Check: DSN08.04
Defense Switched Network (DSN) STIG:
DSN08.04
(in versions v2 r8 through v2 r7)
Title
Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2. (Cat II impact)
Discussion
Requirement: In the event that a telephone instrument connected to an unclassified telecommunications system are placed within a Sensitive Compartmented Information Facility (SCIF), the IAO will ensure that the instrument is configured such that the instrument provides on-hook audio protection and that speakerphone audio pickup feature (microphone) is disabled or is nonexistent. (RE: Director of Central Intelligence Directive (DCID) 6/9 Annex G, Paragraphs 2.2.1, 2.2.1.1, 2.2.1.6, and Telecommunications Security Group (TSG) Standard 2) All voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmitting it or sending it down the wire even when the phone is on hook. This ability is usually caused by poor design or malfunction in the hook switch circuitry. This is covered in TSG Standard 2. Additionally speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work such as SCIFs. Additionally, VoIP systems in which the central call manager controls the telephone instrument, there is the potential of hijacking control of the instrument from somewhere else on the network. This potential vulnerability means that audio pickup might be activated clandestinely without the knowledge of the people near it. Speakerphones and push to talk handsets are covered in DCID 6/9
Check Content
Or review the required “documents on file” that are necessary for compliance with the requirement.
Fix Text
Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.
Additional Identifiers
Rule ID: SV-9040r1_rule
Vulnerability ID: V-8543
Group Title: RTS devices located in SCIFs NOT policy compliant
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |