The organization must limit the use of commercially provided information assurance (IA) and IA-enabled Voice Video products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists, and/or the DoDIN Approved Products List (APL) maintained by DISA.

From Voice Video Policy Security Technical Implementation Guide

Associated with: CCI-000634

VVSP-01-000200_rule The organization must limit the use of commercially provided information assurance (IA) and IA-enabled Voice Video products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists, and/or the DoDIN Approved Products List (APL) maintained by DISA.

Vulnerability discussion

Information system components are discrete, identifiable information technology assets that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life-cycle.Voice Video elements must meet security functionality, assurance, and documentation requirements as produced by specific organization. NIAP provides Protection Profiles for many elements of information systems, and these are recognized for providing element-specific security guidance. Additionally, for Voice Video elements, DISA and other DoD entities have produced guidance to ensure a standards-based approach. The APL works with the Unified Capabilities Requirements (UCR) to provide consistency.

Check content

Review each Voice Video system security plan (SSP). Verify that the organization limits the use of commercially provided IA and IA-enabled Voice Video products to products that have been either: - Successfully evaluated by a NIAP-approved Protection Profile; or - Listed on the DoDIN APL maintained by DISA. The commercial products that must be NIAP validated or APL listed include Voice Video session managers, session border controllers, media and signaling gateways, and endpoints. If the Voice Video SSP does not document the limit on commercially provided IA and IA-enabled Voice Video products to be successfully evaluated by a NIAP-approved Protection Profile and/or listed on the DoDIN APL maintained by DISA, this is a finding.

Fix text

Document in the Voice Video SSP all network components and/or devices used in the design of the Voice Video system. The design must limit the use of commercially provided IA and IA-enabled Voice Video products to products that have been either: - Successfully evaluated by a NIAP-approved Protection Profile; or - Listed on the DoDIN APL maintained by DISA. The commercial products that must be NIAP validated or APL listed include Voice Video session managers, session border controllers, media and signaling gateways, and endpoints.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.