Title

A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested. (Cat II impact)

Discussion

Requirement: The IAO will ensure that all installed systems and associated software releases for which he/she is responsible appear on the DSN APL in accordance with DODI 8100.3 requirements. This applies to previously installed, new, and upgraded systems. DOD Instruction 8100.3 which governs DOD telecommunications and the Defense Switched Network (DSN), requires that “Telecommunications switches (and associated software releases) leased, procured (whether systems or services), or operated by the DOD Components, and connected or planned for connection to the DSN, shall be joint interoperability certified by the Defense Information Systems Agency (DISA), Joint Interoperability Test Command (JITC) and granted information assurance certification and accreditation by the Defense Information System Network (DISN) Designated Approval Authorities (DAAs).” DAA certification is obtained through the DISN Security Accreditation Working Group (DSAWG). DODI 8100.3 also requires that the DOD use (or connect to the DSN) only devices that appear on the DSN Approved Products List (APL). Both IA and Interoperability certification requirements must be met for inclusion on the DSN APL. The testing for IA and IO that occurs prior to DSN APL listing determines if the system/device meets, or can be configured to meet DoD requirements. The IA testing determines any residual risk for operating the system. This risk is accepted by the DSAWG prior to APL listing.

Check Content

Verify that the VoIP system is listed on the DSN APL by checking at the following link: http://jitc.fhu.disa.mil/tssi/apl.html If not, contact the VCAO to determine if the system is in the testing process.

Fix Text

Ensure non-certified VoIP systems are not connected to the DSN. Sponsor the system for DSN APL testing and certification.

Additional Identifiers

Rule ID: SV-8840r1_rule

Vulnerability ID: V-8345

Group Title: A RTS system is in use but is NOT DSN APL listed

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.