The organizations System Security Plan (SSP) for the Voice Video system must have approval for all commercial Voice Video connections by the DoDIN Waiver Panel, signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000161_rule The organizations System Security Plan (SSP) for the Voice Video system must have approval for all commercial Voice Video connections by the DoDIN Waiver Panel, signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements; the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.The DoD requires the use of DISN Voice Services as the first choice to meet core communications needs. When additional services for SIP trunks are necessary, an ITSP (for VoIP services) may provide an alternate connection, but this requires approval by the DoDIN Waiver Panel and signature by the DoD CIO. Local ITSP connections provide an Internet pathway into the DISN, placing the DoDIN directly at risk for exploitation. A local ITSP connection can circumnavigate DoD protections of the DISN at its boundaries with the Internet. Using commercial VoIP service from an ISP requires the implementation of a connection path to the Internet. These types of connections must be approved and must meet the requirements for an Internet Access Point (IAP). ITSP connections may provide SIP trunks terminating on a media gateway, which then provides TDM trunks or POTS lines to traditional non-VoIP PBX, key system, or individual end instrument. ITSP VoIP connections terminating in a separate LAN from the enclave's DoD LAN may support a separate VoIP system. This connection type might be used for a small site having a small VoIP system or a few discrete phones dedicated to commercial network calling.

Check content

Review the Voice Video SSP for the system. Confirm the Voice Video system has approval for all commercial Voice Video connections by the DoDIN Waiver Panel, signed by DOD CIO for a permanent alternate connection to the ITSP. Voice Video system use cases applicable to this requirement: - Use Case 1: ITSP connections providing direct connection to the enclave's DoD LAN - Use Case 2: ITSP connections providing a SIP trunk terminating on a media gateway that provides TDM trunks or POTS lines to traditional non-VoIP PBX, key system, or individual end instrument - Use Case 3: ITSP connections terminating on a separate LAN from the enclave's DoD LAN supporting a separate VoIP system - Use Case 4: ITSP connections providing service over any approved ISP gateway If any enclave connects with a commercial VoIP provider (ITSP) and is not approved by the DoDIN Waiver Panel, this is a finding. If the DOD CIO has not signed for a permanent alternate connection to the ITSP, this is a finding. NOTE: This connection will be a permanent connection and should be designated or recognized as such in the approval documentation since most approvals of this type are for temporary connections.

Fix text

Obtain and document in the Voice Video SSP the approval by the DoDIN Waiver Panel and signature by the DOD CIO for a permanent alternate connection to the ITSP for any connection with a commercial VoIP provider (ITSP).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer