAN, an unclassified LAN connected to an unclassified WAN (such as the NIPRNet or Internet), a closed classified LAN, or a classified LAN connected to a classified WAN (such as the SIPRNet), this requirement is applicable. In the case of a classified WAN where network wide address based accountability or traceability is required by the network PMO, the PMO must provide segregated, network wide address blocks so that the attached classified LANs meet this requirement. Affected devices include VVoIP session controllers, adjunct UC systems, session border controller (SBC) internal and external interfaces, customer edge (premise) router internal interface to the VVoIP VLANs, and VVoIP hardware endpoints. NOTE: VVoIP Core components must be statically addressed. DHCP may only be used for endpoint address assignment/configuration. If a dedicated LAN address space has not been designated for the VVoIP system that is segregated from the address space used for the general LAN and management VLANs, this is a finding. Note the defined address ranges for use when reviewing the devices themselves.
Implement VVoIP systems and components on a logically segregated and dedicated VVoIP network. Ensure dedicated address blocks or ranges are defined for the VVoIP system within the LAN separate from the address blocks used for non-VVoIP system devices thus allowing traffic and access control using firewalls and router ACLs. This requirement applies to the following: - A closed unclassified LAN. - An unclassified LAN connected to an unclassified WAN (such as the NIPRNet or Internet). - A closed classified LAN. - A classified LAN connected to a classified WAN (such as the SIPRNet).
Interview the ISSO to confirm compliance with the following requirement: Ensure the VVoIP system and the supporting LAN are designed and implemented using multiple VLANs to segregate the VVoIP core equipment and endpoints and services from all other hosts and services (such as data and dedicated VTC) running on the LAN such that the security, QoS, and reliability of the VVoIP system/service is enhanced thus allowing VVoIP system traffic and access control using router ACLs. VLANs and subnets will be provided and equipment separated, for those devices that are implemented in the system, as follows: > Hardware Endpoints: multiple VLANs generally in parallel with data LAN VLANs the number of which is dependent on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one. > Software endpoints on workstations: multiples as with hardware endpoints. Voice and data traffic may coexist on the data VLAN when leaving the workstation. Based on the Unified Capabilities Requirements (UCR) requirement that the Unified Capabilities (UC) application tag its signaling and media traffic with the proper UCR defined Differentiated Service Code Point (DSCP), the LAN access switch port must route the UC traffic to the voice/video VLAN. If the LAN access switch is not capable, then routing upstream must perform this. A separate NIC is not required for UC VLANs. > VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc. > Media gateways (MG) to the DSN and PSTN. > Signaling gateways (SG) to the DSN. > DoD WAN access VVoIP firewall (SBC or other). > Voicemail / Unified Messaging Servers. These may need to be accessible from both the voice and data VLANs. > UC servers such as those supporting unified messaging, IM/presence, “web” browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs. NOTE: Hardware based VTC endpoints that utilize LSC services for session control may reside in the VoIP endpoint VLANs. These may include desktop and “executive” or office based units. All other Hardware based VTC endpoints require their own dedicated network or VLAN. NOTE: Separate VLANs work in conjunction with the dedicated address space discussed earlier to provide the required effect. Each VLAN is configured with a subset of addresses (valid IP subnet) from the designated VVoIP address space NOTE: Per NI STIG requirements the NE’s default VLAN (VLAN 0 or 1) will not be used for any of the required VVoIP, data, or VTC VLANs. NOTE: ACLs are required between the various VLANs that will filter traffic between them based on what protocols and IP addresses are permitted to access or control the devices residing in the VLAN. Therefore it is expected that the LAN / VVoIP system design will include one or more routers or layer-3 switches as the intersection of all of these VLANs to access and traffic flow between them. This routing device will be configured with ACLs to only permit the functionally necessary traffic to flow between the various VLANs and the equipment they contain. NOTE: These VLANs may be replaced by direct connections to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device. This requires that such direct physical connections be given a discrete subnet. NOTE: The VLAN/subnets and associated ACLs need only to be assigned / applied for devices that exist in the VVoIP system. The VLAN / ACL design may change depending upon the location and physical makeup of the VVoIP core equipment. An example of this is if a MG and SG reside on the same platform and both use the same Ethernet LAN connections (and potentially the same or different IP address), then separate VLANs are not needed for the MG and SG but the ACL protecting them may need to be adjusted accordingly. This is a finding in the event the design or implementation of the VVoIP system and supporting LAN does not include the required VLANs and subnets based upon the equipment and services provided by or included in the VVoIP system. Size of the system or the number of users supported has no effect on the need for this segmentation. However under some circumstances such as in the case of a small deployable package the number of VLANs can be reduced based upon a benefit vs. risk assessment, AO approval, and package C&A. NOTE: The existence of the required VLANs will be validated in subsequent computing checks. The purpose of this check is to determine if the system design and implementation plan includes consideration for VLAN segmentation.
Deploy VVoIP systems and components on a dedicated VLAN structure that is separate from the data network VLAN structure. A minimum of one VLAN is required. More than one is highly recommended. Ensure the VVoIP system and the supporting LAN are designed and implemented using multiple VLAN/subnets to segregate the VVoIP core equipment and endpoints and services from all other hosts and services (such as data and dedicated VTC) running on the LAN such that the security, QoS, and reliability of the VVoIP system/service is enhanced thus allowing VVoIP system traffic and access control using router ACLs. VLAN and subnets will be provided and equipment separated as follows: > Hardware Endpoints: multiple VLAN/subnets generally in parallel with data LAN VLANs the number of which is dependent on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one. > Software endpoints on workstations: multiples as with hardware endpoints. Voice and data traffic may coexist on the data VLAN when leaving the workstation. Based on the Unified Capabilities Requirements (UCR) requirement that the Unified Capabilities (UC) application tag its signaling and media traffic with the proper UCR defined Differentiated Service Code Point (DSCP), the LAN access switch port must route the UC traffic to the voice/video VLAN. If the LAN access switch is not capable, then routing upstream must perform this. A separate NIC is not required for UC VLANs. > VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc. > Media gateways to the DSN and PSTN > Signaling gateways (SG) to the DSN > DoD WAN access VVoIP firewall (SBC or other) > Voicemail / Unified Messaging Servers. These may need to be accessible from both the voice and data VLANs. > UC servers such as those supporting IM/presence, web browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs. NOTE: These VLAN/subnets may be replaced by direct connections to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device. This requires that such direct physical connections be given a discrete subnet. NOTE: The VLAN/subnets and associated ACLs need only to be assigned / applied for devices that exist in the VVoIP system. The VLAN / ACL design may change depending upon the location and physical makeup of the VVoIP core equipment. An example of this is if a MG and SG reside on the same platform and both use the same Ethernet LAN connections (and potentially the same or different IP address), then separate VLANs are not needed for the MG and SG but the ACL protecting them may need to be adjusted accordingly.
Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure critical servers/devices supporting the VVoIP/UC/UM system are dedicated to only applications required to support operations. Interview the IAO and SA to determine the purpose and use of each server/device that comprises the VVoIP/UC/UM core infrastructure. Then determine each server/device can support or run any application other than what is required in support of its primary purpose. Such servers would be the LSC, without which the system will not operate, voicemail or unified mail servers, management servers, IM / presence servers, conference bridges, etc. Inspect each server/device’s software storage looking for its installed applications. This is a finding if applications are found that are not required to fulfill the server/device’s primary function. General purpose applications like browsers, word processors, etc., or other applications like development software or special purpose applications should not be found unless directly required for operations and support. Additionally, unnecessary portions of the operating system such as sub-applications or files and routines that are not required to support the telephony system should not be found. NOTE: VVoIP core infrastructure servers/devices include but may not be limited to the TDM telephone switches, local session controller (LSC), voicemail / unified mail system, interactive voice response system, media gateway, signaling gateway, management servers and workstations, conference bridges, IM/presence servers, etc.
Ensure critical servers/devices supporting the VVoIP/UC/UM system are dedicated to only applications required to support operations. Dedicate critical servers in the VVoIP/UC/UM core infrastructure to only run applications required for executing the primary function of the server/device and those required for its support. Additionally, remove all unnecessary portions of the operating system such as sub-applications or files and routines that are not required to support the telephony system.
Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure that the VVoIP core infrastructure servers/devices have been secured and hardened in compliance with all applicable STIGs (i.e., UNIX, Microsoft Windows, database, web, etc.). Determine if the asset is based upon any of the general purpose technology (OS or application) for which there is a STIG or checklist. Obtain a copy of the applicable SRR or Self Assessment results and review for compliance. If SRR results are not available, then SRR a representative number of devices. This is a finding in the event it is evident that the appropriate STIGs have not been applied. This check is not intended to determine if the asset is in full compliance. NOTE: If the server/device is purpose built to its function (potentially considered an appliance) using an embedded or stripped down version of a general purpose OS and/or if the device has limited I/O capabilities, it may be difficult to impossible to perform a normal review that would be done on a general purpose platform. In this case the best way to determines if the device is vulnerable is to perform a network scan on it. NOTE: VVoIP core infrastructure servers/devices include but may not be limited to the TDM telephone switches, local session controller (LSC), voicemail / unified mail system, interactive voice response system, media gateway, signaling gateway, management servers and workstations, conference bridges, IM/presence servers, etc.
Secure critical servers supporting the telephony environment. Apply all applicable STIGs (i.e., UNIX, Microsoft Windows, database, web, etc. UNIX, Win2k/NT, DSN, etc.) and ensure compliance with applicable STIG guidelines.
Review site documentation to confirm all DoD-to-DoD VVOIP signaling and media traffic traversing a public or publicly accessible WAN (i.e., Internet, NIPRnet) is encrypted, natively at the application or protocol level, or using network or data-link layer encryption (i.e., encrypted VPN or bulk link encryption) using FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic. Otherwise this is a finding. NOTE: This requirement is applicable to the following: - Calls established between DoD endpoints within an extended enclave (single MILDEP organization using directly interoperable VoIP systems). - Calls established between DoD endpoints located in different enclaves operated by a single MILDEP organization using directly interoperable VoIP systems. - Calls established between DoD endpoints located in different enclaves operated by different MILDEP organizations whether using directly interoperable VoIP systems and endpoints or the systems are subscribers to the DISN IPVS using IPVS standard protocols. - Calls established between remote DoD endpoints located outside their home enclave and connecting across the Internet and/or NIPRnet. In this case, a remote access VPN is used. NOTE: At this time, this requirement is not applicable for calls established from DoD to commercial VoIP telephones via commercial ITSP services implemented as a replacement for TDM-based PSTN access. This is because there is no encryption standard for end-to-end VoIP sessions to which all ITSPs and phone vendors have subscribed. Once a universal standard is adopted and implemented, or translation gateways are developed, this requirement could then be applied. Before encryption standards are adopted, the world must adopt interoperable signaling and media standards. At this time, Session Border Controllers can provide some translation services. Additional considerations are discussed in the section on ITSP services.
Implement all DoD-to-DoD VVOIP signaling and media traffic traversing a public or publicly accessible WAN network (i.e., Internet, NIPRnet) to use FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic, either natively at the application or protocol level, or by using network or data-link layer encryption (i.e., encrypted VPN or bulk link encryption). The encryption of VVOIP signaling and media traffic may either use native end-to-end basis or tunnel it using site-to-site or client-to-site (remote access) VPN technologies or bulk link encryption.
Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure all systems/servers hosting the Voice Mail Service are properly secured in accordance with the DSN STIG and applicable OS STIG (i.e., Windows, Unix, etc.). Determine if the Voice Mail system/servers are based upon a general purpose OS for which there is a STIG or checklist. Obtain a copy of the applicable OS and DSN SRR or Self Assessment results and review for compliance. If SRR results are not available, perform a review to determine if the STIGs have been applied. This is a finding in the event it is evident that the appropriate STIGs have not been applied. This check is not intended to determine if the asset is in full compliance
Ensure all systems/servers hosting the Voice Mail Service are properly secured in accordance with the DSN STIG and applicable OS STIG (i.e., Windows, Unix, etc.). Secure all Voice Mail systems/servers supporting the telephony environment. Apply the DSN STIG and all applicable OS STIGs (i.e., UNIX, Microsoft Windows, etc.) and ensure compliance with applicable STIG guidelines.
Interview the IAO and review site documentation to confirm compliance with the following requirement: In the event a Voice Mail or Unified Mail server is VoIP enabled or connected to an IP network for user access to the Voice/Unified Mail service or for system management, ensure application services supporting the voice/unified mail service such as SQL, IIS, Apache, Oracle, Exchange, etc., are properly secured according to the appropriate STIGs. Determine if the Voice/Unified Mail servers are connected to an IP network. Then determine if it is based upon any of the general purpose application technologies for which there is a STIG or checklist. Note: compliance with these STIGs is in addition to compliance with the DSN and applicable OS STIGs as covered under VoIP 0330. Obtain a copy of the applicable SRR or Self Assessment results and review for compliance. If SRR results are not available, perform a review to determine if the STIGs have been applied This is a finding in the event it is evident that the appropriate STIGs have not been applied. This check is not intended to determine if the asset is in full compliance
In the event a Voice Mail or Unified Mail server is VoIP enabled or connected to an IP network for user access to the Voice/Unified Mail service or for system management, ensure application services supporting the voice/unified mail service such as SQL, IIS, Apache, Oracle, Exchange, etc., are properly secured according to the appropriate STIGs Secure IP connected Voice/Unified Mail servers. Apply all applicable general purpose application STIGs (i.e., Database, Web, Application Services, e-mail, etc.) and ensure compliance with applicable STIG guidelines.
Interview the IAO to validate compliance with the following requirement: In the event voicemail subscribers can access their voicemail settings via an IP or “web” connection (in addition to having the standard normal capability from the phone via the dial pad), ensure the connection is encrypted using HTTPS with TLS. Additionally, ensure the web server on the voicemail system/server is configured in accordance with “private web server” requirements in the Web Services STIG/Checklist. NOTE: Web Services STIG/Checklist requirements include but are not limited to user CAC/PKI authentication Inspect the Web SRR results from the web server review performed on the web based personal settings interface to the voicemail system. If there is none, perform a Web SRR. This check is not intended to determine if the asset is in full compliance, it is only to determine if the applicable STIG has been applied. This is a finding in the event the voicemail system provides a web interface that is either not configured in accordance with the applicable Web STIG/Checklist requirements and/or it does not the web interface does not use HTTPS/TLS.
Configure the voicemail system web access to personal settings in accordance with the applicable private web server requirements in the Web STIG/Checklist and ensure web interface is configured to use HTTPS/TLS.
Inspect the VVoIP site documentation to confirm VVoIP services over wireless IP networks apply the Wireless STIG to the wireless services and endpoints, specifically services used over a Wireless LAN (WLAN - Wi-Fi 802.11x) or Wireless MAN (WMAN - WiMAX 802.16) connection. Ensure the applicable endpoint and service related requirements contained in the Wireless STIG have been applied to the wireless VVoIP service and endpoints in addition to the applicable VVoIP STIG requirements. Determine if the site has implemented or supports IP based wireless (802.11x or 802.16) VVoIP endpoints. If so this implies that there is a supporting WLAN and any applicable requirements in the Wireless STIG apply to the wireless VVoIP endpoints and service in addition to those in this checklist. Obtain a copy of the Wireless SRR or Self-Assessment results and review for compliance. If SRR results are not available, then perform a wireless SRR on a representative number of wireless VVoIP endpoints and on the service. Areas of primary concern are, but are not limited to the following: - Is the endpoint an approved endpoint? - Is the endpoint configured to support the required VVoIP endpoint, registration, authentication, and media/signaling encryption requirements? - Is the endpoint configured to support the required WLAN access control, authentication, and encryption requirements? If it is evident the appropriate STIGs have not been applied, this is a finding. NOTE: Wireless endpoints in this case are typically going to be handheld devices such as a dedicated VVoIP only "cordless phone", a cellular phone with dual cellular and Wi-Fi (possibly including WiMAX) capabilities, or a PDA/PED with a UC soft client installed. However, the endpoints could also be desk phones and some could also support Bluetooth headsets, which are also covered in the Wireless STIG.
Apply requirements contained the Wireless STIG wherever VVoIP over wireless LAN (Wi-Fi 802.11x) or Wireless MAN (WiMAX 802.16) is used. Ensure the applicable endpoint and service related requirements contained in the Wireless STIG have been applied to the wireless VVoIP service and endpoints in addition to the applicable VVoIP STIG requirements.
Interview the IAO to validate compliance with the following requirement: Ensure that a policy/SOP is in place and enforced to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage). Additionally investigate the enforcement of the SOP. This is a finding in the event there is no SOP addressing the concern here or the SOP does not adequately address the related DoD policies OR the policy/SOP is not enforced.
Ensure that a policy/SOP is in place and enforced to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password/PIN is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage). Develop a policy/SOP and enforced it to ensure that the IPT terminal (VoIP phone or instrument) configuration and display password is managed IAW DOD password policies (e.g., password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection and storage)).
Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure that an inventory of authorized instruments is documented and maintained. Inspect the authorized instrument inventory. NOTE: This inventory will be separate from the inventory created within the Local Session Controller (LSC) from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation). This is a finding if the inventory does not exist, does not appear to be up to date. Ask how this inventory is generated and where it is stored. This is a finding in the event it is located on the LSC.
Ensure that an inventory of authorized instruments is documented and maintained. NOTE: This inventory will be separate from the inventory created within the Local Session Controller (LSC) from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation). Prepare and maintain an inventory / database of authorized VoIP instruments. Generate and store the inventory on a separate workstation or server from the LSC (for example, the LSC management workstation). Recommendation: Create the inventory in a format that can easily be compared through automation to the report of registered instruments from the LSC (if available). This will facilitate regular review of the inventory to detect unauthorized instruments and will make the IA review easier.
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system is designed to use DHCP for initial VVoIP endpoint address assignment/configuration, ensure the design incorporates a different DHCP server than any that might be used for data components/hosts. Additionally ensure these servers reside in their respective voice or data address space and VLAN. NOTE: Soft-phones or VVoIP/UC applications residing on PC/workstations will, by default, utilize the IP information obtained by the workstation from the data DHCP server unless the workstation and soft-phone is capable of multiple VLANs and the soft-phone is assigned to the VVoIP VLAN. In case of the latter, the workstation or the soft-phone itself may obtain its IP information from the VVoIP DHCP server for use by the soft-phone or VVoIP application. Determine if, in the VVoIP system design, DHCP is used for VVoIP endpoint address assignment/configuration. If so, determine the location of the DHCP server and whether it is dedicated to the VVoIP system (separate from the data host DHCP server) and is deployed in the core VVoIP VLAN with an appropriate IP address within the dedicated VVoIP address space. This is a finding in the event DHCP is used for VVoIP endpoint address assignment/configuration and these conditions are not met. NOTE: It is recommended that the VVoIP DHCP server used as discussed in this requirement be implemented in the following order of preference: a dedicated device, part of the VVoIP call controller (LSC/MFSS) or other VVoIP related server; on an infrastructure router inside the enclave that is directly involved in the control of the VVoIP system or VLANs. NOTE: The Network Infrastructure STIG precludes the implementation of a DHCP server on a perimeter router.
If the VVoIP system design uses DHCP for VVoIP initial endpoint address assignment/configuration, ensure the design incorporates a different DHCP server than any that might be used for data components/hosts. Additionally ensure these servers reside in their respective voice or data address space and VLAN. NOTE: Soft-phones or VVoIP/UC applications residing on PC/workstations will, by default, utilize the IP information obtained by the workstation from the data DHCP server unless the workstation and soft-phone is capable of multiple VLANs and the soft-phone is assigned to the VVoIP VLAN. In case of the latter, the workstation or the soft-phone itself may obtain its IP information from the VVoIP DHCP server for use by the soft-phone or VVoIP application. NOTE: It is recommended that the VVoIP DHCP server used as discussed in this requirement be implemented in the following order of preference: a dedicated device, part of the VVoIP call controller (LSC/MFSS) or other VVoIP related server; on an infrastructure router inside the enclave that is directly involved in the control of the VVoIP system or VLANs. NOTE: The Network Infrastructure STIG precludes the implementation of a DHCP server on a perimeter router.
Interview the IAO to confirm compliance with the following requirement: Ensure customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTE: This is similarly applicable to other classified DISN services and customer’s C-LANs. NOTE: This is not a requirement in the event a VoIP based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or have access the DRSN and communicate with other enclaves that do use the DISN service or have access the DRSN, they must utilize their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO in accordance with the previously noted requirement. NOTE: This requirement does not directly apply to dedicated hardware based IP - VTC systems using the C-LAN and SIPRNet for transport although there may be similar requirements to address this technology in the future. Determine the following: Is the organization’s secret C-LAN connected to SIPRNet? Does the organization’s secret C-LAN support VVoIP communications (Not dedicated IP based VTC)? Does organization’s secret C-LAN VVoIP system interconnect with other enclaves using the DISN VoSIP service? What address blocks are dedicated to the VVoIP system on the C-LAN? Is there documented evidence that the DRSN/VoSIP PMO assigned these addresses to the organization or can such assignment be validated by other means? This is a finding in the event the organization’s secret C-LAN supports VVoIP communications (Not dedicated IP based VTC) AND is connected to SIPRNet AND uses the DISN VoSIP service BUT DOES NOT use the DRSN/VoSIP PMO assigned address blocks when addressing all of the VVoIP system components.
Ensure customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTE: This is similarly applicable to other classified DISN services and customer’s C-LANs. NOTE: This is not a requirement in the event a VoIP based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or have access the DRSN and communicate with other enclaves that do use the DISN service or have access the DRSN, they must utilize their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO in accordance with the previously noted requirement. NOTE: This requirement does not directly apply to dedicated hardware based IP - VTC systems using the C-LAN and SIPRNet for transport although there may be similar requirements to address this technology in the future. Obtain and assign IP addresses as provided by the DRSN PMO- VoSIP department when defining the required dedicated address space on the LAN.
If the system does not support a minimum of 96 instruments, this requirement is not applicable. Review site documentation to confirm the LAN supporting VVoIP services for C2 users provides assured services in accordance with the UCR. Specific attention should be given in the areas of: - Bandwidth and traffic engineering (25% voice, 25% video, 50% data) - No single point of failure affecting service to greater than 96 instruments. - Equipment reliability - Equipment redundancy above the access layer - Equipment robustness and bandwidth capability - Connection redundancy above the access layer - Connection bandwidth capability - Access layer switch size (number of phones served) - Backup power for all equipment: + 2 hours for all equipment and instruments supporting C2 users + 8 hours for all equipment and instruments supporting Special-C2 users If the LAN supporting VVoIP services for C2 users does not provide assured services in accordance with the UCR, this is a finding.
Implement and document that the LAN supporting VVoIP services for C2 users provides assured services in accordance with the UCR.
Interview the IAO to confirm compliance with the following requirement: Ensure a VVoIP or VTC hardware endpoint possessing a “PC Port” is capable of maintaining voice/data VLAN separation via the use of an Ethernet switch and that it does not contain an Ethernet hub OR ensure the “PC Port” is physically disabled. Review VVoIP or VTC hardware endpoint specifications and documentation. This is a finding in the event the VVoIP or VTC hardware endpoint that provides PC port but cannot maintain voice/data VLAN separation.
Ensure a VVoIP or VTC hardware endpoint possessing a “PC Port” contains an Ethernet switch such that VLAN separation can be maintained and that it does not contain an Ethernet hub OR ensure the “PC Port” is physically disabled.
Interview the IAO to confirm compliance with the following requirement: Verify a comprehensive VVoIP VLAN ACL design is developed for the supporting LAN such that VVoIP system access and traffic flow is properly controlled. The defined ACLs must use a deny-by-default configuration allowing only the protocols and traffic required to reach the device. The ACLs filter on VLAN, IP address, subnet, protocol type, and associated standard IP port for the protocol. The ACLs generally are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system. The ACL design will change depending on the specifics of the VVoIP system implementation such as the components used and defined VLANs. The design documentation must be maintained for future review. If a comprehensive VVoIP VLAN ACL design for the supporting LAN properly controlling VVoIP system access and traffic flow is not in place, this is a finding.
Develop a comprehensive VVoIP VLAN ACL design for the supporting LAN that properly controls VVoIP system access and traffic flow. The design documentation must be maintained for future review.
If the local enclave VoIP implementation is a stand-alone system and does not connect to external networks, this requirement is Not Applicable. The enclave must be a closed DISN classified network or an organizational intranet, the PMO must designate and implement a segregated IP address range for use by VVoIP systems, and no dedicated VoIP firewall function (as defined in the current UCR) is implemented to meet this exception. In all other cases, this requirement is Applicable. Review the VoIP System Security Plan (SSP), VoIP Access Control Plan (ACP), and other VoIP design documentation. Visually inspect the enclave boundary protection hardware and its connections to ensure it is implemented as documented in the design. Review the VoIP System Security Plan (SSP), VoIP Access Control Plan (ACP), and other VoIP configuration documentation. Ensure the enclave boundary protection is designed and implemented to protect the VoIP infrastructure and the data enclave. Interview the ISSO to confirm compliance. The data firewall function must protect the VoIP sub-enclave and infrastructure by: 1. Blocking all VoIP traffic to/from the VoIP production VLANs, except for signaling and media traffic to/from a remote endpoint entering the enclave via a properly authenticated and encrypted tunnel, where VoIP traffic is blocked from data VLANs. 2. Blocking all non-VoIP traffic to/from the VoIP production VLANs. 3. Blocking all non-VoIP traffic to/from the VoIP management VLANs, except for VoIP system management traffic to/from specifically authorized management servers and workstations (local or in a remote NOC). 4. Allow all VoIP traffic to/from the VoIP production VLANs, including SIP and SRTP traffic encrypted and encapsulated on port 443. 5. Inspecting all non-VoIP traffic to/from the VoIP management VLANs specifically required for VoIP system management. This may be performed by a separate IDPS function or an alternate data perimeter may be implemented for this purpose. The VoIP firewall function must protect the VoIP sub-enclave and infrastructure by: 1. Blocking all non-VoIP traffic to/from data production VLANs, data management VLANs, and VoIP management VLANs. 2. Inspecting all VoIP traffic to/from the VVoIP production VLANs. 3. Supporting interoperability and assured service requirements per the DoD UCR. When PSTN commercial service connects to the enclave, the connection must be through a VoIP media gateway function to protect the VoIP sub-enclave and infrastructure. If the enclave boundary protection network elements and connections are not implemented as documented, this is a finding. If the data firewall function, VoIP firewall function, and VoIP media gateway function do not protect the VoIP sub-enclave and infrastructure, this is a finding.
For all VoIP systems implemented in the local enclave with connections to external networks, ensure the design maintains enclave boundary protection for data and voice video sub-enclaves, maintaining separation within the LAN and support for interoperability of various vendor system implementations in different enclaves. Design and implement the enclave boundary protection to provide an IDPS function, data firewall function, VoIP firewall function, and VoIP media gateway function. The IDPS function must protect the VoIP sub-enclave and infrastructure by: - Inspecting all non-VoIP traffic to/from the VoIP management VLANs specifically required for VoIP system management. The data firewall function must protect the VoIP sub-enclave and infrastructure by: 1. Blocking all VoIP traffic to/from the VoIP production VLANs, except for signaling and media traffic to/from a remote endpoint entering the enclave via a properly authenticated and encrypted tunnel, where VoIP traffic is blocked from data VLANs. 2. Blocking all non-VoIP traffic to/from the VoIP production VLANs. 3. Blocking all non-VoIP traffic to/from the VoIP management VLANs, except for VoIP system management traffic to/from specifically authorized management servers and workstations (local or in a remote NOC). 4. Allow all VoIP traffic to/from the VoIP production VLANs, including SIP and SRTP traffic encrypted and encapsulated on port 443. The VoIP firewall function must protect the VoIP sub-enclave and infrastructure by: 1. Blocking all non-VoIP traffic to/from data production VLANs, data management VLANs, and VoIP management VLANs. 2. Inspecting all VoIP traffic to/from the VVoIP production VLANs. 3. Supporting interoperability and assured service requirements per the DoD UCR. The VoIP media gateway function must protect the VoIP sub-enclave and infrastructure by: - Connecting each PSTN commercial service BRI/PRI and/or CAS trunk to the enclave through a VoIP media gateway. Document the design and implementation in the VoIP System Security Plan (SSP), VoIP Access Control Plan (ACP), and other VoIP design and configuration documentation. Confirm through visual inspection the enclave boundary protection hardware and its connections are implemented as documented. Ensure the enclave boundary protection is designed and implemented to protect the VoIP infrastructure and the data enclave. NOTE: A PSTN media gateway connection may not be required if the site is approved for a commercial VoIP service connection. Concerns for this possibility will be addressed in subsequent requirements. NOTE: in the event the enclave is part of an organizational intranet, and there is no firewall at the local enclave perimeter, configure the perimeter/premise router to provide the required filtering and routing along with ensuring all inbound and outbound traffic enters the required dedicated circuit or encrypted VPN. Specific network requirements for organizational intranet design and implementation is beyond the scope of this document.
Interview the IAO to confirm compliance with the following requirement: Ensure all local DSN access for intra DoD dialup services (voice, video, fax, data) to/from a VVoIP system within a site enclave and a DSN number is via a local Media Gateway (MG) and one or more T619A trunks for C2 enclaves (MLPP support) or one or more PRI or CAS trunks for NON-C2 enclaves with a IP-PBX-2 (NO MLPP support) to a DSN EO or MFS except as follows: • The VVoIP system within a site enclave is approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet). • The VVoIP system within a site enclave is subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx ). (This connection would be typical of a GSU located in relative close proximity to its MOB. This would be similar to a MAN). • The enclave is part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service/computing centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed. NOTE: organizational Intranets using encrypted site-to-site or meshed VPN tunnels across a DISN IP routed network must block local access to/from the DISN IP routed network (e.g., NIPRNet) at the VPN termination points unless a full boundary protection suite of equipment is implemented locally. NOTE: This does not apply to approved remote VoIP instruments or Soft Phones that connect to the VVoIP system enclave via an encrypted VPN and are therefore part of the enclave’s LAN. NOTE: TDM or optical circuits should be bulk encrypted if using a commercial provider to supply any portion of the complete circuit. This will most likely be the case for the “last mile” connection to a DISN SDN since DoD owned facilities do not touch most sites. Determine if the VVoIP system within the site enclave is connected to a DSN EO or MFS via a local (on site) Media Gateway (MG) and one or more T619A trunks for C2 enclaves (provides MLPP support) or one or more PRI or CAS trunks for NON-C2 enclaves with a IP-PBX-2 (NO MLPP support). Additionally, determine if the following exceptions apply: • Is the VVoIP system within the site enclave approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet)? • Is the VVoIP system within the site enclave subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx )? (This connection is typical of a GSU located in relative close proximity to its MOB. This would be similar to a MAN.) • Is the enclave part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed? This is a finding in the event the site is not connected to the DSN via a MG located at the local site enclave as described above AND one of the exceptions is not applicable. NOTE: This requirement dictates that each site’s VoIP enclave has a local (on site) MG for connecting the site locally to a DSN EO or MFS. The DSN EO or MFS may be located at a remote site, in which case the TDM trunks will carry the voice traffic between the sites. This arrangement means that VoIP traffic does not have to traverse the enclave boundary with the WAN which is one of the reasons for the requirement.
Unless one of the following exceptions apply: • The VVoIP system within a site enclave is approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet). • The VVoIP system within a site enclave is subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx ). (This connection would be typical of a GSU located in relative close proximity to its MOB. This would be similar to a MAN.) • The enclave is part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service/computing centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed. Ensure all DSN access for intra DoD dialup services (voice, video, fax, data) to/from a VVoIP system within a site enclave and a DSN number is via a local (on site) Media Gateway (MG) and one or more T619A trunks for C2 enclaves (MLPP support) or one or more PRI or CAS trunks for NON-C2 enclaves with a IP-PBX-2 (NO MLPP support) to a DSN EO or MFS: NOTE: This does not apply to approved remote VoIP instruments or Soft Phones that connect to the VVoIP system enclave via an encrypted VPN and are therefore part of the enclave’s LAN. NOTE: TDM or optical circuits should be bulk encrypted if using a commercial provider to supply any portion of the complete circuit. This will most likely be the case for the “last mile” connection to a DISN SDN since DoD owned facilities do not touch most sites. NOTE: organizational Intranets using encrypted site-to-site or meshed VPN tunnels across a DISN IP routed network must block local access to/from the DISN IP routed network (e.g., NIPRNet) at the VPN termination points unless a full boundary protection suite of equipment is implemented locally.
Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure that software patches for critical, VVoIP servers and other related devices originate from or are approved by the system vendor/manufacturer and are applied in accordance with their instructions. Third party OEM upgrades/patches from general-purpose OS and application vendors or the OSS community are not to be applied without the system vendor’s approval and assurance that such application will not impact the system negatively. NOTE: This includes patches or mitigations required by IAVAs. IAVA vulnerabilities must be referred to the system vendor to determine applicability and a mitigation path.
Ensure that software patches for critical, VVoIP servers and other related devices originate from or are approved by the system vendor/manufacturer and are applied in accordance with their instructions. Third party OEM upgrades/patches from general-purpose OS and application vendors or the OSS community are not to be applied without the system vendor’s approval and assurance that such application will not impact the system negatively. Note: This includes patches or mitigations required by IAVAs. IAVA vulnerabilities must be referred to the system vendor to determine applicability and a mitigation path. Only Apply vendor-approved or vendor supplied patches. Correct site policy to require only vendor provided and approved patches are applied.
Interview the IAO to validate compliance with the following requirement: Ensure C2 and special-C2 users are made aware of the potential for unreliability and reduced availability of PC based communications for assured service/C2 communications in the various situations in which they might use their PC for this purpose. The IAO will additionally ensure C2 and Special-C2 users are made aware of the need for, and availability of, backup communications methods are available and provided in these various situations. Additionally, interview a random sampling of C2 and special-C2 users to confirm their awareness. This is a finding in the event the users are unaware of the limitations of reliability and/or there is no attempt to make them aware.
Ensure C2 and Special-C2 users are made aware of the potential for unreliability and reduced availability of PC based communications for assured service/C2 communications in the various situations in which they might use their PC for this purpose. The IAO will additionally ensure C2 and Special-C2 users are made aware of the need for, and availability of, backup communications methods are available and provided in these various situations. Implement training for C2 and Special-C2 users to provide awareness of the potential for unreliability and reduced availability of PC based communications for assured service / C2 communications in the various situations in which they might use their PC for this purpose.
Interview the IAO and a sampling of C2 or Special-C2 users to determine if C2 or Special-C2 users are provided with a more reliable communications method than a PC based communications application in compliance with the following requirement: Within a C2 or Special-C2 user’s normal workspace (e.g., office) or alternate fixed workspace (e.g., quarters, alternate office), ensure C2 and Special-C2 users are provided with an alternate assured service communications device/system (e.g., hardware based IP or traditional telephone endpoint) is provided as backup to a PC based communications application (e.g., soft-phone) for their mission critical assured service (C2) voice communications needs if and when the PC or application fails or is unavailable. Note: Cell phones. PDA/PEDs, or other wireless devices are not considered reliable enough within a normal workspace to meet this requirement due to lack of reliable signal everywhere and their inability to be used in certain DoD environments. However these could be considered in a remote use case. NOTE: This is not intended to require the installation of assured service communications devices in alternate workspaces such as quarters unless there is a requirement for the C2 or Special-C2 user to place and receive C2 communications in that location. This is a finding if C2 or Special-C2 users are not provided with a more reliable communications method than a PC based communications application for their assured service needs.
Ensure C2 and Special-C2 users are provided with an alternate assured service communications device/system (e.g., hardware based IP or traditional telephone endpoint) is provided as backup to a PC based communications application (e.g., soft-phone) for their mission critical assured service (C2) voice communications needs Minimally provide C2 and Special-C2 users with a hardware based telephone and supporting infrastructure that can support reliable assured service communications within their normal or alternate workspaces.
Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: - Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s). - Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection (e.g., a proper cover). - Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. The best practice is to not display it in view of the camera at all. NOTE: Vulnerability awareness and operational training will be provided to users of video/collaboration communications related camera(s) regarding these requirements. NOTE: This requirement is relevant no matter what the classification level of the session. In an IP environment the classification of PC communications is dependent upon the classification of the network to which the PC is attached, and the classification of the facility in which it is located. While classified communications can occur at the same level of classification as the network and facility, communications having a lower classification or no classification (e.g., unclassified or FOUO) may also occur in the same environment. As such, sensitive or classified information that is not part of the communications session might be improperly disclosed without proper controls in place. Inspect the applicable SOP. Inspect a random sampling of workspaces and conference rooms to determine compliance. Look for potentially sensitive information posted on the walls in view of the camera(s). Interview the IAO to determine how the SOP is enforced. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information. Do not post potentially sensitive information posted on the walls in view of the camera(s). Produce an SOP that addresses the operation of video/collaboration communications related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: - Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s). - Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection. (e.g., a proper cover). - Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. NOTE: while covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. Best practice is to not display it in view of the camera at all. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
Interview the ISSO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures are included in user training and guides. NOTE: This SOP should take into account the classification of the area where the Video Teleconferencing Unit (VTU) or PC supporting a PC based voice, video, UC, and collaboration communications applications is installed as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Along with those mentioned above, measures should be included such as closing office or conference room doors; muting of microphones before and after conference sessions, and during conference breaks; volume levels in open offices as well as muting the microphone when not speaking. Inspect the applicable SOP. Such an SOP should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It should also address the potential for the pickup of non-session related conversations in the work area. This requirement should also discuss Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If the SOP or training is deficient, this is a finding.
Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Such an SOP could or should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It could or should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It could or should also address the potential for the pickup of non-session related conversations in the work area. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Operational policy and procedures must be included in user training and guides. If video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications are used to display sensitive or classified information, interview the IAO and inspect the applicable SOP. The SOP should address the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Inspect a random sampling of workspaces and conference rooms to determine compliance. Look for displays that are viewable through a window or are viewable from common walkways or areas where non-participants can view the information. The lack of partitions or the use of short partitions separating workspaces can be an issue depending upon the sensitivity of the displayed information. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. This is a finding if video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications that are used to display sensitive or classified information are easily viewable from locations outside the immediate user’s work area. This is also a finding if the SOP or training is deficient. NOTE: During a SRR, the review of this check may be coordinated with a traditional security reviewer if one is available so that duplication of effort is minimized. However, the similar/related traditional security check primarily addresses displays that are attached to classified systems which are displaying classified information, and not sensitive but unclassified information or privacy information.
Ensure a policy and procedure is in place and enforced that addresses the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the positioning of video displays associated with communications devices and PC based voice, video, UC, and collaboration communications applications with regard to the sensitivity of the information displayed and the ability of individuals, not part of the communications session, to view the display. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.
Interview the IAO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to such information. Operational policy and procedures must be included in user training and guides. Interview the IAO and inspect the applicable SOP. The SOP should address the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. This is a finding if the if the SOP or training is deficient.
Ensure a policy and procedure is in place and enforced that addresses the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to such information. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the proper implementation and use of the “Presentation and Sharing” features of collaboration applications and devices. This policy and SOP will be based on the specific application’s or device’s capabilities and will address mitigations for the possible inadvertent disclosure of information to conferees that have no need to see or have access to. Operational policy and procedures must be included in user training and guides. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP
Interview the IAO to validate compliance with the following requirement: Ensure users of PC based collaboration applications are trained to only share control of their PC or applications with other users that they are familiar with and/or can identify as trustworthy. Determine if training is provided such that users of PC based collaboration applications only share control of their PC or applications with other users with whom they are familiar with and/or can identify as trustworthy. Inspect training materials for related content. Interview a random sampling of users to determine if they are properly trained on this topic. This is a finding if the training or training materials are deficient.
Ensure users of PC based collaboration applications are trained to only share control of their PC or applications with other users that they are familiar with and/or can identify as trustworthy. Produce training materials and provide training such that users of PC based collaboration applications only share control of their PC or applications with other users with whom they are familiar with and/or can identify as trustworthy.
Interview the IAO to validate compliance with the following requirement: Ensure audio and video pickup/capture capabilities of microphones and cameras associated with a PC are disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented. Ensure that operational policy and procedures are included in user training and guides. Determine if the applicable training on the required operational procedures is provided. Inspect training materials. Interview a random sampling of users to determine if they are properly trained on this topic and actually perform the mitigating actions. Inspect a random sample of PCs that are not actively communicating to determine if the required mitigations are in place. NOTE: This requirement minimally involves muting the PC microphone and camera. If necessary, the camera lens must be covered, or the camera aimed at a blank wall to “mute” it. Ideally, the microphone and camera would be external devices and not embedded in the PC or an external monitor that could be disconnected from the PC when not needed. The external microphone and camera could remain connected to the PC if there was a positive physical disconnect or mute (shorting) switch for the microphone, and if the camera is disconnected by the switch or the camera lens is covered. This is a finding if any of the inspected items are deficient such that audio and video pickup/capture capabilities of microphones and cameras associated with a PC are not disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented.
Ensure audio and video pickup/capture capabilities of microphones and cameras associated with a PC are disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented. Ensure that operational policy and procedures are included in user training and guides. Produce training materials and provide training such that users of PC based collaboration applications disable their microphones and cameras when not participating in a collaboration session. This minimally involves muting the PC microphone and camera. If necessary, the camera lens must be covered, or the camera aimed at a blank wall to “mute” it. Ideally, the microphone and camera would be external devices and not embedded in the PC or an external monitor that could be disconnected from the PC when not needed. The external microphone and camera could remain connected to the PC if there was a positive physical disconnect or mute (shorting) switch for the microphone, and if the camera is disconnected by the switch or the camera lens is covered.
Interview the ISSO to validate compliance with the following requirement: Ensure UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets capabilities are reviewed and their functionality tested or validated prior to approval, providing them to users, or implementing them. Determine if the use of USB phones, USB ATAs, PPGs, or wireless headsets is permitted and if they are provided to users. If so, determine if the devices have been reviewed and tested as necessary with regard to their network bridging capabilities. If these devices are provided to users and they have not been properly reviewed or tested, this is a finding. Note: this requirement applies to Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Prior to procurement and implementation of any wireless accessory, a risk analysis must be performed to ensure the technology uses acceptable encryption and does not interfere with existing technology use. This guidance is not intended to replace the existing guidance available for wireless headsets used in association with mobile devices.
Ensure UC soft client accessories (i.e., PPGs, ATAs, and/or USB phones) capabilities are reviewed and their functionality tested or validated prior to approval, providing them to users, or implementing them. Review and test the use of USB phones, USB ATAs, PPGs, and wireless headsets for network bridging capabilities. Do not use such devices if the capability exists except to fulfill a validated mission requirement.
Interview the ISSO to validate compliance with the following requirement: Ensure personnel are trained not to employ personally provided UC soft client accessories, including PPGs, ATAs, USB phones, or wireless headsets. This policy is to be acknowledged in user agreements and included in user training and user guides. Determine if training is provided to users about not employing personally provided UC soft client accessories. Inspect user agreements for acknowledgement of this training. Interview a random sampling of users regarding their awareness of this subject. This is a finding if the training, training materials, or user awareness of the policy are deficient or if the policy is not addressed and acknowledged in signed user agreements.
Ensure personnel are trained not to employ personally provided UC soft client accessories, including PPGs, ATAs, USB phones, or wireless headsets. This policy is to be acknowledged in user agreements and included in user training and user guides. Provide the appropriate user training such that they do not employ personally provided UC soft client accessories and require they sign user agreements that acknowledge the training and policy.
Interview the ISSO to validate compliance with the following requirement: Ensure UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets that provide a network bridging capability are not used on a DoD PC or network except to fulfill a validated and approved mission requirement. Determine if UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets, that provide a network bridging capability to the PSTN are used on a DoD PC or network. If so, further determine if there is a validated and approved mission requirement for their use. Interview a random sampling of users regarding their use of this bridging capability. This is a finding if these devices are used and there is no validated mission requirement. Note: this requirement applies to Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Prior to procurement and implementation of any wireless accessory, a risk analysis must be performed to ensure the technology uses acceptable encryption and does not interfere with existing technology use. This guidance is not intended to replace the existing guidance available for wireless headsets used in association with mobile devices.
Ensure UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets that provide a network bridging capability are not used on a DoD PC or network except to fulfill a validated and approved mission requirement. Discontinue the use of UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets that provide a network bridging capability unless there is a validated and approved mission requirement for their use.
Interview the ISSO to validate compliance with the following requirement: In the event a UC soft client accessory providing a network bridging capability is approved for use to fulfill a validated and approved mission requirement, the ISSO will ensure personnel are properly trained in their implementation and proper use. This training is to be acknowledged in user agreements and included in user guides. Determine if UC soft client accessories, including PPGs, ATAs, USB phones, or wireless headsets, that provide a network bridging capability to a different network (e.g., the PSTN or DSN) are used on a DoD PC or network. If so, further determine if there is a validated and approved mission requirement for their use. Inspect training materials on this subject. Interview a random sampling of users regarding their knowledge of the proper usage of this bridging capability. Inspect user agreements for acknowledgement of this training. This is a finding if the training, training materials, or user awareness of the proper use policy are deficient or if the policy is not addressed and acknowledged in signed user agreements.
In the event a UC soft client accessory providing a network bridging capability is approved for use to fulfill a validated and approved mission requirement, the ISSO will ensure personnel are properly trained in their implementation and proper use. This training is to be acknowledged in user agreements and included in user guides. Provide the appropriate user training and training materials such that users operate their UC soft client accessories, including PPGs, ATAs, USB phones, and wireless headsets that provide a network bridging in an approved manner and require they sign user agreements that acknowledge the training and policy.
Interview the IAO to validate compliance with the following requirement: Ensure training materials are developed and PC based voice, video, UC, and collaboration communications application users are trained in, and aware of, various aspects of the application’s safe and proper use as well as the application or service vulnerabilities. Training will include all items contained in user agreements and user guides. Ask the IAO about the training provided to users about the various aspects of the application’s safe and proper use as well as the application or service vulnerabilities. Inspect training materials for the content contained in user agreements. This is a finding if the training materials do not address the contents of the user agreements and the various aspects of the application’s safe and proper use as well as the application or service vulnerabilities.
Ensure training materials are developed and PC based voice, video, UC, and collaboration communications application users are trained in, and aware of, various aspects of the application’s safe and proper use as well as the application or service vulnerabilities. Training will include all items contained in user agreements and user guides. Develop training materials that address the contents of the user agreements and the various aspects of the application’s safe and proper use as well as the application or service vulnerabilities
Interview the ISSO to validate compliance with the following requirement: Verify a user agreement is developed and enforced with users in accordance with DoD policies addressing the acceptable use of UC soft client applications and associated accessories minimally providing the following information: - Users must not install any application or agent, to include UC soft clients, VTC software, or IM client that connects to or uses a public VoIP or IM service for non-official business. - Users must not install any application or agent, to include UC soft clients, VTC software, or IM client that communicates peer-to-peer with other applications, agents, or personal phone gateways. - Users must not use a USB or Ethernet subscriber line interface card (SLIC) associated with a commercial VoIP service (such as magicJack) or a personal VoIP system in the DoD unless the SLIC is sanctioned and provided by a DoD component or organization. - Users must not use UC soft client accessories capable of bridging a DoD network or DoD application with another computer, phone network, or the PSTN. - Users must not use DoD-provided UC soft client while working in their normal DoD workspace without permission of the ISSO. - Users must receive a caution notice discussing the non-assured nature of UC soft client applications for C2 user awareness that for assured service a UC soft client should not be the primary method of communications. - Users must receive instruction for the proper and safe use of webcams or built-in cameras when used in a classified environment to prevent viewing classified work or classified material over non-secure networks. - Users must receive instruction for the proper and safe use of speakerphones or built-in microphones when used in a classified environment to prevent hearing classified discussions over non-secure networks. - Users must receive instruction regarding the proper and safe use of presentation, document, and desktop sharing. Sites may modify the above items in accordance with local site policy. However, each item must be addressed in the user agreement. A user agreement may be a standalone document or a larger document addressing remote access or workstation use that enforces the acceptable use of UC soft client applications and accessories. Discuss the existence and enforcement of the UC soft client acceptable use policy. Inspect signed user agreements for compliance. If no acceptable use policy or related user agreement exists, this is a finding. If the acceptable use policy or related user agreement is deficient in content, this is a finding.
Develop and enforce a user agreement in accordance with DoD policies addressing the acceptable use of UC soft client applications and associated accessories minimally providing the following information: - Users must not install any application or agent, to include UC soft clients, VTC software, or IM client that connects to or uses a public VoIP or IM service for non-official business. - Users must not install any application or agent, to include UC soft clients, VTC software, or IM client that communicates peer-to-peer with other applications, agents, or personal phone gateways. - Users must not use a USB or Ethernet subscriber line interface card (SLIC) associated with a commercial VoIP service (such as magicJack) or a personal VoIP system in the DoD unless the SLIC is sanctioned and provided by a DoD component or organization. - Users must not use UC soft client accessories capable of bridging a DoD network or DoD application with another computer, phone network, or the PSTN. - Users must not use DoD-provided UC soft client while working in their normal DoD workspace without permission of the ISSO. - Users must receive a caution notice discussing the non-assured nature of UC soft client applications for C2 user awareness that for assured service a UC soft client should not be the primary method of communications. - Users must receive instruction for the proper and safe use of webcams or built-in cameras when used in a classified environment to prevent viewing classified work or classified material over non-secure networks. - Users must receive instruction for the proper and safe use of speakerphones or built-in microphones when used in a classified environment to prevent hearing classified discussions over non-secure networks. - Users must receive instruction regarding the proper and safe use of presentation, document, and desktop sharing. Sites may modify the above items in accordance with local site policy. However, each item must be addressed in the user agreement. A user agreement may be a standalone document or a larger document addressing remote access or workstation use that enforces the acceptable use of UC soft client applications and accessories.
Interview the ISSO to validate compliance with the following requirement: Verify a user guide is developed and distributed to users of UC soft client applications minimally providing the following information: - Review the policies and restrictions agreed to when the user agreement was signed upon receiving the communications application. - Provide a caution notice discussing the non-assured nature of UC soft client applications for C2 user awareness that for assured service a UC soft client should not be the primary method of communications. - Provide instruction for the proper and safe use of webcams or built-in cameras when used in a classified environment to prevent viewing classified work or classified material over non-secure networks. - Provide instruction for the proper and safe use of speakerphones or built-in microphones when used in a classified environment to prevent hearing classified discussions over non-secure networks. - Provide instruction regarding the proper and safe use of presentation, document, and desktop sharing. Inspect the user guide for the proper use of UC soft client and validate users received this guide by interviewing a random sampling of users. If the user guide is deficient in content or the guide is not provided to users, this is a finding.
Develop and distribute a user guide to users of UC soft client applications minimally providing the following information: - Review the policies and restrictions agreed to when the user agreement was signed upon receiving the communications application. - Provide a caution notice discussing the non-assured nature of UC soft client applications for C2 user awareness that for assured service a UC soft client should not be the primary method of communications. - Provide instruction for the proper and safe use of webcams or built-in cameras when used in a classified environment to prevent viewing classified work or classified material over non-secure networks. - Provide instruction for the proper and safe use of speakerphones or built-in microphones when used in a classified environment to prevent hearing classified discussions over non-secure networks. - Provide instruction regarding the proper and safe use of presentation, document, and desktop sharing.
Interview the IAO to validate compliance with the following requirement: In the event PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in the user’s workspace, the IAO will ensure hardware based telephone instruments, are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. Determine if PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in user’s workspaces. If so, inspect users work areas to determine if hardware based telephone instruments, are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. Cell phones, PDA/PEDs, or other wireless devices are not considered reliable enough to meet this requirement due to lack of reliable signal available everywhere and their inability to be used in certain DoD environments. This is a finding if these conditions are not met. NOTE: This requirement is satisfied by the implementation of hardwired hardware based telephone instruments using any telephony technology. That is, traditional analog, or digital instruments may be used or VoIP based instruments may be used. Such instruments may be part of the local site’s PBX or VoIP system, or may be served from the Local Exchange Carrier (LEC) or Competitive LEC (CLEC). Of additional concern when implementing backup/COOP or emergency telephones is power. Such phones should be remotely powered from a source that can provide backup power. Additionally, the dialing capabilities of backup/COOP or emergency may be limited to internal and/or emergency calls. This means that minimally, emergency services numbers must be reachable from these phones. PART2 manual Minimally select a random sample if not all of the implemented hard-phones and test them to ensure they are functional. This is a finding if non functional phones are found.
In the event PC soft-phones and/or UC applications are implemented as the primary telephone endpoint in the user’s workspace, the IAO will ensure hardware based telephone instruments, are installed within a short distance (e.g., 30 to 50 feet) of every workspace to be used for backup and emergency communications. NOTE: This requirement is satisfied by the implementation of hardwired hardware based telephone instruments using any telephony technology. That is, traditional analog, or digital instruments may be used or VoIP based instruments may be used. Such instruments may be part of the local site’s PBX or VoIP system, or may be served from the Local Exchange Carrier (LEC) or Competitive LEC (CLEC). Of additional concern when implementing backup/COOP or emergency telephones is power. Such phones should be remotely powered from a source that can provide backup power. Additionally, the dialing capabilities of backup/COOP or emergency may be limited to internal and/or emergency calls. This means that minimally, emergency services numbers must be reachable from these phones.
Ensure the Command and AO approves the implementation or transition to UC soft clients as the primary endpoints in writing. Approval documentation will be maintained by the ISSO for inspection by IA reviewers or auditors. Review the written Command and AO approval for the implementation of a telephone system which primarily uses UC soft client applications for its endpoints. If no written Command and AO approval exist for UC soft client endpoints, this is a finding.
Obtain the Command and AO approval for the implementation or transition to UC soft clients as the primary endpoints in writing. Approval documentation must be maintained by the ISSO for future inspection by IA reviewers or auditors. If Command and AO written approval is not available, hardware endpoints must be used as the primary endpoints. Note: This requirement is in addition to AO approval for deploying UC soft clients on DoD networks (VVoIP 1720). When UC soft clients are deployed as the primary endpoint, additional risks to availability exist.
Ensure the responsible AO approves the use of limited numbers of UC soft clients in the strategic LAN along with the measures implemented to protect these UC soft clients and the local VoIP and data infrastructure. Approval will be provided in writing and will be maintained by the ISSO for inspection by IA reviewers or auditors. When limited numbers of UC soft clients associated with the local VoIP system are implemented in the strategic LAN, a separate VLAN structure must be implemented for them. Implementation of a VLAN must not provide a bridge between the VoIP and data VLANs. Traffic must be filtered such that the UC soft client’s VoIP traffic is routed to the VoIP VLAN while all other traffic is routed to the data VLAN. A separate NIC is not required to support VLANs for voice and video segmentation under UC. NOTE: Limited numbers in this scenario means as few as possible, but may mean 25 or 30 percent of the overall PCs on the LAN. Beyond this percentage, the protections afforded by this implementation become limited or negated because of the large number of PCs in the UC soft client VLAN. Determine if limited numbers of UC soft clients are permitted to operate or are implemented in the strategic LAN. If so, review the written AO approval for the implementation. If limited numbers of UC soft clients are to be implemented in the strategic LAN without written AO approval for the implementation, this is a finding.
Ensure the responsible AO approves the use of UC soft clients in the strategic LAN along with the measures implemented to protect UC soft clients and the local VoIP and data infrastructure. Approval must be provided in writing and will be maintained by the ISSO for inspection by IA reviewers or auditors. UC soft clients do not provide assured services and therefore cannot be used as the primary method of communications for those personnel requiring assured services. When limited numbers of UC soft clients are to be implemented in the strategic LAN, obtain written approval from the responsible AO along with approval for the measures implemented to protect these UC soft clients and the local VoIP and data infrastructure. Alternately remove the UC soft clients from the LAN.
Review the site documentation to confirm a Call Center or CTI system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary. When a Call Center / CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) using soft clients are approved for use in the strategic LAN, ensure the following: - The supporting network is configured as a closed enclave or a segregated and access controlled sub-enclave having appropriate boundary protection between it and the local general business LAN or external WAN. - In the event the CTI application accesses resources outside this enclave and there is the potential of the application being compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason). - The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs. - The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller. If a Call Center or CTI system using soft clients is not segregated into a protected enclave and limit traffic traversing the boundary, this is a finding.
Implement a Call Center or CTI system using soft clients to be segregated into a protected enclave and limit traffic traversing the boundary.
Interview the IAO to validate compliance with the following requirement: Ensure permanent, semi-permanent, or fixed (not highly mobile) tactical networks supporting IP based voice, video, unified, and/or collaboration communications are configured per the requirements for a strategic LAN supporting voice/video/UC services. Determine if the tactical LAN is supporting a fixed or generally non-moving base making it a fixed tactical LAN. If the fixed tactical network supports IP based voice, video, UC, and/or collaboration communications, determine if it is configured per the requirements for a strategic LAN. Inspect network diagrams and interview the IAO to determine compliance. This is a finding in the event the deployed tactical network is relatively permanent compared to a small highly mobile unit and the LAN is not configured as a strategic LAN for the support of supports IP based voice, video, UC, and/or collaboration communications as defined in this and other STIGs. NOTE: The factors determining whether a deployed tactical VVoIP system is subject to this requirement are varied. In general all VVoIP systems should be configured the same and such that the service and supporting infrastructure is protected. It is recognized that a small system operated out of a transit case in a tent, conex box, or a truck is highly mobile as opposed to a fixed installation in a building. While initially such a system can support a few users and remain highly mobile, as the number of users increases, the deployment becomes semi-permanent, or fixed (not highly mobile). Initial deployments may include as little as a half dozen workstations or as many as fifty. Once the initial deployment is in place, the network may grow and become relatively permanent as would be the case for a rear command or logistics center. Small deployable packages that are designed to be initially deployed with a small footprint supporting or using PC soft-phones, which are then to be the basis of a larger network, must be configured, or be configurable, to support the separate VoIP and data zones as well as hardware based instruments and admission control for C2 communications as the deployed network and supported systems grow. The network will also include soft-phone protection zones as required in a strategic network if soft-phones are permitted to be used beyond the initial deployment. NOTE: A shipboard LAN is minimally considered as a fixed tactical LAN but can also be considered as a Strategic LAN. This is because the installation is permanent within the confines of the mobile floating base.
Ensure permanent, semi-permanent, or fixed (not highly mobile) tactical networks supporting IP based voice, video, unified, and/or collaboration communications are configured per the requirements for a strategic LAN. Configure the fixed tactical LAN in accordance with the requirements for a strategic LAN that supports IP based voice, video, UC, and/or collaboration communications.
Interview the IAO to validate compliance with the following requirement: In the event voice/video/UC IA configuration measures are reduced for highly mobile tactical networks (e.g., initial deployment packages) supporting hardware or PC based voice, video, unified, and/or collaboration communications, the IAO will ensure a benefit vs. risk analysis is performed, documented, and approved in the certification and accreditation of the system. NOTE: It is recognized that deployable packages for highly mobile tactical networks may only support PC based voice, video, UC, and/or collaboration communications applications. Such a network may not require separate zones for voice and data since all traffic will be in the data zone. Determine if IA configuration measures are reduced for highly mobile tactical networks (e.g., initial deployment packages) supporting hardware or PC based voice, video, UC, and/or collaboration communications. If so, inspect network diagrams and device configurations to determine the IA measures implemented. If the implemented IA measures are reduced from those required in a strategic or fixed tactical LAN, inspect the documented benefit vs. risk analysis used in the C&A process for the system. This is a finding if there is no benefit vs. risk analysis, or it is found to be deficient in some manner, such that the appropriate risk level was not used in the C&A of the system.
In the event voice/video/UC IA configuration measures are reduced for highly mobile tactical networks (e.g., initial deployment packages) supporting hardware or PC based voice, video, unified, and/or collaboration communications, perform and document a benefit vs. risk analysis for the reduced IA measures and update the C&A for the system.
Review the site documentation and confirm the UC soft client C&A documentation is included in the C&A documentation for the supporting VVoIP system. If the UC soft client C&A documentation is not included in the C&A documentation for the supporting VVoIP system, this is a finding.
Include the UC soft client C&A documentation in the C&A documentation for the supporting VVoIP system and update the Approval To Operate (ATO) with the UC soft client application.
Review the site documentation to confirm UC soft clients are tested and approved prior to implementation. If the confirm UC soft clients are not tested and approved prior to implementation, this is a finding.
Ensure UC soft clients are tested and approved prior to implementation.
Review the site documentation to confirm the UC soft client patches and upgrades are tested and approved prior to implementation. If the UC soft client patches and upgrades are not tested and approved prior to implementation, this is a finding.
Ensure UC soft client patches and upgrades are tested and approved prior to implementation.
Interview the IAO to validate compliance with the following requirement: Ensure PC communications applications providing voice, data, or video communications interoperability with the DSN, DRSN/VoSIP, or PSTN, along with any associated accessories (e.g., USB phones, cameras, and USB ATAs), are interoperability and IA tested and placed on the Approved Products List (APL) prior to purchase, per DoDI 8100.3. NOTE : APL listing of soft-phone applications, and/or associated accessories, will be in association with, or part of, the listed VoIP telecommunications switch/system that supports the application. Other applications (VTC or collaboration) will be listed with their core service or system. NOTE: This is not a finding in the event a PC communications application implementation and/or supporting system is not associated with, interoperable with, or connected to DSN, DRSN/VoSIP, or PSTN and is never expected to be. NOTE: The DRSN is a custom and proprietary non-VoIP telephone system. It interoperates, to a degree, with a Defense Information System Network (DISN) VoIP telephone system/service on the Secret Internet Protocol Router Network (SIPRNet). This VoIP service is called VoSIP (see acronym discussion in the next note). The discussion/requirement here applies to PC communications application associated with VoSIP that ultimately can interoperate with DRSN endpoints. NOTE: NSA defines VoSIP as Voice over Secure IP or regular (un-encrypted or encrypted) VoIP over any secure or classified IP LAN (i.e., local C-LAN) or WAN (e.g., SIPRNet or JWICS). In general, VoSIP employs encryption at Layer 1/Layer 2 applied to links between un-encrypted classified enclaves. The use of the acronym VoSIP for the DISN service and for instantiations on DoD component’s classified LANs leads to confusion between the service and the intentional meaning of the acronym. NSA defines a similar acronym, SVoIP, meaning Secure VoIP. This refers to end-to-end NSA type-1 encrypted VoIP media and possibly signaling streams that can traverse a network having a lower classification. This is similar in concept to the secure voice service provided by a STU or STE as well as SCIP based devices. SCIP works at Layer 7 (application layer) and can use Type 1 or Type 3 encryption. It is not IP specific since it was developed for traditional fixed and mobile transport methods. Type 3 encryption of VoIP signaling and media is not SCIP. Unfortunately, the SVoIP acronym/term has also been corrupted by some organizations using it to refer to their implementation of VoIP on their classified LANs and the SIPRNet WAN. Inspect the APL testing report for the APL approved VoIP system supporting the PC communications application to determine if it was tested and approved along with the supporting communications system. NOTE: these applications are typically NOT listed separately on the APL. APL testing reports are available to DoD users of the product and reviewers via email from the Unified Capabilities Certification Office (UCCO) at ucco@disa.mil. It is highly recommended that requests for these reports are submitted and the report obtained before SRR trips commence. This is a finding if it is determined that the PC communications application was not tested and approved along with the supporting communications system.
Ensure PC communications applications providing voice, data, or video communications interoperability with the DSN, DRSN/VoSIP, or PSTN, along with any associated accessories (e.g., USB phones, cameras, and USB ATAs), are interoperability and IA tested and placed on the Approved Products List (APL) prior to purchase, per DoDI 8100.3. Only implement APL tested PC communications applications. If necessary contact the Unified Capabilities Certification Office (UCCO) to determine what course of action and testing submittals should be pursued.
Review the site documentation to confirm the UC soft clients are supported by the manufacturer or vendor. Sources for UC soft clients include: - UC soft clients sourced from the enclave’s VoIP system vendor or their approved partner. - VTC soft clients sourced from the enclave’s or program’s VTC system vendor or their approved partner. - UC soft clients sourced from the enclave’s or program’s Collaboration system vendor or their approved partner. - The workstation operating system vendor when the application is approved to interoperate with the primary systems above. - An information system program providing the application from an appropriate source with the required testing, certification, and accreditation. If the UC soft clients are not supported by the manufacturer or vendor, this is a finding. If the source or distribution of the UC soft client is freeware or shareware, such as applications from Yahoo, MSN, Google, or Skype, this is a finding. NOTE: this is not a finding when the UC soft clients are shareware, freeware, or sourced from a third party other than a system vendor and the UC soft client is necessary to accomplish the mission; there are no alternative IT solutions available; and the product has been assessed for information assurance impacts, and approved for use by the AO in writing.
Ensure the UC soft clients are supported by the manufacturer or vendor.
Interview the IAO to validate compliance with the following requirement: Ensure PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Determine if PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Have the IAO or SA demonstrate the application and upgrade/patch integrity validation process. This is a finding if digital signatures are not validated before installation.
Ensure PC voice, video, UC, or collaboration communications applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Employ only those PC voice, video, UC, or collaboration communications applications, upgrades, and patches that are digitally signed by the vendor. Perform the appropriate digital signature validation process to validate application and upgrade/patch integrity before installation.
Interview the IAO to validate compliance with the following requirement: Ensure PC voice, video, UC, and/or collaboration communications applications are maintained at the current/latest approved patch or version/upgrade level. Determine if PC voice, video, UC, and/or collaboration communications applications are maintained at the current/latest approved patch or version/upgrade level. Consult with the vendor or their web site to determine if the version that is in use is the latest version that contains the latest IA mitigations. Determine if this version is the latest approved version.
Ensure PC voice, video, UC, and/or collaboration communications applications are maintained at the current/latest approved patch or version/upgrade level. Implement the current/latest approved patch or version/upgrade level to utilize the latest IA mitigations. If an outdated application version is no longer in use, un-install it. If the latest version is not approved, submit it for testing and approval to ensure the latest IA mitigations are available and used.
Interview the IAO to validate compliance with the following requirement: Ensure PC voice, video, UC, or collaboration communications applications do not require and/or are not configured to operate with administrative privileges. Determine if the installed PC voice, video, UC, or collaboration communications application(s) requires and/or is configured to operate with administrative privileges. Inspect a random sampling of PC voice, video, UC, or collaboration communications applications to determine if they are configured to operate with administrative privileges. This is a finding if a PC voice, video, UC, or collaboration communications application requires with administrative privileges to operate or if the application or platform is configured such that the application runs with administrative privileges. Even though a user has administrative privileges, the application should not inherit those privileges and should operate without them.
Ensure PC voice, video, UC, or collaboration communications applications do not require and/or are not configured to operate with administrative privileges. Configure the application and/or platform to not operate with administrative privileges or un-install it. Even though a user has administrative privileges, the application should not inherit those privileges and should operate without them.
Review site documentation to confirm the integrity of VVoIP endpoint configuration files downloaded during endpoint registration is validated using digital signatures. This is not applicable to hardware endpoints with a preinstalled configuration file and do not download a configuration file through the network. This is not applicable to UC soft clients that do not download a configuration file through the network. If the VVoIP endpoint configuration files downloaded during endpoint registration are not digitally signed, this is a finding. If the VVoIP endpoint configuration files downloaded during endpoint registration are not validated using digital signatures, this is a finding.
Implement and document the integrity of VVoIP endpoint configuration files downloaded during endpoint registration is validated using digital signatures. VVoIP endpoints must use DoD PKI certifications. This requirement does not apply to hardware endpoints or UC soft clients that do not download configuration files from the session manager.
Interview the IAO to validate compliance with the following requirement: Ensure PC based voice, video, UC, or collaboration communications applications are configured such that they only contact and associate with their designated and approved DoD controllers, gateways, and/or servers and their approved backups. Determine what the application’s permitted controllers, gateways, and/or servers including backups should be from the IAO. Review application configuration settings on a random sampling of PCs to determine if only the permitted controllers, gateways, and/or servers are configured. Further determine if users (not SAs) can reconfigure these settings. This is a finding if PC based voice, video, UC, or collaboration communications applications are NOT configured such that they only contact and associate with their designated and approved DoD controllers, gateways, and/or servers and their approved backups or if general users (not SAs) can reconfigure the related settings.
Ensure PC based voice, video, UC, or collaboration communications applications are configured such that they only contact and associate with their designated and approved DoD controllers, gateways, and/or servers and their approved backups. Configure PC based voice, video, UC, or collaboration communications applications such that they only contact and associate with their designated and approved DoD controllers, gateways, and/or servers and their approved backups. Further ensure general application users cannot reconfigure these settings.
Review site documentation to confirm a policy and procedure prevents an unapproved IM or UC soft client from being used on GFE. Prohibited clients and services include: - Yahoo Messenger - America Online (AOL) Instant Messenger (AIM) - Microsoft Network (MSN) Messenger - Skype - Freshtel - Google Hangouts (formerly Talk) - Magic Jack (A hardware USB ATA and UC soft client) - Soft clients associated with home telephone service from carriers such as Verizon. AT&T, and Quest, cable carriers such as Comcast and Cox, or competing VoIP carriers such as Vonage. If a policy and procedure does not prevent use of an unapproved IM or UC soft client on GFE, this is a finding. If unapproved clients or services are in use by site personnel, this is a finding.
Implement site policy and procedure to prevent the use of unapproved IM or UC soft client on GFE. Uninstall all unapproved IM or UC soft clients on site GFE.
Interview the IAO to validate compliance with the following requirement: Ensure: - Users are made aware and trained that even if their permissions allow, they are not to download and install IM and/or soft-phone applications on their DoD PCs that use or connect to public IM and/or IP telephony services unless directed to do so by their DoD organization for the fulfillment of an official requirement. - Users are made aware and trained that, they are not to attempt to use a stick phone on their DoD PC that associates itself or connects to a public IM or IP telephony services unless directed to do so by their DoD organization for the fulfillment of an official requirement. - Users are made aware and trained that, they are not to attempt to use a PPG on their DoD PC that associates itself with an installed soft-phone unless directed to do so by their DoD organization for the fulfillment of an official requirement. - The limitations in this requirement are listed in a signed user agreement. Note: DAA approval and possibly DISN DAA approval is required in the event IM and/or soft-phone applications, or stick phones that associate with or connect to a public IM or IP telephony service are to be implemented by a DoD component. Ask the IAO if the required user training is provided and if the items in the requirement are listed in a signed user agreement. Inspect user agreements for inclusion of the limitations and user acknowledgment. Additionally, interview a random sample of users to determine their awareness of these limitations. This is a finding if training is inadequate and users are unaware of the limitations and/or the limitations are not listed in signed user agreements.
Ensure users are trained as follows: - Users are made aware and trained that even if their permissions allow, they are not to download and install IM and/or soft-phone applications on their DoD PCs that use or connect to public IM and/or IP telephony services unless directed to do so by their DoD organization for the fulfillment of an official requirement. - Users are made aware and trained that, they are not to attempt to use a stick phone on their DoD PC that associates itself or connects to a public IM or IP telephony services unless directed to do so by their DoD organization for the fulfillment of an official requirement. - Users are made aware and trained that, they are not to attempt to use a PPG on their DoD PC that associates itself with an installed soft-phone unless directed to do so by their DoD organization for the fulfillment of an official requirement. Additionally ensure: - The limitations in this requirement are listed in a signed user agreement.
Interview the IAO to validate compliance with the following requirement: Ensure all IP Ports, Protocols, and Services (PPSs) used by a Voice/Video/UC system to include its core infrastructure devices and hardware-based or PC application-based endpoints are registered in the DoD Ports and Protocols Database in accordance with DoDI 8550.1. This applies to PPSs that remain within the enclave (“local PPS”) and those that cross the enclave boundary and/or any of the defined DoD boundaries. Determine the PPS used by all Voice/Video/UC system devices and endpoints (to include PC based endpoints) used at the site within the enclave and those that cross a boundary as well as the boundaries they cross where the network is exposed to them. Inspect the system documentation and if necessary contact the vendor. If necessary, use a sniffer to detect the protocols used. This would require operating all system functions or sniffing during a period of time when all functions are accessed. Inspect PPS registrations with regard to PPS used. This is a finding if all IP ports and protocols used by the Voice/Video/UC system to include its core infrastructure devices and its hardware based or PC application based endpoints are NOT registered in the DoD Ports and Protocols Database in accordance with DoDI 8550.1.
Ensure all IP Ports, Protocols, and Services (PPSs) used by a Voice/Video/UC system to include its core infrastructure devices and its hardware-based or PC application-based endpoints are registered in the DoD Ports and Protocols Database in accordance with DoDI 8550.1. This applies to PPSs that remain within the enclave (“local PPS”) and those that cross the enclave boundary and/or any of the defined DoD boundaries. Properly register all IP ports and protocols used by the Voice/Video/UC system to include its core infrastructure devices and hardware based or PC application based endpoints whether it crossed a boundary or not.
Review site documentation to confirm VVoIP session signaling is encrypted to provide end-to-end interoperable confidentiality and integrity. The devices within the VVoIP system that must be protected are endpoints, media gateways, session mangers (gatekeepers, session controllers, soft switches, etc.), border elements (session border controllers, routers, firewalls, etc.), and other network devices involved in the session signaling. Session signaling encryption meeting UCR requirements must be implemented end-to-end. If VVoIP session signaling is not encrypted to provide end-to-end interoperable confidentiality and integrity, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Implement VVoIP session signaling to be encrypted to provide end-to-end interoperable confidentiality and integrity. Fully document the implementation. Configure the VVoIP system components per the DoD APL IA deployment guide specific to the product being deployed. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Review site documentation to confirm VVoIP session media is encrypted to provide end-to-end interoperable confidentiality and integrity. The devices within the VVoIP system that must be protected are endpoints, media gateways, session mangers (gatekeepers, session controllers, soft switches, etc.), border elements (session border controllers, routers, firewalls, etc.), and other network devices involved in the session signaling. Session media encryption meeting UCR requirements must be implemented end-to-end. If VVoIP session media is not encrypted to provide end-to-end interoperable confidentiality and integrity, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Implement VVoIP session media to be encrypted to provide end-to-end interoperable confidentiality and integrity. Fully document the implementation. Configure the VVoIP system components per the DoD APL IA deployment guide specific to the product being deployed. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Interview the IAO to confirm compliance with the following requirement: Ensure all sites possessing a LSC or MFSS are capable of maintaining call/session establishment capability such that it can minimally make local internal and local commercial network calls in the event the LSC or MFSS becomes unavailable to receive and act on EI signaling requests. Determine if the LSC or LSC portion of the MFSS has a backup call/session establishment capability such that it can minimally make local internal and local commercial network calls This is a finding in the event the primary LSC or LSC portion of the MFSS has no COOP relationship with another LSC in a redundant and geographically diverse facility. NOTE: The minimum capability for placement of precedence calls (line-side or to the DISN) is dependant upon the C2 requirements of the site in question and should be determined in conjunction with the local command authority. To satisfy this requirement, however, the minimum requirement is the maintenance of ROUTINE call placement capabilities.
Establish COOP capabilities for the primary LSC or LSC portion of the MFSS using redundant LSCs or COOP arrangements with other LSCs in redundant and geographically diverse facilities. NOTE: The minimum capability for placement of precedence calls (line-side or to the DISN)is dependant upon the C2 requirements of the site in question and should be determined in conjunction with the local command authority. To satisfy this requirement, however, the minimum requirement is the maintenance of ROUTINE call placement capabilities.
Review site documentation to confirm the local VVoIP system has the capability to place intra-site and local phone calls when network connectivity is severed from the remote centrally located session controller. If the local VVoIP system does not have the capability to place intra-site and local phone calls when network connectivity is severed, this is a finding. Reliance on GFE or personal cell phones does not meet this requirement because signal strength and reliability are reduced inside buildings and cell phones are not permitted in most DoD facilities. The minimum capability for placement of line-side precedence calls is dependent upon the C2 requirements of the site and must be determined in conjunction with the local command authority. To satisfy this requirement the minimum requirement is the maintenance of ROUTINE call placement capabilities.
Implement and document the local VVoIP system with the capability to place intra-site and local phone calls when network connectivity is severed. The minimum capability for placement of line-side precedence calls is dependent upon the C2 requirements of the site and must be determined in conjunction with the local command authority. To satisfy this requirement the minimum requirement is the maintenance of ROUTINE call placement capabilities.
Interview the IAO to validate compliance with the following requirement: Ensure VVoIP system applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Determine if VVoIP system applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Have the IAO or SA demonstrate the application and upgrade/patch integrity validation process. This is a finding if digital signatures are not validated before installation. NOTE: This requirement addresses applications, upgrades, and patches for the overall VVoIP system infrastructure. PC based applications, upgrades, and patches are addressed separately.
Ensure VVoIP system applications, upgrades, and patches are digitally signed by the vendor and validated for integrity before installation. Employ only those VVoIP system applications, upgrades, and patches that are digitally signed by the vendor. Perform the appropriate digital signature validation process to validate application and upgrade/patch integrity before installation.
Review site documentation to confirm the confidentiality of endpoint configuration files downloaded during endpoint registration is protected. This is not applicable to hardware endpoints with a preinstalled configuration file and do not download a configuration file through the network. This is not applicable to UC soft clients that do not download a configuration file through the network. If configuration files are in a vendor specific binary format only interpretable by the vendor’s endpoints, this is not a finding. If the confidentiality of endpoint configuration files downloaded during endpoint registration is not encrypted, this is a finding.
Implement and document the confidentiality of VVoIP endpoint configuration files downloaded during endpoint registration is protected by encryption. This requirement does not apply to hardware endpoints or UC soft clients that do not download configuration files from the session manager.
If the system does not support a minimum of 96 instruments, this requirement is not applicable. Review site documentation, network diagrams, and design information to confirm the LAN supporting VVoIP services provides enhanced reliability, availability, and bandwidth. Specific attention should be given in the areas of: - Bandwidth and traffic engineering (25% voice, 25% video, 50% data) - No single point of failure affecting service to greater than 96 instruments. - Equipment reliability - Equipment redundancy above the access layer - Equipment robustness and bandwidth capability - Connection redundancy above the access layer - Connection bandwidth capability - Access layer switch size (number of phones served) - Backup power for all equipment If the LAN supporting VVoIP services does not provide enhanced reliability, availability, and bandwidth or is deficient in these areas, this is a finding. This check is not intended to initiate an in depth analysis of the network design. If the LAN is not is not properly designed it should be easily discerned because many of the criteria will not be met unless the LAN was already designed for high reliability and availability before adding VVoIP services.
Implement and document the LAN supporting VVoIP services. VVoIP services must provide enhanced reliability, availability, and bandwidth. Voice bandwidth engineering is based on 102 kbps (each direction) for each IP call for IPv4 and 110.0 kbps for IPv6. Video bandwidth engineering is not so simple since when present, a single video stream can utilize 160kbps to 7.5Mbps in addition to any audio stream.
If the system does not support a minimum of 96 instruments, this is not applicable. Review site documentation to confirm the LAN hardware supporting VVoIP services provide redundancy to support C2 assured services and FES communications. Ensure the LAN hardware is redundant as follows: - Dual Power Supplies - each platform must have a minimum of two power supplies and the loss of a single power supply shall not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - each chassis shall support dual control processors and failure of any one processor shall not cause any loss of functions within the chassis. - Termination Sparing - each chassis shall support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - each routing device shall support protocols allowing for dynamic rerouting. - Backplane Redundancy – each switching platform shall support a redundant (1 + 1) switching fabric or backplane and the second fabric’s backplane shall be in active standby so that failure of the first shall not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented such that the failover over to the secondary product must not result in any lost calls. If the LAN hardware supporting VVoIP services does not provide redundancy to support C2 assured services and FES communications, this is a finding.
Implement and document that the LAN hardware supporting VVoIP services provides redundancy to support C2 assured services and FES communications. Mandatory redundancy includes the following: - Dual Power Supplies - each platform must have a minimum of two power supplies and the loss of a single power supply shall not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - each chassis shall support dual control processors and failure of any one processor shall not cause any loss of functions within the chassis. - Termination Sparing - each chassis shall support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - each routing device shall support protocols allowing for dynamic rerouting. - Backplane Redundancy – each switching platform shall support a redundant (1 + 1) switching fabric or backplane and the second fabric’s backplane shall be in active standby so that failure of the first shall not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented such that the failover over to the secondary product must not result in any lost calls. Redundancy may not be required for VVoIP systems supporting less than 96 users but best practice is to provide redundancy or maintain spares such that service can be restored in a timely manner in the event of a failure.
If the system does not support a minimum of 96 instruments, this is not applicable. Review site documentation to confirm the LAN hardware supporting VVoIP services provides physically diverse pathways for redundant links supporting C2 assured services and FES communications. The inspection of uplink pathways may require inspecting cable plant drawings or tracing the physical cable path through the building. If the LAN hardware supporting VVoIP services does not provides physically diverse pathways for redundant links supporting C2 assured services and FES communications, this is a finding.
Implement and document that the LAN hardware supporting VVoIP services provides physically diverse pathways for redundant links supporting C2 assured services and FES communications. Ensure each uplink supports the full bandwidth and the appropriate routing protocol is configured for failover from one uplink to the other when a failure occurs. This applies to access layer elements connected to distribution layer elements and distribution elements connected to core layer elements. Run new cable, upgrade, or reroute as necessary.
Interview the IAO to confirm compliance with the following requirement: Ensure an uninterruptible power supply (battery at a minimum; plus optional generator) is provided for all parts of the VVoIP infrastructure (Core LSC/MFSS, adjunct systems providing critical services, EBC, CER, LAN NEs, and endpoints as follows: > All VVoIP system devices including voice endpoints and portions of the LAN that directly support any single special-C2 user are minimally provided 8 hours UPS. > All VVoIP system devices including voice endpoints and portions of the LAN that directly supports any single C2 user are minimally provided 2 hours UPS. > All VVoIP system devices including voice endpoints and portions of the LAN that supports C2R and non-C2/admin users (that is the balance of the VVoIP system) are provided some reasonable level (minimum 15 minutes / target 30 to 60 minutes) of UPS in support of emergency life-safety and security communications. > UPS systems supplying power to infrastructure that supports special-C2 and C2 users must also support environmental power (for example cooling power) such that equipment failures are prevented. This support may not need to be continuous but must be commensurate with the users supported (8 or 2hrs as appropriate). UPS. NOTE: UPS in support of C2R and non-C2/admin users’ endpoints is best provided using POE particularly if supporting the general population. (Probably more cost effective than a battery under every desk). While support of all such endpoints and infrastructure is desirable since this provides greater availability, the cost could become a negating factor. In this case, a portion of the regular endpoints or emergency use endpoints could be provided at strategic locations within the facility to fulfill the requirement to support emergency life-safety and security communications. Determine if the LAN supports Special-C2 or C2 users. If so, determine which part (or parts) of the LAN directly supports these users. Determine the method by which C2R and non-C2/admin users’ emergency life-safety and security communications are supported. This is a finding in the event, based on the interview; consideration has not been given to all aspects of backup power as described in the requirement. This finding carries a severity of Cat II if the requirements supporting a Special-C2 or C2 user are deficient. This finding carries a severity of Cat III if the requirements supporting C2R or Non-C2/admin users are deficient. NOTE: The requirement here for UPS support for C2R or Non-C2/admin users communications is negated in the event that such users have an alternate reliable means of communicating in such situations. Personal and potentially even government provided cell phones are not the answer since there are many locations in DoD facilities where they are prohibited and/or signal availability is unreliable. An alternative to this could be to put a policy and SOP into effect that requires such users to evacuate the facility to a location where the appropriate communications capability is available.
Ensure an uninterruptible power supply (battery at a minimum; plus optional generator) is provided for all parts of the VVoIP infrastructure (Core LSC/MFSS, adjunct systems providing critical services, EBC, CER, LAN NEs, and endpoints as follows: > All devices including voice endpoints and portions of the LAN that directly support any single special-C2 user are minimally provided 8 hours UPS. > All devices including voice endpoints and portions of the LAN that directly supports any single C2 user are minimally provided 2 hours UPS. > All devices including voice endpoints and portions of the LAN that supports C2R and non-C2/admin users (that is the balance of the VVoIP system) are provided some reasonable level of UPS in support of emergency life-safety and security communications. > UPS systems supplying power to infrastructure that supports special-C2 and C2 users must also support environmental power (for example cooling power) such that equipment failures are prevented. This support may not need to be continuous but must be commensurate with the users supported (8 or 2hrs as appropriate). UPS NOTE: UPS in support of C2R and non-C2/admin users’ endpoints is best provided using POE particularly if supporting the general population. (Probably more cost effective than a battery under every desk). While support of all such endpoints and infrastructure is desirable since this provides greater availability, the cost could become a negating factor. In this case, a portion of the regular endpoints or emergency use endpoints could be provided at strategic locations within the facility to fulfill the requirement to support emergency life-safety and security communications. Install, upgrade, and maintain UPS systems as needed to meet the backup power requirements.
Interview the IAO to confirm compliance with the following requirement: Ensure static addresses are assigned to the VVoIP core components within the dedicated VVoIP address space.
Ensure static addresses are assigned to the VVoIP core components within the dedicated VVoIP address space. When defining the VVoIP system implementation plan and addressing scheme, assign static addresses to the VVoIP core components
Review site documentation to confirm the VVoIP system management network provides bidirectional enclave boundary protection between the local management network and the DISN voice services management network. This requirement is applicable to VVoIP core system devices and TDM based telecom switches managed via multiple networks and those managed via a single physical Ethernet IP interface. For example, when the ADIMSS and local SAs both manage a VVoIP system or device via a common pathway such as the local management VLAN or OOB management network, a firewall is required between the local network and the ADIMSS network. Determine who owns and is responsible for the enclave boundary protection device configuration and management. This device may be owned and operated by the DISN management network or the local network. Two such devices may be owned and operated by each entity. If the VVoIP system management network does not provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network, this is a finding.
Implement and document the VVoIP system management network to provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network.
Inspect the connections to and the configurations of the VVoIP system core devices and those of the core LAN elements that support them. Look for the dedicated management LAN or VLAN to confirm that one has been implemented. Verify the voice/video system (VVoIP system and/or TDM switch) management is segregated or separated from production traffic and other management traffic and such that access and traffic flow can be properly controlled and role based access is supported. If the VVoIP system and LAN is not designed to provide the necessary separation of the management traffic and interfaces or such separation is not implemented as described above or at all, this is a finding. NOTE: This may be implemented using a separate voice system management VLAN or OOB network, the purpose of which is to provide for separation of access paths in support of separation of duties between the data network and server SAs and the VVoIP or TDM system SAs. This VLAN may be accessed from the general LAN management VLAN via a controlled ACL, gateway or firewall if needed.
Implement a dedicated OOB network or closed virtual In-band network (VLAN) for the VVoIP system and connect the core device management interfaces to it in compliance with the following requirement: Ensure VVoIP system management is segregated or separated from production traffic and other management traffic and such that access and traffic flow can be properly controlled and role based access is supported. NOTE: the purpose of the separate VVoIP management VLAN or OOB network is to provide for separation of access in support of separation of duties between the data network or server SAs and the VVoIP system SAs. This VLAN may be accessed from the general LAN management VLAN via a controlled ACL, gateway or firewall if needed.
Interview the IAO to confirm compliance with the following requirement: In the event the LAN supports VVoIP system core or infrastructure equipment or multiple VVoIP VLANs, ensure the supporting LAN design contains one or more routing devices (router or layer 3 switch) to provide traffic control (support for required ACLs) between the various required VVoIP VLANs required for the core equipment. This device(s) should be as close to the VVoIP core equipment as possible. As such this is the intersection of these VLANs. NOTE: this does not have to be one device but could be several, particularly if the VVoIP equipment is split and geographically diverse in support of system survivability. NOTE: These devices may be (and typically will be) the core routing devices for the data LAN as well or may be dedicated to the VVoIP system.
Ensure the VVoIP system and supporting LAN design contains one or more routing devices (router or layer 3 switch) to provide traffic control (support for required ACLs) between the various required VVoIP VLANs. Install the required routing equipment as close to the VVoIP core equipment as is practical and apply the required ACLs.
Interview the IAO to confirm compliance with the following requirement: Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented Media Gateway (MG) using a PRI or CAS trunk to a PSTN CO except as follows: • The enclave is small and has one or more PSTN subscriber lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DoD VVoIP system. • The enclave is small and has one or more Commercial/Public VoIP subscriber lines or trunks terminated on an IP/Ethernet network that is separate from the DoD NIPRNet accessible network. (NOTE: This situation requires OSD GIG Waiver Panel approval for the required ISP connection.) NOTE: Trunks that support SS7 signaling and SS7 based signaling between a DoD network and a non-DOD network is prohibited. Determine if the following exceptions apply: • Is the enclave small and does it have one or more PSTN subscriber lines terminated on individual phones, OR a dedicated key system, OR a dedicated PBX, all of which are separate from the DoD VVoIP system? • Is the enclave small and does it have one or more Commercial/Public VoIP subscriber lines or trunks terminated on an IP/Ethernet network that is separate from the DoD NIPRNet accessible network? This is a finding in the event the site is not connected to the PSTN via a MG located within the local site enclave as described above AND one of the exceptions is not applicable.
Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented Media Gateway (MG) using a PRI or CAS trunk to a PSTN CO except as follows: • The enclave is small and has one or more PSTN subscriber lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DoD VVoIP system. • The enclave is small and has one or more Commercial/Public VoIP subscriber lines or trunks terminated on an IP/Ethernet network that is separate from the DoD NIPRNet accessible network. (NOTE: This situation requires OSD GIG Waiver Panel approval for the required ISP connection.) NOTE: Trunks that support SS7 signaling and SS7 based signaling between a DoD network and a non DOD network is prohibited.
If the system does not support a minimum of 96 instruments, this is Not Applicable. If the site is in a tactical war zone where “friendly” service is not available, this is Not Applicable. Interview the ISSO to verify the site has local analog or TDM commercial phone service provided to support COOP and FES calls. The two most common methods to implement TDM or VVoIP systems are as follows: - Connect local commercial service to the site’s local phone system/switch (TDM or VVoIP) and program access to the local service from all Voice Video Endpoints. - Connect local commercial service to dedicated Voice Video Endpoints (separate from the site’s local phone system) throughout the facility and accessible in all work areas. These dedicated Voice Video Endpoints may be stand alone or part of a dedicated a key system, PBX, or VVoIP network separate from the site’s local VVoIP or TDM phone system. - Sites may use mobile devices for COOP and FES calls in support of non-sensitive unclassified areas. Note: The IA premise of this requirement is “availability” and COOP. The purpose of this requirement is to provide local commercial service in the event the site is cut off from DISN service or the main site to which the local site is subtended and tethered. If the site does not have local analog or TDM commercial phone service provided to support COOP and FES calls, this is a finding. If the local commercial service is VoIP or VVoIP, this is a finding.
Implement local commercial phone service (analog or TDM) according to the size of the site and the following: Ensure local analog or TDM commercial phone service supports COOP and FES calls. This applies to TDM or VVoIP systems conditionally as follows: - Connect local commercial service to the site’s local phone system/switch (TDM or VVoIP) and program access to the local service from all Voice Video Endpoints. - Connect local commercial service to dedicated Voice Video Endpoints (separate from the site’s local phone system) throughout the facility and accessible in all work areas. These dedicated Voice Video Endpoints may be stand alone or part of a dedicated a key system, PBX, or VVoIP network separate from the site’s local VVoIP or TDM phone system. - Sites may use mobile devices for COOP and FES calls in support of non-sensitive unclassified areas.
Interview the IAO to validate compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves, ensure the VVoIP system’s WAN connection and boundary as well as its components including as their upgrades and changes are included in the site’s enclave / LAN C&A documentation (i.e., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.). > Review the baseline documentation and/or C&A documentation to verify that the VVoIP WAN boundary and/or modifications are included. Verify there is a procedure for approving changes to configuration.
In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves, ensure the VVoIP system’s WAN connection and boundary as well as its components including as their upgrades and changes are included in the site’s enclave / LAN C&A documentation (i.e., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc). Add the VVoIP WAN boundary and/or its modifications to the site’s enclave / LAN baseline and C&A documentation Obtain DAA approval for the updated documentation. Submit to the SRR team lead for validation and finding closure.
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system within the enclave connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications between enclaves to any level of C2 user (Special C2, C2, C2(R)), ensure the system is integrated with (subscribed to) the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service (i.e., DISN NIPRNet IP Voice Services (IPVS) or DISN SIPRNet IP Voice Services (IPVS) otherwise known as VoSIP). NOTE: an exception is given for an enclave that is part of an Intranet if the intranet as a whole is subscribed to the appropriate DISN IPVS. NOTE: An exception is given for private VVoIP communications systems implemented amongst a small community of interest to fulfill a validated mission requirement. In this case, the system is essentially an intercom even though it might span enclave boundaries and the DISN. Determine if the system is used to provide assured service communications between enclaves to any level of C2 user (Special C2, C2, C2(R)). This is a finding in the event the VVoIP system within the enclave is connected to the DISN WAN for VVoIP transport but is not subscribes to or integrated with the DISN IPVS implemented on NIPRNet or SIPRNet. This is not a finding in the event the VVoIP system within the enclave is integrated with a service level Intranet or if it is implemented as a private communications system (e.g., intercom) implemented amongst a small community of interest to fulfill a validated mission requirement.
In the event the VVoIP system within the enclave connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications between enclaves to any level of C2 user (Special C2, C2, C2(R)), ensure the system is integrated with (subscribed to) the worldwide DISN IPVS network operating on the appropriately classified DISN IP WAN service (i.e., DISN NIPRNet IP Voice Services (IPVS) or DISN SIPRNet IP Voice Services (IPVS) otherwise known as VoSIP).
Interview the ISSO to confirm compliance with the following requirement: For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure the boundary design includes one or more DoD APL listed CE-R(s) terminating the DISN access circuits. The CE-R must be robust/reliable and provide QOS features and capabilities as required by the UCR for the specific type of site. NOTE: If the DISN access circuits are dual homed, dual CE-Rs should be implemented unless a single CE-R can provide uninterrupted (5 9s) connectivity to the DISN. NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture. NOTE: The CE-R must allow traditional SIP and SRTP traffic, and traffic encrypted and encapsulated on port 443 from Cloud Service Providers. Determine, through interview and/or physical inspection, the specific make, model, and OS version of the CER. Access the DoD APL websites at listed below: https://www.disa.mil/network-services/ucco https://aplits.disa.mil/apl/ https://www.disa.mil/Network-Services/UCCO/APL-Removal-List Verify all installed CE-Rs and software load (OS) versions are listed. If all installed CE-Rs and software load (OS) versions are not listed, this is a finding.
For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure the boundary design includes one or more DoD APL listed CE-R(s) terminating the DISN access circuits. The CE-R must be robust/reliable and provide QOS features and capabilities as required by the UCR for the specific type of site. NOTE: If the DISN access circuits are dual homed, dual CERs should be implemented unless a single CER can provide uninterrupted (5 9s) connectivity to the DISN. NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture. NOTE: The CE-R must allow traditional SIP and SRTP traffic, and traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Interview the ISSO to confirm compliance with the following requirement: For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure a DoD APL listed Session Border Controller (SBC) is implemented at the enclave boundary between the CER and LSC/ESC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass. NOTE: The SBC may be a dedicated device or may be part of the required data firewall. NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture. NOTE: The SBC may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers. Determine, through interview and/or physical inspection, the specific make, model, and OS version of the SBC. Access the DoD APL websites at listed below: https://www.disa.mil/network-services/ucco https://aplits.disa.mil/apl/ https://www.disa.mil/Network-Services/UCCO/APL-Removal-List Verify all installed SBCs and software load (OS) versions are listed. If all installed SBCs and software load (OS) versions are not listed, this is a finding.
For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure a DoD APL listed Session Border Controller (SBC) is implemented at the enclave boundary between the CER and LSC/ESC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass. NOTE: The SBC may be a dedicated device or may be part of the required data firewall. NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture. NOTE: The SBC may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system within the enclave is interconnected with other VVoIP systems across the WAN, ensure the required internal Network IDS (NIDS) is implemented such that it monitors the traffic to/from both the data firewall (function) and the required VVoIP firewall/EBC (function). NOTE: This is applicable whether the VVoIP system is integrated with the DISN IPVS or not. This is a finding in the event the NIDS is not implemented such that it sees traffic from the VVoIP firewall (EBC or other) as well as the data firewall. NOTE: The NIDS monitoring the VVoIP firewall may be the same device that monitors the data firewall or it may be a separate device. In the event it is a separate device, it is subject to all Network Infrastructure STIG requirements to include CNDSP monitoring if applicable. NOTE: The Network Infrastructure STIG recognizes that many of today’s NIDS are also intrusion prevention devices. The NI STIG refers to the required NIDS as an Intrusion detection/Prevention System (IDPS).
In the event the VVoIP system within the enclave is interconnected with other VVoIP systems across the WAN, ensure the required internal Network IDS (NIDS) is implemented such that it monitors the traffic to/from both the data firewall (function) and the required VVoIP firewall/EBC (function). NOTE: This is applicable whether the VVoIP system is integrated with the DISN IPVS or not.
Interview the ISSO to confirm compliance with the following requirement: For VVoIP systems within the enclave integrated with the unclassified or classified DISN IPVS network, ensure the system is designed to include at least one LSC, ESC, or MFSS for session control within the enclave. NOTE: The LSC/ESC (one or more per site) manages local endpoint registration and calls established to/from local endpoints and facilities. Also manages calls into and out of the enclave. The MFSS (one per site and potentially a backup LSC/ESC) performs session control functions for its site and provides signaling management for a regional set of session controllers. An MFSS is a backbone device and is only required at DISN IPVS PMO designated locations. NOTE: The LSC and MFSS are robust/reliable and provide admission control, and QoS features / capabilities as required by the UCR. NOTE: The session controllers may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers. Determine, through interview and/or physical inspection, the specific make, model, and OS version of all LSCs, ESCs, and MFSS. Access the DoD APL websites at listed below: https://www.disa.mil/network-services/ucco https://aplits.disa.mil/apl/ https://www.disa.mil/Network-Services/UCCO/APL-Removal-List Verify all installed LSCs, ESCs, and MFSS and software load (OS) versions are listed. If all installed LSCs, ESCs, and MFSS and software load (OS) versions are not listed, this is a finding.
For VVoIP systems within the enclave integrated with the unclassified or classified DISN IPVS network, ensure the system is designed to include at least one LSC, ESC, or MFSS for session control within the enclave. NOTE: The LSC/ESC (one or more per site) manages local endpoint registration and calls established to/from local endpoints and facilities. Also manages calls into and out of the enclave. The MFSS (one per site and potentially a backup LSC/ESC) performs session control functions for its site and provides signaling management for a regional set of session controllers. An MFSS is a backbone device and is only required at DISN IPVS PMO designated locations. NOTE: The LSC and MFSS are robust/reliable and provide admission control, and QoS features / capabilities as required by the UCR. NOTE: The session controllers may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure Session Admission Control (SAC) for the DISN Core access circuit(s) is supported by engineered bandwidth budgets for VoIP and Video calls/sessions in support of Assured Service. NOTE: SAC in support of Assured Service is also referred to as Assured Service Admission Control (ASAC) NOTE: The VoIP budget covers the following types of services: Voice VoIP, FoIP, MoIP, or SCIP over IP calls NOTE: Per call/session units are defined in the UCR and are unidirectional. They must be doubled to support bi-directional communications between users which is the typical phone call. This is a finding in the event there is no evidence that the required budgets have been calculated and/or the access circuit has not been sized accordingly.
In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure Session Admission Control (SAC) for the DISN Core access circuit(s) is supported by engineered bandwidth budgets for VoIP and Video calls/sessions in support of Assured Service. NOTE: SAC in support of Assured Service is also referred to as Assured Service Admission Control (ASAC) NOTE: The VoIP budget covers the following types of services: Voice VoIP, FoIP, MoIP, or SCIP over IP calls NOTE: Per call/session units are defined in the UCR and are unidirectional. They must be doubled to support bi-directional communications between users which is the typical phone call. NOTE: Instructions for determining voice call budgets for a DISN WAN access circuit can be found in the UCR section 5.3.3.11 Provisioning
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the enclave is dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. NOTE: This means there are two DISN (or commercial) access circuits (many circuits will have a commercial component, typically the “last mile”) from the site/enclave to the DISN SDNs. NOTE: This assumes the site/enclave is NOT collocated with a DISN SDN such that a direct Ethernet or optical connection can be made. NOTE: If a site is located at a DISN SDN and is able to directly connect to the SDN using Ethernet or optical connections, the site may be able to rely on the dual homing of the SDN into the core. However, the site must still be homed to two geographically diverse ARs. This is dependant upon the size or type of the SDN. A large site directly connected to a smaller SDN will implement an access circuit to a geographically diverse SDN (i.e., another SDN in another location remote from the local SDN. This should not be one of the SDNs that to which the local SDN is homed. Determine if the site supports any level of C2 user. Determine how many access circuits are implemented and to what SDN they are homed. Additionally, determine the ARs or PEs to which the enclave is homed. This is a finding in the event the site is a C2 site and the DISN access circuits between the enclave’s WAN boundary and the DISN is not redundant and diverse as described in the requirement and notes. This is not a finding in the event the site does not support any level of C2 user.
In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the enclave is dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) routers. NOTE: This means there are two DISN (or commercial) access circuits (many circuits will have a commercial component, typically the “last mile”) from the site/enclave to the DISN SDNs. NOTE: This assumes the site/enclave is NOT collocated with a DISN SDN such that a direct Ethernet or optical connection can be made.. NOTE: If a site is located at a DISN SDN and is able to directly connect to the SDN using Ethernet or optical connections, the site may be able to rely on the dual homing of the SDN into the core. However, the site must still be homed to two geographically diverse ARs. This is dependant upon the size or type of the SDN. A large site directly connected to a smaller SDN will implement an access circuit to a geographically diverse SDN (i.e., another SDN in another location remote from the local SDN. This should not be one of the SDNs that to which the local SDN is homed.
Interview the IAO to confirm compliance with the following requirement: In the event dual homed DISN core access circuits are implemented as required to serve the enclave, ensure each circuit has the same capacity such that one is able to support the entire engineered bandwidth needs of the enclave. NOTE: Each circuit must be engineered to include additional bandwidth to support higher levels of both data and VVoIP communications in time of crisis. Determine if the site is dual homed via dual access circuits. Determine the size of both access circuits. Determine the engineered bandwidth needs for the enclave connection to the WAN.
Ensure a bandwidth engineering study is performed to determine the WAN bandwidth needs for the site to include surge capacity. Ensure each redundant DISN Core access circuit has the same capacity such that one is able to support the entire engineered bandwidth needs of the enclave.
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the required dual homed DISN Core or NIPRNet access circuits follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. Each circuit will use different facilities such as cables, demarks, and digital cross connects in geographically diverse locations. NOTE: Geographic and facilities diversity will be maintained on-site and off-site. This is a finding in the event the required dual-homed circuits follow the same path or are close enough to be damaged by a single event. NOTE: The paths taken by the access circuits must remain significantly separate for their entire length such that a single point of failure is not created.
Ensure dual homed DISN Core or NIPRNet access circuits follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. Ensure each circuit uses different facilities such as cables, demarks, and digital cross connects in geographically diverse locations. Ensure geographic and facilities is maintained on-site and off-site. Ensure the paths taken by the access circuits remain significantly separate along their entire length such that a single point of failure is not created.
Review site documentation to confirm critical network equipment is redundant and in geographically diverse locations for a site supporting C2 users. Redundant sets of CERs, SBCs, and session controllers must be housed in geographically diverse facilities within the site such that if one of locations is lost or isolated from the network, communications service is maintained. Sites facilities with a Soft Switch should have a session controller implemented in a geographically diverse location. If critical network equipment does not have redundant equipment, this is a finding. If redundant critical network equipment is not in a geographically diverse location, this is a finding. If it is determined, following a cost versus benefit study and risk analysis, that redundant facilities containing dual sets of CERs, SBCs, and session controllers are not warranted for the given site, this requirement should be marked as a finding with a justification included in the POA&M stating the Authorizing Official (AO) is cognizant of and accepts the risk. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Implement and document critical network equipment as redundant and in geographically diverse locations for a site supporting C2 users. Critical network equipment includes CERs, SBCs, and session controllers (or Soft Switches in combination with session controllers). NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
Inspect the VVoIP implementation system design for connections to commercial VoIP ITSP. If the ITSP is providing converged services or other services beyond SIP trunking, NET0160 applies. The use cases applicable to this requirement: Use Case 1: ITSP connections providing direct connection to the enclave’s DoD LAN. Use Case 2: ITSP connections providing a SIP trunk terminating on a media gateway that provides TDM trunks or POTS lines to traditional non-VoIP PBX, key system, or individual end instrument. Use Case 3: ITSP connections terminating on a separate LAN from the enclave’s DoD LAN supporting a separate VoIP system. Use Case 4: ITSP connections providing service over any approved ISP gateway. If any enclave connects with commercial VoIP provider (ITSP) and is not approved by the DoDIN Waiver Panel, this is a finding. If the DOD CIO has not signed for a permanent “alternate connection” to the ITSP, this is a finding. NOTE: This connection will be a permanent connection and should be designated or recognized as such in the approval documentation since most such approvals are for temporary connections.
Obtain approval by the DoDIN Waiver Panel and signature by the DOD CIO for a permanent “alternate connection” to the ITSP for any connection with a commercial VoIP provider (ITSP).
Interview the ISSO to validate compliance with the following requirement: Ensure traffic from a Unified Capabilities (UC) soft client, operated in a remote access scenario and using an encrypted VPN as required, is routed to the VoIP VLAN such that the separation of the voice and data zones is not degraded while all other traffic is routed to the data zone. Inspect network diagrams to determine if the boundary and remote access VLAN architecture properly routes VoIP traffic from the VPN to the voice VLANs while maintaining proper flow control and access between the data VLANs and the voice VLANs. If the boundary and remote access VLAN architecture does not properly route VoIP traffic from the VPN to the voice VLANs while maintaining proper flow control and access between the data VLANs and the voice VLANs, this is a finding.
Ensure traffic from a Unified Capabilities (UC) soft client, operated in a remote access scenario and using an encrypted VPN as required, is routed to the VoIP VLAN such that the separation of the voice and data zones is not degraded while all other traffic is routed to the data zone. Configure the enclave boundary and remote access VLAN architecture to properly route VoIP traffic from the VPN to the voice VLANs and maintain proper flow control and access between the data VLANs and the voice VLANs.
If the voice video endpoints do not contain a PC port, this is not applicable. Review site documentation to confirm that when 802.1x is implemented and the voice video endpoint PC ports are disabled, the network access switch port is configured to support a disabled PC port by configuring PC port traffic to the unused VLAN. If 802.1x is implemented, the voice video endpoint PC ports are disabled, and the network access switch port is not configured to support a disabled PC port by configuring PC port traffic to the unused VLAN, this is a finding. The voice video endpoint network access switch port normally is configured with a VVoIP VLAN for the VVoIP traffic. This is IAW and supports the NI STIG requirement NET1435.
Implement and document that when 802.1x is implemented and the voice video endpoint PC ports are disabled, the network access switch port is configured to support a disabled PC port by sending PC port traffic to the unused VLAN. Do not statically assign the switch port to the voice video VLAN.
Review site documentation to confirm the appropriate number of pre-authorized MAC addresses must be statically assigned for the pre-authorized voice video endpoints, to include daisy chained devices. If static assignment is not implemented, the maximum number of MAC addresses dynamically learned on each access switch port must be limited to the minimum number of supported devices authorized to connect. If static assignment is not implemented and dynamic learning is not limited, this is a finding. The dynamic MAC-based port security used for port security where MAC addresses are learned configuration settings must be as follows: - A LAN switch port supporting a single authorized voice video endpoint is configured for a learned maximum of one. The PC port must be disabled, if present. - A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured for a learned maximum of three dynamically learned addresses. While two authorized devices are permitted to connect, the endpoint address may be learned twice in association with the data VLAN and the voice video VLAN. - When a hardware voice video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured for a learned maximum of five dynamically learned addresses. This is because both the hardware voice video endpoint and video conference endpoint will typically be assigned to the VVoIP VLAN due to switch port mode configuration limitations, and both endpoints may be learned twice in association with the data VLAN and the voice video VLAN. If the switch port supports a third VLAN in access mode, additional MAC addresses may be learned by the multiple VLANs, thereby requiring the maximum to be set higher but only if absolutely necessary. When dynamic MAC assignment is implemented, if the maximum number of MAC addresses dynamically learned on each access switch port is not limited to the minimum number of supported devices authorized to connect, this is a finding. The static mapping of MAC addresses used for port security configuration settings must be as follows: - A LAN switch port supporting a single authorized voice video endpoint is configured with one MAC address. The PC port must be disabled, if present. - A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured with two MAC addresses. - When a hardware voice video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses. When static MAC assignment is implemented, if the appropriate numbers of pre-authorized MAC addresses are not statically assigned for the pre-authorized voice video endpoints, to include daisy chained devices, this is a finding. If static assignment is not implemented and dynamic learning is not limited as directed, this is a finding.
Implement and document that the appropriate number of pre-authorized MAC addresses are statically assigned for the pre-authorized voice video endpoints, to include daisy chained devices, or the maximum number of MAC addresses dynamically learned on each access switch port are limited to the minimum number of supported devices authorized to connect. When dynamic MAC-based port security is used for port security where MAC addresses are learned, configuration settings must be as follows: - A LAN switch port supporting a single authorized voice video endpoint is configured for a learned maximum of one. The PC port must be disabled, if present. - A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured for a learned maximum of three dynamically learned addresses. - When a hardware voice video endpoint, video conference endpoint, and a computer are daisy chained on one LAN drop and switch port, the switch port is configured for a learned maximum of five dynamically learned addresses. When static mapping of MAC addresses is used for port security, configuration settings must be as follows: - A LAN switch port supporting a single authorized voice video endpoint is configured with one MAC address. The PC port must be disabled, if present. - A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured with two MAC addresses. - When a hardware voice video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.
Review site documentation to confirm the 802.1x authentication server places voice video traffic in the correct VLAN when authorizing LAN access for voice video endpoints. When the network access control implementation uses 802.1x and the network access switch ports are configured as 802.1x authenticators, ensure the voice video endpoints integrate into the 802.1x access control system. If the 802.1x authentication server does not place data and voice video traffic in the correct VLANs when authorizing LAN access for voice video endpoints, this is a finding. An example follows: If all LAN ports are configured to use 802.1x LAN access control (as the typical case would be), and are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or voice video endpoints. If a workstation authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. If a video conference endpoint authenticates, the switch port must be configured with the video conference VLAN. When a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. When a voice video endpoint provides a PC port, and the PC port is disabled (as required) because the 802.1x implementation cannot control LAN access via the PC port once the endpoint is authorized, the required configuration for the network access switch ports is to configure the appropriate VLAN for the voice video traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required).
Implement and document that the 802.1x authentication server places data and voice video traffic in the correct VLANs when authorizing LAN access for voice video endpoints.
Interview the IAO to confirm compliance with the following requirement: In the event hardware based instruments are implemented in a COOP capacity for backup or emergency communications, and such instruments are not regularly used, the IAO will ensure the functionality of these instruments by implementing and documenting a testing program which will include the documentation of the results of each test. NOTE: The frequency of testing for each instrument is variable but should minimally be monthly. Weekly, daily, or randomly within a monthly cycle is better. Testing may be made the responsibility of the user(s) the instrument serves providing they document their tests. The test could minimally involve determining if dial tone is present (unless generated within the phone as with some VoIP phones), but should include the placement of a call to an emergency number.
In the event hardware based instruments are implemented in a COOP capacity for backup or emergency communications, and such instruments are not regularly used, the IAO will ensure the functionality of these instruments by implementing and documenting a testing program which will include the documentation of the results of each test. NOTE: The frequency of testing for each instrument is variable but should minimally be monthly. Weekly, daily, or randomly within a monthly cycle is better. Testing may be made the responsibility of the user(s) the instrument serves providing they document their tests. The test could minimally involve determining if dial tone is present (unless generated within the phone as with some VoIP phones), but should include the placement of a call to an emergency number.
Interview the IAO to validate compliance with the following requirement: Ensure mitigations are implemented against sensitive data exfiltration via IP based voice/video communications systems as follows: >Filter/monitor IP media traffic through Media Gateways (MGs), Session Border Controllers (SBCs), and Edge Border Controllers (EBCs) to detect and block/inhibit the exfiltration of sensitive DoD data from the network via VVoIP RTP/SRTP communications sessions. > Enable appropriate alarms and security event auditing/logging on these filters such that network security personnel and administrators can take appropriate action. Determine the following: > The type(s) of connections to external networks: >> Traditional switch trunks connected to a VVoIP system via a MG. >> A VVoIP system connected to an external IP WAN (DISN U-IPVS or ITSP) via a SBC or EBC. This is a finding in the event one or more of the following conditions exist: > Traditional switch trunks are connected to a VVoIP system via a MG without a RTP/SRTP data exfiltration filter between the MG and the VVoIP system endpoints. >> The VVoIP system is connected to an external IP WAN (DISN U-IPVS or ITSP) via a SBC or EBC without a RTP/SRTP data exfiltration filter within the SBC/EBC or between the SBC/EBC and the VVoIP system endpoints.
Implement mitigations against sensitive data exfiltration via IP based voice/video communications systems as follows: >Filter/monitor IP media traffic through Media Gateways (MGs), Session Border Controllers (SBCs), and Edge Border Controllers (EBCs) to detect and block/inhibit the exfiltration of sensitive DoD data from the network via VVoIP RTP/SRTP communications sessions. > Enable appropriate alarms and security event auditing/logging on these filters such that network security personnel and administrators can take appropriate action. Establish proactive monitoring as well as policy and procedure regarding incident response.
Interview the ISSO to validate compliance with the following requirement: Inspect the telephone system configuration to determine compliance with the requirement. Verify the site’s local DoD telephone system, VoIP or traditional, supports DoD Instruction 6055.06 telecommunication capabilities as follows: - The site implements support for DoD Instruction 6055.06 through local policies, procedures, staffing, and facilities; or agreements/contracts with external providers. - The site’s telephone system supports enhanced F&ES emergency communications. - The site’s telephone system (VoIP or traditional), provides ANI information to the emergency services answering point and a PS-ALI database is established within the telephone system or externally, the information from which is accessible to the emergency services answering point. - The site maintains and keeps current the PS-ALI database with all telephone adds, moves, and changes. If the F&ES communications over a site’s telephone system is not configured to support the DoD Instruction 6055.06 telecommunication capabilities, this is a finding. If the site does not provide F&ES telecommunications services (fire, police, medical, etc.), or support enhanced emergency communications, this is a finding.
Configure the F&ES communications over a site’s DoD telephone system, VoIP or traditional, to support the DoD Instruction 6055.06 telecommunication capabilities as follows: - The site implements support for DoD Instruction 6055.06 through local policies, procedures, staffing, and facilities; or agreements/contracts with external providers. - The site’s telephone system supports enhanced F&ES emergency communications. - The site’s telephone system (VoIP or traditional), provides ANI information to the emergency services answering point and a PS-ALI database is established within the telephone system or externally, the information from which is accessible to the emergency services answering point or call center. - The site maintains and keeps current the PS-ALI database with all telephone adds, moves, and changes.
Interview the ISSO to validate compliance with the following requirement: Inspect the telephone system configuration to determine compliance with the requirement. Verity the local DoD telephone system, VoIP or traditional, is configured to provide the originating telephone number of an F&ES call to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information. If the originating telephone number of an F&ES call is not available or is not provided to the emergency services answering point or call center, this is a finding.
Configure the local DoD telephone system, VoIP or traditional, to provide the originating telephone number of an F&ES call to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
Interview the ISSO to validate compliance with the following requirement: Inspect the telephone system configuration or external database to determine compliance with the requirement. Verify the local DoD telephone system, VoIP or traditional, is configured to provide the originating telephone number and the physical location of an F&ES caller to the emergency services answering point through a transfer of Automatic Number Identification (ANI) and Phone Switch Automatic Location Identification (PS-ALI) information or the emergency services answering point is provided automated access to the required PS-ALI database. If the location of an F&ES caller is not is not provided to, or is not accessible by, the emergency services answering point or call center, this is a finding. NOTE: These requirements also apply to key telephone systems and installations where a single number has multiple appearances (appears on multiple telephones) such that individual instruments in the system can be identified.
Configure the local DoD telephone system, VoIP or traditional, to provide the originating telephone number and the physical location of an F&ES caller to the emergency services answering point through a transfer of Automatic Number Identification (ANI) and Phone Switch Automatic Location Identification (PS-ALI) information or the emergency services answering point is provided automated access to the required PS-ALI database.
Interview the ISSO to validate compliance with the following requirement: Inspect the telephone system configuration and routing tables to determine compliance with the requirement. Verify the local DoD telephone system, VoIP or traditional, routes calls to the designated local emergency services number at the public and private emergency services answering point (PSAP) as a priority call in a non-blocking manner. If an emergency services number is not designated to access an emergency services answering point or call center whether internal to the local site or to another local agency or municipality, this is a finding. If calls to this number are not treated as a priority call in a non-blocking manner, this is a finding. NOTE: In the event the F&ES calls are routed to a public entity outside the private telephone system, the call must route to an internal emergency number in parallel with the external call. Both calls should have the same priority. This is so that the site can be aware of the emergency and assist the F&ES responders in reaching the location of the caller. F&ES calls may be routed to an internal on-site F&ES answering point providing the site maintains robust local police, fire, and medical services such that these can replace public services. In the event a public F&ES answering point is the primary answering point for the site, calls must be directly routed to it and not relayed via a local emergency answering point. A second call from the local emergency answering point should not be required to obtain emergency services from the public F&ES answering point unless the site maintains full and comparable police, fire, and medical services and its answering point is the primary. In the event a local private answering point is the primary answering point, and if this private answering point is not fully staffed on a 24-7 basis, the telephone system must route F&ES calls to the public answering point when the local answering point is not fully staffed, for example outside the normal working hours of the site.
Configure the local DoD telephone system, VoIP or traditional, to routes calls to the designated local emergency services number at the public or private emergency services answering point (PSAP) as a priority call in a non-blocking manner. Configure the telephone system to treat calls to the designated emergency services number as a priority call in a non-blocking manner.
Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control (C2) users. Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that directly support one or more special-C2 users are minimally provided 8 hours UPS. - All special-C2 user VVoIP endpoints relying on Power over Ethernet (PoE) must have power sourcing equipment (PSE) sized to support the asset and endpoints by the UPS for a minimum 8 hours. - All special-C2 user VVoIP endpoints without PoE must be minimally provided 8 hours UPS. - UPS systems (battery at a minimum; plus optional generator) supplying infrastructure power supporting special-C2 and C2 users must also support environmental power (HVAC) such that equipment failures are prevented. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed directly support one or more special-C2 user. If no special-C2 users are supported, this requirement is not applicable. If special-C2 users are supported, determine if assets are provided with 8 hours of backup power. If 8 hours of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support special-C2 users, this is a finding.
Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices including voice endpoints and portions of the LAN that directly support one or more special-C2 users must be minimally provided 8 hours UPS. Document the VVoIP system design with UPS implementation. Note: UPS systems supplying power to infrastructure supporting special-C2 and C2 users must also support environmental power to prevent equipment failures. This support must be commensurate with the users supported (8 or 2 hours as appropriate).
Interview the IAO to validate compliance with the following requirement: For VVoIP and UC servers and endpoints, ensure all PPS that are not necessary for the operation or maintenance of the system are disabled or the supporting software removed. Limit production PPS to production interfaces and management PPS to the OAM&P interfaces.
Disable all PPS on all VVoIP or UC system servers and sevices that are not required to support OAM&P in the specific VVoIP system implementation. Additionally, if possible, remove the software for the unnecessary PPS.
Interview the IAO to validate compliance with the following requirement: In the event DNS is used in the VVoIP system, ensure the DNS server is dedicated to the VVoIP system and that any DNS server interaction with other DNS servers is limited. Additionally ensure internal system URLS and information is not published to the enterprise WAN or the Internet. Determine if: The VVoIP system DNS server is not dedicated to the VVoIP system within the LAN; OR The VVoIP system DNS server freely interacts with other DNS servers outside the VVoIP system; OR The VVoIP system information is published to the enterprise WAN or the Internet. This is a finding in the event one or more of these conditions exist.
Consider not using DNS for the VVoIP system unless it is required. In the event DNS is used in the VVoIP system, ensure the DNS server serving the VVoIP system is dedicated to the VVoIP system and that any DNS server interaction with other DNS servers is limited. Additionally ensure internal system URLS and information is not published to the enterprise WAN or the Internet. NOTE: In the event a DNS server is implemented within the VVoIP system, the DNS STIG must be applied to the server.
Interview the IAO to validate compliance with the following requirement: Ensure the VVoIP system’s time is synchronized with or receives its time from the two internal LAN NTP servers that are configured within the LAN management VLAN in accordance with the Network Infrastructure STIG. Further ensure the VVoIP endpoints receive their time from the VVoIP system controller. NOTE: The use and implementation of NTP within the VVoIP system must be implemented in accordance with the Network Infrastructure STIG NTP requirements and policies. This is a finding in the event these conditions are not met. Additionally determine how the endpoints time is synchronized. This is a finding in the event their time is not sourced from the VVoIP system controller via the VVoIP VLANs.
Implement NTP usage in the VVoIP system in accordance with the Network Infrastructure STIG policy and requirements. Ensure the VVoIP system’s time is synchronized with or receives its time from the two internal LAN NTP servers that are configured within the LAN management VLAN in accordance with the Network Infrastructure STIG. Further ensure the VVoIP endpoints receive their time from the VVoIP system controller. NOTE: Implementing NTP within the VVoIP system will require the system/call controller to be configured to receive authenticated NTP messages from the two NTP server IP addresses via its management interface. This will require that permissions be granted between the VVoIP management VLAN and the LAN management VLAN such that NTP requests and responses can flow between the VVoIP system controller and the two NTP servers in the LAN management VLAN. If the VVoIP endpoints time is synchronized via NTP, the VVoIP controller will have to serve as their NTP server since the endpoints do not have access to the VVoIP or LAN management VLANs and should not be permitted such access.
Interview the IAO to confirm compliance with the following requirement: Verify VVoIP endpoint configuration files transferred via Cisco TFTP are encrypted and signed using DoD PKI certificates. NOTE: This requirement is not applicable to systems that do not use Cisco TFTP.
Configure the VVoIP endpoint configuration files transferred via Cisco TFTP to be encrypted and signed using DoD PKI certificates. Refer to the “CISCO-UCM-TFTP” Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details.
Interview the IAO to confirm compliance with the following requirement: Verify VVoIP endpoint configuration files traversing the DISN must be protected within a VPN secured using FIPS 140-2 or NSA approved encryption between enclaves. The reviewer may downgrade to CAT 3 when vendor provided PKI or x.509 certs are used rather than DoD PKI certificates. NOTE: This requirement is not applicable to systems that use Cisco TFTP.
Configure the VVoIP endpoint configuration files traversing the DISN to be protected within a VPN secured using FIPS 140-2 or NSA approved encryption between enclaves.
Interview the ISSO to validate compliance with the following requirement: Verify all VVoIP system components and UC soft clients display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access. If the displayed text is not exactly as specified in the DoD Instruction 8500.01 dated March 14, 2014, this is a finding. The text is posted on the IASE website: http://iase.disa.mil/Documents/unclass-consent_banner.zip
Configure all VVoIP system components and UC soft clients to display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access.
Interview the ISSO to validate compliance with the following requirement: Verify all VVoIP system components and UC soft clients retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.
Configure all VVoIP system components and UC soft clients to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.
Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control (C2) users. Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that directly support one or more C2 users are minimally provided 2 hours UPS. - All C2 user VVoIP endpoints relying on Power over Ethernet (PoE) must have power sourcing equipment (PSE) sized to support the asset and endpoints by the UPS for a minimum 2 hours. - All C2 user VVoIP endpoints without PoE must be minimally provided 2 hours UPS. - UPS systems (battery at a minimum; plus optional generator) supplying power to infrastructure that supports special-C2 and C2 users must also support environmental power (HVAC) such that equipment failures are prevented. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed directly support one or more C2 users. If no C2 users are supported, this requirement is not applicable. If C2 users are supported, determine if assets are provided with 2 hours of backup power. If 2 hours of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support C2 users, this is a finding.
Ensure an UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices including voice endpoints and portions of the LAN that directly support one or more C2 users must be minimally provided 2 hours UPS. Document the VVoIP system design with UPS implementation. Note: UPS systems supplying power to infrastructure supporting special-C2 and C2 users must also support environmental power to prevent equipment failures. This support must be commensurate with the users supported (8 or 2 hours as appropriate).
Inspect the VVoIP system design for evidence of continuous backup power to the infrastructure and command and control (C2) users. Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints as follows: - All VVoIP system devices including portions of the LAN that supports non-C2 users are provided 15 minutes of UPS in support of emergency life-safety and security communications during a power failure. - In no case should a UPS system immediately, or within a short time, drop power to the supported equipment when primary power is removed. This would indicate an undersized or defective UPS unit. Determine if the infrastructure assets being reviewed support non-C2 users. If non-C2 users are supported and a 15 minutes of backup power is not provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints for emergency life-safety and security calls, this is a finding. NOTE: The requirement for UPS support to non-C2 user communications is negated when such users have an alternate reliable means of communicating in such situations. A suitable alternative would be a policy and SOP in effect requiring users to evacuate the facility to a location where mobile communications capability is available and acceptable.
Ensure a UPS system is provided for all parts of the VVoIP infrastructure, including the core LSC/MFSS, adjunct systems providing critical services, SBC, CER, LAN elements, and endpoints. All VVoIP system devices including portions of the LAN supporting non-C2 users are provided a minimum 15 minutes of UPS in support of emergency life-safety and security communications during a power failure. Note: The 15 minutes of UPS mandated by this requirement is a minimum. Backup times of 30-60 minutes are preferred. UPS systems supplying power to infrastructure supporting non-C2 users should also support environmental power to prevent equipment failures.
Review site documentation to confirm the VVoIP endpoint configuration files are not downloaded automatically during endpoint registration. If VVoIP endpoint configuration files are downloaded automatically during endpoint registration, this is a finding.
Implement and document that the VVoIP endpoint configuration files are not downloaded automatically during endpoint registration.
Review site documentation to confirm that the VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network has a MoA signed by both parties in effect. The MoA must stipulate the conditions of operation of the device such that the owner implements a configuration that not only protects the owner’s network but also protects the other’s network. Further validate that both parties have agreed to and signed the MoA. If there is no such MoA, the respective owners may need to implement their own devices. If the VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network does not have a MoA signed by both parties in effect, this is a finding.
Implement and document that the VVoIP system management network with a single device providing bidirectional enclave boundary protection between the local management network and the DISN voice services management network has a MoA signed by both parties in effect.
Review site documentation to confirm that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has ACLs permitting only specific inbound/outbound traffic and deny all other traffic. Enclave boundary protection must be implemented at the entry point of the DISN management network to Inspect the ACLs on the boundary protection devices to ensure a deny-by-default posture allowing only specifically required protocol traffic between specific pairs of IP addresses across the boundary. The inbound ACL must include: - The ability to permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server. - Additional statements for each protocol and IP address pair. - Deny all other traffic. The outbound ACL must include: - The ability to permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network. - Additional statements for each protocol and IP address pair. - Deny all other traffic. If the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network does not have ACLs permitting only specific inbound/outbound traffic and deny all other traffic as indicated above, this is a finding.
Implement and document that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has ACLs permitting only specific inbound/outbound traffic and deny all other traffic. The inbound ACL must include: - The ability to permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server. - Additional statements for each protocol and IP address pair. - Deny all other traffic. The outbound ACL must include: - The ability to permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network. - Additional statements for each protocol and IP address pair. - Deny all other traffic.
Review site documentation to confirm that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has been scanned to confirm protections in place are effective. Validate the effectiveness of the boundary protection ACLs by performing network vulnerability scans as follows: - Scan the entire DISN management network (e.g., RTS EMS, ADIMSS, ARDIMSS, or DCN) address space from an unused randomly selected IP address on the local management network. - Scan the entire local management network address space from an unused randomly selected IP address on the DISN management network. If the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has not been scanned to confirm protections in place are effective, this is a finding. If the network vulnerability scan receives a response from any host on either network, this is a finding.
Implement and document that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has been scanned to confirm protections in place are effective. Validate the effectiveness of the boundary protection on an annual basis.
Confirm a policy and supporting procedures are in place that address the placement and operation of video conferencing, UC soft client, and speakerphone speakers to prevent disclosure of sensitive or classified information over non-secure systems. Operational policy and procedures are included in user training and guides. The policy and supporting procedures should take into account the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use. If a policy and supporting procedures governing video conferencing, UC soft client, and speakerphone speaker operations preventing disclosure of sensitive or classified information over non-secure systems do not exist or are not enforced, this is a finding.
Document and enforce a policy and procedure for video conferencing, UC soft client, and speakerphone speaker operations to prevent disclosure of sensitive or classified information over non-secure systems. Ensure appropriate training is provided for users. The policy and supporting procedures should take into account the classification of the area where the video conferencing equipment, the PC supporting a UC soft client, and Voice Video endpoints are placed, as well as the classification and need-to-know restraints of the information communicated within the area. Include measures such as closing office or conference room doors, adjusting volume levels in open offices, and muting microphones when not directly in use.