Voice Video Session Management Security Requirements Guide

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R6

Published: 2018-07-10

Updated At: 2018-09-23 19:22:23


Vuln | Rule Version | CCI | Severity | Title | Description
SV-76539r1_rule | SRG-NET-000004-VVSM-00010 | CCI-000017 | MEDIUM | The Voice Video Session Manager must automatically disable Voice Video endpoint user access after a 35 day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Voice video session
SV-76541r2_rule | SRG-NET-000015-VVSM-00001 | CCI-000213 | HIGH | The Voice Video Session Manager must enforce registration of only approved Voice Video endpoints prior to operation. | Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determin
SV-76543r2_rule | SRG-NET-000015-VVSM-00002 | CCI-000213 | HIGH | The Voice Video Session Manager must disable (prevent) auto-registration of Voice Video endpoints. | Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determin
SV-76545r1_rule | SRG-NET-000018-VVSM-00026 | CCI-001368 | MEDIUM | The Voice Video Session Manager must control flow within the enclave based on approved dial plans. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network
SV-76547r2_rule | SRG-NET-000019-VVSM-00027 | CCI-001414 | HIGH | The Voice Video Session Manager must control flow outside the enclave based on approved dial plans. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network
SV-76549r1_rule | SRG-NET-000074-VVSM-00029 | CCI-000130 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing the type of session connection. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76551r1_rule | SRG-NET-000075-VVSM-00031 | CCI-000131 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was established. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76553r1_rule | SRG-NET-000075-VVSM-00032 | CCI-000131 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was terminated. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76557r1_rule | SRG-NET-000076-VVSM-00030 | CCI-000132 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing where (location) the connection originated. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76559r1_rule | SRG-NET-000077-VVSM-00034 | CCI-000133 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing the identity of the initiator of the call. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76561r1_rule | SRG-NET-000078-VVSM-00033 | CCI-000134 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing the outcome (status) of the connection. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76567r1_rule | SRG-NET-000079-VVSM-00035 | CCI-001487 | MEDIUM | The Voice Video Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76569r1_rule | SRG-NET-000088-VVSM-00038 | CCI-000139 | MEDIUM | The Voice Video Session Manager must alert the ISSO and SA (at a minimum) in the event of a session (call) record system failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an impending failure of the session record capability. Session recor
SV-76571r1_rule | SRG-NET-000099-VVSM-00041 | CCI-000163 | MEDIUM | The Voice Video Session Manager must protect session (call) records from unauthorized modification. | If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the applicat
SV-76573r1_rule | SRG-NET-000100-VVSM-00040 | CCI-000164 | MEDIUM | The Voice Video Session Manager must protect session (call) records from unauthorized deletion. | If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the applicat
SV-76575r1_rule | SRG-NET-000113-VVSM-00036 | CCI-000169 | MEDIUM | The Voice Video Session Manager must produce session (call) records for events determined to be significant and relevant by local policy. | Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video sy
SV-76577r1_rule | SRG-NET-000131-VVSM-00048 | CCI-000381 | MEDIUM | The Voice Video Session Manager must be configured to disable non-essential capabilities. | It is detrimental for voice video session managers to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They incre
SV-76579r2_rule | SRG-NET-000131-VVSM-00049 | CCI-000382 | HIGH | The Voice Video Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
SV-76581r1_rule | SRG-NET-000147-VVSM-00009 | CCI-001942 | MEDIUM | The Voice Video Session Manager must implement attack-resistant mechanisms for Voice Video endpoint registration. | Attacks against a Voice Video Session Manager may include DoS, replay attacks, or cross site scripting. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicatio
SV-76583r1_rule | SRG-NET-000148-VVSM-00004 | CCI-000778 | MEDIUM | The Voice Video Session Manager must uniquely identify each Voice Video endpoint device before registration. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typically, devices can be identified by MAC or IP address but certificates provide a greater level of security. Identification of devi
SV-76585r2_rule | SRG-NET-000168-VVSM-00016 | CCI-000803 | HIGH | The Voice Video Session Manager must use encryption for signaling and media traffic. | All signaling and media traffic from a Voice Video Session Manager must be encrypted. Network elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for v
SV-76587r2_rule | SRG-NET-000213-VVSM-00011 | CCI-001133 | HIGH | The Voice Video Session Manager must terminate all network connections associated with a communications session at the end of the session, or the session must be terminated after 15 minutes of inactivity. | Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple
SV-76589r1_rule | SRG-NET-000225-VVSM-00021 | CCI-000366 | MEDIUM | The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems. | If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. Without the imple
SV-76591r1_rule | SRG-NET-000226-VVSM-00022 | CCI-000366 | MEDIUM | The Voice Video Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes. | If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. When data is ex
SV-76593r2_rule | SRG-NET-000230-VVSM-00023 | CCI-001184 | HIGH | The Voice Video Session Manager must protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the ne
SV-76595r2_rule | SRG-NET-000235-VVSM-00046 | CCI-001190 | MEDIUM | The Voice Video Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the informat
SV-76597r1_rule | SRG-NET-000273-VVSM-00037 | CCI-001312 | MEDIUM | The Voice Video Session Manager must generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information. | Any Voice Video session manager providing too much information in session records risks compromising the data and security of the application and system. The structure and content of session records must be carefully considered by the organization and dev
SV-76599r1_rule | SRG-NET-000315-VVSM-00003 | CCI-000366 | MEDIUM | The Voice Video Session Manager must restrict Voice Video endpoint user access outside of operational hours. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, usage restrictions based
SV-76601r1_rule | SRG-NET-000321-VVSM-00007 | CCI-000366 | MEDIUM | The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint user access. | Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and p
SV-76603r1_rule | SRG-NET-000322-VVSM-00008 | CCI-000366 | MEDIUM | The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint device access. | Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and p
SV-76605r1_rule | SRG-NET-000332-VVSM-00045 | CCI-001920 | MEDIUM | The Voice Video Session Manager in support of Communications Assistance for Law Enforcement Act (CALEA) must provide the capability for authorized users to remotely view/hear, in real time, all content related to an established user session from a separate monitoring component. | Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel to take action before additional damage is done. The abili
SV-76607r2_rule | SRG-NET-000236-VVSM-00047 | CCI-001665 | MEDIUM | In the event of a system failure, Voice Video Session Managers must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the informat
SV-76609r1_rule | SRG-NET-000333-VVSM-00028 | CCI-001844 | MEDIUM | The Voice Video Session Manager must provide centralized management of session (call) records. | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The cont
SV-76611r1_rule | SRG-NET-000334-VVSM-00039 | CCI-001851 | MEDIUM | The Voice Video Session Manager must off-load session (call) records onto a different system or storage media. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited session record storage capacity.
SV-76613r1_rule | SRG-NET-000338-VVSM-00006 | CCI-002039 | MEDIUM | The Voice Video Session Manager must require Voice Video endpoints to re-register at least every three (3) hours. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communic
SV-76615r1_rule | SRG-NET-000343-VVSM-00005 | CCI-001958 | MEDIUM | The Voice Video Session Manager must authenticate each Voice Video endpoint device before registration. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communic
SV-76617r1_rule | SRG-NET-000353-VVSM-00014 | CCI-000366 | MEDIUM | The Voice Video Session Manager must provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences (excluding audio-only teleconferences using traditional telephony). | Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the explicit knowledge of other participants. Videoconferences allo
SV-76619r1_rule | SRG-NET-000354-VVSM-00020 | CCI-000366 | MEDIUM | The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components. | If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. Without the imple
SV-76621r1_rule | SRG-NET-000363-VVSM-00019 | CCI-002394 | MEDIUM | The Voice Video Session Manager supporting Command and Control (C2) communications must limit and reserve bandwidth based on priority of the traffic type. | Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD supporting C2 communications relies on the implementati
SV-76623r3_rule | SRG-NET-000371-VVSM-00017 | CCI-002418 | HIGH | The Voice Video Session Manager must protect the confidentiality of transmitted configuration files, signaling, and media streams. | Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary a
SV-76625r3_rule | SRG-NET-000371-VVSM-00018 | CCI-002418 | HIGH | The Voice Video Session Manager must protect the integrity of transmitted configuration files, signaling, and media streams. | Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary a
SV-76627r2_rule | SRG-NET-000510-VVSM-00015 | CCI-002450 | HIGH | The Voice Video Session Manager must implement NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides
SV-76629r1_rule | SRG-NET-000512-VVSM-00012 | CCI-001150 | MEDIUM | The Voice Video Session Manager must prohibit remote activation of collaborative computing devices (excluding centrally managed, dedicated videoconference suites located in approved videoconference locations). | An adversary may be able to gain access to information on whiteboards, listen to conversations on a microphone, or view areas with a camera since collaboration equipment is typically not designed with security access controls and protection measures of mo
SV-76631r1_rule | SRG-NET-000512-VVSM-00042 | CCI-000366 | MEDIUM | The Voice Video Session Manager must route Fire and Emergency Services (FES) communications as a priority call in a non-blocking manner. | Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectl
SV-76633r1_rule | SRG-NET-000512-VVSM-00043 | CCI-000366 | MEDIUM | The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Number Identification (ANI) of the initiator of the call. | Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectl
SV-76635r1_rule | SRG-NET-000512-VVSM-00044 | CCI-000366 | MEDIUM | The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Location Identification (ALI) of the initiator of the call. | Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectl
SV-76637r1_rule | SRG-NET-000512-VVSM-00050 | CCI-000366 | MEDIUM | The Voice Video Session Manager must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, Communication Tasking Orders (CTOs), and DTMs. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
SV-76639r3_rule | SRG-NET-000520-VVSM-00024 | CCI-000366 | MEDIUM | The Voice Video Session Manager must apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet. | When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Voice Video Sess
SV-76641r3_rule | SRG-NET-000520-VVSM-00025 | CCI-000366 | MEDIUM | The Voice Video Session Manager must use a voice or video VLAN, separate from all other VLANs. | When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Voice Video Sessi
SV-86307r1_rule | SRG-NET-000512-VVSM-00054 | CCI-000366 | MEDIUM | The Voice Video Session Manager must be configured to obfuscate passwords within configuration files. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Voice Video Session Managers must enforce pass
SV-86309r1_rule | SRG-NET-000343-VVSM-00055 | CCI-001958 | MEDIUM | The Voice Video Session Manager must authenticate each Voice Video peer (trunk) before registration. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints
SV-86311r1_rule | SRG-NET-000338-VVSM-00056 | CCI-002039 | MEDIUM | The Voice Video Session Manager must require Voice Video peers (trunks) to re-register at least every hour. | Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints
SV-86313r3_rule | SRG-NET-000512-VVSM-00057 | CCI-000366 | MEDIUM | The Voice Video Session Manager used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be configured in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000. | Configuring the Voice Video Session Manager in accordance with CNSSI 5000 for unclassified communication systems supporting VVoIP endpoints within SCIFs and SAPFs ensures compliance with federal standards and establishes a common security baseline across