Defense Switched Network (DSN) STIG Version Comparison
There are 2 differences between versions v2 r7 (Oct. 23, 2015) (the "left" version) and v2 r8 (April 28, 2017) (the "right" version).
Check VVT/VTC 1000 (GENERAL) was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods.
Check Content
Perform a walk-through of the facilities with the IAO (Information Assurance Officer) to validate compliance with the following requirement: ensure all telecommunications infrastructure components (traditional TDM, VVoIP, UC or VTC) are housed in secured facilities with the appropriate classification level and appropriate documented access control methods. NOTE: This part of the requirement does not apply to end instruments.

Additionally, ensure all facilities housing telecommunications infrastructure components are rated at or above the highest classification level of the information communicated. For example, VoSIP (VoIP on SIPRNet) infrastructure components must be housed in facilities rated at or above the Secret level. NOTE: This part of the requirement DOES apply to end instruments.

During the walk-through inspection, visually confirm that telecommunications infrastructure components (traditional TDM, VVoIP, UC or VTC-specific network and server components) are installed in secured areas, including locked rooms, closets and/or cabinets. Interview the IAO to determine how the distribution of keys to access the equipment is limited, controlled and documented. Additionally, determine whether access control procedures and their documentation are in use, and review the access logs for compliance. Finally, interview the IAO regarding the security classification of the facilities housing the telecommunications infrastructure components relative to the highest classification level of the information communicated.

This is a finding if any of the following is true:
- Any telecommunications infrastructure component is not housed in a secured facility (locked room or cabinet).
- The facility access control procedures or their documentation are deficient.
- Access to the facility is not logged, or the procedures are not followed.
- Any facility housing telecommunications infrastructure components is rated below the highest classification level of the information communicated.

NOTE: The infrastructure addressed here consists of the components of traditional TDM, VVoIP, UC or VTC systems that support the communications endpoints. This includes “wiring closets” for traditional non-IP-based systems.

NOTE: Physical access to the LAN infrastructure (which may also carry VVoIP, UC and VTCoIP services) is covered by a Network Infrastructure STIG requirement. This requirement does not directly address the physical security of the general LAN infrastructure, such as LAN routers and switches.

NOTE: While this requirement is based on best practice and on requirements for protecting classified information, it is also supported in part by DoD 5200.08-R, Physical Security Program, April 9, 2007, incorporating Change 1, May 27, 2009, Chapter 6, Security of Communications Facilities, section C6.2.4, which states: “Access shall be controlled at all communications facilities and only authorized personnel shall be allowed to enter. Facilities should be designated and posted as a minimum, a Controlled Area, as directed.”
Discussion
Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical access to these components is critical to establishing accountability for auditing purposes; key control and access logs are a large part of this. Additionally, the facilities housing the telecommunications infrastructure must be certified at a classification level commensurate with the highest classification level of the information communicated by the system.

The notes under Check Content above (scope of the infrastructure addressed, the separate Network Infrastructure STIG coverage of the general LAN, and the DoD 5200.08-R basis) apply to this discussion as well.
Fix
Ensure all telecommunications infrastructure components are housed in secured facilities with the appropriate classification level and appropriate documented access control methods. NOTE: This does not apply to end instruments.

Additionally, ensure all facilities housing telecommunications infrastructure components are rated at or above the highest classification level of the information communicated. For example, VoSIP (VoIP on SIPRNet) infrastructure components must be housed in facilities rated at or above the Secret level. NOTE: This DOES apply to end instruments.

Ensure all equipment is installed in a locked room, closet or cabinet. Ensure the distribution of keys to access the equipment is limited, controlled and documented. Implement access control procedures that document physical access so that an audit trail can be established if necessary.

The notes under Check Content above (scope of the infrastructure addressed, the separate Network Infrastructure STIG coverage of the general LAN, and the DoD 5200.08-R basis) apply to this fix as well.