The organizations System Security Plan (SSP) for the Voice Video system must document the Voice Video session media encryption used to provide end-to-end interoperable confidentiality and integrity.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000160_rule The organizations System Security Plan (SSP) for the Voice Video system must document the Voice Video session media encryption used to provide end-to-end interoperable confidentiality and integrity.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements; the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.Because vendors did not have interoperability, lacked end-to-end encryption, and did not provide assured service in support of Command and Control (C2) communications, VVoIP traffic originally was restricted to the local enclave. The DSN PMO, DISA Engineering, and other groups have defined network and Voice Video system requirements for DISN Voice Services. Voice Video systems use signaling protocols to set up and manage the communications session and the media transfer protocols carrying the communications. Both signaling and media protocols can be compromised when transmitted without encryption. To provide the assured service pre-emption and priority capabilities required for DISN Voice Precedence communications, DISA developed Assured Services (AS) for network infrastructure and AS-SIP. The common method of providing confidentiality and integrity for SIP signaling and providing session authentication is to encrypt it using TLS. The encryption algorithm, key strength, and key management processes are denied in the current version of the DoD Unified Capabilities Requirements (UCR) document available from the DISA voice Services PMO.

Check content

Review each organizational Voice Video SSP. Confirm the Voice Video system uses session media encryption to provide end-to-end interoperable confidentiality and integrity. The Voice Video components within the VoIP system that must be protected are endpoints, media gateways, session mangers (gatekeepers, session controllers, soft switches, etc.), border elements (session border controllers, routers, firewalls, etc.), and other network devices involved in the session media. Session media encryption meeting UCR requirements must be implemented end to end. If the SSP for the Voice Video system does not document the Voice Video session media encryption used to provide end-to-end interoperable confidentiality and integrity, this is a finding.

Fix text

Implement and document in the Voice Video SSP the session media encryption used to provide end-to-end interoperable confidentiality and integrity. Configure the Voice Video system components per the DoDIN APL deployment guide specific to the product being deployed.

Pro Tips

Powered by sagemincer