Check: VVoIP 6100 (DISN-IPVS)
Voice Video Services Policy STIG:
VVoIP 6100 (DISN-IPVS)
(in versions v3 r18 through v3 r15)
Title
The VVoIP system connection to the DISN WAN, its components, and/or changes to them are not included in the site’s enclave / LAN baseline documentation and C&A documentation. (Cat II impact)
Discussion
Documentation of the enclave / LAN configuration must include all VVoIP systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for VoIP technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources. Accurate network documentation is critical to maintaining the network and understanding its security posture, threats, and vulnerabilities. Baseline and C&A documentation is the vehicle by which the DAA receives security-related information on the network for which he/she is personally responsible and accepts the security risk of operating the system. Additionally, when subscribing to DISN NIPRNet IP Voice Services (IPVS) or DISN SIPRNet IP Voice Services (IPVS), otherwise known as VoSIP, or if the system connects to the DISN WAN for VVoIP transport between enclaves (such as in an Intranet), the enclave(s) must update their LAN / Enclave C&A and CAP documentation. The site must then seek an updated ATO/ATC or, if necessary, an IATO/IATC for the enclave’s connection to the DISN for VVoIP from the appropriate DISN CAP office (UCAO or CCAO). Without connection approval, the site will not be included in the DISN Voice Services dial plan.
Check Content
Interview the IAO to validate compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves, ensure the VVoIP system’s WAN connection and boundary, as well as its components, including their upgrades and changes, are included in the site’s enclave / LAN C&A documentation (i.e., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.). Review the baseline documentation and/or C&A documentation to verify that the VVoIP WAN boundary and/or modifications are included. Verify there is a procedure for approving changes to configuration.
Fix Text
In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves, ensure the VVoIP system’s WAN connection and boundary, as well as its components, including their upgrades and changes, are included in the site’s enclave / LAN C&A documentation (i.e., the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Scorecard, etc.). Add the VVoIP WAN boundary and/or its modifications to the site’s enclave / LAN baseline and C&A documentation. Obtain DAA approval for the updated documentation. Submit to the SRR team lead for validation and finding closure.
Additional Identifiers
Rule ID: SV-21735r1_rule
Vulnerability ID: V-19594
Group Title: Deficient C&A: VVoIP DISN Bndry in LAN C&A doc’n
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |