The organizations System Security Plan (SSP) must document that the Video Conferencing (VC) system must not connect to ISDN lines when connected to a classified network.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000164_rule The organizations System Security Plan (SSP) must document that the Video Conferencing (VC) system must not connect to ISDN lines when connected to a classified network.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.Most CODECs have a built-in IMUX so that multiple ISDN lines can terminate directly on the CODEC. ISDN lines used for VC transport are provided by a traditional telephone switch on an unclassified network. Connecting a classified IP network to an unclassified telephone network through a VC CODEC while in a conference could lead to disclosure of classified information to the unclassified network and unclassified VC endpoints. While this issue might be mitigated by using a Type 1 encryptor between the CODEC and an external IMUX, an SOP would need to be in place that would dictate that the ISDN connection must be established and the Type 1 encryptor synced with the other end BEFORE the CODEC was connected to the classified IP network. This type of operation is risky and prone to error and is therefore not recommended.

Check content

Review the Voice Video SSP for the system. Confirm the VC system architecture and inspect the VC CODEC to verify that ISDN lines are not connected directly to the CODEC if it connects to a classified IP network (e.g., SIPRNet, JWICS) at any time. If the VC system connects to ISDN lines when connected to a classified network, this is a finding. If the design and configuration are not documented in the SSP, this is a finding. NOTE: If the VC system is used to support multiple networks having different classification levels, and the ISDN lines are isolated from classified IP, they must meet Periods Processing requirements.

Fix text

Do not simultaneously connect ISDN lines to a VC CODEC if the CODEC connects to a classified IP network. Document the design and configuration in the Voice Video SSP for this system. Further document procedures, if any, used to ensure no simultaneous connections occur.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer