An error occurred:

Check: SRG-VOIP-000270

Enterprise Voice, Video, and Messaging Policy SRG: SRG-VOIP-000270 (in versions v1 r2 through v1 r1)

Title

Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have authorizing official (AO) approval. (Cat II impact)

Discussion

The AO responsible for the implementation of a voice system that uses UC soft clients for its endpoints must be made aware of the risks and benefits. In addition, the commander of an organization whose mission depends on such a telephone system must also be made aware and provide approval. When UC soft clients are fielded as the primary endpoint, the risk of unavailability is high compared to dedicated instruments. Another major difficulty for UC soft clients deployed on laptops is providing accurate location information for emergency services. When emergency services are called from the laptop, if it is not at the location entered in the Automated Location Identification (ALI) database, emergency services may be dispatched to the wrong place.

Check Content

Verify the Command and AO approves the implementation or transition to UC soft clients as the primary endpoints in writing. Verify the ISSO maintains approval documentation for inspection by IA reviewers or auditors. Review the written Command and AO approval for the implementation of a telephone system that primarily uses UC soft client applications for its endpoints. If no written Command and AO approval exists for UC soft client endpoints, this is a finding.

Fix Text

Obtain the Command and AO approval for the implementation or transition to UC soft clients as the primary endpoints in writing. Approval documentation must be maintained by the ISSO for future inspection by IA reviewers or auditors. If Command and AO written approval is not available, hardware endpoints must be used as the primary endpoints. NOTE: This requirement is in addition to AO approval for deploying UC soft clients on DOD networks. When UC soft clients are deployed as the primary endpoint, additional risks to availability exist.

Additional Identifiers

Rule ID: SV-259907r948751_rule

Vulnerability ID: V-259907

Group Title: SRG-VOIP-000270

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000073

Develop an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
PM-1

Information Security Program Plan