STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 6 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide

V-260036

CAT II (Medium)

For accounts using password authentication, the Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

Rule ID

SV-260036r949069_rule

STIG

Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide

Version

V1R2

CCIs

CCI-000197

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-1 for integrity of remote access sessions. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. Preshared key cipher suites may only be used in networks where both the client and server belong to the same organization. Cipher suites using preshared keys must not be used with TLS 1.0 or 1.1 and must not be used with TLS 1.2 when a government client or server communicates with nongovernment systems. This requirement applies to all accounts, including authentication server, AAA, and local accounts such as the root account and the account of last resort. This requirement only applies to components where this is specific to the function of the device (e.g., Transport Layer Security [TLS] Virtual Private Network [VPN] or Application Layer Gateway [ALG]). This does not apply to authentication for the purpose of configuring the device itself (management).

Check Content

Verify the Enterprise Voice, Video, and Messaging Session Manager, for accounts using password authentication, is configured to SHA-2 or greater to protect the integrity of the password authentication process.

Note: The use of SHA-1 in accordance with SP800-131Ar2 will also meet this requirement.

If the Enterprise Voice, Video, and Messaging Session Manager is not configured to use SHA-2 or greater to protect the password authentication process, this is a finding.

Fix Text

For accounts using password authentication, configure the Enterprise Voice, Video, and Messaging Session Manager to use SHA-2 or greater to protect the integrity of the password authentication process.