DoD Compliance · STIG

Voice Video Session Management Security Requirements Guide

V2R1 · · 5.6 years ago · Released 23 Oct 2020 · 52 rules

Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Digest of Updates vs. V1R7 · 24 Jul 2020 +52 −52

Comparison against the immediately-prior release (V1R7). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 52

V-206810 Medium The Voice Video Session Manager must automatically disable Voice Video endpoint user access after a 35 day period of account inactivity.
V-206811 High The Voice Video Session Manager must enforce registration of only approved Voice Video endpoints prior to operation.
V-206812 High The Voice Video Session Manager must disable (prevent) auto-registration of Voice Video endpoints.
V-206813 Medium The Voice Video Session Manager must control flow within the enclave based on approved dial plans.
V-206814 High The Voice Video Session Manager must control flow outside the enclave based on approved dial plans.
V-206815 Medium The Voice Video Session Manager must produce session (call) records containing the type of session connection.
V-206816 Medium The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was established.
V-206817 Medium The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was terminated.
V-206818 Medium The Voice Video Session Manager must produce session (call) records containing where (location) the connection originated.
V-206819 Medium The Voice Video Session Manager must produce session (call) records containing the identity of the initiator of the call.
V-206820 Medium The Voice Video Session Manager must produce session (call) records containing the outcome (status) of the connection.
V-206821 Medium The Voice Video Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.
V-206822 Medium The Voice Video Session Manager must alert the ISSO and SA (at a minimum) in the event of a session (call) record system failure.
V-206823 Medium The Voice Video Session Manager must protect session (call) records from unauthorized modification.
V-206824 Medium The Voice Video Session Manager must protect session (call) records from unauthorized deletion.
V-206825 Medium The Voice Video Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.
V-206826 Medium The Voice Video Session Manager must be configured to disable non-essential capabilities.
V-206827 High The Voice Video Session Manager must only use of ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
V-206828 Medium The Voice Video Session Manager must implement attack-resistant mechanisms for Voice Video endpoint registration.
V-206829 Medium The Voice Video Session Manager must uniquely identify each Voice Video endpoint device before registration.
V-206830 High The Voice Video Session Manager must use encryption for signaling and media traffic.
V-206831 High The Voice Video Session Manager must terminate all network connections associated with a communications session at the end of the session, or the session must be terminated after 15 minutes of inactivity.
V-206832 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.
V-206833 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
V-206834 High The Voice Video Session Manager must protect the authenticity of communications sessions.
V-206835 Medium The Voice Video Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-206836 Medium In the event of a system failure, Voice Video Session Managers must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-206837 Medium The Voice Video Session Manager must generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.
V-206838 Medium The Voice Video Session Manager must restrict Voice Video endpoint user access outside of operational hours.
V-206839 Medium The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint user access.
V-206840 Medium The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint device access.
V-206842 Medium The Voice Video Session Manager must provide centralized management of session (call) records.
V-206843 Medium The Voice Video Session Manager must off-load session (call) records onto a different system or storage media.
V-206844 Medium The Voice Video Session Manager must require Voice Video endpoints to re-register at least every three (3) hours.
V-206845 Medium The Voice Video Session Manager must require Voice Video peers to re-register (re-authenticate) at least every hour.
V-206846 Medium The Voice Video Session Manager must authenticate each Voice Video endpoint devices before registration.
V-206847 Medium The Voice Video Session Manager must authenticate each Voice Video peer (trunk) before registration.
V-206848 Medium The Voice Video Session Manager must provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences (excluding audio-only teleconferences using traditional telephony).
V-206849 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
V-206850 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must limit and reserve bandwidth based on priority of the traffic type.
V-206851 High The Voice Video Session Manager must protect the confidentiality of transmitted configuration files, signaling, and media streams.
V-206852 High The Voice Video Session Manager must protect the integrity of transmitted configuration files, signaling, and media streams.
V-206853 High The Voice Video Session Manager must implement NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information.
V-206854 Medium The Voice Video Session Manager must prohibit remote activation of collaborative computing devices (excluding centrally managed, dedicated videoconference suites located in approved videoconference locations).
V-206855 Medium The Voice Video Session Manager must route Fire and Emergency Services (FES) communications as a priority call in a non-blocking manner.
V-206856 Medium The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Number Identification (ANI) of the initiator of the call.
V-206857 Medium The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Location Identification (ALI) of the initiator of the call.
V-206858 Medium The Voice Video Session Manager must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, Communication Tasking Orders (CTOs), and DTMs.
V-206859 Medium The Voice Video Session Manager must be configured to obfuscate passwords within configuration files.
V-206860 Medium The Voice Video Session Manager used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be configured in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000.
V-206861 Medium The Voice Video Session Manager must apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.
V-206862 Medium The Voice Video Session Manager must use a voice or video VLAN, separate from all other VLANs.

Removed rules 52

V-62049 Medium The Voice Video Session Manager must automatically disable Voice Video endpoint user access after a 35 day period of account inactivity.
V-62051 High The Voice Video Session Manager must enforce registration of only approved Voice Video endpoints prior to operation.
V-62053 High The Voice Video Session Manager must disable (prevent) auto-registration of Voice Video endpoints.
V-62055 Medium The Voice Video Session Manager must control flow within the enclave based on approved dial plans.
V-62057 High The Voice Video Session Manager must control flow outside the enclave based on approved dial plans.
V-62059 Medium The Voice Video Session Manager must produce session (call) records containing the type of session connection.
V-62061 Medium The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was established.
V-62063 Medium The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was terminated.
V-62067 Medium The Voice Video Session Manager must produce session (call) records containing where (location) the connection originated.
V-62069 Medium The Voice Video Session Manager must produce session (call) records containing the identity of the initiator of the call.
V-62071 Medium The Voice Video Session Manager must produce session (call) records containing the outcome (status) of the connection.
V-62077 Medium The Voice Video Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.
V-62079 Medium The Voice Video Session Manager must alert the ISSO and SA (at a minimum) in the event of a session (call) record system failure.
V-62081 Medium The Voice Video Session Manager must protect session (call) records from unauthorized modification.
V-62083 Medium The Voice Video Session Manager must protect session (call) records from unauthorized deletion.
V-62085 Medium The Voice Video Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.
V-62087 Medium The Voice Video Session Manager must be configured to disable non-essential capabilities.
V-62089 High The Voice Video Session Manager must only use of ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
V-62091 Medium The Voice Video Session Manager must implement attack-resistant mechanisms for Voice Video endpoint registration.
V-62093 Medium The Voice Video Session Manager must uniquely identify each Voice Video endpoint device before registration.
V-62095 High The Voice Video Session Manager must use encryption for signaling and media traffic.
V-62097 High The Voice Video Session Manager must terminate all network connections associated with a communications session at the end of the session, or the session must be terminated after 15 minutes of inactivity.
V-62099 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.
V-62101 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
V-62103 High The Voice Video Session Manager must protect the authenticity of communications sessions.
V-62105 Medium The Voice Video Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-62107 Medium The Voice Video Session Manager must generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.
V-62109 Medium The Voice Video Session Manager must restrict Voice Video endpoint user access outside of operational hours.
V-62111 Medium The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint user access.
V-62113 Medium The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint device access.
V-62117 Medium In the event of a system failure, Voice Video Session Managers must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-62119 Medium The Voice Video Session Manager must provide centralized management of session (call) records.
V-62121 Medium The Voice Video Session Manager must off-load session (call) records onto a different system or storage media.
V-62123 Medium The Voice Video Session Manager must require Voice Video endpoints to re-register at least every three (3) hours.
V-62125 Medium The Voice Video Session Manager must authenticate each Voice Video endpoint devices before registration.
V-62127 Medium The Voice Video Session Manager must provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences (excluding audio-only teleconferences using traditional telephony).
V-62129 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
V-62131 Medium The Voice Video Session Manager supporting Command and Control (C2) communications must limit and reserve bandwidth based on priority of the traffic type.
V-62133 High The Voice Video Session Manager must protect the confidentiality of transmitted configuration files, signaling, and media streams.
V-62135 High The Voice Video Session Manager must protect the integrity of transmitted configuration files, signaling, and media streams.
V-62137 High The Voice Video Session Manager must implement NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information.
V-62139 Medium The Voice Video Session Manager must prohibit remote activation of collaborative computing devices (excluding centrally managed, dedicated videoconference suites located in approved videoconference locations).
V-62141 Medium The Voice Video Session Manager must route Fire and Emergency Services (FES) communications as a priority call in a non-blocking manner.
V-62143 Medium The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Number Identification (ANI) of the initiator of the call.
V-62145 Medium The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Location Identification (ALI) of the initiator of the call.
V-62147 Medium The Voice Video Session Manager must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, Communication Tasking Orders (CTOs), and DTMs.
V-62149 Medium The Voice Video Session Manager must apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.
V-62151 Medium The Voice Video Session Manager must use a voice or video VLAN, separate from all other VLANs.
V-71683 Medium The Voice Video Session Manager must be configured to obfuscate passwords within configuration files.
V-71685 Medium The Voice Video Session Manager must authenticate each Voice Video peer (trunk) before registration.
V-71687 Medium The Voice Video Session Manager must require Voice Video peers (trunks) to re-register at least every hour.
V-71689 Medium The Voice Video Session Manager used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be configured in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000.

Sort by

Expand all

The Voice Video Session Manager must automatically disable Voice Video endpoint user access after a 35 day period of account inactivity.

AC-2 - Medium - CCI-000017 - V-206810 - SV-206810r508661_rule

RMF Control

AC-2

Severity

CCI

CCI-000017

Version

SRG-NET-000004-VVSM-00010

Vuln IDs

V-206810
V-62049

Rule IDs

SV-206810r508661_rule
SV-76539

Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Voice video session managers must track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. DoD has determined that 35 days is the appropriate time period of inactivity for Inactive accounts. Therefore, systems with a per user paradigm of management would apply.

Checks: C-7065r364619_chk

Verify the Voice Video Session Manager automatically disables Voice Video endpoint user access after a 35 day period of account inactivity. This requirement refers to users rather than endpoints. If the Voice Video Session Manager does not automatically disable Voice Video endpoint user access after a 35 day period of account inactivity, this is a finding.

Fix: F-7065r364620_fix

Configure the Voice Video Session Manager too automatically disable Voice Video endpoint user access after a 35 day period of account inactivity.

The Voice Video Session Manager must enforce registration of only approved Voice Video endpoints prior to operation.

AC-3 - High - CCI-000213 - V-206811 - SV-206811r508661_rule

RMF Control

AC-3

Severity

CCI

CCI-000213

Version

SRG-NET-000015-VVSM-00001

Vuln IDs

V-206811
V-62051

Rule IDs

SV-206811r508661_rule
SV-76541

Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Registration authenticates and authorizes endpoints with the Voice Video Session Manager. For most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, service/policy profile with 2 stage authentication prior to authorizing the establishment of the session and user service. The event of successful registration creates the session record immediately. VC systems register using a similar process with a gatekeeper. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.

Checks: C-7066r364622_chk

Verify the Voice Video Session Manager enforces registration of only approved Voice Video endpoints prior to the endpoints operating with the system. If the Voice Video Session Manager permits registration of unapproved Voice Video endpoints prior to operation, this is a finding.

Fix: F-7066r364623_fix

Configure the Voice Video Session Manager to enforce registration of only approved Voice Video endpoints prior to operating with the system.

The Voice Video Session Manager must disable (prevent) auto-registration of Voice Video endpoints.

AC-3 - High - CCI-000213 - V-206812 - SV-206812r508661_rule

RMF Control

AC-3

Severity

CCI

CCI-000213

Version

SRG-NET-000015-VVSM-00002

Vuln IDs

V-206812
V-62053

Rule IDs

SV-206812r508661_rule
SV-76543

Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Registration authenticates and authorizes endpoints with the Voice Video Session Manager. For most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, service/policy profile with 2 stage authentication prior to authorizing the establishment of the session and user service. The event of successful registration creates the session record immediately. VC systems register using a similar process with a gatekeeper. Auto-registration is an automatic means of detecting and registering a Voice Video endpoint on the network with a session manager and then downloading its configuration to the instrument. Auto-registration allows unauthorized instruments to be added or moved without authorization, possibly allowing theft of services or other malicious attack. Configuring the firewall to deny registration (port 1719, etc.) is another layer of defense.

Checks: C-7067r364625_chk

Verify the Voice Video Session Manager prevents auto-registration of Voice Video endpoints. During initial system installation and testing, or subsequent large redeployments and additions, it may be necessary to enable auto-registration for a short period. When auto-registration is used under these circumstances, it must be disabled within 5 days and before the system is placed into service. If the Voice Video Session Manager does not disable auto-registration of Voice Video endpoints outside of these conditions, this is a finding.

Fix: F-7067r364626_fix

Configure the Voice Video Session Manager to disable auto-registration of Voice Video endpoints.

The Voice Video Session Manager must control flow within the enclave based on approved dial plans.

AC-4 - Medium - CCI-001368 - V-206813 - SV-206813r508661_rule

RMF Control

AC-4

Severity

CCI

CCI-001368

Version

SRG-NET-000018-VVSM-00026

Vuln IDs

V-206813
V-62055

Rule IDs

SV-206813r508661_rule
SV-76545

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. For voice and video session managers, session flow of information is controlled by dial plans that coordinate connections between endpoints. Dial plans can also reduce connection costs in some cases, relying on routes across the DoDIN rather than over commercial services. Session managers can routes connections to known commercial services and DoD providers. Using DoDIN network paths reduces the risk of an adversary to intercept calls. However, dial plans can be mimicked and therefore are only part of a defense in depth approach.

Checks: C-7068r364628_chk

Verify the Voice Video Session Manager controls flow within the enclave based on approved dial plans. If the Voice Video Session Manager does not control flow within the enclave based on approved dial plans, this is a finding.

Fix: F-7068r364629_fix

Configure the Voice Video Session Manager to control flow within the enclave based on approved dial plans.

The Voice Video Session Manager must control flow outside the enclave based on approved dial plans.

AC-4 - High - CCI-001414 - V-206814 - SV-206814r508661_rule

RMF Control

AC-4

Severity

CCI

CCI-001414

Version

SRG-NET-000019-VVSM-00027

Vuln IDs

V-206814
V-62057

Rule IDs

SV-206814r508661_rule
SV-76547

Checks: C-7069r364631_chk

Verify the Voice Video Session Manager controls flow outside the enclave based on approved dial plans. If the Voice Video Session Manager does not control flow outside the enclaves based on approved dial plans, this is a finding.

Fix: F-7069r364632_fix

Configure the Voice Video Session Manager to control flow outside the enclave based on approved dial plans.

The Voice Video Session Manager must produce session (call) records containing the type of session connection.

AU-3 - Medium - CCI-000130 - V-206815 - SV-206815r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-000130

Version

SRG-NET-000074-VVSM-00029

Vuln IDs

V-206815
V-62059

Rule IDs

SV-206815r508661_rule
SV-76549

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Checks: C-7070r364634_chk

Verify the Voice Video Session Manager produces session records containing the type of session connection. If the Voice Video Session Manager does not produce session records containing the type of session connection, this is a finding.

Fix: F-7070r364635_fix

Configure the Voice Video Session Manager to produce session records containing the type of session connection.

The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was established.

AU-3 - Medium - CCI-000131 - V-206816 - SV-206816r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-000131

Version

SRG-NET-000075-VVSM-00031

Vuln IDs

V-206816
V-62061

Rule IDs

SV-206816r508661_rule
SV-76551

Checks: C-7071r364637_chk

Verify the Voice Video Session Manager produces session records containing when (date and time) the connection was established. If the Voice Video Session Manager does not produce session records containing when (date and time) the connection was established, this is a finding.

Fix: F-7071r364638_fix

Configure the Voice Video Session Manager to produce session records containing when (date and time) the connection was established.

The Voice Video Session Manager must produce session (call) records containing when (date and time) the connection was terminated.

AU-3 - Medium - CCI-000131 - V-206817 - SV-206817r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-000131

Version

SRG-NET-000075-VVSM-00032

Vuln IDs

V-206817
V-62063

Rule IDs

SV-206817r508661_rule
SV-76553

Checks: C-7072r364640_chk

Verify the Voice Video Session Manager produces session records containing when (date and time) the connection was terminated. If the Voice Video Session Manager does not produce session records containing when (date and time) the connection was terminated, this is a finding.

Fix: F-7072r364641_fix

Configure the Voice Video Session Manager to produce session records containing when (date and time) the connection was terminated.

The Voice Video Session Manager must produce session (call) records containing where (location) the connection originated.

AU-3 - Medium - CCI-000132 - V-206818 - SV-206818r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-000132

Version

SRG-NET-000076-VVSM-00030

Vuln IDs

V-206818
V-62067

Rule IDs

SV-206818r508661_rule
SV-76557

Checks: C-7073r364643_chk

Verify the Voice Video Session Manager produces session records containing where (location) the connection originated. If the Voice Video Session Manager does not produce session records containing where (location) the connection originated, this is a finding.

Fix: F-7073r364644_fix

Configure the Voice Video Session Manager to produce session records containing where (location) the connection originated.

The Voice Video Session Manager must produce session (call) records containing the identity of the initiator of the call.

AU-3 - Medium - CCI-000133 - V-206819 - SV-206819r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-000133

Version

SRG-NET-000077-VVSM-00034

Vuln IDs

V-206819
V-62069

Rule IDs

SV-206819r508661_rule
SV-76559

Checks: C-7074r364646_chk

Verify the Voice Video Session Manager produces session records containing the identity of the initiator of the call. The identity of the initiator of the call in this context would be the device ID or the address of the MAC or IP. For Voice Video Session Managers that have the concept of a user rather than device, this requirement is not applicable. If the Voice Video Session Manager does not produce session records containing the identity of the initiator of the call, this is a finding.

Fix: F-7074r364647_fix

Configure the Voice Video Session Manager to produce session records containing the identity of the initiator of the call.

The Voice Video Session Manager must produce session (call) records containing the outcome (status) of the connection.

AU-3 - Medium - CCI-000134 - V-206820 - SV-206820r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-000134

Version

SRG-NET-000078-VVSM-00033

Vuln IDs

V-206820
V-62071

Rule IDs

SV-206820r508661_rule
SV-76561

Checks: C-7075r364649_chk

Verify the Voice Video Session Manager produces session records containing the outcome (status) of the connection. The outcome or status of a call includes call completed normally, busy endpoint, busy network, preempted, or other pertinent description. If the Voice Video Session Manager does not produce session records containing the outcome (status) of the connection, this is a finding.

Fix: F-7075r364650_fix

Configure the Voice Video Session Manager to produce session records containing the outcome (status) of the connection.

The Voice Video Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.

AU-3 - Medium - CCI-001487 - V-206821 - SV-206821r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-001487

Version

SRG-NET-000079-VVSM-00035

Vuln IDs

V-206821
V-62077

Rule IDs

SV-206821r508661_rule
SV-76567

Checks: C-7076r364652_chk

Verify the Voice Video Session Manager produces session records containing the identity of the users and identifiers associated with the session. The identity of the users and identifiers of the call in this context would be the user ID or user name. For Voice Video Session Managers that have the concept of a device rather than users and identifiers, this requirement is not applicable. If the Voice Video Session Manager does not produce session records containing the identity of the users and identifiers associated with the session, this is a finding.

Fix: F-7076r364653_fix

Configure the Voice Video Session Manager to produce session records containing the identity of the users and identifiers associated with the session.

The Voice Video Session Manager must alert the ISSO and SA (at a minimum) in the event of a session (call) record system failure.

AU-5 - Medium - CCI-000139 - V-206822 - SV-206822r508661_rule

RMF Control

AU-5

Severity

CCI

CCI-000139

Version

SRG-NET-000088-VVSM-00038

Vuln IDs

V-206822
V-62079

Rule IDs

SV-206822r508661_rule
SV-76569

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an impending failure of the session record capability. Session record processing failures include software/hardware errors, failures in the capturing mechanisms, and storage capacity being reached or exceeded. This requirement applies to each session record data storage repository (i.e., distinct information system component where session records are stored), the centralized session record storage capacity of organizations (i.e., all session record data storage repositories combined), or both.

Checks: C-7077r364655_chk

Verify the Voice Video Session Manager alerts the ISSO and SA (at a minimum) in the event of a session record system failure. If the Voice Video Session Manager does not alert the ISSO and SA (at a minimum) in the event of a session record system failure, this is a finding.

Fix: F-7077r364656_fix

Configure the Voice Video Session Manager to alert the ISSO and SA (at a minimum) in the event of a session record system failure.

The Voice Video Session Manager must protect session (call) records from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-206823 - SV-206823r508661_rule

RMF Control

AU-9

Severity

CCI

CCI-000163

Version

SRG-NET-000099-VVSM-00041

Vuln IDs

V-206823
V-62081

Rule IDs

SV-206823r508661_rule
SV-76571

If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.

Checks: C-7078r364658_chk

Verify the Voice Video Session Manager protects session records from unauthorized modification. If the Voice Video Session Manager does not protect session records from unauthorized modification, this is a finding.

Fix: F-7078r364659_fix

Configure the Voice Video Session Manager protect session records from unauthorized modification.

The Voice Video Session Manager must protect session (call) records from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-206824 - SV-206824r508661_rule

RMF Control

AU-9

Severity

CCI

CCI-000164

Version

SRG-NET-000100-VVSM-00040

Vuln IDs

V-206824
V-62083

Rule IDs

SV-206824r508661_rule
SV-76573

Checks: C-7079r364661_chk

Verify the Voice Video Session Manager protects session records from unauthorized deletion. If the Voice Video Session Manager does not protect session records from unauthorized deletion, this is a finding.

Fix: F-7079r364662_fix

Configure the Voice Video Session Manager to protect session records from unauthorized deletion.

The Voice Video Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.

AU-12 - Medium - CCI-000169 - V-206825 - SV-206825r508661_rule

RMF Control

AU-12

Severity

CCI

CCI-000169

Version

SRG-NET-000113-VVSM-00036

Vuln IDs

V-206825
V-62085

Rule IDs

SV-206825r508661_rule
SV-76575

Checks: C-7080r364664_chk

Verify the Voice Video Session Manager produces session records for events determined to be significant and relevant by local policy. If the Voice Video Session Manager does not produce session records for events determined to be significant and relevant by local policy, this is a finding.

Fix: F-7080r364665_fix

Configure the Voice Video Session Manager to produce session records for events determined to be significant and relevant by local policy.

The Voice Video Session Manager must be configured to disable non-essential capabilities.

CM-7 - Medium - CCI-000381 - V-206826 - SV-206826r508661_rule

RMF Control

CM-7

Severity

CCI

CCI-000381

Version

SRG-NET-000131-VVSM-00048

Vuln IDs

V-206826
V-62087

Rule IDs

SV-206826r508661_rule
SV-76577

It is detrimental for voice video session managers to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Voice video session managers are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Checks: C-7081r364667_chk

Verify the Voice Video Session Manager is configured to disable non-essential capabilities. If the Voice Video Session Manager is not configured to disable non-essential capabilities, this is a finding.

Fix: F-7081r364668_fix

Configure the Voice Video Session Manager to be configured to disable non-essential capabilities.

The Voice Video Session Manager must only use of ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).

CM-7 - High - CCI-000382 - V-206827 - SV-206827r508661_rule

RMF Control

CM-7

Severity

CCI

CCI-000382

Version

SRG-NET-000131-VVSM-00049

Vuln IDs

V-206827
V-62089

Rule IDs

SV-206827r508661_rule
SV-76579

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Network elements are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network element must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Requires further clarification from NIST.

Checks: C-7082r364670_chk

Verify the Voice Video Session Manager only uses ports, protocols, and services allowed per the PPSM CAL and VAs. If the Verify the Voice Video Session Manager uses ports, protocols, and services other than those permitted by the PPSM CAL and VAs, this is a finding.

Fix: F-7082r364671_fix

Configure the Voice Video Session Manager to only use of ports, protocols, and services allowed per the PPSM CAL and VAs.

The Voice Video Session Manager must implement attack-resistant mechanisms for Voice Video endpoint registration.

IA-2 - Medium - CCI-001942 - V-206828 - SV-206828r508661_rule

RMF Control

IA-2

Severity

CCI

CCI-001942

Version

SRG-NET-000147-VVSM-00009

Vuln IDs

V-206828
V-62091

Rule IDs

SV-206828r508661_rule
SV-76581

Attacks against a Voice Video Session Manager may include DoS, replay attacks, or cross site scripting. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. A cross site scripting vulnerability was demonstrated on a SIP based IP phone by adding scripting code to the "From" field in the SIP invite. Upon receiving the invite, the embedded code was executed by the IP phone embedded web server to download additional malicious code.

Checks: C-7083r364673_chk

Verify the Voice Video Session Manager implements attack-resistant mechanisms for Voice Video endpoint registration. If the Voice Video Session Manager does not implement attack-resistant mechanisms for Voice Video endpoint registration, this is a finding.

Fix: F-7083r364674_fix

Configure the Voice Video Session Manager to implement attack-resistant mechanisms for Voice Video endpoint registration.

The Voice Video Session Manager must uniquely identify each Voice Video endpoint device before registration.

IA-3 - Medium - CCI-000778 - V-206829 - SV-206829r508661_rule

RMF Control

IA-3

Severity

CCI

CCI-000778

Version

SRG-NET-000148-VVSM-00004

Vuln IDs

V-206829
V-62093

Rule IDs

SV-206829r508661_rule
SV-76583

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typically, devices can be identified by MAC or IP address but certificates provide a greater level of security. Identification of devices works with registration of devices as part of a defense in depth approach to Voice Video networks. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.

Checks: C-7084r364676_chk

Verify the Voice Video Session Manager uniquely identifies all Voice Video endpoint devices before registration. If the Voice Video Session Manager does not uniquely identify all Voice Video endpoint devices before registration, this is a finding.

Fix: F-7084r364677_fix

Configure the Voice Video Session Manager to uniquely identify all Voice Video endpoint devices before registering those devices.

The Voice Video Session Manager must use encryption for signaling and media traffic.

IA-7 - High - CCI-000803 - V-206830 - SV-206830r508661_rule

RMF Control

IA-7

Severity

CCI

CCI-000803

Version

SRG-NET-000168-VVSM-00016

Vuln IDs

V-206830
V-62095

Rule IDs

SV-206830r508661_rule
SV-76585

All signaling and media traffic from a Voice Video Session Manager must be encrypted. Network elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. Unapproved mechanisms used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Voice Video protocol suites include SIP, SCCP, and H.323. Each of these protocol suites uses different methodologies for securing transmitted signaling. The H.323 protocol suite relies on the H.235 series, which describes security within H.323, including security for both signaling and media. For SIP protocol, the DoD has created the AS-SIP protocol, which provides for implementing Transport Layer Security (TLS), Multi-Level Precedence and Preemption (MLPP), reliance on Secure Real-Time Transport Protocol (SRTP) for media streams, and Differentiated Services Code Point (DSCP) for traffic management through priority packet routing. To secure SCCP, TLS must be implemented with the protocol.

Checks: C-7085r364679_chk

Verify the Voice Video Session Manager uses encryption for signaling and media traffic. If the Voice Video Session Manager does not use encryption for signaling and media traffic, this is a finding.

Fix: F-7085r364680_fix

Configure the Voice Video Session Manager to use encryption for signaling and media traffic.

The Voice Video Session Manager must terminate all network connections associated with a communications session at the end of the session, or the session must be terminated after 15 minutes of inactivity.

SC-10 - High - CCI-001133 - V-206831 - SV-206831r508661_rule

RMF Control

SC-10

Severity

CCI

CCI-001133

Version

SRG-NET-000213-VVSM-00011

Vuln IDs

V-206831
V-62097

Rule IDs

SV-206831r508661_rule
SV-76587

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. Voice Video Session Managers do not conduct media session; they conduct the session termination signaling. Endpoints and border elements conduct the media sessions and de-allocate those resources. However, sessions that do not receive a response from the far end may require the session manager to request termination of communication sessions.

Checks: C-7086r459024_chk

Verify the Voice Video Session Manager terminates all network connections associated with a communications session at the end of the session, or the session terminates after 15 minutes of inactivity. If the Voice Video Session Manager does not terminate all network connections associated with a communications session at the end of the session, this is a finding. If the Voice Video Session Manager does not terminate the session after 15 minutes of inactivity, this is a finding.

Fix: F-7086r459025_fix

Configure the Voice Video Session Manager to terminate all network connections associated with a communications session at the end of the session. Alternatively, configure the Voice Video Session Manager to terminate the session after 15 minutes of inactivity.

The Voice Video Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.

SC-16 - Medium - CCI-001157 - V-206832 - SV-206832r508661_rule

RMF Control

SC-16

Severity

CCI

CCI-001157

Version

SRG-NET-000225-VVSM-00021

Vuln IDs

V-206832
V-62099

Rule IDs

SV-206832r508661_rule
SV-76589

If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.

Checks: C-7087r364685_chk

Verify the Voice Video Session Manager supporting C2 communications associates MLPP attributes when exchanged between UC systems. If the Voice Video Session Manager supporting C2 communications does not associate MLPP attributes when exchanged between UC systems, this is a finding.

Fix: F-7087r364686_fix

Configure the Voice Video Session Manager supporting C2 communications to associate MLPP attributes when exchanged between UC systems.

The Voice Video Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.

CM-6 - Medium - CCI-000366 - V-206833 - SV-206833r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000226-VVSM-00022

Vuln IDs

V-206833
V-62101

Rule IDs

SV-206833r508661_rule
SV-76591

If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. When data is exchanged, the MLPP attributes associated with this data must be validated to ensure the data has not been changed. Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.

Checks: C-7088r364688_chk

Verify the Voice Video Session Manager supporting C2 communications validates the integrity of transmitted MLPP attributes. If the Voice Video Session Manager supporting C2 communications does not validate the integrity of transmitted MLPP attributes, this is a finding.

Fix: F-7088r364689_fix

Configure the Voice Video Session Manager supporting C2 communications to validate the integrity of transmitted MLPP attributes.

The Voice Video Session Manager must protect the authenticity of communications sessions.

SC-23 - High - CCI-001184 - V-206834 - SV-206834r508661_rule

RMF Control

SC-23

Severity

CCI

CCI-001184

Version

SRG-NET-000230-VVSM-00023

Vuln IDs

V-206834
V-62103

Rule IDs

SV-206834r508661_rule
SV-76593

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. VC and UC require the use of TLS mutual authentication (two-way/bidirectional) for authenticity.

Checks: C-7089r364691_chk

Verify the Voice Video Session Manager protects the authenticity of communications sessions. If the Voice Video Session Manager does not protect the authenticity of communications sessions, this is a finding.

Fix: F-7089r364692_fix

Configure the Voice Video Session Manager to protect the authenticity of communications sessions.

The Voice Video Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

SC-24 - Medium - CCI-001190 - V-206835 - SV-206835r508661_rule

RMF Control

SC-24

Severity

CCI

CCI-001190

Version

SRG-NET-000235-VVSM-00046

Vuln IDs

V-206835
V-62105

Rule IDs

SV-206835r508661_rule
SV-76595

Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving voice video session manager state information helps to facilitate restart and return to the operational mode of the organization with less disruption to mission-essential processes. This applies to the configuration of the functionality of the voice video session manager. Abort refers to stopping a program or function before it has finished naturally and refers to both requested and unexpected terminations. This control only applies to Committee on National Security Systems Instruction (CNSSI) 1253 high confidentiality and integrity baselines.

Checks: C-7090r364694_chk

Verify the Voice Video Session Manager fails to a secure state when system initialization fails, shutdown fails, or aborts fail. If the Voice Video Session Manager does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.

Fix: F-7090r364695_fix

Configure the Voice Video Session Manager to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

In the event of a system failure, Voice Video Session Managers must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

SC-24 - Medium - CCI-001665 - V-206836 - SV-206836r508661_rule

RMF Control

SC-24

Severity

CCI

CCI-001665

Version

SRG-NET-000236-VVSM-00047

Vuln IDs

V-206836
V-62117

Rule IDs

SV-206836r508661_rule
SV-76607

Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving voice video session manager state information helps to facilitate restart and return to the operational mode of the organization with less disruption to mission-essential processes. This control only applies to Committee on National Security Systems Instruction (CNSSI) 1253 high confidentiality and integrity baselines.

Checks: C-7091r364697_chk

Verify that in the event of a system failure, the Voice Video Session Managers preserves any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. If the Voice Video Session Managers does not preserve all information necessary to determine cause of failure, this is a finding. If the Voice Video Session Managers does not preserve all information necessary to return to operations with least disruption to mission processes, this is a finding.

Fix: F-7091r364698_fix

Configure the Voice Video Session Manager, in the event of a system failure, to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

The Voice Video Session Manager must generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.

SI-11 - Medium - CCI-001312 - V-206837 - SV-206837r508661_rule

RMF Control

SI-11

Severity

CCI

CCI-001312

Version

SRG-NET-000273-VVSM-00037

Vuln IDs

V-206837
V-62107

Rule IDs

SV-206837r508661_rule
SV-76597

Any Voice Video session manager providing too much information in session records risks compromising the data and security of the application and system. The structure and content of session records must be carefully considered by the organization and development team.

Checks: C-7092r364700_chk

Verify the Voice Video Session Manager generates session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information. If the Voice Video Session Manager does not generate session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information, this is a finding.

Fix: F-7092r364701_fix

Configure the Voice Video Session Manager to generate session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.

The Voice Video Session Manager must restrict Voice Video endpoint user access outside of operational hours.

CM-6 - Medium - CCI-000366 - V-206838 - SV-206838r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000315-VVSM-00003

Vuln IDs

V-206838
V-62109

Rule IDs

SV-206838r508661_rule
SV-76599

Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, usage restrictions based on conditions and circumstances may be critical to limit access to resources and data to comply with operational or mission access control requirements. Thus, the network element must be configured to enforce the specific conditions or circumstances under which application accounts can be used (e.g., by restricting usage to certain days of the week, time of day, or specific durations of time). Limiting access to the voice/video network by work hours and work week mitigates the risk of unauthorized access to the system outside of duty hours, reducing misuse or abuse of the system and its resources. Areas requiring service during other times may be identified. However, it is essential that endpoints be allowed access to emergency services at all times.

Checks: C-7093r364703_chk

Verify the Voice Video Session Manager provides the capability to restrict Voice Video endpoint user access outside of operational hours to allow only essential connection capability. Areas requiring extended service times may be identified as exceptions. If the Voice Video Session Manager does not restrict Voice Video endpoint user access outside of operational hours allowing for exceptions, this is a finding.

Fix: F-7093r364704_fix

Configure the Voice Video Session Manager to restrict Voice Video endpoint user access outside of operational hours to only essential connections.

The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint user access.

AC-3 - Medium - CCI-002178 - V-206839 - SV-206839r508661_rule

RMF Control

AC-3

Severity

CCI

CCI-002178

Version

SRG-NET-000321-VVSM-00007

Vuln IDs

V-206839
V-62111

Rule IDs

SV-206839r508661_rule
SV-76601

Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized higher levels of access. Endpoint users must be limited to the privileges needed to conduct business and changes to privileges must be enforced immediately. Access authorizations should be dynamic to reflect changing conditions; if a revocation is not enforced in a timely manner, users may have inappropriate access. Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. It may be necessary to immediately revoke access in certain circumstances (i.e., a compromised account is being used). This may be mitigated by implementing SRG-NET-000321-VVSM-00008.

Checks: C-7094r364706_chk

Verify the Voice Video Session Manager immediately enforces change to privileges of Voice Video endpoint user access. Privileges include access to outside connections, precedence, and preemption capabilities. If the Voice Video Session Manager does not immediately enforce changes to privileges of Voice Video endpoint user access, this is a finding.

Fix: F-7094r364707_fix

Configure the Voice Video Session Manager to immediately enforce changes to privileges of Voice Video endpoint user access.

The Voice Video Session Manager must immediately enforce changes to privileges of Voice Video endpoint device access.

CM-6 - Medium - CCI-000366 - V-206840 - SV-206840r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000322-VVSM-00008

Vuln IDs

V-206840
V-62113

Rule IDs

SV-206840r508661_rule
SV-76603

Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized higher levels of access. Endpoints must be limited to the privileges needed to conduct business and changes to privileges must be enforced immediately. Access authorizations should be dynamic to reflect changing conditions; if a revocation is not enforced in a timely manner, users may have inappropriate access. Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. It may be necessary to immediately revoke access in certain circumstances (i.e., a compromised account is being used). This may be mitigated by implementing SRG-NET-000321-VVSM-00007.

Checks: C-7095r364709_chk

Verify the Voice Video Session Manager immediately enforces change to privileges of Voice Video endpoint device access. Privileges include access to outside connections, precedence, and preemption capabilities. If the Voice Video Session Manager does not immediately enforce changes to privileges of Voice Video endpoint device access, this is a finding.

Fix: F-7095r364710_fix

Configure the Voice Video Session Manager to immediately enforce changes to privileges of Voice Video endpoint device access.

The Voice Video Session Manager must provide centralized management of session (call) records.

AU-3 - Medium - CCI-001844 - V-206842 - SV-206842r508661_rule

RMF Control

AU-3

Severity

CCI

CCI-001844

Version

SRG-NET-000333-VVSM-00028

Vuln IDs

V-206842
V-62119

Rule IDs

SV-206842r508661_rule
SV-76609

Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Network components requiring centralized audit log management must have the capability to support centralized management. Session records for Voice Video systems are generally handled in a similar fashion to audit records for other systems and are used for billing, usage analysis, and record support for actions taken. These detailed records are typically produced by the session manager.

Checks: C-7097r364715_chk

Verify the Voice Video Session Manager provides centralized management of session records. Centralized management of session records may be a function of the Voice Video Session Manager or offloaded to an ancillary device. When records are offloaded, the Voice Video Session Manager must provide configuration settings to connect to the ancillary device. If the Voice Video Session Manager does not provide centralized management of session records, this is a finding.

Fix: F-7097r364716_fix

Configure the Voice Video Session Manager to provide centralized management of session records.

The Voice Video Session Manager must off-load session (call) records onto a different system or storage media.

AU-4 - Medium - CCI-001851 - V-206843 - SV-206843r508661_rule

RMF Control

AU-4

Severity

CCI

CCI-001851

Version

SRG-NET-000334-VVSM-00039

Vuln IDs

V-206843
V-62121

Rule IDs

SV-206843r508661_rule
SV-76611

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited session record storage capacity.

Checks: C-7098r364718_chk

Verify the Voice Video Session Manager off-loads session records onto a different system or storage media. If the Voice Video Session Manager does not off-load session records onto a different system or storage media, this is a finding.

Fix: F-7098r364719_fix

Configure the Voice Video Session Manager to off-load session records onto a different system or storage media.

The Voice Video Session Manager must require Voice Video endpoints to re-register at least every three (3) hours.

IA-11 - Medium - CCI-002039 - V-206844 - SV-206844r508661_rule

RMF Control

IA-11

Severity

CCI

CCI-002039

Version

SRG-NET-000338-VVSM-00006

Vuln IDs

V-206844
V-62123

Rule IDs

SV-206844r508661_rule
SV-76613

Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.

Checks: C-7099r364721_chk

Verify the Voice Video Session Manager requires Voice Video endpoints to re-register at least every three hours. If the Voice Video Session Manager does not require Voice Video endpoints to re-register or does not enforce re-registration at least every three hours, this is a finding.

Fix: F-7099r364722_fix

Configure the Voice Video Session Manager to re-register Voice Video endpoints at least every three hours.

The Voice Video Session Manager must require Voice Video peers to re-register (re-authenticate) at least every hour.

IA-11 - Medium - CCI-002039 - V-206845 - SV-206845r508661_rule

RMF Control

IA-11

Severity

CCI

CCI-002039

Version

SRG-NET-000338-VVSM-00056

Vuln IDs

V-206845
V-71687

Rule IDs

SV-206845r508661_rule
SV-86311

Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device or peer on the Voice Video network.

Checks: C-7100r504894_chk

Verify the Voice Video Session Manager requires Voice Video peers to re-register (re-authenticate) at least every hour. If the Voice Video Session Manager does not require Voice Video peers to re-register (re-authenticate) at least every hour, this is a finding.

Fix: F-7100r504895_fix

Configure the Voice Video Session Manager to re-register (re-authenticate) Voice Video peers at least every hour.

The Voice Video Session Manager must authenticate each Voice Video endpoint devices before registration.

IA-3 - Medium - CCI-001958 - V-206846 - SV-206846r508661_rule

RMF Control

IA-3

Severity

CCI

CCI-001958

Version

SRG-NET-000343-VVSM-00005

Vuln IDs

V-206846
V-62125

Rule IDs

SV-206846r508661_rule
SV-76615

Checks: C-7101r364727_chk

Verify the Voice Video Session Manager authenticates all Voice Video endpoint devices before establishing any connection. If the Voice Video Session Manager does not authenticate all Voice Video endpoint devices before establishing any connection, this is a finding.

Fix: F-7101r364728_fix

Configure the Voice Video Session Manager to authenticate all Voice Video endpoint devices before registering those devices.

The Voice Video Session Manager must authenticate each Voice Video peer (trunk) before registration.

IA-3 - Medium - CCI-001958 - V-206847 - SV-206847r508661_rule

RMF Control

IA-3

Severity

CCI

CCI-001958

Version

SRG-NET-000343-VVSM-00055

Vuln IDs

V-206847
V-71685

Rule IDs

SV-206847r508661_rule
SV-86309

Checks: C-7102r364730_chk

Verify the Voice Video Session Manager authenticates all Voice Video peers (trunks) before establishing any connection. If the Voice Video Session Manager does not authenticate all Voice Video peers (trunks) before establishing any connection, this is a finding.

Fix: F-7102r364731_fix

Configure the Voice Video Session Manager to authenticate all Voice Video peers (trunks) before registration.

The Voice Video Session Manager must provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences (excluding audio-only teleconferences using traditional telephony).

SC-15 - Medium - CCI-002453 - V-206848 - SV-206848r508661_rule

RMF Control

SC-15

Severity

CCI

CCI-002453

Version

SRG-NET-000353-VVSM-00014

Vuln IDs

V-206848
V-62127

Rule IDs

SV-206848r508661_rule
SV-76617

Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the explicit knowledge of other participants. videoconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised. For videoconferences with large numbers of people present, the identified participant may be listed as the room rather than by each individual attending. Voice video session managers that provide a videoconference capability must provide a clear indication of who is attending the meeting, thus providing all attendees with the capability to clearly identify users who are in attendance.

Checks: C-7103r364733_chk

Verify the Voice Video Session Manager provides an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences. This requirement does not apply to audio-only teleconferences using traditional telephony. If the Voice Video Session Manager does not provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences, this is a finding.

Fix: F-7103r364734_fix

Configure the Voice Video Session Manager to provide an explicit indication of current participants in all videoconference-based and IP-based online meetings and conferences, except audio-only teleconferences using traditional telephony.

CM-6 - Medium - CCI-000366 - V-206849 - SV-206849r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000354-VVSM-00020

Vuln IDs

V-206849
V-62129

Rule IDs

SV-206849r508661_rule
SV-76619

Checks: C-7104r364736_chk

Verify the Voice Video Session Manager supporting C2 communications associates MLPP attributes when exchanged between UC system components. If the Voice Video Session Manager supporting C2 communications does not associate MLPP attributes when exchanged between UC system components, this is a finding.

Fix: F-7104r364737_fix

Configure the Voice Video Session Manager supporting C2 communications to associate MLPP attributes when exchanged between UC system components.

The Voice Video Session Manager supporting Command and Control (C2) communications must limit and reserve bandwidth based on priority of the traffic type.

SC-6 - Medium - CCI-002394 - V-206850 - SV-206850r508661_rule

RMF Control

SC-6

Severity

CCI

CCI-002394

Version

SRG-NET-000363-VVSM-00019

Vuln IDs

V-206850
V-62131

Rule IDs

SV-206850r508661_rule
SV-76621

Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD supporting C2 communications relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems. Additionally, Quality of Service (QoS) is an effective security safeguard used to ensure network communications availability based on priority. Different applications and other network traffic have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. A QoS implementation categorizes network traffic into classes and provides priority treatment based on the classification.

Checks: C-7105r364739_chk

Verify the Voice Video Session Manager supporting C2 communications limits and reserves bandwidth based on priority of the traffic type. If the Voice Video Session Manager supporting C2 communications does not limit and reserve bandwidth based on priority of the traffic type, this is a finding.

Fix: F-7105r364740_fix

Configure the Voice Video Session Manager supporting C2 communications to limit and reserve bandwidth based on priority of the traffic type.

The Voice Video Session Manager must protect the confidentiality of transmitted configuration files, signaling, and media streams.

SC-8 - High - CCI-002418 - V-206851 - SV-206851r508661_rule

RMF Control

SC-8

Severity

CCI

CCI-002418

Version

SRG-NET-000371-VVSM-00017

Vuln IDs

V-206851
V-62133

Rule IDs

SV-206851r508661_rule
SV-76623

Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Voice Video protocol suites include SIP, SCCP, and H.323. Each of these protocol suites uses different methodologies for securing transmitted signaling. The H.323 protocol suite relies on the H.235 series, which describes security within H.323, including security for both signaling and media. For SIP protocol, the DoD has created the AS-SIP protocol, which provides for implementing Transport Layer Security (TLS), Multi-Level Precedence and Preemption (MLPP), reliance on Secure Real-Time Transport Protocol (SRTP) for media streams, and Differentiated Services Code Point (DSCP) for traffic management through priority packet routing. To secure SCCP, TLS must be implemented with the protocol. Note: It is expected that this requirement be used to address each protocol individually. A separate STIG requirement for each protocol used identifying the methods to protect the confidentiality and integrity of transmitted control information (including registration files) and media streams must be produced.

Checks: C-7106r364742_chk

Verify the Voice Video Session Manager protects the confidentiality of transmitted configuration files, signaling, and media streams. If the Voice Video Session Manager does not protect the confidentiality of transmitted configuration files, signaling, and media streams, this is a finding.

Fix: F-7106r364743_fix

Configure the Voice Video Session Manager to protect the confidentiality of transmitted configuration files, signaling, and media streams.

The Voice Video Session Manager must protect the integrity of transmitted configuration files, signaling, and media streams.

SC-8 - High - CCI-002418 - V-206852 - SV-206852r508661_rule

RMF Control

SC-8

Severity

CCI

CCI-002418

Version

SRG-NET-000371-VVSM-00018

Vuln IDs

V-206852
V-62135

Rule IDs

SV-206852r508661_rule
SV-76625

Checks: C-7107r364745_chk

Verify the Voice Video Session Manager protects the integrity of transmitted configuration files, signaling, and media streams. If the Voice Video Session Manager does not protect the integrity of transmitted configuration files, signaling, and media streams, this is a finding.

Fix: F-7107r364746_fix

Configure the Voice Video Session Manager to protect the integrity of transmitted configuration files, signaling, and media streams.

The Voice Video Session Manager must implement NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information.

SC-13 - High - CCI-002450 - V-206853 - SV-206853r508661_rule

RMF Control

SC-13

Severity

CCI

CCI-002450

Version

SRG-NET-000510-VVSM-00015

Vuln IDs

V-206853
V-62137

Rule IDs

SV-206853r508661_rule
SV-76627

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Voice Video protocol suites include SIP, SCCP, and H.323. Each of these protocol suites uses different methodologies for securing transmitted signaling. The H.323 protocol suite relies on the H.235 series, which describes security within H.323, including security for both signaling and media. For SIP protocol, the DoD has created the AS-SIP protocol, which provides for implementing Transport Layer Security (TLS), Multi-Level Precedence and Preemption (MLPP), reliance on Secure Real-Time Transport Protocol (SRTP) for media streams, and Differentiated Services Code Point (DSCP) for traffic management through priority packet routing. To secure SCCP, TLS must be implemented with the protocol.

Checks: C-7108r364748_chk

Verify the Voice Video Session Manager implements NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information. If the Voice Video Session Manager does not implements NIST FIPS-validated cryptography to generate cryptographic hashes, this is a finding. If the Voice Video Session Manager does not implements NIST FIPS-validated cryptography to protect sensitive unclassified information, this is a finding.

Fix: F-7108r364749_fix

Configure the Voice Video Session Manager to implement NIST FIPS-validated cryptography to generate cryptographic hashes and to protect sensitive unclassified information.

The Voice Video Session Manager must prohibit remote activation of collaborative computing devices (excluding centrally managed, dedicated videoconference suites located in approved videoconference locations).

SC-15 - Medium - CCI-001150 - V-206854 - SV-206854r508661_rule

RMF Control

SC-15

Severity

CCI

CCI-001150

Version

SRG-NET-000512-VVSM-00012

Vuln IDs

V-206854
V-62139

Rule IDs

SV-206854r508661_rule
SV-76629

An adversary may be able to gain access to information on whiteboards, listen to conversations on a microphone, or view areas with a camera since collaboration equipment is typically not designed with security access controls and protection measures of more sophisticated networked clients. Collaborative computing devices include, for example, networked whiteboards, cameras, and microphones. This requirement applies to collaboration applications that control collaborative computing devices. Exceptions to this would require acceptance of the risk by a cognizant AO. This requirement is not intended to prohibit remote activation of centrally managed, dedicated videoconferencing Suites for the purpose of remote testing of the equipment.

Checks: C-7109r364751_chk

Verify the Voice Video Session Manager prohibits remote activation of collaborative computing devices. For centrally managed, dedicated videoconference suites located in approved videoconference locations with full documentation, this requirement is not applicable. If the Voice Video Session Manager does not prohibit remote activation of collaborative computing devices, this is a finding.

Fix: F-7109r364752_fix

Configure the Voice Video Session Manager, except for centrally managed, dedicated videoconference suites located in approved videoconference locations, to prohibit remote activation of collaborative computing devices.

The Voice Video Session Manager must route Fire and Emergency Services (FES) communications as a priority call in a non-blocking manner.

CM-6 - Medium - CCI-000366 - V-206855 - SV-206855r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000512-VVSM-00042

Vuln IDs

V-206855
V-62141

Rule IDs

SV-206855r508661_rule
SV-76631

Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectly configured, first responders may not have sufficient information to provide emergency services. Additionally, an adversary may use incorrectly configured E911 services to attack a system or location. For DoD systems, it is essential for FES communications to have sufficient priority, providing number and location information that is accurate. The FCC requires that providers of interconnected VoIP telephone services meet E911 obligations. E911 systems automatically provide to emergency service personnel a 911 caller's call back number and, in most cases, location information. Next Generation 9-1-1 (NG911) is an initiative updating the current E911 service infrastructure in the United States and Canada to improve public emergency communications services in a growingly wireless mobile society. This new service would enable the public to transmit text, images, video and data to the PSAP.

Checks: C-7110r364754_chk

Verify the Voice Video Session Manager routes FES communications as a priority call in a non-blocking manner. If the Voice Video Session Manager does not route FES communications as a priority call in a non-blocking manner, this is a finding.

Fix: F-7110r364755_fix

Configure the Voice Video Session Manager to route FES communications as a priority call in a non-blocking manner.

The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Number Identification (ANI) of the initiator of the call.

CM-6 - Medium - CCI-000366 - V-206856 - SV-206856r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000512-VVSM-00043

Vuln IDs

V-206856
V-62143

Rule IDs

SV-206856r508661_rule
SV-76633

Checks: C-7111r364757_chk

Verify the Voice Video Session Manager provides FES with the ANI of the initiator of the call. If the Voice Video Session Manager does not provide FES with the ANI of the initiator of the call, this is a finding.

Fix: F-7111r364758_fix

Configure the Voice Video Session Manager to provide FES with the ANI of the initiator of the call.

The Voice Video Session Manager must provide Fire and Emergency Services (FES) with the Automatic Location Identification (ALI) of the initiator of the call.

CM-6 - Medium - CCI-000366 - V-206857 - SV-206857r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000512-VVSM-00044

Vuln IDs

V-206857
V-62145

Rule IDs

SV-206857r508661_rule
SV-76635

Checks: C-7112r364760_chk

Verify the Voice Video Session Manager provides FES with the ALI of the initiator of the call. If the Voice Video Session Manager does not provide FES with the ALI of the initiator of the call, this is a finding.

Fix: F-7112r364761_fix

Configure the Voice Video Session Manager to provide FES with the ALI of the initiator of the call.

The Voice Video Session Manager must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, Communication Tasking Orders (CTOs), and DTMs.

CM-6 - Medium - CCI-000366 - V-206858 - SV-206858r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000512-VVSM-00050

Vuln IDs

V-206858
V-62147

Rule IDs

SV-206858r508661_rule
SV-76637

Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.

Checks: C-7113r459027_chk

Verify the Voice Video Session Manager is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the Voice Video Session Manager is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.

Fix: F-7113r459028_fix

Configure the Voice Video Session Manager to be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

The Voice Video Session Manager must be configured to obfuscate passwords within configuration files.

CM-6 - Medium - CCI-000366 - V-206859 - SV-206859r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000512-VVSM-00054

Vuln IDs

V-206859
V-71683

Rule IDs

SV-206859r508661_rule
SV-86307

Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Voice Video Session Managers must enforce password encryption when storing passwords within configuration files.

Checks: C-7114r364766_chk

Verify the Voice Video Session Manager is configured to obfuscate passwords within configuration files. If the Voice Video Session Manager is not configured to obfuscate passwords within configuration files, this is a finding.

Fix: F-7114r364767_fix

Configure the Voice Video Session Manager to obfuscate passwords within configuration files.

The Voice Video Session Manager used for unclassified communication within a Sensitive Compartmented Information Facility (SCIF) or Special Access Program Facility (SAPF) must be configured in accordance with the Committee on National Security Systems Instruction (CNSSI) 5000.

CM-6 - Medium - CCI-000366 - V-206860 - SV-206860r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000512-VVSM-00057

Vuln IDs

V-206860
V-71689

Rule IDs

SV-206860r508661_rule
SV-86313

Configuring the Voice Video Session Manager in accordance with CNSSI 5000 for unclassified communication systems supporting VVoIP endpoints within SCIFs and SAPFs ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Voice Video Session Managers may support voice video endpoints that could potentially be activated from the session manager (inadvertently or covertly) and transmit classified conversations over unclassified networks if not properly configured. Voice Video Endpoint microphones and speakers may be activated to pick up conversation audio within the area and conduct it over the network connection, even when the endpoint is on-hook. The Technical Surveillance Counter-Measures (TSCM) program protects sensitive government information, to include classified information, through the establishment of on-hook audio security standards. References: CNSS Instruction No. 5000, Guidelines for Voice over Internet Protocol (VoIP), dated September 2016 IC Tech Spec-For ICD/ICS 705, Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities, version 1.3 dated September 10, 2015 Joint Air Force, Army, Navy (JAFAN) 6/0 Manual; Special Access Program Security Manual – Revision 1, dated May 29, 2008 Joint Air Force, Army, Navy (JAFAN) 6/9 Manual; Physical Security Standards for Special Access Program Facilities, dated March 23, 2004

Checks: C-7115r459030_chk

If the Voice Video Session Manager does not support voice video endpoints used for unclassified communication within a SCIF or SAPFs, this check procedure is Not Applicable. Verify the Voice Video Session Manager supporting voice video endpoints used for unclassified communication within a SCIF or SAPF is configured in accordance with the CNSSI 5000. If the Voice Video Session Manager is not configured in accordance with the CNSSI 5000, this is a finding.

Fix: F-7115r459031_fix

Configure the Voice Video Session Manager supporting voice video endpoints used for unclassified communication within a SCIF or SAPF to be configured in accordance with CNSSI 5000.

The Voice Video Session Manager must apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.

AC-16 - Medium - CCI-002272 - V-206861 - SV-206861r508661_rule

RMF Control

AC-16

Severity

CCI

CCI-002272

Version

SRG-NET-000520-VVSM-00024

Vuln IDs

V-206861
V-62149

Rule IDs

SV-206861r508661_rule
SV-76639

When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Voice Video Session Manager, the use of 802.1q tags on media and signaling, and the use of VLANs provides this layer of security. VLANs facilitate access and traffic control for voice video system components and enhanced QoS. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.

Checks: C-7116r364772_chk

Verify the Voice Video Session Manager applies 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.. If the Voice Video Session Manager does not apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet., this is a finding.

Fix: F-7116r364773_fix

Configure th Voice Video Session Manager to apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.

The Voice Video Session Manager must use a voice or video VLAN, separate from all other VLANs.

CM-6 - Medium - CCI-000366 - V-206862 - SV-206862r508661_rule

RMF Control

CM-6

Severity

CCI

CCI-000366

Version

SRG-NET-000520-VVSM-00025

Vuln IDs

V-206862
V-62151

Rule IDs

SV-206862r508661_rule
SV-76641

When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exist that security attributes will not correctly reflect the data with which they are associated. For the Voice Video Session Manager, the use of 802.1q tags on media and signaling, and the use of VLANs provides this layer of security. VLANs facilitate access and traffic control for voice video system components and enhanced QoS. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.

Checks: C-7117r364775_chk

Verify the Voice Video Session Manager uses a voice or video VLAN separate from all other VLANs. If the Voice Video Session Manager uses a voice or video VLAN that is not separate from all other VLANs, this is a finding.

Fix: F-7117r364776_fix

Configure the Voice Video Session Manager to use a voice or video VLAN, separate from all other VLANs.

Added rules 52

Removed rules 52

Checks: C-7065r364619_chk

Fix: F-7065r364620_fix

Generate Mitigation Statement:

Checks: C-7066r364622_chk

Fix: F-7066r364623_fix

Generate Mitigation Statement:

Checks: C-7067r364625_chk

Fix: F-7067r364626_fix

Generate Mitigation Statement:

Checks: C-7068r364628_chk

Fix: F-7068r364629_fix

Generate Mitigation Statement:

Checks: C-7069r364631_chk

Fix: F-7069r364632_fix

Generate Mitigation Statement:

Checks: C-7070r364634_chk

Fix: F-7070r364635_fix

Generate Mitigation Statement:

Checks: C-7071r364637_chk

Fix: F-7071r364638_fix

Generate Mitigation Statement:

Checks: C-7072r364640_chk

Fix: F-7072r364641_fix

Generate Mitigation Statement:

Checks: C-7073r364643_chk

Fix: F-7073r364644_fix

Generate Mitigation Statement:

Checks: C-7074r364646_chk

Fix: F-7074r364647_fix

Generate Mitigation Statement:

Checks: C-7075r364649_chk

Fix: F-7075r364650_fix

Generate Mitigation Statement:

Checks: C-7076r364652_chk

Fix: F-7076r364653_fix

Generate Mitigation Statement:

Checks: C-7077r364655_chk

Fix: F-7077r364656_fix

Generate Mitigation Statement:

Checks: C-7078r364658_chk

Fix: F-7078r364659_fix

Generate Mitigation Statement:

Checks: C-7079r364661_chk

Fix: F-7079r364662_fix

Generate Mitigation Statement:

Checks: C-7080r364664_chk

Fix: F-7080r364665_fix

Generate Mitigation Statement:

Checks: C-7081r364667_chk

Fix: F-7081r364668_fix

Generate Mitigation Statement:

Checks: C-7082r364670_chk

Fix: F-7082r364671_fix

Generate Mitigation Statement:

Checks: C-7083r364673_chk

Fix: F-7083r364674_fix

Generate Mitigation Statement:

Checks: C-7084r364676_chk

Fix: F-7084r364677_fix

Generate Mitigation Statement:

Checks: C-7085r364679_chk

Fix: F-7085r364680_fix

Generate Mitigation Statement:

Checks: C-7086r459024_chk

Fix: F-7086r459025_fix

Generate Mitigation Statement:

Checks: C-7087r364685_chk

Fix: F-7087r364686_fix

Generate Mitigation Statement:

Checks: C-7088r364688_chk

Fix: F-7088r364689_fix

Generate Mitigation Statement:

Checks: C-7089r364691_chk

Fix: F-7089r364692_fix

Generate Mitigation Statement:

Checks: C-7090r364694_chk

Fix: F-7090r364695_fix

Generate Mitigation Statement: