Free DISA STIG and SRG Library | Vaulted

Defense Switched Network (DSN) STIG

Version 2 Release 7
2015-10-23
U_DSN_V2R7_Manual-xccdf.xml
The Defense Switched Network (DSN) Security Technical Implementation Guide (STIG) provides the policy and architectural guidance for applying security concepts to DoD telecommunications systems. These policies ensure conformance to DoD requirements that govern DSN voice services deployment and operations, to include special-C2, C2, and non-C2 services. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (107)

The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks.

Finding ID
DSN01.01
Rule ID
SV-8407r1_rule
Severity
Cat III
CCE
(None)
Group Title
The IAO does not conduct self-inspections
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that self-inspections of the telephone components are conducted and documented for security risks at least semi-annually. If periodic security self-inspections are not conducted, vulnerabilities could go unnoticed during day-to-day operations, resulting in an unacceptable level of risk that could lead to possible compromise. By conducting security self-inspections, security risks can be identified, analyzed, and, if not already mitigated, appropriately addressed.

Fix Text

Establish policy and procedures to ensure that, at a minimum, semi-annual security self-inspections are conducted.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Potential Impacts: Denial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECMT-1, ECMT-2, ECSC-1

The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns.

Finding ID
DSN01.02
Rule ID
SV-8408r1_rule
Severity
Cat III
CCE
(None)
Group Title
Switch usage is not monitored for security
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that the site's telephone switch is frequently monitored for changing calling patterns and system uses for possible security concerns. Changing calling patterns and system uses, such as new after-hours or international calling, sudden changes in call volume, or unusual trunk or feature usage, can be an indication of telephone misuse, abuse, or even security compromise. The ISSO/IAO should ensure the monitoring is performed frequently enough that such changes are noticed and investigated.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Theft of services, misuse of services, degradations of service provided by the system, unauthorized access.

Responsibility

Information Assurance Officer

IA Controls

ECMT-1, ECMT-2, ECSC-1
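As an added example (not part of the STIG and not any switch vendor's tooling), the monitoring called for in DSN01.02 above can be automated over the switch's call detail records (CDRs) rather than left to occasional manual review. The CSV layout, the sample records, the duty window, the international dialing prefix and the thresholds below are all assumptions; real CDR formats and normal calling baselines vary by switch and site. The script flags two patterns an IAO would want surfaced: long international calls placed outside duty hours (a classic toll-fraud signature) and an extension dialing many distinct numbers in quick succession with very short hold times (auto-dialer or scanning behaviour).

```python
"""Misuse indicators over switch call detail records (CDRs).

Added example for DSN01.02; the CDR layout and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time
import csv
import io

# Constructed sample CDRs (not real traffic): when, extension, dialed, seconds, trunk
SAMPLE_CDRS = """\
when,ext,dialed,seconds,trunk
2015-10-12T09:14:00,4021,3125550140,312,DSN
2015-10-12T10:02:00,4021,3125550177,45,DSN
2015-10-13T02:11:00,4187,0114412075550123,1804,PSTN
2015-10-13T02:44:00,4187,0114412075550188,1702,PSTN
2015-10-13T03:20:00,4187,0114412075550190,1650,PSTN
2015-10-13T11:05:00,4330,3125550101,9,DSN
2015-10-13T11:05:20,4330,3125550102,8,DSN
2015-10-13T11:05:40,4330,3125550103,7,DSN
2015-10-13T11:06:00,4330,3125550104,9,DSN
2015-10-13T11:06:20,4330,3125550105,6,DSN
2015-10-13T11:06:40,4330,3125550106,8,DSN
"""

DUTY_START, DUTY_END = time(7, 0), time(18, 0)   # assumed site duty hours
INTL_PREFIX = "011"                               # NANP international dialing prefix
SCAN_MIN_DESTINATIONS = 5                         # assumed thresholds for the scan detector
SCAN_MAX_AVG_SECONDS = 15


def parse_cdrs(text):
    """Parse CSV CDRs into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "when": datetime.fromisoformat(row["when"]),
            "ext": row["ext"],
            "dialed": row["dialed"],
            "seconds": int(row["seconds"]),
            "trunk": row["trunk"],
        })
    return rows


def is_after_hours(when):
    """True on weekends or outside the assumed duty window."""
    if when.weekday() >= 5:
        return True
    return not (DUTY_START <= when.time() < DUTY_END)


def after_hours_international(records):
    """International calls placed outside duty hours."""
    return [r for r in records
            if r["dialed"].startswith(INTL_PREFIX) and is_after_hours(r["when"])]


def sequential_dialing(records):
    """Extensions dialing many distinct numbers with very short average hold times."""
    by_ext = defaultdict(list)
    for r in records:
        by_ext[r["ext"]].append(r)
    flagged = {}
    for ext, calls in by_ext.items():
        distinct = {c["dialed"] for c in calls}
        if len(distinct) < SCAN_MIN_DESTINATIONS:
            continue
        avg = sum(c["seconds"] for c in calls) / len(calls)
        if avg <= SCAN_MAX_AVG_SECONDS:
            flagged[ext] = {"destinations": len(distinct), "avg_seconds": round(avg, 1)}
    return flagged


def review(text):
    """Run both detectors; returns {extension: [reasons]} for the IAO's review."""
    records = parse_cdrs(text)
    findings = defaultdict(list)
    for r in after_hours_international(records):
        findings[r["ext"]].append(
            f"international call to {r['dialed']} at {r['when']:%Y-%m-%d %H:%M} ({r['seconds']}s)")
    for ext, stats in sequential_dialing(records).items():
        findings[ext].append(
            f"{stats['destinations']} distinct destinations, avg {stats['avg_seconds']}s hold time")
    return dict(findings)


if __name__ == "__main__":
    for ext, reasons in sorted(review(SAMPLE_CDRS).items()):
        print(ext)
        for reason in reasons:
            print("  -", reason)
```

Both detectors are deliberately simple so that the thresholds can be tuned against the site's own baseline; the point is that the review happens on every CDR export, not only when a bill looks wrong.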

The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job.

Finding ID
DSN01.03
Rule ID
SV-8409r1_rule
Severity
Cat II
CCE
(None)
Group Title
Inadequate clearance / access to perform duties
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that internal and external administrator/maintenance personnel have appropriate but limited access to the facilities, functions, commands, and calling privileges in accordance with their role as required when performing their job. Privileged access to any system should be controlled. Anyone with privileged access can cause serious system damage that could in turn have detrimental effects on the operational environment. Administration and maintenance personnel should be provided only the privileged access needed to perform their job.

Fix Text

The ISSO/IAO should implement appropriate processes, local policies, and/or procedures to provide maintenance personnel and SAs with the appropriate access and system privileges needed to properly perform their tasks and responsibilities.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

NONE

Potential Impact

Inability to properly maintain and troubleshoot the system.

Responsibility

Information Assurance Officer

IA Controls

ECLP-1, ECSC-1

DSN systems are not registered in the DISA VMS

Finding ID
DSN02.01
Rule ID
SV-8410r1_rule
Severity
Cat III
CCE
(None)
Group Title
DSN systems are not registered in the DISA VMS
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all DISA owned and operated DSN critical assets are registered with the DISA/DoD VMS as follows:
- All backbone switches (TSs, STPs, MFSs)
- All other switches (EOs, SMEOs, PBX1s, PBX2s and RSUs) owned by DISA
- All components of the ADIMSS
- All components of auxiliary/adjunct or peripheral systems owned by DISA
- All TSs or MFSs owned and operated by DoD components
Exception: This requirement is not applicable to systems owned, operated, and maintained by DoD components other than DISA, such as EOs, SMEOs, PBX1s, PBX2s and RSUs or their OAM&P and auxiliary/adjunct or peripheral systems. See DSN02.02 below.
The DISA/DoD VMS in conjunction with JTF-GNO sends out notifications on vulnerabilities (IAVMs) as they are discovered in commercial and military information infrastructures. If DSN assets and their SAs are not registered with the DISA/DoD VMS, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations.

Fix Text

Comply with policy. Register all assets and their SAs in the DISA/DoD VMS that are required to be registered.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- The DOD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities.
- Systems may be left vulnerable to the issue detailed in the IAVA.

Responsibility

Information Assurance Officer

IA Controls

ECND-1, ECND-2, ECSC-1

System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS.

Finding ID
DSN02.02
Rule ID
SV-8411r1_rule
Severity
Cat III
CCE
(None)
Group Title
DSN SAs are not registered with the DISA VMS
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all Switch and System Administrators (SAs) responsible for VMS-registered DSN critical assets are also registered with the VMS. This includes non-DISA personnel responsible for TSs or MFSs owned and operated by DoD components. Exception: This does not apply to SAs that are ONLY responsible for systems owned, operated, and maintained by DoD components other than DISA. The DISA/DoD VMS in conjunction with JTF-GNO sends out notifications on vulnerabilities (IAVMs) as they are discovered in commercial and military information infrastructures. If DSN assets and their SAs are not registered with the DISA/DoD VMS, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations.

Fix Text

Comply with policy. Register all assets and their SAs in the DISA/DoD VMS that are required to be registered.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- The DOD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities.
- Systems may be left vulnerable to the issue detailed in the IAVA.

Responsibility

Information Assurance Officer

IA Controls

ECND-1, ECND-2, ECSC-1

The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period.

Finding ID
DSN02.03
Rule ID
SV-8412r1_rule
Severity
Cat II
CCE
(None)
Group Title
IAVAs are not responded to in the specified time
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice. The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect various systems. If appropriate actions are not taken, systems/assets may be open to a potential compromise. The DOD IAVM requirement is: Receipt of IAVM alerts will be acknowledged within 5 days and a report of compliance status provided within 30 days. For IAVM bulletins, receipt must also be acknowledged within 5 days, and a report of compliance status must be provided within 60 days. For IAVM technical advisories, receipt must be acknowledged within 5 days, but no compliance status report is required. Although DOD organizations are not required to report compliance for technical advisories, DISA organizations are required to provide a report of compliance status within 60 days.

Fix Text

Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will ensure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs, or will ensure that there is a clear and well-defined path for receipt and acknowledgement of IAVMs.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- The telecommunications system will be left vulnerable to the issue detailed in the IAVA.

Responsibility

Information Assurance Officer

IA Controls

ECND-1, ECND-2, ECSC-1

Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN.

Finding ID
DSN04.01
Rule ID
SV-8416r1_rule
Severity
Cat II
CCE
(None)
Group Title
Management terminals not on a dedicated LAN
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

All Network Management and switch administration terminals connecting to the DSN are to be through a dedicated DSN network segment. Only authorized systems will be connected to this LAN. No other networks may interface with components that are connected to this LAN. By connecting in this controlled manner, many vulnerabilities that are associated with IP networks are eliminated.

Fix Text

The ISSO/IAO will ensure that all DSN Network Management, switch administration components and other authorized systems are connected to a dedicated network, and will prohibit all connections to the ADIMSS or other Network Management network that are not relevant to the operations of the DSN.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection.

Finding ID
DSN04.02
Rule ID
SV-8417r1_rule
Severity
Cat II
CCE
(None)
Group Title
No IP or packet filtering on NMS routers
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that routers that provide remote connectivity to out-of-band management networks located at switch sites provide IP and packet level filtering/protection. All routers connected to a DSN Switch are to be configured to control network access to the DSN switch by IP and port/service. Implementing standard and extended access lists to control network access to the switch will add another security access layer minimizing risk to the DSN.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Administration terminals are used for other day-to-day functions (e.g., e-mail, web browsing, etc.).

Finding ID
DSN04.03
Rule ID
SV-8418r1_rule
Severity
Cat II
CCE
(None)
Group Title
Admin terminals are used for day-to-day apps
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that OAM&P / NM and CTI system workstations are not used for other day-to-day functions (e.g., e-mail, web browsing, etc.). Dedicating DSN administration terminals to their intended purpose, and not using them for day-to-day functions such as e-mail and web browsing, reduces the risk of unauthorized access by those who could gain entry by exploiting an existing IP-based vulnerability. Not only should DSN administration terminals connect to DSN switching systems via a controlled network segment; the terminal should also be dedicated to administration purposes only.

Fix Text

Ensure that the dedicated terminals and workstations used to administer DSN switching systems are used for that purpose only. Do not administer DSN switching systems from computer terminals that are used for day-to-day functions (e.g., e-mail, web browsing, etc.).

Check Content

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Potential Impact

Denial of Service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support.

Finding ID
DSN04.04
Rule ID
SV-8419r1_rule
Severity
Cat II
CCE
(None)
Group Title
Admin terms not on a segregated connection
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that switch/device administration terminals are connected directly to the administration port of the switch/device or are connected via an out-of-band network used only for administration support.
Switch administration terminals must connect to the switch by using either a direct connection to the administration port or a dedicated, out-of-band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks.
The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection.

Fix Text

Ensure that the connections used are through either a dedicated out of band network or direct connection to the administration port. Any other connections to administration terminals should be disconnected and their use should be discontinued.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Attendant console ports are available to unauthorized users because instruments other than the attendant console are allowed to connect to the attendant console port.

Finding ID
DSN04.05
Rule ID
SV-8420r1_rule
Severity
Cat III
CCE
(None)
Group Title
Attendant ports available to unauthorized users
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that attendant console ports are not available to unauthorized users, by not allowing any instrument other than the attendant console to connect to the attendant console port. Additionally, the attendant console shall not be able to connect to a regular instrument port. Attendant console ports provide privileged access to switch features not normally provided to the normal subscriber community. Giving this type of access to unauthorized users or subscribers can result in disruption of call processing, call monitoring, or unauthorized class of service. Positive control of attendant consoles and ports must be enforced to mitigate these vulnerabilities.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The ISSO/IAO has not established Standard Operating Procedures.

Finding ID
DSN04.06
Rule ID
SV-8421r1_rule
Severity
Cat III
CCE
(None)
Group Title
The ISSO/IAO has not established SOPs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will establish a standard operating procedure (SOP) or other form of record that will accomplish the following:
- Identify and document all users, administrators, maintainers, managers, and their associated training requirements.
- Identify and document all telephone system assets.
- Identify and document all telephone services required.
- Identify and document all telephone services that are not to be allowed.
- Identify and document all telephone system threats.
- Identify and document all audit items as required by this document.
At a minimum, the ISSO/IAO should be aware of who has what level of access to the DSN switching system, as well as possible threats to the system based on its environment. By establishing an SOP that identifies and documents all assets, services, and threats, as well as users, administrators, managers and their associated operational requirements in supporting DSN systems, the ISSO/IAO will ensure that the DSN is providing the proper service securely.

Fix Text

The ISSO/IAO should develop an SOP that will satisfy the requirements as outlined in the DSN STIG.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- The inability to effectively maintain the network or voice service and apply security policy and vulnerability mitigations. The inability for the DAA to understand the voice system's and/or network's security posture, threats, and vulnerabilities. The inability for the DAA to approve or accept the security risk of operating the system.
- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

DCHW-1, DCID-1, DCSD-1, DCSW-1, ECSC-1

Applicable security packages have not been installed on the system.

Finding ID
DSN05.01
Rule ID
SV-8422r1_rule
Severity
Cat II
CCE
(None)
Group Title
Security packages have not been installed
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all applicable security feature packages have been installed on the system to enable the required security features. In order for the requirements of this STIG to be met, a number of specific security software packages may need to be loaded on each switch. However, in most cases these packages will be part of the software load at the time of purchase and no additional steps will need to be taken. It is, however, the responsibility of the IAO to ensure that all necessary software is installed and up-to-date as dictated by the PMO in coordination with the DSN APL certifications. Without all system security software installed, all system security features cannot be configured or implemented. It is the responsibility of the ISSO/IAO to ensure that security features are available on the DSN components under their control through the application of certain software packages.

Fix Text

Apply all required security software to the DSN components as required.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

The inability to properly secure the system leaving it vulnerable to attack.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen.

Finding ID
DSN06.01
Rule ID
SV-8423r1_rule
Severity
Cat II
CCE
(None)
Group Title
Improper oversight of Foreign Nationals
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen. Foreign Nationals are not permitted to access DOD unclassified information systems without the immediate supervision of a U.S. citizen.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, PECF-1

DSN capability to restrict user access based on duty hours must be used when available.

Finding ID
DSN06.04
Rule ID
SV-8426r2_rule
Severity
Cat III
CCE
(None)
Group Title
Duty hour restriction
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

User access should be restricted based on duty hours, where technically feasible. The restriction of user access by limiting access to the DSN associated to the users work hours and workweek will mitigate security vulnerabilities if a user account is compromised. If available, technically feasible (i.e., the system is capable of performing the restriction), and implemented, this option provides additional access control to the system.

Fix Text

Implement the DSN capability to restrict user access based on duty hours when available. If the time of day (TOD) access restriction function is available through the DSN/DRSN system, it should be provisioned to allow user access within a specified window. For example, if a user is assigned to work on a DSN component Monday through Friday 8 am – 5 pm, these are the hours the DSN component will allow that user to gain access.

Check Content

Review site documentation to confirm whether the DSN capability to restrict user access based on duty hours is available. If the DSN capability to restrict user access based on duty hours is available but not used, this is a finding.

Responsibility

System Administrator

IA Controls

ECLO-1, ECSC-1
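The fix text for DSN06.04 gives only the simple case (Monday to Friday, 8 am to 5 pm). The following is an added example, not the STIG's or any switch vendor's code, of how a duty-hour window should be evaluated so that the provisioned rule matches what the SA intends: it denies by default, handles an overnight shift that crosses midnight (where the morning portion belongs to the previous day's roster), and refuses accounts with no schedule on file rather than leaving them unrestricted. The rosters, user names and timestamps are constructed for the example.

```python
"""Duty-hour (time-of-day) access windows for DSN administrative accounts.

Added example for DSN06.04; the rosters and the deny-by-default policy are
assumptions, not a specific switch's TOD feature.
"""
from datetime import datetime, time, timedelta

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)

# A window is (days, start, end). start > end means the window crosses
# midnight and runs into the morning of the following day.
DAY_SHIFT = [({MON, TUE, WED, THU, FRI}, time(8, 0), time(17, 0))]
NIGHT_SHIFT = [({SUN, MON, TUE, WED, THU}, time(22, 0), time(6, 0))]

# Assumed roster of administrative accounts and their duty windows
ROSTER = {"sa.day": DAY_SHIFT, "sa.night": NIGHT_SHIFT}


def in_window(window, when):
    """True if 'when' falls inside the window, including windows that cross midnight."""
    days, start, end = window
    t, weekday = when.time(), when.weekday()
    if start < end:
        return weekday in days and start <= t < end
    # Overnight window: the part after 'start' belongs to a rostered day,
    # the part before 'end' belongs to the morning after a rostered day.
    previous_day = (when - timedelta(days=1)).weekday()
    return (weekday in days and t >= start) or (previous_day in days and t < end)


def access_permitted(schedule, when):
    """Deny by default: permit only when at least one duty window matches."""
    return any(in_window(w, when) for w in schedule)


def check_login(roster, user, when_iso):
    """Decide a login attempt at an ISO-8601 local timestamp.

    Returns (permitted, reason); the reason is meant for the audit record.
    Accounts without a schedule on file are refused, not left unrestricted.
    """
    when = datetime.fromisoformat(when_iso)
    schedule = roster.get(user)
    if schedule is None:
        return False, "no duty schedule on file"
    if access_permitted(schedule, when):
        return True, "within duty hours"
    return False, f"outside duty hours ({when:%a %H:%M})"


if __name__ == "__main__":
    for user, stamp in [("sa.day", "2015-10-12T09:00"), ("sa.day", "2015-10-17T09:00"),
                        ("sa.night", "2015-10-16T05:30"), ("sa.night", "2015-10-17T05:30"),
                        ("contractor", "2015-10-12T09:00")]:
        print(user, stamp, check_login(ROSTER, user, stamp))
```

When provisioning the switch's own TOD restriction, walk through the same boundary cases (the last hour before midnight, the first hour after it, and the weekend edges) and confirm the switch's notion of local time and week start matches the roster.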

The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN.

Finding ID
DSN07.01
Rule ID
SV-8427r1_rule
Severity
Cat III
CCE
(None)
Group Title
Direct Inward System Access not controlled
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that either class of service, special authorization code, or PIN controls access to Voice Mail services. If used, the Direct Inward System Access feature provides subscriber access to the DSN from outside facilities. Users of this feature connect to the DSN switch from the trunk side of the system and appear to the system as a local user with access to system features; they can make calls on the DSN as if they were on the line side of the switch. If this feature is not controlled, unauthorized access to the DSN could result in call fraud and abuse. If operationally required, this feature should be implemented with class of service, special authorization code, or PIN assigned. Additionally, Voice Mail access should be configured to require a PIN.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Review the current configuration files of affected devices to confirm compliance.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- Loss of confidentiality
- Theft of services

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Direct Inward System Access and Voice Mail access codes are not changed semi-annually.

Finding ID
DSN07.02
Rule ID
SV-8428r1_rule
Severity
Cat III
CCE
(None)
Group Title
DISA access codes are not changed semi-annually
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that if Voice Mail services are controlled by special authorization code, this code will be controlled and changed semi-annually. The special access code used by all subscribers to control access to the Direct Inward System Access and Voice Mail features should be controlled much like a password. If this special access code is not changed periodically, the service is more likely to be compromised, thus degrading system access security.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- Loss of confidentiality
- Theft of services

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required.

Finding ID
DSN07.03
Rule ID
SV-8429r1_rule
Severity
Cat III
CCE
(None)
Group Title
Service access codes not changed like passwords
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The PIN used to control access to the Direct Inward System Access (DISA) feature should be controlled much like a special access code or password. If this PIN is not changed periodically and deactivated when no longer required, the feature is more likely to be compromised, thus degrading system access security.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- Loss of confidentiality
- Theft of services

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINS are not changed when compromised.

Finding ID
DSN07.04
Rule ID
SV-8430r1_rule
Severity
Cat III
CCE
(None)
Group Title
Service access PINs NOT changed when compromised
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all Voice Mail (and/or Privilege authorization, Direct Inward System Access) special authorization codes or individually assigned PINs are changed immediately if it is determined that they are compromised. If special authorization codes or individually assigned PINS are determined to be compromised, all access control to this feature is lost. Furthermore, this can lead to call fraud and abuse. As with any access control mechanism, once compromised, changes should be implemented to ensure secure access.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO or SA and confirm compliance through discussion and review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
- Loss of confidentiality
- Theft of services

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Equipment, cabling, and terminations providing Fire and Emergency Services (FES) or evacuation paging systems must be clearly identified and marked.

Finding ID
DSN08.01
Rule ID
SV-8431r2_rule
Severity
Cat III
CCE
(None)
Group Title
Emergency equipment marked
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

All equipment providing emergency life safety services, such as 911 services, must be clearly identified. The availability of Fire and Emergency Services (FES) supporting emergency life safety services such as 911 (or European 112) and emergency evacuation paging services is essential. The specific equipment that handles emergency 911 (112) service must be clearly identified to maintenance and administration personnel. Transmission equipment (e.g., DS-1 circuit packs and T-1 cross-connect ports) and any terminations at the MDF should additionally be identified. This helps preclude unnecessary outages of emergency services caused by wrong system or wiring changes made to unidentified and unmarked equipment while maintenance and administration personnel perform standard tasks or work nearby.

Fix Text

Clearly identify and mark equipment, cabling, and terminations providing FES and evacuation paging systems. Label all equipment, DS-1 circuit packs, T-1 cross connect ports, cables, termination points, and other critical elements handling FES or evacuation paging systems. Additionally, make personnel aware of the presence of FES systems and the consequences of their disruption.

Check Content

Inspect the site equipment, cabling, and terminations providing FES or evacuation paging systems and ensure these are clearly identified and marked. If any site equipment, cabling, and terminations providing FES or evacuation paging systems are not clearly identified and marked, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Links within the SS7 network are not encrypted.

Finding ID
DSN09.05
Rule ID
SV-8436r1_rule
Severity
Cat II
CCE
(None)
Group Title
Links within the SS7 network are not encrypted.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all SS7 links leaving a base/post/camp/station are encrypted. The examination of traffic patterns and statistics can reveal compromising information. Such information may include call source, destination, duration, frequency, and precedence level. The DSN common channel signaling links contain this type of information and must be protected.

Fix Text

Ensure all SS7 links are, at a minimum, bulk encrypted before leaving the facility or installation.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECCT-1, ECSC-1

A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.

Finding ID
DSN10.02
Rule ID
SV-8438r1_rule
Severity
Cat II
CCE
(None)
Group Title
VoIP system/Network NOT STIG compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: Voice Over IP systems and networks will comply with the DSN, VoIP, and all other applicable STIGs as well as other applicable DOD Component guides. The applicable STIGs define threat and vulnerability mitigations that must be applied to resolve the associated threat and/or vulnerability in accordance with DoD policy.

Fix Text

> The IAO and/or SA is to configure all Voice/Video/RTS systems, servers, and devices in accordance with all applicable STIGs for the specific system/server/device while taking into account any DSAWG approved open findings and their mitigations.

Check Content

> Obtain a copy of all applicable SRR or Self Assessment results and review for compliance, OR perform all applicable SRRs on a representative number of RTS systems and devices. If there are a significant number of findings reported or if an applicable STIG was not applied, this is a finding. Note: The specific Voice/Video/RTS system server or device determines the applicability of any given STIG. Many Voice/Video/RTS system servers or devices are based on general-purpose operating systems such as Microsoft Windows, Unix, or Linux. They may use general-purpose applications such as databases like MS-SQL or Oracle and/or employ web server technology like IIS or similar. Determine what the system under review is based upon and perform the associated SRRs. Additionally, an application SRR may be applicable for the vendor's application that makes the server or device perform its functions or the management of the system. Note: Voice/Video/RTS systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Security Override Guidance

Voice/Video/RTS systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Transport circuits are not encrypted.

Finding ID
DSN11.01
Rule ID
SV-8439r1_rule
Severity
Cat II
CCE
(None)
Group Title
Transport circuits are not encrypted.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all circuits leaving the B/C/P/S are bulk encrypted. The transport system is responsible for the delivery of voice and data circuits from one switch node to another. Though not classified, this type of information is sensitive. To ensure the security of all information being exchanged between nodes and to protect it from unauthorized monitoring and man in the middle attacks, the ISSO/IAO should ensure all circuits are bulk encrypted.

Fix Text

Bulk encrypt all trunking circuits leaving and entering the DSN switching facility or installation.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECCT-1, ECSC-1

Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.

Finding ID
DSN11.02
Rule ID
SV-8440r1_rule
Severity
Cat III
CCE
(None)
Group Title
Physical access to commercial ADM not restricted
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO or other responsible party will ensure that the physical access to commercial Add/Drop Multiplexers (ADMs) is limited. Transport equipment to include ADMs may be located in isolated areas with no personnel assigned to work in these facilities on a regular basis. The site must protect these systems from unauthorized access in order to protect the integrity and reliability of the DSN.

Fix Text

> Take measures to apply, install, or upgrade physical security for system core assets (switches, servers) and transmission devices (network switches, routers, muxes, devices). Limit, control, and document the distribution of keys to access the equipment.

Check Content

Perform a walk through of the facility to confirm that all DSN core and transmission devices that are part of the system are located in a secure room or locked cabinet.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
> Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

An IA policy and information library must be maintained.

Finding ID
DSN12.01
Rule ID
SV-8441r2_rule
Severity
Cat III
CCE
(None)
Group Title
Maintain security library
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The site ISSO will ensure an up-to-date IA policy and information library is maintained to ensure current DoD guidance is available for reference. The library must include current network, voice, and policy documents published by the Chairman of the Joint Chiefs of Staff, DoD CIO's office, applicable STIGs and SRGs, accreditation certification, and other relevant documents.

Fix Text

Implement an IA policy and information library and maintain it with current DoD and other relevant policy.

Check Content

Review site documentation to confirm an IA policy and information library is maintained. If an IA policy and information library is not maintained, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Users are not required to change their password during their first session.

Finding ID
DSN13.01
Rule ID
SV-8442r1_rule
Severity
Cat II
CCE
(None)
Group Title
Users do not change their password at first logon
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that user passwords are assigned with the requirement for the user to change their password at first logon. The ISSO/IAO will assign passwords (typically a default) to new users of DSN components. The user will be required to change this assigned password during their first session. This gives the user full accountability for a session opened in their name since the IAO will no longer know the user’s password. If this is not technically feasible, the IAO should implement and enforce a policy that requires a manual change of passwords at the first logon.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Unauthorized access to network or system resources or services and the information they contain.
> Reduced accountability

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Default passwords and user names have not been changed.

Finding ID
DSN13.02
Rule ID
SV-8443r1_rule
Severity
Cat I
CCE
(None)
Group Title
Default accounts and passwords still exist
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all system default passwords and user names are changed prior to connection to the DSN. Systems not protected with strong password schemes provide the opportunity for anyone to crack the password, gain access to the system, and cause information damage, or denial of service. Default user accounts and passwords must be changed prior to any user connection to a DSN system. This will prevent commonly known and used user accounts from being used by unauthorized users.

Fix Text

Delete or change default accounts and passwords. Check the component or system for default vendor accounts and passwords. If possible, delete or rename the account and change the default password.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Shared user accounts are used and not documented by the ISSO/IAO.

Finding ID
DSN13.03
Rule ID
SV-8444r1_rule
Severity
Cat II
CCE
(None)
Group Title
Shared user accounts are used and not documented.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that shared user accounts are not used unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components needs to be available to the ISSO/IAO through the use of unique usernames assigned to each user. This ensures that the ISSO/IAO is able to hold users accountable for their actions through the analysis of audit records. This type of accountability cannot be accomplished if shared accounts are used.

Fix Text

Document shared accounts, i.e., keep a record of each human user and their assigned username. Shared accounts will only be used if required out of operational necessity and documented by the ISSO/IAO.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

The option to disable user accounts after 30 days of inactivity is not being used.

Finding ID
DSN13.04
Rule ID
SV-8445r1_rule
Severity
Cat III
CCE
(None)
Group Title
Inactive accounts not disabled after 30 days
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that user accounts are disabled after 30 days of inactivity. User accounts that are inactive for more than 30 days should be disabled by the system. Outdated or unused user accounts provide penetration points that may go undetected. Deleting or disabling these types of accounts will help to prevent unauthorized users from gaining access to the DSN system by using an old account that is not needed.

Fix Text

Configure systems to disable accounts that are inactive for more than 30 days, if technically feasible. If the system does not provide this functionality, the ISSO/IAO should review accounts every 30 days to ensure that only needed accounts are active.

Check Content

Tekelec: rtrv-secu-dflt; UOUT=30

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access.

Finding ID
DSN13.05
Rule ID
SV-8446r1_rule
Severity
Cat I
CCE
(None)
Group Title
Management access points not password protected
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A valid username and a valid password are required to access all management system workstations and administrative / management ports on any device or system. All system management access points must be password protected to ensure that all actions performed on the DSN component can be associated with a specific user. Lack of an account password provides access to anyone who knows the user account name.

Fix Text

Ensure that all access points are password protected.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

This finding can be reduced to a CAT II where access to the noncompliant device (except management stations) is directly controlled by a device that is compliant such as an access router.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Passwords do not meet complexity requirements.

Finding ID
DSN13.06
Rule ID
SV-8447r1_rule
Severity
Cat III
CCE
(None)
Group Title
Passwords do not meet complexity requirements.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that passwords are required and contain, at a minimum, a case-sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). Devices not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing system or information damage, or denial of service. By requiring passwords to be eight non-repeating characters in length and to contain numbers, upper and lower case characters, and a special character, the probability of password guessing is mitigated.

Fix Text

Enforce a password policy to ensure complex passwords. Configure the system to require passwords to be eight non-repeating characters in length, contain numbers, upper and lower case characters, and a special character, if technically feasible.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Maximum password age does not meet minimum requirements.

Finding ID
DSN13.07
Rule ID
SV-8448r1_rule
Severity
Cat II
CCE
(None)
Group Title
Max password age does not meet minimum requirement
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all user passwords are changed at intervals of 90 days or less. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.

Fix Text

Ensure password life is no greater than 90 (180) days from the last password change.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

This finding can be reduced to a Category III if the password change interval is between 90 and 180 days and the DAA has accepted the risk in writing. This is permissible only if there is a compelling need, such as too many devices requiring a manual change and too few SAs to accomplish the task.

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.

Finding ID
DSN13.08
Rule ID
SV-8449r1_rule
Severity
Cat II
CCE
(None)
Group Title
Password change interval (24 hours) not enforced
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that NO user passwords will be changed at an interval of less than 24 hours without IAO intervention. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.

Fix Text

Ensure that user passwords are not allowed to be changed for at least 24 hours after a change operation.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Password reuse is not set to 8 or greater.

Finding ID
DSN13.09
Rule ID
SV-8450r1_rule
Severity
Cat III
CCE
(None)
Group Title
Password reuse is not set to 8 or greater.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that user passwords are not reused within the eight previous passwords used, as a minimum. A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes.

Fix Text

Ensure password uniqueness is set to remember 8 passwords.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2
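The four password rules above (DSN13.06 complexity, DSN13.07 90-day maximum age, DSN13.08 24-hour minimum change interval with IAO override, DSN13.09 history of eight) can be checked together. The following is an added example, not part of the STIG or any vendor's configuration; the account record, the per-account salt, and the sample passwords are constructed, and "non-repeating" is read here as no character appearing twice in the password, which is this example's interpretation rather than a definition the STIG gives.

```python
"""Password-policy checks modelled on DSN13.06 through DSN13.09 (added example)."""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                  # DSN13.06: eight-character minimum
MAX_AGE = timedelta(days=90)    # DSN13.07: change at intervals of 90 days or less
MIN_AGE = timedelta(hours=24)   # DSN13.08: no change within 24 hours without IAO
HISTORY_DEPTH = 8               # DSN13.09: remember the previous eight passwords
SPECIALS = set(string.punctuation)


def complexity_findings(password: str) -> list[str]:
    """Return the DSN13.06 rules the candidate password violates (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in SPECIALS for c in password):
        findings.append("no special character")
    # Interpretation of "non-repeating": every character is used at most once.
    if len(set(password)) != len(password):
        findings.append("repeated character")
    return findings


@dataclass
class Account:
    """Constructed account record: only salted digests of past passwords are kept."""
    name: str
    salt: bytes                                  # per-account salt (constructed)
    history: list[bytes] = field(default_factory=list)   # newest last, digests only
    last_changed: datetime | None = None


def _digest(account: Account, password: str) -> bytes:
    # One salt per account so earlier passwords can be compared without storing them.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, 100_000)


def change_password(account: Account, new_password: str, now: datetime,
                    iao_override: bool = False) -> list[str]:
    """Apply DSN13.06, DSN13.08 and DSN13.09; on success record the change and return []."""
    findings = complexity_findings(new_password)
    if (account.last_changed is not None and not iao_override
            and now - account.last_changed < MIN_AGE):
        findings.append("changed less than 24 hours ago without IAO intervention (DSN13.08)")
    if _digest(account, new_password) in account.history[-HISTORY_DEPTH:]:
        findings.append("matches one of the previous 8 passwords (DSN13.09)")
    if findings:
        return findings
    account.history.append(_digest(account, new_password))
    account.history = account.history[-HISTORY_DEPTH:]   # keep exactly eight
    account.last_changed = now
    return []


def password_expired(account: Account, now: datetime) -> bool:
    """DSN13.07: True when the current password is older than 90 days or was never set."""
    return account.last_changed is None or now - account.last_changed > MAX_AGE


if __name__ == "__main__":
    acct = Account("sa1", salt=b"constructed-example-salt")
    t0 = datetime(2015, 10, 23)
    print(change_password(acct, "emPagd2!", t0))                       # []
    print(change_password(acct, "Qwer7yu!", t0 + timedelta(hours=2)))  # 24-hour finding
    print(change_password(acct, "emPagd2!", t0 + timedelta(days=3)))   # reuse finding
    print(password_expired(acct, t0 + timedelta(days=120)))            # True
```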

The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner.

Finding ID
DSN13.14
Rule ID
SV-8451r1_rule
Severity
Cat II
CCE
(None)
Group Title
High level passwords not recorded and controlled
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that no user (to include Administrator) is permitted to retrieve the password of any user in clear text. Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time-consuming password recovery techniques and denial of administrator access in the event a password is forgotten or the individual with the access is incapacitated. The passwords of high level users should be recorded and controlled so that the ISSO/IAO would be able to gain high level access if an unforeseen situation occurred that prevented the high level user from performing their duties.

Fix Text

Record the passwords of high level users and store in a controlled manner.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

User passwords can be retrieved and viewed in clear text by another user.

Finding ID
DSN13.10
Rule ID
SV-8452r1_rule
Severity
Cat II
CCE
(None)
Group Title
Passwords can be retrieved / viewed in clear text
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. Password integrity is non-existent if passwords are stored or displayed in clear text. Many attacks on DOD computer systems are launched internally by unsatisfied or disgruntled employees. It is imperative that all DSN systems be configured to store passwords in encrypted format. This protects password integrity against other system users who have privileged system access.

Fix Text

Ensure that the DSN component is provisioned to store all passwords in an encrypted format.

Check Content

>TABLE OFCOPT; PASSWORD_ENCRYPTED =Y

Security Override Guidance

None

Potential Impact

> Password compromise leading to any of the following:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

User passwords are displayed in the clear when logging into the system.

Finding ID
DSN13.11
Rule ID
SV-8453r1_rule
Severity
Cat II
CCE
(None)
Group Title
Passwords are displayed in the clear at logon
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. When passwords are displayed (echoed) during logon, the risk of password compromise is increased and password confidentiality is greatly reduced. If the password is displayed during logon, it can be easily compromised through the use of a simple technique of shoulder surfing.

Fix Text

Ensure systems are configured not to display passwords in the clear during logon. If hardware or firmware restricts the implementation of this function, upgrade as soon as possible.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Password compromise leading to any of the following:
> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

The system is not configured to disable a user's account after three notifications of password expiration.

Finding ID
DSN13.13
Rule ID
SV-8455r1_rule
Severity
Cat II
CCE
(None)
Group Title
Access not disabled after password expiration
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the user fails to change their password, their account will be disabled. The user should be notified three times after their password has expired. If the user does not change their password after three notifications, the system should disable the account and require the intervention of the ISSO/IAO or other designated individual to reactivate the account. This measure ensures that all users comply with mandatory password changes.

Fix Text

Ensure the DSN component is configured to disable a user account after the user has received three notifications of password expiration.

Check Content

>TABLE OFCENG; EXPIRED_PASSWORD_GRACE = 3

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAIA-1, IAIA-2

Crash-restart vulnerabilities are present on the DSN system component.

Finding ID
DSN13.15
Rule ID
SV-8456r1_rule
Severity
Cat II
CCE
(None)
Group Title
Crash-restart vulnerabilities are present.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that tests are performed for crash-restart vulnerabilities and develop procedures to eliminate vulnerabilities found (i.e., ensure ENHANCED_PASSWORD_CONTROL is active to prevent system logons after restart on Nortel switches). Some systems reset to default settings (i.e., user names, passwords, user access privileges) when a re-boot is initiated. If this is the case and a restart occurs and action is not taken to reset the default settings, the risk of unauthorized access is increased.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Ensure ENHANCED_PASSWORD_CONTROL is active to prevent system logons after restart on Nortel switches.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

The DSN system component is not installed in a controlled space with visitor access controls applied.

Finding ID
DSN14.01
Rule ID
SV-8457r1_rule
Severity
Cat II
CCE
(None)
Group Title
DSN device not installed in a secure location
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that DSN switches, peripheral, and OAM&P systems are installed in a controlled space with personnel and visitor access controls applied. Controlling access to the DSN site is critical to determine accountability for auditing purposes as well as the obvious physical security violations.

Fix Text

> Take measures to apply, install, or upgrade physical security for system core assets (switches, servers) and transmission devices (network switches, routers, muxes, devices). Limit, control, and document the distribution of keys to access the equipment.

Check Content

Perform a walk through of the facility and confirm compliance via inspection of the affected devices or items.

Security Override Guidance

None

Potential Impact

> Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
> Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, PECF-2

Documented procedures do not exist that will prepare for a suspected compromise of a DSN component.

Finding ID
DSN14.02
Rule ID
SV-8458r1_rule
Severity
Cat II
CCE
(None)
Group Title
No SOP for responding to a device compromise
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that compromise recovery procedures are documented that will accomplish the following:
- Verify the integrity of the hardware, software, and communication lines configuration.
- Verify the integrity of the switch tables (database).
- Perform an audit trail analysis and evaluation.
- Enforce the change of all passwords for accessing the A/NM domain.
- Report to the Theater and other concerned authorities the detection of possible unauthorized physical intrusion.
The following measures will ensure that a compromise of a DSN component is handled and reported properly: verification of the integrity of the hardware, software, communication lines configuration, and switch tables (database); performance of an audit trail analysis and evaluation; enforcing the change of all passwords for accessing the DSN component; and reporting to the theater and other concerned authorities the detection of possible unauthorized physical intrusion.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of service due to the inability to quickly recover from the compromise.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity.

Finding ID
DSN15.01
Rule ID
SV-8459r1_rule
Severity
Cat II
CCE
(None)
Group Title
Audit records NOT stored in an unalterable file
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that auditing records are placed in an unalterable audit or history file that is available only to those individuals authorized to analyze switch access and configuration activity. Audit files must be available to only those individuals who are authorized and have a need to analyze DSN activity. These records must be stored in a format that will prevent any individual from making modifications to the records. Audit files are necessary to investigate switch activity that appears to be abusive, unauthorized, or damaging to the DSN.

Fix Text

Ensure that all auditing records are recorded to a device that will not allow any individual to make alterations to their content. Ensure that only authorized individuals have access to these files.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Security Override Guidance

None

Potential Impact

> Compromise, corruption, or loss of audit records/files, potentially by a user who performed a security violation and/or gained unauthorized access to the information they contain.
> The inability to take administrative action or prosecute for inappropriate actions or system abuse.

Responsibility

System Administrator

IA Controls

ECSC-1, ECTP-1

Audit records do not record the identity of each person and terminal device having access to switch software or databases.

Finding ID
DSN15.02
Rule ID
SV-8460r1_rule
Severity
Cat II
CCE
(None)
Group Title
Audit records do not record individual identity
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that the auditing process records the identity of each person and terminal device having access to switch software or databases. The identity of the individual user and the terminal used during their session will be recorded in the audit records. This is needed for accountability of commands issued and actions taken during each session.

Fix Text

Ensure audit records contain the user and terminal identity.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> The inability to take administrative action or prosecute for inappropriate actions or system abuse.
> The inability to effectively troubleshoot problems.

Responsibility

System Administrator

IA Controls

ECAR-1, ECAR-2, ECAR-3, ECSC-1

Audit records do not record the time of the access.

Finding ID
DSN15.03
Rule ID
SV-8461r1_rule
Severity
Cat II
CCE
(None)
Group Title
Audit records do not record the time of the access
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that the auditing process records the time of the access. The time of access needs to be recorded in the audit files to determine accountability of personnel if an issue arises that requires analysis of the audit records.

Fix Text

Ensure a time stamp is provided by the system on all audit records.

Check Content

review TABLXXX for compliance

Security Override Guidance

None

Potential Impact

> The inability to effectively troubleshoot problems.
> The inability to take administrative action or prosecute for inappropriate actions or system abuse.

Responsibility

System Administrator

IA Controls

ECAR-3, ECSC-1

The auditing records do not record activities that may change, bypass, or negate safeguards built into the software.

Finding ID
DSN15.04
Rule ID
SV-8462r1_rule
Severity
Cat II
CCE
(None)
Group Title
Auditing does not record security bypass
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that the auditing process records commands, actions, and activities executed during each session that might change, bypass, or negate safeguards built into the software. Actions that have the potential to change, bypass, or negate safeguards must be recorded in the audit files. This will identify suspicious activities that are being investigated and will assist investigators in following the course of events that have led to a situation that is being examined.

Fix Text

Ensure that the system records commands, actions, and activities executed during each user session that might change, bypass, or negate safeguards built into the software.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
> The inability to take administrative action or prosecute for inappropriate actions or system abuse.
> The inability to effectively troubleshoot problems.

Responsibility

System Administrator

IA Controls

ECAR-3, ECLC-1, ECSC-1
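The four audit requirements above (DSN15.01 through DSN15.04) together describe one artifact: a record that is tamper-evident, restricted to reviewers, and that carries the user, the terminal, the time, and a flag on commands that can alter safeguards. The following is an added example, not part of the STIG or any switch vendor's product, showing one way a log collector can produce such a record: each line is sealed with an HMAC whose key is held by the collector rather than the switch, and each line includes the HMAC of the previous line, so editing, reordering, or deleting a record breaks the chain. The command names in SAFEGUARD_COMMANDS, the key, and the session records are constructed for the example; a real switch has its own command set.

```python
"""Hash-chained, HMAC-sealed audit trail for switch administration sessions.
Added example; not part of the STIG or any vendor product."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Commands that can change, bypass or negate software safeguards (DSN15.04).
# Hypothetical names: a real switch has its own command set and the list
# must be derived from it.
SAFEGUARD_COMMANDS = {
    "SET_PASSWORD", "ADD_USER", "DELETE_USER", "DISABLE_AUDIT",
    "MODIFY_TRANSLATION_TABLE", "CLEAR_LOG", "SET_CLASS_OF_SERVICE",
}
GENESIS = "0" * 64  # prev-hash value carried by the first record


def _seal(fields: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only JSON-lines log. Each record carries the HMAC of the previous
    record, so editing, reordering or deleting a line breaks the chain. The
    HMAC key lives with the log collector, not on the switch (DSN15.01)."""

    def __init__(self, path: str, key: bytes):
        self.path, self.key = path, key
        open(path, "a").close()
        os.chmod(path, 0o600)  # readable only by the audit reviewer account

    def _records(self) -> list:
        with open(self.path) as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def append(self, user: str, terminal: str, command: str, when=None) -> dict:
        when = when or datetime.now(timezone.utc)
        recs = self._records()
        prev = recs[-1]["hmac"] if recs else GENESIS
        fields = {
            "seq": len(recs) + 1,
            "time": when.isoformat(timespec="seconds"),           # DSN15.03
            "user": user,                                         # DSN15.02
            "terminal": terminal,                                 # DSN15.02
            "command": command,
            "safeguard": command.split()[0] in SAFEGUARD_COMMANDS,  # DSN15.04
            "prev": prev,
        }
        rec = dict(fields, hmac=_seal(fields, self.key))
        with open(self.path, "a") as fh:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")
        return rec

    def verify(self, expected_head: str = None):
        """(True, None) if intact, else (False, seq of the first bad record).
        expected_head is the last HMAC as stored off-box by the collector; it
        is the only way to detect records silently removed from the tail."""
        expect_seq, prev = 1, GENESIS
        for rec in self._records():
            fields = {k: v for k, v in rec.items() if k != "hmac"}
            if (rec["seq"] != expect_seq or rec["prev"] != prev
                    or not hmac.compare_digest(rec["hmac"], _seal(fields, self.key))):
                return False, expect_seq
            expect_seq, prev = rec["seq"] + 1, rec["hmac"]
        if expected_head is not None and prev != expected_head:
            return False, expect_seq
        return True, None

    def safeguard_events(self) -> list:
        """Records a reviewer must look at first (DSN15.04, DSN15.06)."""
        return [r for r in self._records() if r["safeguard"]]


def demo() -> dict:
    """Write three session records (constructed), then tamper with the file."""
    path = os.path.join(tempfile.mkdtemp(), "switch-audit.jsonl")
    log = AuditLog(path, key=b"collector-held-key")  # constructed key
    log.append("jsmith", "TTY03", "DISPLAY TRUNK 12")
    log.append("jsmith", "TTY03", "SET_PASSWORD admin")
    head = log.append("rjones", "MODEM1", "MODIFY_TRANSLATION_TABLE 7")["hmac"]
    intact = log.verify(head)
    flagged = [r["seq"] for r in log.safeguard_events()]
    original = open(path).read()
    # An insider rewrites record 2 to hide the password change.
    edited = original.replace("SET_PASSWORD admin", "DISPLAY STATUS")
    open(path, "w").write(edited)
    after_edit = log.verify()
    # The insider instead deletes the last record: the chain alone is still
    # consistent, only the off-box head value reveals the truncation.
    open(path, "w").write("".join(original.splitlines(True)[:-1]))
    return {"intact": intact, "flagged": flagged, "after_edit": after_edit,
            "truncated_chain_only": log.verify(),
            "truncated_with_head": log.verify(head)}
```

The truncation case is the caveat a reviewer should keep in mind: a hash chain proves that nothing inside the file was altered, but not that the file ends where it should. Forwarding each record's HMAC to a separate log server, or periodically recording the current head there, closes that gap and is what the APL note under DSN15.05 describes as the logging-server requirement.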

Audit record archive and storage do not meet minimum requirements.

Finding ID
DSN15.05
Rule ID
SV-8463r1_rule
Severity
Cat II
CCE
(None)
Group Title
Audit records not properly archived and stored
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that audit records (files) are stored on-line for 90 days and off-line for an additional 12 months. Audit records provide the means for the ISSO/IAO or other designated person to investigate any suspicious activity and to hold users accountable for their actions. By storing audit records online for 90 days and offline for a further 12 months, the ISSO or other designated personnel will be able to investigate suspicious activity even if it is not noticed immediately.
APL NOTE: The storage of log data both online and offline for a given period of time is a site responsibility. While a vendor's product may provide the required storage capacity for a sufficient number of log entries internally to satisfy the online storage requirement, it must at a minimum work in conjunction with a logging server where the logs can be collected and maintained online. The remote logging process should also be automated such that logs are collected without SA intervention. The vendor's product and the architecture in which it is implemented as a whole must support the online storage requirement. Such requirements are covered elsewhere and do not constitute a finding here.

Fix Text

Ensure audit records are stored online for 90 days and offline for 12 months.

Check Content

Inspect or review the required “documents on file” that are necessary for compliance with the requirement.

Security Override Guidance

None

Potential Impact

> The inability to take administrative action or prosecute for inappropriate actions or system abuse.
> The inability to effectively troubleshoot problems.

Responsibility

System Administrator

IA Controls

ECRR-1, ECSC-1, ECTB-1, ECTP-1

Audit records are not being reviewed by the ISSO/IAO weekly.

Finding ID
DSN15.06
Rule ID
SV-8464r1_rule
Severity
Cat II
CCE
(None)
Group Title
Audit records are not being reviewed weekly
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that audit records (files) are reviewed weekly. By reviewing audit records on a weekly schedule, the ISSO/IAO ensures that any suspicious activity is detected in a timely manner.

Fix Text

The ISSO/IAO or security auditor should review audit records weekly for suspicious activity.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Security Override Guidance

None

Potential Impact

> The inability to take administrative action or prosecute for inappropriate actions or system abuse.
> The inability to effectively troubleshoot problems.

Responsibility

System Administrator

IA Controls

ECAT-1, ECAT-2, ECRG-1, ECSC-1

An Information System Security Officer (ISSO) must be appointed in writing for each site.

Finding ID
DSN16.01
Rule ID
SV-8465r2_rule
Severity
Cat II
CCE
(None)
Group Title
ISSO appointment
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The PMO or local site command will document and ensure that an ISSO is designated to oversee the IA posture and security of each site, system, and facility. The ISSO will have the proper training and clearance level. The PMO will maintain documentation regarding ISSO assignments for all sites and systems in the inventory. The ISSO may have responsibility for systems other than DSN and may be responsible for remote sites attached to the main site or system. The local commander for the DSN switch must appoint an ISSO to develop a security plan and manage its implementation.

Fix Text

The PMO or local site command must appoint an ISSO in writing. This individual is responsible for establishing, implementing, monitoring, and controlling the site telephone system security program, which ensures the evaluation of all site telephone system components.

Check Content

Review site documentation to confirm an ISSO is appointed in writing. If an ISSO is not appointed in writing, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCSD-1, PECF-1

Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library.

Finding ID
DSN16.02
Rule ID
SV-8466r1_rule
Severity
Cat II
CCE
(None)
Group Title
Site personnel not properly security trained
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that personnel are familiar with the security practices outlined by applicable documents found in the site's library and have received the appropriate security training. A personnel security program, combined with other protective measures, makes up a security plan to keep DSN assets safe from intrusion or other types of disruption. The DSN Security Guide describes the personnel security requirements for various types of individuals. To be effective, any security plan requires some type of familiarization and training for its users and participants.

Fix Text

The ISSO/IAO will establish a security practices plan, as outlined in the DSN Security Guide, to ensure that personnel are familiar with the security practices outlined by applicable documents found in the site’s library and have received the appropriate security training.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Security Override Guidance

None

Potential Impact

The system may be left vulnerable due to ignorance of policy, procedures, and threats to the system.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, PRTN-1

The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties.

Finding ID
DSN16.03
Rule ID
SV-8467r1_rule
Severity
Cat III
CCE
(None)
Group Title
Security Certification letters are not on file
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A DSN Personnel Security Certification letter will provide documented proof that site personnel have attended and successfully passed a security training and awareness program. This program will provide training appropriate to the security needs of each person involved with the DSN. The program will ensure that all personnel understand the risks to the DSN. This type of program reminds the personnel of the proper security-related operational and control procedures for which they are responsible.

Fix Text

Establish a DSN security awareness-training program. Review all DSN personnel security-related responsibilities and document certification by signing a Personnel Security Certification letter.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECAN-1, PECF-2

System administrators are NOT appropriately cleared.

Finding ID
DSN16.04
Rule ID
SV-8468r1_rule
Severity
Cat II
CCE
(None)
Group Title
SAs are not appropriately cleared
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all System Administrators are appropriately cleared. In order to maintain positive control over personnel access to DSN system components, all who are provided physical and administrative access to the components must be controlled. Authorization must be confirmed before access is given. If physical and administrative access to systems is not confirmed and controlled, unauthorized access or compromise may result.

Fix Text

Obtain a System Authorization Access Request (SAAR), DD Form 2875, for each DSN user to validate their need-to-know.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Security Override Guidance

None

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, PECF-2

The identity of maintenance personnel installing or modifying a device or software must be verified and recorded.

Finding ID
DSN17.01
Rule ID
SV-8469r2_rule
Severity
Cat II
CCE
(None)
Group Title
Identity of maintenance personnel
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The identity of maintenance personnel performing software load upgrades or maintenance of a DSN component must be recorded. This makes a particular person or vendor representative accountable for all actions performed, giving the ISSO and site personnel the means to investigate activity. The preferred means of maintaining records is to obtain a DD Form 2875 from all individuals performing work on the system.

Fix Text

Implement the use of DD Form 2875 to verify and record the identity of maintenance personnel installing or modifying a device or software on a DSN component. This list should cover military and civilian personnel as well as vendor representatives.

Check Content

Review site documentation to confirm the identity of maintenance personnel installing or modifying a device or software is verified and recorded. Use of DD Form 2875 is the preferred method to obtain identity information. If the identity of maintenance personnel installing or modifying a device or software is not verified and recorded, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, PECF-1

The DSN local system must be backed up weekly on a removable device or media and stored off-site.

Finding ID
DSN17.02
Rule ID
SV-8470r2_rule
Severity
Cat II
CCE
(None)
Group Title
System backup weekly
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

System backups must be taken frequently (weekly at a minimum) and stored in such a way that a current copy can be obtained if needed. By storing a copy on the local system and a copy on removable media, in most instances, a copy can be used to restore the system. The storage of a copy off-site improves the safety of the copy in the event of a catastrophe at the operations site.

Fix Text

Implement and document backing up the local DSN system weekly onto a removable device or media and storing off-site. When technically feasible, configure the system to automatically perform weekly backups and record them locally on the system and on removable media. Alternately, ensure that weekly backups are performed manually. Ensure removable media is removed and stored off-site. Storing a copy on the system is highly recommended. Perform a system backup just prior to any system change, maintenance, or upgrade. If this is not feasible, the most recent weekly backup must be available for use.

Check Content

Review site documentation to confirm the local DSN system is backed up weekly onto a removable device or media and stored off-site. When feasible, a copy of the backup should be kept on the system. If the local DSN system is not backed up weekly onto a removable device or media and stored off-site, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

CODB-1, ECSC-1

The DSN local system backup media must be available and up-to-date prior to any software modification.

Finding ID
DSN17.03
Rule ID
SV-8471r2_rule
Severity
Cat II
CCE
(None)
Group Title
System backup media
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Site staff must ensure backup media is available and up-to-date prior to software modification that could cause a significant disruption to service if the new software is corrupted. Backup media will be available to site personnel prior to any software upgrades or major provisioning changes. This will enable site personnel to recover the DSN system in case of system failure under newly introduced software or major changes.

Fix Text

Keep DSN local system backup media on site with the system and document the procedure. Ensure removable media is removed and stored off-site. Storing a copy on the system is highly recommended. Perform a system backup just prior to any system change, maintenance, or upgrade. If this is not feasible, the most recent weekly backup must be available for use.

Check Content

Review site documentation to confirm the DSN local system backup media is available and up-to-date prior to any software modification. If the DSN local system backup media is not available locally and up-to-date prior to any software modification, this is a finding.

Responsibility

System Administrator

IA Controls

COBR-1, CODB-1, CODB-2, CODB-3, ECSC-1

Modems are not physically protected to prevent unauthorized device changes.

Finding ID
DSN18.01
Rule ID
SV-8472r1_rule
Severity
Cat II
CCE
(None)
Group Title
Modems are not physically protected
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all modems are physically protected to prevent unauthorized device changes. Controlling physical access to modems supporting the DSN will limit the chance of unauthorized access to DSN system components. Failure to control physical access to modems could result in modem settings being changed to allow unauthorized access to DSN system components.

Fix Text

Ensure all modems are secured that are used to access the DSN administration/maintenance user ports. Allow only authorized personnel to have physical access to these modems.

Check Content

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

A detailed listing of all modems is not being maintained.

Finding ID
DSN18.02
Rule ID
SV-8473r1_rule
Severity
Cat II
CCE
(None)
Group Title
A detailed listing of all modems is not maintained
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will maintain a listing of all modems by model number, serial number, associated phone number, and location. Ensure an accurate listing of all modems supporting the DSN is maintained. Maintaining a list of all approved modems will ensure that non-approved modems can be identified easily.

Fix Text

Collect information on all approved modems, including model number, serial number, installed location, etc. Maintain this list / inventory and update as needed.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

DCID-1, ECSC-1

Unauthorized modems are installed.

Finding ID
DSN18.03
Rule ID
SV-8474r1_rule
Severity
Cat II
CCE
(None)
Group Title
Unauthorized modems are installed.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Modems that are not provided by the Government for access to the DSN will not be allowed to connect to the DSN for access. No personally provided modems are permitted. This measure will assist the ISSO/IAO in the task of controlling remote access to the DSN components.

Fix Text

Remove all modems that are not provided by the Government. The ISSO/IAO may conduct periodic inspections for unauthorized modems.

Check Content

Perform a walk-through of the facility and confirm compliance via inspection of the affected devices or items.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

DCID-1, EBCR-1, ECSC-1

Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).

Finding ID
DSN18.04
Rule ID
SV-8475r1_rule
Severity
Cat II
CCE
(None)
Group Title
Modem phone lines are not restricted
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all modem phone lines are restricted and configured to their mission required purpose (inward dial only or outward dial only). Ubiquitous phone lines open major security holes in a network; the more tightly they can be controlled, the less the exposure to vulnerabilities. Allowing special features to remain active on modem phone lines creates advantageous situations for malicious attacks. An attacker may use special features to forward modem or voice calls to destinations that cause toll fraud, or forward the number to itself causing a denial of service. Telephone lines that provide dial tone to DSN modems will be provisioned only with their required functions. Some components of the DSN "dial back" option may require two modems for proper operation. If a modem is dedicated to receiving calls, it should be provisioned to not allow outbound calling. If a modem is dedicated to placing calls, it should be provisioned to not accept incoming calls.

Fix Text

Ensure that all modem lines are restricted to single-line operation and configured to their mission required purpose (inward or outward dial only), without any special features (e.g., call forwarding). DSN System Administrators will ensure that the modem's phone line is disconnected until needed. Site personnel should restrict the functions of all phone lines that provide dial tone to the DSN modems based upon the needs of the modem's function.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Modem phone lines are not restricted to single-line operation.

Finding ID
DSN18.05
Rule ID
SV-8476r1_rule
Severity
Cat II
CCE
(None)
Group Title
Modem phone lines are not restricted - single-line
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all modem phone lines are restricted to single-line operation without any special features such as the call forwarding capability. By restricting modem phone lines to single-line operation, the risk of unauthorized access is limited by preventing the additional functions of a multi-line set from being used by an unauthorized person to gain access.

Fix Text

Ensure that only single-line phone lines are used for modem access.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Automatic Number Identification (ANI) must be enabled when available.

Finding ID
DSN18.06
Rule ID
SV-8477r2_rule
Severity
Cat III
CCE
(None)
Group Title
Enable ANI
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

ANI must be enabled on modem lines to record access to remote access ports when this function is available. The logs will be maintained and reviewed. ANI logs should be kept for the previous twelve months. ANI logs are ideal for auditing unauthorized accesses and toll-fraud.

Fix Text

Implement ANI when available on all modems connected to DSN system. Maintain and review ANI logs periodically. ANI logs should be stored for a period of twelve months.

Check Content

Review site documentation to confirm ANI is enabled when available. If ANI is available but not enabled on all modems connected to DSN system, this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Authentication is not required for every session requested.

Finding ID
DSN18.07
Rule ID
SV-8478r1_rule
Severity
Cat II
CCE
(None)
Group Title
Authentication is not required for every session
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that identification and authentication are required for every session requested in accordance with I&A / password policy. Authentication is a measure used to verify the eligibility of a subject and the ability of that subject to access certain information. Authentication protects against the fraudulent use of a system or the deceptive transmission of information. All users must be authenticated prior to every authorized session allowing system access. This is necessary to ensure that no unauthorized sessions are granted.

Fix Text

Ensure that all interfaces to the DSN component require authentication before a session is granted.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

The option to use the “callback” feature for remote access is not being used.

Finding ID
DSN18.08
Rule ID
SV-8479r1_rule
Severity
Cat III
CCE
(None)
Group Title
The “callback” feature is not being used.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that modem access to remote management ports incorporates the "callback" feature where technically feasible. The callback feature ensures that only pre-authorized user directory numbers are used to access the DSN components. Callback works by disconnecting the incoming call and re-establishing it by dialing back to a predetermined number held on record for that user (not a number supplied by the caller). Upon establishment of the callback connection, the communications device requires the user to authenticate to the system. This strengthens the authentication of remote access to the system. If available, this feature should be used. It is especially important for remote unmanned switch sites where modem connections cannot be physically disconnected when not in use.

Fix Text

The ISSO/IAO should ensure that all DSN components are using the callback feature, if this feature is available.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Security Override Guidance

This is not a finding if the modem is approved and listed on the DSN APL and does not support the callback feature.

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1
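DSN18.04, DSN18.06, DSN18.07 and DSN18.08 describe one access path: a caller reaches an inbound-only modem, is disconnected, is called back on an outbound-only line at the number on record, and only then authenticates, with every attempt logged against its ANI. The following added example models that path; it is not part of the STIG and not any modem or switch vendor's implementation. The line names, directory entries, phone numbers and passwords are constructed, and the unsalted password hash stands in for the credential store a real gateway would use (which, per DSN18.10, would also require a second factor). It shows why the callback number must come from the directory: a caller who has stolen a password and asks to be called back at their own number never receives the callback leg, and their repeated attempts surface in the ANI log for the weekly review.

```python
"""Callback-protected modem access to a switch maintenance port.
Added example modelling the controls in DSN18.04, 18.06, 18.07 and 18.08;
it is not a real modem driver or any vendor's implementation."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone


class LineError(Exception):
    """Raised when a line is used against its provisioned direction."""


@dataclass
class ModemLine:
    """A modem line provisioned for exactly one direction (DSN18.04)."""
    name: str
    direction: str  # "inbound" or "outbound"
    history: list = field(default_factory=list)

    def accept_call(self, ani: str) -> None:
        if self.direction != "inbound":
            raise LineError(f"{self.name} is outbound-only; call from {ani} refused")
        self.history.append(("in", ani))

    def dial(self, number: str) -> None:
        if self.direction != "outbound":
            raise LineError(f"{self.name} is inbound-only; dial to {number} refused")
        self.history.append(("out", number))


def pw_hash(password: str) -> str:
    # Constructed: unsalted SHA-256 keeps the example short; a real directory
    # would hold salted hashes and also require a token (DSN18.10).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class CallbackGateway:
    inbound: ModemLine
    outbound: ModemLine
    directory: dict   # user -> {"callback": number on record, "pw": hash}
    ani_log: list = field(default_factory=list)  # keep 12 months (DSN18.06)

    def _log(self, ani: str, user: str, outcome: str) -> None:
        self.ani_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "ani": ani, "user": user, "outcome": outcome})

    def session(self, ani: str, claimed_user: str, requested_number: str,
                answerers: dict) -> dict:
        """One remote-access attempt.
        requested_number: where the caller asks to be called back; ignored.
        answerers: constructed stand-in for who picks up at each number and
        what password they present on the callback leg."""
        self.inbound.accept_call(ani)
        entry = self.directory.get(claimed_user)
        if entry is None:
            self._log(ani, claimed_user, "denied: unknown user")
            return {"granted": False, "dialed": None}
        # Hang up and call back only the predetermined number (DSN18.08).
        number = entry["callback"]
        self.outbound.dial(number)
        offered = answerers.get(number)
        if offered is None:
            self._log(ani, claimed_user, "denied: callback unanswered")
            return {"granted": False, "dialed": number}
        # Authenticate on the callback leg, on every session (DSN18.07).
        if not hmac.compare_digest(pw_hash(offered), entry["pw"]):
            self._log(ani, claimed_user, "denied: bad password")
            return {"granted": False, "dialed": number}
        self._log(ani, claimed_user, "granted")
        return {"granted": True, "dialed": number}

    def suspicious_anis(self, threshold: int = 3) -> list:
        """ANIs with repeated denials: first items for the weekly review."""
        denied = Counter(e["ani"] for e in self.ani_log
                         if e["outcome"].startswith("denied"))
        return sorted(a for a, n in denied.items() if n >= threshold)


def demo() -> dict:
    gw = CallbackGateway(
        inbound=ModemLine("MODEM-IN", "inbound"),
        outbound=ModemLine("MODEM-OUT", "outbound"),
        directory={"jsmith": {"callback": "5550123", "pw": pw_hash("jsmith-pw")}},
    )
    legit = gw.session("5550123", "jsmith", "5550123", {"5550123": "jsmith-pw"})
    # Attacker at 5550199 holds jsmith's stolen password and asks to be called
    # back there; the gateway dials 5550123 instead and nobody answers.
    attacks = [gw.session("5550199", "jsmith", "5550199", {"5550199": "jsmith-pw"})
               for _ in range(3)]
    try:
        gw.inbound.dial("5550199")
        inbound_cannot_dial = False
    except LineError:
        inbound_cannot_dial = True
    return {"legit": legit, "attack": attacks[-1],
            "inbound_cannot_dial": inbound_cannot_dial,
            "suspicious": gw.suspicious_anis()}
```

The two-line split is what the DSN18.04 discussion refers to when it notes that dial-back may need two modems: the inbound-only line cannot be turned around to place a call, and the outbound-only line cannot be reached from outside, so neither can be abused for the other role even if its settings are reached through an unprotected port (DSN18.01).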

FIPS 140-2 validated link encryption must be used end-to-end for all data streams connecting to remote access ports of the telephone switch.

Finding ID
DSN18.09
Rule ID
SV-8480r2_rule
Severity
Cat III
CCE
(None)
Group Title
FIPS Link encryption
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A FIPS 140-2 validated encryption mechanism must be used to secure all data streams between the management port of the DSN component and a remote management station, whether connected via a modem or a network. Encrypting the management session protects both the authentication exchange and all subsequent traffic from interception, and should be used wherever possible to secure remote access connections to DSN administration/maintenance ports.

Fix Text

Implement end-to-end FIPS 140-2 validated link encryption for all data streams connecting to remote access ports of the telephone switch.

Check Content

Review site documentation to confirm FIPS 140-2 validated link encryption is used end-to-end for all data streams connecting to remote access ports of the telephone switch. If FIPS 140-2 validated link encryption is not used for data streams connecting to remote access ports of the telephone switch, this is a finding.

Responsibility

System Administrator

IA Controls

ECCT-1, ECSC-1

Two-factor authentication must be used for remote access ports.

Finding ID
DSN18.10
Rule ID
SV-8481r2_rule
Severity
Cat III
CCE
(None)
Group Title
Remote access authentication
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Remote access ports must require two-factor authentication, meaning a token or similar possession factor in addition to a User ID and password combination. The use of two-factor authentication will help prevent unauthorized persons from accessing the DSN component.

Fix Text

Implement a site policy and procedure that requires two-factor authentication for connections to remote access ports.

Check Content

Review site documentation to confirm that site policy and procedures require two-factor authentication for connections to remote access ports. If two-factor authentication is not used for remote access ports, this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use.

Finding ID
DSN18.11
Rule ID
SV-8482r1_rule
Severity
Cat II
CCE
(None)
Group Title
Admin./ maintenance ports are not being controlled
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that serial management ports are controlled by deactivating or physically disconnecting access devices (i.e. modems or terminals) that are not in use. The disconnection of remote access devices when not being used will greatly reduce the risk of unauthorized access.

Fix Text

Ensure that all remote access devices are deactivated or disconnected when not in use.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Idle connections DO NOT disconnect in 15 min.

Finding ID
DSN18.12
Rule ID
SV-8483r1_rule
Severity
Cat II
CCE
(None)
Group Title
Idle connections DO NOT disconnect in 15 min.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that a timeout feature, set to 15 minutes, is used to disconnect idle connections. Unattended systems are susceptible to unauthorized use. The system should be locked when unattended. The user idle timeout should be set to a maximum of 15 minutes. This setting protects critical and sensitive system areas from exposure to unauthorized personnel with physical access to an unattended administration/maintenance terminal.

Fix Text

The system administrator will ensure that the timeout for unattended user administration/maintenance ports is set for no longer than 15 minutes, if technically feasible.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.

Finding ID
DSN18.13
Rule ID
SV-8484r1_rule
Severity
Cat II
CCE
(None)
Group Title
Maint ports do not lock out after 3 failed attempt
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that management ports that receive three consecutive failed logon attempts will be unavailable for at least 60 seconds. After three failed logon attempts the system should be configured to force the user to wait for 60 seconds. This measure will prevent unauthorized access through the means of hacking a password. If the time that the port is unavailable is substantially greater than 60 seconds, denial of service could result by maliciously attempting logins on all ports.

Fix Text

Ensure the system is configured to make the port unavailable for 60 seconds after 3 failed logon attempts.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session.

Finding ID
DSN18.14
Rule ID
SV-8485r1_rule
Severity
Cat III
CCE
(None)
Group Title
Serial Mgmt. Ports do not drop interrupted session
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that serial management ports immediately drop any connection that is interrupted for any reason. Reasons include modem power failure, link disconnection, loss of carrier, etc. Serial ports that are interrupted due to link disconnection, power failure or other reasons will force out the user (i.e., end the session using the port). This will prevent a remote user from ending a session without logging off and leaving the remote maintenance port available with an active session that might allow unauthorized use by someone other than the authenticated user. This will also prevent the physical hijacking of an active session by unplugging the connected cable and plugging in another.

NOTE: This requirement primarily addresses the use of EIA/RS-232 serial interfaces (serial craft or console ports) in conjunction with a modem. It requires the enablement of the hardware handshaking capabilities that are typically inherent in the interface and the associated Universal Asynchronous Receiver/Transmitter (UART). The hardware handshaking capabilities can easily detect modem power failure, link disconnection, and loss of carrier. The software response to these hardware indicators is to terminate any active session such that re-authentication is required if the session is re-established. This capability also supports the prevention of physically hijacking the connection or session by unplugging the modem and plugging in a local workstation or other communications device. However, such physical hijacking is substantially mitigated by limiting physical access to the port connection to authorized personnel via physical access security methods. Unfortunately, some EIA/RS-232 port implementations in some vendors’ products do not include the physical handshaking lead connections needed to fulfill this requirement. In some cases only the three minimally required data leads (TX, RX, and GND) are implemented. In this case, Xon-Xoff flow control is used to synchronize communications as opposed to the hardware handshaking. Additional measures must be implemented in hardware or software to detect session interruption and effect its termination. This may require special serial communications software or middleware that implements a keep-alive signal. When the keep-alive signal is lost, the session is terminated. Other methods may be employed as well.

Fix Text

Configure the DSN component to force out users when the session is interrupted.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1
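The session rules of DSN18.12 (idle sessions dropped at 15 minutes), DSN18.13 (three consecutive failed logons make the port unavailable for 60 seconds, with the lockout kept fixed so it cannot be turned into a denial of service) and DSN18.14 (an interrupted link forces the user out and re-authentication is required), modelled together as an added example that is not part of the STIG or of any vendor's product. The port object, the injected clock and the credential check are constructed here for illustration only.

```python
# Added example, not part of the STIG: a model of a serial management-port
# session that applies DSN18.12, DSN18.13 and DSN18.14. Time is passed in
# explicitly (seconds) so the rules can be exercised without a real port.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple

IDLE_TIMEOUT_S = 15 * 60   # DSN18.12: idle sessions end after at most 15 minutes
MAX_FAILED_LOGONS = 3      # DSN18.13: three consecutive failures ...
LOCKOUT_S = 60             # ... make the port unavailable for 60 seconds


class State(Enum):
    IDLE = "idle"       # no session; port accepts logon attempts
    LOCKED = "locked"   # port unavailable after repeated failures
    ACTIVE = "active"   # authenticated session in progress


@dataclass
class MaintenancePort:
    # The credential check is supplied by the caller: a constructed stand-in
    # for the switch's real authentication (e.g. token plus user ID/password).
    check_credentials: Callable[[str, str], bool]
    state: State = State.IDLE
    failed_logons: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    events: List[Tuple[float, str]] = field(default_factory=list)

    def logon(self, user: str, password: str, now: float) -> str:
        """Attempt a logon at time `now`; returns 'ok', 'denied', 'locked' or 'busy'."""
        if self.state is State.LOCKED:
            if now < self.locked_until:
                # Attempts during the lockout are rejected and do NOT extend it:
                # the 60 s window stays fixed, so repeated attempts cannot turn
                # the lockout into an open-ended denial of service (DSN18.13).
                return "locked"
            self.state = State.IDLE
        if self.state is State.ACTIVE:
            return "busy"
        if self.check_credentials(user, password):
            self.failed_logons = 0
            self.state = State.ACTIVE
            self.last_activity = now
            self.events.append((now, "logon"))
            return "ok"
        self.failed_logons += 1
        if self.failed_logons >= MAX_FAILED_LOGONS:
            self.failed_logons = 0
            self.state = State.LOCKED
            self.locked_until = now + LOCKOUT_S
            self.events.append((now, "lockout"))
            return "locked"
        return "denied"

    def activity(self, now: float) -> bool:
        """Record user activity; returns False if there is no active session."""
        if self.state is not State.ACTIVE:
            return False
        self.tick(now)                     # an over-long gap ends the session first
        if self.state is State.ACTIVE:
            self.last_activity = now
            return True
        return False

    def tick(self, now: float) -> None:
        """Periodic check (DSN18.12): drop the session once idle for 15 minutes."""
        if self.state is State.ACTIVE and now - self.last_activity >= IDLE_TIMEOUT_S:
            self._force_out(now, "idle timeout")

    def link_interrupted(self, now: float, cause: str) -> None:
        """DSN18.14: DCD dropped, carrier lost, modem power failed or keep-alive
        missed. The session ends at once; a fresh logon is required afterwards."""
        if self.state is State.ACTIVE:
            self._force_out(now, f"link interrupted ({cause})")

    def _force_out(self, now: float, reason: str) -> None:
        self.state = State.IDLE
        self.events.append((now, reason))
```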

DSN system components must display the Standard Mandatory DoD Notice and Consent Banner exactly as specified prior to logon or initial access.

Finding ID
DSN19.01
Rule ID
SV-8486r2_rule
Severity
Cat III
CCE
(None)
Group Title
Display DoD Notice and Consent Banner
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. System use notification messages must be displayed when individuals log on to the information system. The approved DoD text must be used as specified in the DoD Instruction 8500.01 dated March 14, 2014.

Fix Text

Configure all DSN system components to display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access.

Check Content

Interview the ISSO to validate compliance with the following requirement: Verify all DSN system components display the Standard Mandatory DoD Notice and Consent Banner prior to logon or initial access. If the displayed text is not exactly as specified in the DoD Instruction 8500.01 dated March 14, 2014, this is a finding. The text is posted on the IASE website: http://iase.disa.mil/Documents/unclass-consent_banner.zip

Responsibility

System Administrator

IA Controls

ECSC-1, ECWM-1

Voice/Video Telecommunications infrastructure components (traditional TDM, VVoIP, or VTC) are not housed in secured or “controlled access” facilities with appropriate classification level or appropriate documented access control methods.

Finding ID
VVT/VTC 1000 (GENERAL)
Rule ID
SV-8711r1_rule
Severity
Cat II
CCE
(None)
Group Title
Deficient imp'n: physical security / system access
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Controlling physical access to telecommunications infrastructure components is critical to assuring the reliability of the voice network and service delivery. Documenting or logging physical access to these components is critical to determine accountability for auditing purposes. Key control and access logs are a large part of this. Additionally, the facilities housing the telecommunications infrastructure must be certified at a classification level commensurate with the highest classification level of the information communicated by the system.

NOTE: The infrastructure addressed here consists of components of traditional TDM, VVoIP, UC or VTC systems that support the communications endpoints. This includes “wiring closets” for traditional non-IP based systems.

NOTE: Physical access to the LAN infrastructure (which may also support VVoIP, UC, and VTCoIP services) is covered by a Network Infrastructure STIG requirement. This requirement does not directly address the physical security of the general LAN infrastructure, such as LAN routers and switches.

NOTE: While this requirement is based on best practice and requirements for protecting classified information, it is also supported in part by DOD 5200.08-R, Physical Security Program, April 9, 2007, Incorporating Change 1, 27 May 2009, Chapter 6, Security of Communications Facilities, section C6.2.4, which states: “Access shall be controlled at all communications facilities and only authorized personnel shall be allowed to enter. Facilities should be designated and posted as a minimum, a Controlled Area, as directed.”

Fix Text

Ensure all telecommunications infrastructure components are housed in secured facilities with appropriate classification level and appropriate documented access control methods. NOTE: This does not apply to end instruments.

Additionally, ensure all facilities housing telecommunications infrastructure components are rated at or above the highest classification level of the information communicated. For example, VoSIP (VVoIP on SIPRNet) infrastructure components must be housed in facilities rated at or above the secret level. NOTE: This DOES apply to end instruments.

Ensure that all equipment is installed in a locked room, closet, or cabinet. Ensure the distribution of keys to access the equipment is limited, controlled, and documented. Ensure access control procedures are implemented to ensure that physical access is documented such that an audit trail can be established if necessary.

NOTE: The infrastructure addressed here consists of components of traditional TDM, VVoIP, UC or VTC systems that support the communications endpoints. This includes “wiring closets” for traditional non-IP based systems.

NOTE: Physical access to the LAN infrastructure (which may also support VVoIP, UC, and VTCoIP services) is covered by a Network Infrastructure STIG requirement. This requirement does not directly address the physical security of the general LAN infrastructure, such as LAN routers and switches.

NOTE: While this requirement is based on best practice and requirements for protecting classified information, it is also supported in part by DOD 5200.08-R, Physical Security Program, April 9, 2007, Incorporating Change 1, 27 May 2009, Chapter 6, Security of Communications Facilities, section C6.2.4, which states: “Access shall be controlled at all communications facilities and only authorized personnel shall be allowed to enter. Facilities should be designated and posted as a minimum, a Controlled Area, as directed.”

Check Content

Perform a walk-through of the facilities with the IAO to validate compliance with the following requirement: Ensure all telecommunications infrastructure components (traditional TDM, VVoIP, UC or VTC) are housed in secured facilities with appropriate classification level and appropriate documented access control methods. NOTE: This does not apply to end instruments.

Additionally, ensure all facilities housing telecommunications infrastructure components are rated at or above the highest classification level of the information communicated. For example, VoSIP (VoIP on SIPRNet) infrastructure components must be housed in facilities rated at or above the secret level. NOTE: This DOES apply to end instruments.

During the walk-through inspection, visually confirm that telecommunications infrastructure (traditional TDM, VVoIP, UC or VTC specific network and server) components are installed in secured areas, to include locked rooms, closets, and/or cabinets. Interview the IAO to determine how the distribution of keys to access the equipment is limited, controlled, and documented. Additionally, determine if access control procedures/documentation are being used and review the access logs for compliance. Finally, interview the IAO regarding the security classification of the facilities housing the telecommunications infrastructure components in relation to the highest classification level of the information communicated.

This is a finding in the event of any of the following:
- Any telecommunications infrastructure component is not housed in a secured facility (locked room or cabinet).
- The facility access control procedures or their documentation are deficient.
- Access to the facility is not logged or the procedures are not followed.
- The facility classification of any facility housing telecommunications infrastructure components is rated below the highest classification level of the information communicated.

NOTE: The infrastructure addressed here consists of components of traditional TDM, VVoIP, UC or VTC systems that support the communications endpoints. This includes “wiring closets” for traditional non-IP based systems.

NOTE: Physical access to the LAN infrastructure (which may also support VVoIP, UC, and VTCoIP services) is covered by a Network Infrastructure STIG requirement. This requirement does not directly address the physical security of the general LAN infrastructure, such as LAN routers and switches.

NOTE: While this requirement is based on best practice and requirements for protecting classified information, it is also supported in part by DOD 5200.08-R, Physical Security Program, April 9, 2007, Incorporating Change 1, 27 May 2009, Chapter 6, Security of Communications Facilities, section C6.2.4, which states: “Access shall be controlled at all communications facilities and only authorized personnel shall be allowed to enter. Facilities should be designated and posted as a minimum, a Controlled Area, as directed.”

Security Override Guidance

None

Potential Impact

Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.

Responsibility

Information Assurance Officer

IA Controls

DCBP-1, ECSC-1

IAVMs are not addressed using RTS system vendor approved or provided patches.

Finding ID
DSN02.04
Rule ID
SV-8833r1_rule
Severity
Cat II
CCE
(None)
Group Title
Vendor Patches not used to close IAVMs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all IAVM notices relating to the installation of security or other patches for general-purpose operating systems and software on devices other than workstations are vetted through the system vendor and approved by the local DAA before installation. Many IPT / VoIP systems are based on general-purpose operating systems and applications such as databases and web servers (i.e., Windows XX, MS-SQL, IIS, Unix, LINUX, etc.). The original vendors of these general-purpose software packages provide patches for their individual packages. A vendor of an IPT / VoIP system must test and approve these patches for use on their system before they are applied, in case the OEM patch might break a portion of the IPT / VoIP system or degrade its security. The IPT / VoIP vendor may have to modify the OEM patch before releasing it to their customers. IPT / VoIP vendors must be immediately advised of IAVAs that apply to their systems so that they can test the required patch / mitigation and subsequently distribute an approved patch for their system (in accordance with VoIP0281) so that the site can maintain IAVA compliance.

Fix Text

Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed, in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will ensure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs, OR will ensure that there is a clear and well-defined path for receipt and acknowledgement of IAVMs.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

NONE

Potential Impact

Potential Impacts: Denial of Service. Patches that have not been approved and provided by a vendor and/or applied in conflict with vendor’s instructions can break features or disable the system.

Responsibility

Information Assurance Officer

IA Controls

ECND-1, ECND-2, ECSC-1

DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy.

Finding ID
DSN02.05
Rule ID
SV-8834r1_rule
Severity
Cat III
CCE
(None)
Group Title
DoD RTS/IS vulnerabilities NOT managed with a VMS
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all systems including switches, OAM&P systems, auxiliary/adjunct, and peripheral systems connected to the DSN along with their SAs are registered and tracked with an asset and vulnerability management system similar to VMS.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

NONE

Responsibility

Information Assurance Officer

IA Controls

ECND-1, ECND-2, ECSC-1

A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.

Finding ID
DSN03.01
Rule ID
SV-8835r1_rule
Severity
Cat III
CCE
(None)
Group Title
Voice/Video/RTS system/device NOT STIG compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all systems connected to DOD telecommunications systems that use technologies covered by a DISA/DOD STIG are secured in compliance with the applicable STIG(s). The applicable STIGs define threat and vulnerability mitigations that must be applied to resolve the associated threat and/or vulnerability in accordance with DoD policy.

Fix Text

The IAO and/or SA is to configure all Voice/Video/RTS systems, servers, and devices in accordance with all applicable STIGs for the specific system/server/device while taking into account any DSAWG approved open findings and their mitigations.

Check Content

Obtain a copy of all applicable SRR or Self Assessment results and review for compliance, OR perform all applicable SRRs on a representative number of RTS systems and devices. If there are a significant number of findings reported or if an applicable STIG was not applied, this is a finding.

Note: The specific Voice/Video/RTS system, server or device determines the applicability of any given STIG. Many Voice/Video/RTS system servers or devices are based on general-purpose operating systems such as Microsoft Windows, Unix, or Linux. They may use general-purpose applications such as databases like MS-SQL or Oracle and/or employ web server technology like IIS or similar. Determine what the system under review is based upon and perform the associated SRRs. Additionally, an application SRR may be applicable for the vendor's application that makes the server or device perform its functions or the management of the system.

Note: Voice/Video/RTS systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs.

Finding ID
DSN03.02
Rule ID
SV-8836r1_rule
Severity
Cat III
CCE
(None)
Group Title
“STIG Compliance” not required in contracts
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The DSN PMO and/or site command/management will ensure that “compliance with all applicable STIGs” requirements and validation measures are added to specifications and contracts for commercially leased or procured telecommunications services or systems. STIG compliance is DoD policy and must be accomplished to the greatest extent possible so that any information system may be Certified and Accredited, operated, and connected to other systems if applicable. Placing this requirement in procurement contracts puts the vendor on notice that their product or solution must support these DoD policy requirements.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Additional cost to DoD for complying with DoD security policy. Possible inability to operate the system or connect it to another DoD system.

Responsibility

Information Assurance Officer

IA Controls

DCAS-1, EBCR-1, ECSC-1

Contract requirements for STIG compliance and validation must be enforced.

Finding ID
DSN03.03
Rule ID
SV-8837r2_rule
Severity
Cat III
CCE
(None)
Group Title
Contract STIG compliance
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The ISSO must ensure that commercially contracted systems and services supporting the DSN comply with all applicable STIGs in accordance with contract requirements. STIG compliance is DoD policy and must be accomplished to the greatest extent possible so that any information system may be Certified and Accredited, operated, and connected to other systems if applicable. Placing this requirement in procurement contracts puts the vendor on notice that their product or solution must support these DoD policy requirements. The responsibility of monitoring compliance of contract requirements falls to the AO, ISSM, ISSO, and/or SA responsible for operating the system in compliance with policy. Placing compliance requirements in a contract provides no assurance that they are being met if there is no validation or enforcement of the contract requirements.

Fix Text

Implement site policy and procedures to enforce contract requirements for STIG compliance and validation.

Check Content

Review site documentation to confirm a policy and procedure enforce contract requirements for STIG compliance and validation. If a policy and procedure do not enforce contract requirements for STIG compliance and validation, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested.

Finding ID
DSN03.04
Rule ID
SV-8840r1_rule
Severity
Cat II
CCE
(None)
Group Title
A RTS system is in use but is NOT DSN APL listed
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all installed systems and associated software releases for which he/she is responsible appear on the DSN APL in accordance with DODI 8100.3 requirements. This applies to previously installed, new, and upgraded systems. DOD Instruction 8100.3 which governs DOD telecommunications and the Defense Switched Network (DSN), requires that “Telecommunications switches (and associated software releases) leased, procured (whether systems or services), or operated by the DOD Components, and connected or planned for connection to the DSN, shall be joint interoperability certified by the Defense Information Systems Agency (DISA), Joint Interoperability Test Command (JITC) and granted information assurance certification and accreditation by the Defense Information System Network (DISN) Designated Approval Authorities (DAAs).” DAA certification is obtained through the DISN Security Accreditation Working Group (DSAWG). DODI 8100.3 also requires that the DOD use (or connect to the DSN) only devices that appear on the DSN Approved Products List (APL). Both IA and Interoperability certification requirements must be met for inclusion on the DSN APL. The testing for IA and IO that occurs prior to DSN APL listing determines if the system/device meets, or can be configured to meet DoD requirements. The IA testing determines any residual risk for operating the system. This risk is accepted by the DSAWG prior to APL listing.

Fix Text

Ensure non-certified VoIP systems are not connected to the DSN. Sponsor the system for DSN APL testing and certification.

Check Content

Verify that the VoIP system is listed on the DSN APL by checking at the following link: http://jitc.fhu.disa.mil/tssi/apl.html. If not, contact the VCAO to determine if the system is in the testing process.

Security Override Guidance

This finding can be reduced to a CAT IV if the system is in the process of being certified for placement on the APL.

Potential Impact

The possible inability to certify and accredit the system or operate it legally or connect it to another DoD system due to violation of DoD policy.

Responsibility

Information Assurance Officer

IA Controls

DCAS-1, EBCR-1, ECSC-1

A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority’s recommendation and/or DSAWG approval documentation.

Finding ID
DSN03.05
Rule ID
SV-8841r1_rule
Severity
Cat III
CCE
(None)
Group Title
RTS system NOT installed according to restrictions
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that products or software releases are installed and maintained in accordance with all applicable STIGs AND the installation restrictions and vulnerability mitigations presented in the Security Assessment Report and Certifying Authority’s (CA’s) Recommendation Memo to the DSAWG. Systems listed on the DSN APL have been approved by the DSAWG as having acceptable risk for operation by DoD components. The residual risk is determined by the mitigations for any findings that cannot be closed. These mitigations may be determined or proposed by the vendor, IA test team, Certifying Authority, and/or the DSAWG and may take the form of deployment limitations and/or installation restrictions. The application of the recommended mitigations, along with compliance with any deployment limitations and/or installation restrictions, is paramount to legally operating the system in a secure manner. The required mitigations, limitations, and restrictions should be contained in the final test report produced by the VCAO following DSAWG approval. The IAO should maintain a copy of the final system testing report so that the required mitigations, limitations, and restrictions can be applied and compliance can be validated or verified.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Or review the required “documents on file” that are necessary for compliance with the requirement.

Security Override Guidance

None

Potential Impact

The possible inability to certify and accredit the system or operate it legally or connect it to another DoD system due to violation of DoD policy.

Responsibility

Information Assurance Officer

IA Controls

DCAS-1, EBCR-1, ECSC-1

DSN voice and video systems and devices must be used with the same configuration and intended purpose as listed in the APL.

Finding ID
DSN03.06
Rule ID
SV-8842r2_rule
Severity
Cat III
CCE
(None)
Group Title
APL listing
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Systems must be implemented using the configuration that was approved and for the approved purpose. Alternate configurations and purposes must be resubmitted for certification to approval authorities. DSN APL listed systems are submitted for testing in coordination with the sponsor’s needs. Systems and devices are submitted with a specific suite of equipment, software, software versions, connection types, configurations, and use cases or purposes. The resulting test results are only applicable to the specific purpose submitted. As a result, it is the specific solution and purpose that is approved and listed on the APL. If any submitted solution is changed, there may be different vulnerabilities associated with the modified solution that were not present in the originally tested solution. For this reason, modified solutions must be tested to assure that any newly acquired vulnerability is found and addressed.

Fix Text

Implement DSN voice and video systems and devices with the same configuration and intended purpose as listed in the APL.

Check Content

Review site documentation to confirm all DSN voice and video systems and devices are used with the same configuration and intended purpose as listed in the APL. If the voice and video systems and devices are not used with the same configuration and intended purpose as listed in the APL, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCAS-1, EBCR-1, ECSC-1

DSN site procurement, installation, connection, or upgrade to voice video infrastructure must consider the APL.

Finding ID
DSN03.07
Rule ID
SV-8843r2_rule
Severity
Cat III
CCE
(None)
Group Title
APL procurement consideration
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The DSN PMO, DoD Component command, and site command must ensure that products being considered for procurement, installation, connection, or upgrade to the DSN are certified and appear on the DSN APL, OR are in the process of being certified, OR will sponsor the product for certification.

Fix Text

Implement a policy and procedure requiring that DSN site procurement, installation, connection, or upgrade to voice video infrastructure consider the APL.

Check Content

Review site documentation to confirm a policy or procedure requires that DSN site procurement, installation, connection, or upgrade to voice video infrastructure consider the APL. If DSN procurement, installation, connection, or upgrade to voice video infrastructure does not consider the APL, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCAS-1, EBCR-1, ECSC-1

The voice or video system certification and accreditation must be maintained to reflect the installation or modification of the system configuration.

Finding ID
DSN03.08
Rule ID
SV-8847r1_rule
Severity
Cat III
CCE
(None)
Group Title
DSN03.08
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The DSN system is certified and accredited per the DoD Risk Management Framework (RMF) either separately or as part of a larger site accreditation. Previous to the DoD RMF, the DoD Information Assurance Certification and Accreditation Process (DIACAP) or DoD Information Technology Security Certification and Accreditation Process (DITSCAP) were used for certification and accreditation.

Fix Text

Update the voice or video system certification and accreditation documentation to accurately represent the current system configuration.

Check Content

Review the DSN system accreditation documentation and compare this with the current architecture. If the voice or video system certification and accreditation is not maintained to reflect the installation or modification of the system configuration, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCHW-1, DCID-1, DCSD-1, DCSW-1, ECSC-1

The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU.

Finding ID
DSN20.04
Rule ID
SV-9007r1_rule
Severity
Cat II
CCE
(None)
Group Title
SMU Mgmt. port connected to NON-mgmt. network
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO at the SMU site will ensure that the SMU management port or stations are not connected to any network other than one dedicated to management of the SMU. The system design and architecture of the SMU provides for no security configuration capability (i.e., user account, password, privileged user, or auditing capability). Trunk and subscriber provisioning is accomplished via an administrator’s terminal, which is a dumb terminal, connected to the system via a serial connection. From this terminal, at power up, the user has direct access to the provisioning features of the system. Therefore, security protection of the SMU is provided through the physical security of the unit.

Fix Text

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions.

Finding ID
DSN20.03
Rule ID
SV-9008r1_rule
Severity
Cat II
CCE
(None)
Group Title
ADIMSS/SMU server NOT dedicated to ADIMSS
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO at the SMU site will ensure that the ADIMSS server connected to the SMU is dedicated to ADIMSS functions. ADIMSS servers represent mission critical equipment that contains potentially sensitive information that needs to be secured and treated with the same precautions as any other servers containing sensitive information. Dedicating critical ADIMSS servers to only ADIMSS required applications is key to securing the ADIMSS network. To minimize possible risk, these servers are to be dedicated to the ADIMSS applications required for ADIMSS operations, minimizing the chance of infection or attack through an unused, unnecessary application residing on the system.

Fix Text

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.
> Degradation of security of the ADIMSS network / extended enclave.

Responsibility

System Administrator

IA Controls

ECSC-1

The SMU ADIMSS connection is NOT dedicated to the ADIMSS network

Finding ID
DSN20.02
Rule ID
SV-9009r1_rule
Severity
Cat III
CCE
(None)
Group Title
SMU ADIMSS connection is NOT dedicated
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO at the SMU site will ensure that the SMU ADIMSS connection is dedicated to the ADIMSS network. In addition to the administrator terminal connection, a secondary connection is also provided for the ADIMSS network. This connection is used for remote access to the system to collect call processing and billing information. This connection is a serial connection to the SMU from an ADIMSS server physically located on site. This ADIMSS server is in turn connected to the ADIMSS network via an Ethernet connection. This server should be dedicated to the ADIMSS and SMU and not connected to any other network.

Fix Text

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

An SMU component is not installed in a controlled space with visitor access controls applied.

Finding ID
DSN20.01
Rule ID
SV-9010r1_rule
Severity
Cat I
CCE
(None)
Group Title
An SMU is NOT installed in a secure location
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO at the SMU site will ensure that the SMU has adequate physical security protection. The system design and architecture of the SMU provides for no security configuration capability (i.e., user account, password, privileged user, or auditing capability). Trunk and subscriber provisioning is accomplished via an administrator’s terminal, which is a dumb terminal, connected to the system via a serial connection. From this terminal, at power up, the user has direct access to the provisioning features of the system. Therefore, security protection of the SMU is provided through the physical security of the unit.

Fix Text

> Take measures to apply, install, or upgrade physical security for system core assets (switches, servers) and transmission devices (network switches, routers, muxes, devices). Limit, control, and document the distribution of keys to access the equipment.

Check Content

> Perform a walk through of the facility to confirm that all DSN core and transmission devices that are part of the system are located in a secure room or locked cabinet.

Security Override Guidance

None

Potential Impact

> Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.
> Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attack vectors and/or accidental de-activation or disconnection.

Responsibility

System Administrator

IA Controls

ECSC-1

Network management/maintenance ports are not configured to “force out” or drop any user session that is interrupted for more than 15 seconds.

Finding ID
DSN18.17
Rule ID
SV-9011r1_rule
Severity
Cat II
CCE
(None)
Group Title
Network Mgmt. Ports do not drop interrupted sessio
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that network connected management ports drop a connection that is interrupted for any reason within 15 seconds. Network ports that are interrupted due to link disconnection, power failure, or other reasons must end any session using that connection. This prevents a user from ending a session without logging off and leaving the maintenance port available with an active session that might allow unauthorized use by someone other than the authenticated user.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

OOB management networks are NOT dedicated to management of like or associated systems.

Finding ID
DSN18.16
Rule ID
SV-9012r1_rule
Severity
Cat II
CCE
(None)
Group Title
OOB management networks are NOT dedicated
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that network connected switch and device management ports are connected to a network dedicated to management of the device only and/or that of other associated devices, i.e., an out-of-band management network. Management networks must be dedicated to management to mitigate unauthorized access to the managed systems and to the sensitive management information/traffic that is carried on the network.

Fix Text

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

An OOB management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.

Finding ID
DSN18.15
Rule ID
SV-9013r1_rule
Severity
Cat II
CCE
(None)
Group Title
An OOB Management network NOT STIG compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that out-of-band management networks comply with the Enclave and Network Infrastructure STIGs. Out-of-band management networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that the threats and/or vulnerabilities associated with all networks and enclaves are properly mitigated according to DoD policy.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA).

Finding ID
DSN06.02
Rule ID
SV-9016r1_rule
Severity
Cat II
CCE
(None)
Group Title
FN/LN personnel NOT properly cleared
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO and IAM will ensure that all Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems are vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA). All SAs, and particularly those who are foreign or local nationals, must have the appropriate clearance before being granted access to DoD systems. Failure to do this may result in unauthorized access or compromise.

Fix Text

Obtain a System Authorization Access Request (SAAR) DD Form 2875 for each DRSN user to validate their need-to-know.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain.

Responsibility

Information Assurance Officer

IA Controls

ECAN-1, PECF-1

Foreign national personnel access to DRSN systems must be limited as directed by applicable DoD policy.

Finding ID
DSN06.03
Rule ID
SV-9017r2_rule
Severity
Cat II
CCE
(None)
Group Title
Foreign National access
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Foreign national personnel must be limited in their access to DoD Information Systems (ISs) to prevent the unauthorized disclosure of classified information. Access to DoD ISs must be authorized by the DoD Component head in accordance with DoD, Department of State, and ODNI disclosure guidance, as applicable. Mechanisms must also be in place to limit access strictly to information that has been cleared for release to the represented foreign nation, coalition, or international organization.

Fix Text

Implement a policy or procedure requiring that foreign national personnel access to DRSN systems be limited as directed by applicable DoD policy.

Check Content

Review site documentation to confirm a policy and procedure requires foreign national personnel access is limited as directed by applicable DoD policy. If foreign national personnel access to DRSN systems is not limited as directed by applicable DoD policy, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECAN-1, PECF-1

The DSN local system must have the current software updates and patches applied to all components.

Finding ID
DSN17.04
Rule ID
SV-9028r2_rule
Severity
Cat II
CCE
(None)
Group Title
Software updates and patches implemented
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Many vendors provide patches or new versions of software to incorporate mitigations for newly discovered security vulnerabilities. In some cases, this is the only way to mitigate a threat to the system. Administrators are required to use the latest vendor-provided software or patch to take advantage of security enhancements. This is not the case if the new software only provides additional features or a patch only resolves an operational issue or bug.

Fix Text

Implement and document the DSN local system with current software updates and patches to all components.

Check Content

Review site documentation to confirm the DSN local system has the current software updates and patches applied to all components. If the current software updates and patches are not applied to all components of the DSN system, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The DSN local system must use approved software updates and patches for all components.

Finding ID
DSN17.05
Rule ID
SV-9029r2_rule
Severity
Cat II
CCE
(None)
Group Title
Software updates and patches approved
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

All patches and new system software must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security. Approved products are listed on the DoD Approved Products list (APL) to include the specific versions and releases. Additionally, the Information Assurance Vulnerability Management (IAVM) system provides information on versions and releases that may have security issues, to include zero-day vulnerabilities. The Authorizing Official (AO) can accept the risk of using software updates or patches on the system when mission essential.

Fix Text

Implement and document the DSN local system with approved software updates and patches for all components.

Check Content

Review site documentation to confirm the DSN local system uses approved software updates and patches for all components. Approved software updates and patches are listed in the DoD Approved Products List (APL). Additional requirements are provided in the Information Assurance Vulnerability Management (IAVM) system. The Authorizing Official (AO) can also approve software updates or patches. If the DSN local system is not using approved software updates and patches for all components, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The DSN system major software version releases must be tested, certified, and placed on the DoD Approved Product List (APL) prior to installation.

Finding ID
DSN17.06
Rule ID
SV-9032r2_rule
Severity
Cat II
CCE
(None)
Group Title
Major releases APL listed
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

All DSN system major software releases must be tested on non-production systems and hardware prior to use to determine the effects the new software will have on systems operations and security. DoD policy mandates testing on non-production configurations.

Fix Text

Implement and document the DSN local system with major software version releases listed on the DoD APL. Ensure only VVoIP systems listed on the DoD APL are connected to the DSN. Sponsor the system for DSN APL testing and certification.

Check Content

Review site documentation to confirm the DSN local system major software version releases on production systems are on the DoD APL. If the DSN local system major software version releases on production systems are not on the DoD APL, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCAS-1, EBCR-1, ECSC-1

A Fire and Emergency Services (FES) or evacuation paging system must be installed and implemented for life safety or security announcements.

Finding ID
DSN08.02
Rule ID
SV-9034r2_rule
Severity
Cat III
CCE
(None)
Group Title
Emergency announcement system
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A Fire and Emergency Services (FES) or evacuation paging system must be installed to provide emergency announcements and messages in accordance with public law in response to 11 September 2001 and local building codes. Local building codes have for years required facilities to provide evacuation and life safety sound systems. These systems may be required by federal or public law in the wake of 9/11/2001. In addition to life safety announcements about an evacuation or emergency condition within a facility, these systems may be used for security alerts; for example, instruct site personnel to be on the lookout for an intruder or other unauthorized person.

Fix Text

Implement an FES or evacuation paging system for life safety or security announcements.

Check Content

Review site documentation to confirm a policy and procedure requires that an FES or evacuation paging system is installed and implemented for life safety or security announcements. If an FES or evacuation paging system is not installed and implemented, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur.

Finding ID
DSN08.03
Rule ID
SV-9036r1_rule
Severity
Cat II
CCE
(None)
Group Title
NO policy for unclassified RTS in classified areas
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that a policy is in place and enforced regarding the use of telephone instruments connected to unclassified telecommunications systems located in areas or rooms where classified meetings, conversations, or work normally occur. All unclassified voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmit it down the wire even when the phone is on hook. This ability is usually caused by poor design or a malfunction in the hook switch circuitry. Additionally, speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Review the required “documents on file” that are necessary for compliance with the requirement.

Security Override Guidance

None

Potential Impact

> Loss of confidentiality
> Unauthorized access to classified information for which the recipient does not have either the proper clearance or need-to-know.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.

Finding ID
DSN04.10
Rule ID
SV-9038r1_rule
Severity
Cat II
CCE
(None)
Group Title
An OAM&P / NM or CTI network NOT STIG compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that OAM&P / NM and CTI networks comply with the Enclave and Network Infrastructure STIGs. OAM&P / NM and CTI networks must comply with the requirements contained in the Enclave and Network Infrastructure STIGs so that the threats and/or vulnerabilities associated with all networks and enclaves are properly mitigated according to DoD policy.

Fix Text

Configure all OAM&P / NM or CTI networks in accordance with the Enclave and Network Infrastructure STIGs while taking into account any DSAWG approved open findings and their mitigations for the given solution.

Check Content

Obtain a copy of Network and Enclave SRRs or Self Assessment results and review for compliance, OR perform Network and Enclave SRRs on the OAM&P / NM and/or CTI network. If there are a significant number of findings reported or if an applicable STIG was not applied, this is a finding. Note: Voice/Video/RTS and/or OAM&P / NM and/or CTI network systems and devices are required to be tested, certified, and accredited by the DSAWG and listed on the DSN APL. Each specific Voice/Video/RTS system or device may be approved while having certain open findings that are approved in light of certain mitigations. Such open findings are not to be considered in the status determination of this requirement.

Security Override Guidance

None

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.

Finding ID
DSN04.09
Rule ID
SV-9039r1_rule
Severity
Cat II
CCE
(None)
Group Title
OAM&P/NM / CTI LAN is connected to general use LAN
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) WAN. The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to a WAN negates this protection unless a proper boundary is created. Such a boundary should be a firewall. Access to the dedicated LAN and the devices on it from the WAN must be filtered by source and destination IP addresses as well as the specific ports and protocols that are required or permitted to cross the boundary.

Fix Text

> Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

This is not a finding if there is a DAA approved and documented requirement where the connection is controlled through a dedicated firewall that only allows restricted access from specific devices or management stations. Additionally, this is not a finding if the “WAN” connection is actually a connection to a dedicated management WAN that is an extended enclave such as the ADIMSS. Boundary protection in the form of a firewall or router ACL to provide the appropriate filtering is still required.

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

DCID-1, DCPA-1, EBCR-1, ECSC-1

Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.

Finding ID
DSN08.04
Rule ID
SV-9040r1_rule
Severity
Cat II
CCE
(None)
Group Title
RTS devices located in SCIFs NOT policy compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: In the event that a telephone instrument connected to an unclassified telecommunications system is placed within a Sensitive Compartmented Information Facility (SCIF), the IAO will ensure that the instrument is configured such that it provides on-hook audio protection and that the speakerphone audio pickup feature (microphone) is disabled or nonexistent. (RE: Director of Central Intelligence Directive (DCID) 6/9 Annex G, Paragraphs 2.2.1, 2.2.1.1, 2.2.1.6, and Telecommunications Security Group (TSG) Standard 2) All voice/video/RTS terminals or instruments present a potential risk to the security of areas where classified conversations are conducted. This is due to the ability of some phones to pick up room audio and transmit it down the wire even when the phone is on hook. This ability is usually caused by poor design or a malfunction in the hook switch circuitry and is covered in TSG Standard 2. Additionally, speakerphones in such areas may be activated by accident or surreptitiously. These vulnerabilities can affect the security or confidentiality of any conversation at any classification level. Of particular concern are those areas or rooms used for classified meetings, conversations, or work, such as SCIFs. Additionally, in VoIP systems in which the central call manager controls the telephone instrument, there is the potential for control of the instrument to be hijacked from elsewhere on the network, meaning that audio pickup might be activated clandestinely without the knowledge of the people near it. Speakerphones and push-to-talk handsets are covered in DCID 6/9.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Review the required “documents on file” that are necessary for compliance with the requirement.

Security Override Guidance

None

Potential Impact

> Loss of confidentiality
> Unauthorized access to classified information for which the recipient does not have either the proper clearance or need-to-know.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection.

Finding ID
DSN04.08
Rule ID
SV-9041r1_rule
Severity
Cat II
CCE
(None)
Group Title
OAM&P/NM / CTI LAN is connected to general use LAN
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that OAM&P / NM and CTI networks are not connected to the local general use (base) LAN. The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection unless a proper boundary is created. Such a boundary should be a firewall but minimally must be a router ACL. Access to the dedicated LAN and the devices on it must be filtered by source and destination IP addresses as well as the specific ports and protocols that are required or permitted to cross the boundary.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

This is not a finding if there is a DAA approved and documented requirement where the connection is controlled through a dedicated firewall or router ACL that only allows restricted access from specific devices or management stations.

Potential Impact

> Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

DCID-1, DCPA-1, EBCR-1, ECSC-1

OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications.

Finding ID
DSN04.07
Rule ID
SV-9042r1_rule
Severity
Cat II
CCE
(None)
Group Title
OAM&P/NM and CTI networks are NOT dedicated / OOB
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may be combined taking into consideration the vulnerabilities of each system and with documented local DAA approval.

OAM&P/NM and CTI terminals must connect to the switch by using either a direct connection to the system administration port or through a dedicated, out-of-band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks.

The requirement to dedicate OAM&P / NM and CTI networks or LANs is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection.

OAM&P/NM and CTI solutions are tested and approved for DSN APL listing based on a dedicated / OOB network for each solution. In keeping with the requirement that APL solutions be implemented in the same configuration as was tested, these systems must be implemented on a dedicated LAN for each solution. This is because there is no way of knowing what security risks will result from merging different solutions on a single LAN without testing the specific combination. One solution could affect the security of the other.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

This is not a finding if testing has determined that the combination of solutions does not degrade the security posture of either solution AND local DAA has approved the combination of solutions in writing. This testing must be documented and maintained for review by auditors along with the DAA approval.

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

DCID-1, DCPA-1, EBCR-1, ECSC-1

The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information

Finding ID
DSN15.07
Rule ID
SV-9043r1_rule
Severity
Cat II
CCE
(None)
Group Title
Auditing does NOT record security events
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that the auditing process records security relevant actions (e.g., the changing of security levels or categories of information). Security relevant actions such as the following should be recorded to provide an effective security audit process:

- Logons and logouts
- Excessive logon attempts/failures
- Remote system access
- Change in privileges or security attributes
- Change of security levels or categories of information
- Failed attempts to access restricted system privilege levels or data files
- Audit file access (if possible)
- Password changes
- Device configuration changes

The information that each audit record should have is as follows:

- Date and time of the event
- Origin of the request (e.g., terminal ID)
- Unique ID of the user who initiated the event
- Type of event
- Success or failure
- Description of modification to configurations
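An added example, not part of the STIG, of how an auditor or log-collection script can check records against the content requirement above: each record must carry the date/time, origin, unique user ID, event type and outcome, and change events must describe the modification. The key=value record format, event names and sample log lines are constructed assumptions, not any switch vendor's format.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Event types corresponding to the security-relevant actions the requirement lists.
SECURITY_EVENTS = {
    "LOGON", "LOGOUT", "LOGON_FAIL", "REMOTE_ACCESS", "PRIV_CHANGE",
    "SEC_LEVEL_CHANGE", "RESTRICTED_ACCESS_FAIL", "AUDIT_FILE_ACCESS",
    "PASSWORD_CHANGE", "CONFIG_CHANGE",
}
# Events that modify something and therefore need a description of the change.
CHANGE_EVENTS = {"PRIV_CHANGE", "SEC_LEVEL_CHANGE", "PASSWORD_CHANGE", "CONFIG_CHANGE"}
# Fields every record must carry: date/time, origin, user ID, event type, outcome.
REQUIRED = ("ts", "origin", "user", "event", "result")

# Constructed record format (assumption): space-separated key=value pairs,
# values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit log (assumption) with two deficient records.
SAMPLE_LOG = [
    'ts=2015-10-23T14:02:11Z origin=TTY3 user=jdoe event=LOGON result=OK',
    'ts=2015-10-23T14:05:40Z origin=TTY3 user=jdoe event=CONFIG_CHANGE result=OK desc="trunk 12 cos 5->3"',
    'ts=2015-10-23T14:06:02Z origin=TTY3 user=jdoe event=SEC_LEVEL_CHANGE result=OK',
    'ts=2015-10-23T14:07:15Z origin=REMOTE-7 event=LOGON_FAIL result=FAIL',
    'ts=2015-10-23T14:07:30Z origin=REMOTE-7 user=msmith event=LOGON_FAIL result=FAIL',
    'ts=2015-10-23T14:07:44Z origin=REMOTE-7 user=msmith event=LOGON_FAIL result=FAIL',
    'ts=2015-10-23T14:07:59Z origin=REMOTE-7 user=msmith event=LOGON_FAIL result=FAIL',
]


def parse_record(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Return the deficiencies in one record; an empty list means compliant."""
    problems = []
    for field in REQUIRED:
        if not rec.get(field):
            problems.append(f"missing {field}")
    if rec.get("ts"):
        try:
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("unparseable ts")
    if rec.get("event") and rec["event"] not in SECURITY_EVENTS:
        problems.append(f"unknown event type {rec['event']}")
    if rec.get("result") not in (None, "OK", "FAIL"):
        problems.append("result must be OK or FAIL")
    if rec.get("event") in CHANGE_EVENTS and not rec.get("desc"):
        problems.append("change event lacks description of modification")
    return problems


def review_audit_log(lines: List[str]) -> Tuple[int, Dict[int, List[str]]]:
    """Validate every line; return (compliant count, {line number: problems})."""
    findings: Dict[int, List[str]] = {}
    ok = 0
    for n, line in enumerate(lines, 1):
        probs = validate_record(parse_record(line))
        if probs:
            findings[n] = probs
        else:
            ok += 1
    return ok, findings


def excessive_logon_failures(lines: List[str], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` LOGON_FAIL records: the 'excessive
    logon attempts/failures' event the requirement wants surfaced."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") == "LOGON_FAIL":
            user = rec.get("user", "<no user>")
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, c in counts.items() if c >= threshold)
```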

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

- The inability to take administrative action or prosecute for inappropriate actions or system abuse.
- The inability to effectively troubleshoot problems.
- Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECAR-1, ECAR-2, ECAR-3, ECSC-1

The available option of Command classes or command screening is NOT being used to limit system privileges

Finding ID
DSN06.07
Rule ID
SV-9051r1_rule
Severity
Cat III
CCE
(None)
Group Title
Command classes or command screening NOT used
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that devices that are capable of command screening or command classes are configured to use this feature in conjunction with DAC. Input screening in telecommunications switches is the feature that permits an authorized individual to use one or more command classes. This feature supports DAC requirements and is used for both local and remote administration of the switches. Most switches utilize user password protection to access the operation and configuration of the switch. Most switch designs utilize levels of privileged access, each using password submission and validation at each level, to allow access to that particular function. The lowest privilege level would allow user access to perform various routine maintenance tasks or entry of subscriber data. A second level would give access to perform highly important routines, configuration changes, and change capability of first and second level passwords. Changing a second level password often requires a distinct identification or special password. Discretionary access control for system administration and maintenance access to the switch or peripheral system commands must be restricted based on the required functions or role of the user where technically feasible. Input command screening can be implemented in switches to further control user access and privileges. To do this, individual commands available in the switch are first assigned a specific command class. Each Administrative/Maintenance user is then assigned a primary function that is associated with a collection of input commands that the system accepts from that specific user.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

This is not a finding if the system does not support command screening.

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECLP-1, ECSC-1

All system administrative and maintenance user accounts are not documented.

Finding ID
DSN06.06
Rule ID
SV-9053r1_rule
Severity
Cat III
CCE
(None)
Group Title
SA and maintenance user accounts NOT documented
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will document all system administrative and maintenance user accounts. It is imperative that the IAO and SA are aware of all administrative and maintenance accounts that are configured on the system. These accounts must be documented and validated against the roster of SAs and maintenance users that are approved for access to the system. Un-needed accounts provide a means of compromise. Additionally, for each user / allowable account, the privileges, roles, and allowable commands for the account must be documented.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.

Security Override Guidance

None

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1

System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.

Finding ID
DSN06.05
Rule ID
SV-9055r1_rule
Severity
Cat II
CCE
(None)
Group Title
SA account privileges are not limited per duties
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that all systems and devices employ a role-based Discretionary Access Control system used to control access to OAM&P / NM systems, the devices they manage, and their command classes for administrative and maintenance users commensurate with their assigned responsibilities. To ensure system security, all assigned administrator and maintenance user account privileges must be limited to perform their specific function. Furthermore, super user access is to be held to a minimum and assigned to only those most knowledgeable of the system.
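An added example (not from the STIG or any switch vendor) tying together the command-class screening described under DSN06.07, the role-based privilege requirement above, and the DSN06.06 check that configured accounts match the IAO's documented roster. Command names, classes, roles and account lists are all constructed.

```python
from typing import Dict, List, Set

# Step 1 (DSN06.07): every input command is assigned exactly one command class.
COMMAND_CLASS: Dict[str, str] = {
    "display-alarms": "MAINT", "test-trunk": "MAINT", "busy-out-port": "MAINT",
    "add-subscriber": "DATA", "change-subscriber": "DATA",
    "change-trunk-group": "CONFIG", "change-routing": "CONFIG",
    "change-password": "ACCOUNT", "add-user": "ACCOUNT", "set-user-level": "ACCOUNT",
}

# Step 2: each primary function (role) is a collection of command classes the
# system accepts from users holding it.  Super user is deliberately the only
# role that may touch accounts and levels.
ROLE_CLASSES: Dict[str, Set[str]] = {
    "maintenance": {"MAINT"},
    "subscriber-data": {"DATA"},
    "config-admin": {"MAINT", "DATA", "CONFIG"},
    "superuser": {"MAINT", "DATA", "CONFIG", "ACCOUNT"},
}


def screen_command(role: str, command: str) -> bool:
    """Input screening: accept the command only if its class belongs to the
    user's role.  Unknown commands and unknown roles are rejected, never
    passed through unclassified."""
    cls = COMMAND_CLASS.get(command)
    return cls is not None and cls in ROLE_CLASSES.get(role, set())


def review_accounts(configured: Dict[str, str],
                    roster: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare accounts configured on the device (name -> role) with the IAO's
    documented roster (name -> approved role), as DSN06.06 requires, and flag
    accounts whose configured role grants classes the approved role does not."""
    undocumented = sorted(a for a in configured if a not in roster)
    over_privileged = sorted(
        a for a, role in configured.items()
        if a in roster
        and not ROLE_CLASSES.get(role, set()) <= ROLE_CLASSES.get(roster[a], set()))
    documented_but_absent = sorted(a for a in roster if a not in configured)
    superusers = sorted(a for a, role in configured.items() if role == "superuser")
    return {
        "undocumented": undocumented,            # must be removed or documented
        "over_privileged": over_privileged,      # privileges exceed assigned duties
        "documented_but_absent": documented_but_absent,
        "superusers": superusers,                # should be held to a minimum
    }
```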

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.

Security Override Guidance

This finding can be closed if a specific device does not support DAC but another device or system provides the DAC function. This situation must be documented and accepted by the local DAA. Additionally, this finding can be closed if the device appears on the DSN APL and is installed in accordance with its certification requirements.

Potential Impact

Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECLP-1, ECSC-1

Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems

Finding ID
DSN13.17
Rule ID
SV-9056r1_rule
Severity
Cat II
CCE
(None)
Group Title
Two-factor authentication NOT used
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure strong two-factor authentication is required to access all management system workstations and administrative / management ports on any device or system. The term strong two-factor authentication refers to the use of two forms of identification. This is usually something you know and something you have. A username and password is not considered two-factor authentication; it is actually the something you know. This could also be a security code. The something you have is typically a physical token. An example of this is a bankcard and PIN. Additionally, there are tokens associated with one-time password access control systems available, such as RSA Security’s SecurID and Quest Software’s NC-Pass. These provide a constantly changing code that is used in conjunction with an additional PIN or password to generate a one-time password. The code is generated by an RNG algorithm that is synchronized with a server application (e.g., RSA ACE). These and similar tokens are, and have been, widely used in DoD for access control to network elements, servers, and mainframes. These and similar one-time password tokens used in conjunction with their associated access control servers meet the intent of this requirement. NOTE: One-time password tokens and systems are older technology which is no longer mentioned in DoD policy even though the technology has been in previous DoD policy; has been in use for some time; and is currently being used in many instances for access control to legacy systems. Going forward, however, DoD policy only supports DoD’s token of choice, which is the Common Access Card (CAC) or Personal Identity Verification (PIV) card containing DoD Public Key Infrastructure (PKI) certificates. The CAC/PIV is the DoD’s token of choice. Meeting this requirement does not satisfy requirements that dictate the use of CAC/PKI tokens.
The use of a one-time-password token and access control server can only (and may only) serve as a mitigation for not being able to meet CAC/PKI requirements. This is typical of older legacy systems such as mainframes. APL NOTE: New systems being developed for use by DoD and those being tested for inclusion on the DoD Approved Products List (APL) should support CAC/PKI tokens rather than one-time password token systems.
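An added example, not from the STIG or any named vendor, of the server side of the PIN-plus-token scheme described above. It uses the standardized HMAC-based time-synchronized code (RFC 6238 TOTP) in place of the proprietary synchronized-code algorithms the text names, and accepts access only when both the salted-hash PIN (something you know) and a current, not previously used token code (something you have) check out; the step length, drift window, user name, PIN and token seed are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP = 30    # seconds each token code is valid (constructed choice)
DIGITS = 6
DRIFT = 1    # accept one step either side to tolerate token/server clock skew


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the step counter, then the
    RFC 4226 dynamic truncation to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** DIGITS):0{DIGITS}d}"


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class OtpAccessServer:
    """Access control server holding, per user, a salted PIN hash (something
    you know) and the token seed (something you have)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def enroll(self, user: str, pin: str, token_seed: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "pin": _pin_hash(pin, salt),
                             "seed": token_seed, "last_counter": -1}

    def verify(self, user: str, pin: str, code: str,
               now: Optional[float] = None) -> bool:
        """Grant access only when the PIN and a current, not-yet-used token
        code are both correct; a username plus password alone never passes."""
        u = self._users.get(user)
        if u is None:
            return False
        pin_ok = hmac.compare_digest(_pin_hash(pin, u["salt"]), u["pin"])
        counter = int((time.time() if now is None else now) // STEP)
        matched = None
        for c in range(counter - DRIFT, counter + DRIFT + 1):
            if hmac.compare_digest(totp(u["seed"], c), code):
                matched = c
        # Evaluate both factors before deciding, and refuse a code already
        # consumed (or older than one already consumed) to block replay.
        if not pin_ok or matched is None or matched <= u["last_counter"]:
            return False
        u["last_counter"] = matched
        return True
```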

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Check Content

Review current configuration files of affected devices to confirm compliance.

Security Override Guidance

This finding can be reduced to a CAT III where access to the non-compliant device (except management stations) is directly controlled by a device that is compliant such as an access router.

Potential Impact

- Loss of management control of the system and potential system abuse.
- Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAAC-1

Access to all management system workstations and administrative / management ports is NOT remotely authenticated

Finding ID
DSN13.16
Rule ID
SV-9057r1_rule
Severity
Cat II
CCE
(None)
Group Title
Management access NOT remotely authenticated
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Requirement: The IAO will ensure that remote authentication is used to control access to all management system workstations and administrative / management ports on any device or system. The term remote authentication refers to a system or device that communicates with a remote Authentication Authorization Accounting (AAA) server to validate the user’s account information before granting access. The remote server can also control user rights or permissions based on their defined roles. Systems such as RADIUS, DIAMETER, and TACACS+ typically provide this functionality for network elements. Systems such as domain controllers provide this functionality for network management workstations. The use of a centralized AAA server provides for centralized management of all network element SAs’ accounts and privileges. This eliminates the need for an SA to have an individual account on each network element. This reduces the chance that an account will be compromised, since the centralized server can be better protected than each network element. This also reduces the number of accounts in the network that can be easily accessed and compromised. A network consists of many network elements that cannot be individually protected. An SA account on each multiplies the chance that an account can be compromised. Additionally, the use of a centralized AAA server supports proper password management when an SA is required to manage multiple devices. If the SA had to change his/her password on each device, the chance that a password is not changed (device missed) is greater. NOTE: This requirement supports, and is supported by, the Network Infrastructure STIG requirements that AAA servers are to be implemented in the enclave’s management network. In general, the DSN system should integrate with the AAA service that already exists in the enclave’s management network if possible.

This requirement is primarily focused on a group of distributed devices such as those that comprise a network (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc.). While a system/device that is itself centralized (e.g., a telecom switch or VoIP controller) may be capable of comprehensive role-based AAA services such that it can stand on its own, and can be protected from external access much as a centralized AAA server would be, it is still best practice to integrate such a device with a centralized AAA server, particularly if multiple SAs must have access from multiple locations such as different local or remote NOCs.

Fix Text

Configure the system to utilize the services of a centralized AAA server. Typically this server will be the same as is implemented in the network management network, where there should be a primary and a backup server. Additionally, configure the system to utilize these primary and backup AAA servers. NOTE: In the event the system/device cannot reach a centralized AAA server (such as in a tactical environment), configure the system to provide comprehensive AAA services locally.

Check Content

Review current configuration files of affected devices to confirm compliance.

Security Override Guidance

This finding can be reduced to a CAT III where access to the noncompliant device (except management workstations) is directly controlled by a device that is compliant such as an access router. This is a CAT III finding for a system/device that is itself centralized (e.g., a telecom switch or VoIP controller); that provides comprehensive role based AAA services on its own and is protected from external access much as a centralized AAA server would be. (NOTE: the finding cannot be eliminated since it is still beneficial and preferred that a centralized solution be used.) APL NOTE: the system/device should support the use of external AAA services particularly if it is normally deployed in a distributed manner (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc). If not, this is a CAT II finding. In the event the system/device is normally deployed in a centralized manner, AND it provides comprehensive role based AAA services such that it can stand on its own BUT it does not support remote AAA services, this is a CAT III finding.

Potential Impact

- Loss of management control of the system and potential system abuse.
- Denial of Service, degradation of service, loss of confidentiality, system compromise, and/or unauthorized access to network or system resources or services and the information they contain.

Responsibility

System Administrator

IA Controls

ECSC-1, IAAC-1

VTC, Unified Capability (UC) soft client, and speakerphone microphone operations policy must prevent the pickup and transmission of sensitive or classified information over non-secure systems.

Finding ID
VVT/VTC 1905
Rule ID
SV-17063r2_rule
Severity
Cat II
CCE
(None)
Group Title
Microphone operations policy
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Microphones used with VTC systems and devices are designed to be extremely sensitive, such that people speaking anywhere within a conference room are picked up and amplified so they can be heard clearly and understood at the remote location on the call. This same sensitivity is included in VTUs that are used in office spaces. This has one disadvantage. The microphones can pick up sidebar conversations that have no relationship to the conference or call in progress. Likewise, in an open area, received conference audio can be broadcast to others in the area who are not part of the conference and possibly should not be exposed to the conference information for need-to-know reasons. Speakerphones exhibit a similar vulnerability. This is the same confidentiality vulnerability posed to audible sound information in the environment as discussed above, with the added twist that the conference audio is vulnerable to others in the environment. While this is more of an issue in environments where classified conversations normally occur, it is also an issue in any environment. This is of particular concern in open work areas or open offices where multiple people work in close proximity. Users or operators of VTC systems of any type must take care regarding who can hear what is being said during a conference call and what unrelated conversations can be picked up by the sensitive microphone. Where a VTU is used by a single person in an open area, a partial mitigation for this could be the use of a headset with earphones and a microphone. While this would limit the ability of others to hear audio from the conference and could also limit the audio pickup of unrelated conversations, it may not be fully effective. In some instances, such as when a VTU is located in a SCIF, a Push-to-Talk (PTT) handset/headset may be required.

Microphones embedded in or connected to a communications endpoint, PC, or PC monitor can be sensitive enough to pick up sound that is not related to a given communications session. They could pick up nearby conversations and other sounds. This capability could compromise sensitive or classified information that is not related to the communications in progress. Speakers embedded in or connected to a communications endpoint or PC can be made loud enough to be heard across a room or in the next workspace. This capability could compromise sensitive or classified information that is being communicated during a session. Users must be aware of other conversations in the area and their sensitivity when using any communications endpoint, not only a PC based voice, video, or collaboration communications application. This awareness must then translate into protecting or eliminating these other conversations. A short range, reduced gain, or noise canceling microphone may be required. A push-to-talk microphone may also be required for classified areas. The microphone should be muted when the user is not speaking, both as mitigation for this issue and for proper etiquette when participating in a conference. The muting function should be performed using a positively controlled disconnect, shorting switch, or mechanism instead of a software controlled mute function on the PC. Users must be aware of other people in the area that could hear what is being communicated. This is particularly an issue if the communicated information is sensitive or classified, since the parties overhearing the information may not have proper clearance or a need-to-know. To mitigate this issue, a headset or speakers should be used and at a volume that only the user can hear.

Fix Text

Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides. Produce an SOP that addresses the operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Such an SOP could or should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It could or should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It could or should also address the potential for the pickup of non-session related conversations in the work area. Provide appropriate training such that users follow the SOP. Enforce user compliance with the SOP.

Check Content

Interview the ISSO to validate compliance with the following requirement: Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware based voice and video communications devices and PC based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures are included in user training and guides. NOTE: This SOP should take into account the classification of the area where the Video Teleconferencing Unit (VTU) or PC supporting a PC based voice, video, UC, and collaboration communications applications is installed as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Along with those mentioned above, measures should be included such as closing office or conference room doors; muting of microphones before and after conference sessions, and during conference breaks; volume levels in open offices as well as muting the microphone when not speaking. Inspect the applicable SOP. Such an SOP should include policy on the use of headsets containing short range microphones and earphones in lieu of long range microphones and speakers in an open office environment. It should address the volume settings of speakers such that the session information is not heard by non-participants in a work area. It should also address the potential for the pickup of non-session related conversations in the work area. This requirement should also discuss Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories. Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed. Interview a random sampling of users to confirm their awareness of the SOP and related information. If the SOP or training is deficient, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCBP-1, ECND-1, ECSC-1

DSN system components Standard Mandatory DoD Notice and Consent Banner must be acknowledged by the user prior to logon or initial access.

Finding ID
DSN19.02
Rule ID
SV-69271r1_rule
Severity
Cat III
CCE
(None)
Group Title
Acknowledge DoD Notice and Consent Banner
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The operating system and remotely accessed information systems are required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. System use notification messages must be displayed when individuals log on to the information system. The approved DoD text must be used as specified in the DoD Instruction 8500.01 dated March 14, 2014.

Fix Text

Configure all DSN system components to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.

Check Content

Interview the ISSO to validate compliance with the following requirement: Verify all DSN system components retain the Standard Mandatory DoD Notice and Consent Banner on the screen until acknowledgement of the usage conditions by taking explicit actions to log on for further access.

IA Controls

ECSC-1, ECWM-1