The organization must manage Voice Video system identifiers (e.g., phone numbers) by disabling phone numbers only when necessary.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300450

Associated with: CCI-000795

VVSP-01-000098_rule The organization must manage Voice Video system identifiers (e.g., phone numbers) by disabling phone numbers only when necessary.

Vulnerability discussion

Common device identifiers include, for example, media access control (MAC) addresses, Internet Protocol (IP) addresses, device-unique identifiers, and phone numbers. Preventing reuse of identifiers implies preventing the assignment of previously used identifiers to different devices. For Voice Video systems, the importance of preventing reuse must also consider fire and emergency services (FES) requirements for life safety and Command and Control (C2) requirements mandating communications among top-level officials. Automatic Location Identification (ALI) and Automatic Number Identification (ANI) databases, which hold location and phone number records, are often used with VoIP systems to identify the precise location of a Voice Video endpoint. When endpoints are reused, these databases must also be updated. Adversaries can use improperly maintained databases as a way of mobilizing security and emergency personnel to a faux site to weaken responses in another area.

Check content

Review each Voice Video system security plan (SSP). Ensure the organization manages Voice Video system identifiers (e.g., phone numbers) by disabling phone numbers only when necessary. Verify that an administrative procedure in the Voice Video SSP governs the disabling of phone numbers. Confirm that the administrative procedure contains conditions so that special-purpose phone numbers, such as FES phone numbers, are never disabled.

If an administrative procedure governing the disabling of phone numbers is not included in the Voice Video SSP, this is a finding.

If the administrative procedure governing the disabling of phone numbers does not prevent disabling special-purpose phone numbers, such as FES phone numbers, this is a finding.

NOTE: A related best practice to support FES is a procedure for unassigned phone numbers. Confirm that the procedure for unassigning phone numbers includes reducing the class of service to limited use, to ensure FES is available. An available working phone must be reachable in workspaces at all times. Leaving non-working phones on desks can cause confusion, resulting in death or injury, during emergency situations.

Fix text

Develop and document in each Voice Video SSP the procedures to manage Voice Video system identifiers (e.g., phone numbers) by disabling phone numbers only when necessary. The procedure must contain conditions so that special-purpose phone numbers, such as FES phone numbers, are never disabled.
