STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Enterprise Voice, Video, and Messaging Policy Security Requirements Guide

Version: V1R4
Release Date: Dec 23, 2025
SCAP Benchmark ID: EVVM_Policy_SRG
Total Checks: 51
Tags: other
Severity breakdown: CAT I: 4, CAT II: 42, CAT III: 5

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (51)

  • V-259890 (HIGH): The Enterprise Voice, Video, and Messaging Policy must define operations for VTC and endpoint cameras regarding the ability to pick up and transmit sensitive information.
  • V-259891 (MEDIUM): The Enterprise Voice, Video, and Messaging Policy must define operations for endpoint microphones regarding the ability to pick up and transmit sensitive information.
  • V-259892 (MEDIUM): An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next.
  • V-259893 (HIGH): An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by connecting the CODEC to one network at a time, matching the classification level of the session to the classification level of the network.
  • V-259894 (MEDIUM): An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing sanitization by purging/clearing volatile memory within the CODEC by powering the CODEC off for a minimum of 60 seconds.
  • V-259895 (MEDIUM): IP-based VTC systems implementing a single CODEC that support conferences on multiple networks with different classification levels must sanitize nonvolatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network.
  • V-259896 (MEDIUM): The A/B, A/B/C, or A/B/C/D switch within an IP-based VTC system that supports conferences on multiple networks with different classification levels must be based on optical technologies to maintain electrical isolation between the various networks to which it connects.
  • V-259897 (MEDIUM): An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels must be implemented in such a way that configuration information for a network having a higher classification level is not disclosed to a network having a lower classification level.
  • V-259898 (MEDIUM): The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels must be Common Criteria certified.
  • V-259899 (LOW): The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels must be TEMPEST certified.
  • V-259900 (MEDIUM): An IP-based VTC system implementing a single set of input/output devices (cameras, microphones, speakers, control system), an A/V switcher, and multiple CODECs connected to multiple IP networks with different classification levels must provide automatic mutually exclusive power control for the CODECs or their network connections so only one CODEC is powered on or one CODEC is connected to any network at any given time.
  • V-259901 (MEDIUM): The implementation of an IP-based VTC system that supports conferences on multiple networks with different classification levels must maintain isolation between the networks to which it connects by implementing separation of equipment and cabling between the various networks with differing classification levels in accordance with CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance.
  • V-259902 (MEDIUM): Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over nonsecure systems.
  • V-259903 (MEDIUM): An inventory of authorized instruments must be documented and maintained in support of the detection of unauthorized instruments connected to the Enterprise Voice, Video, and Messaging system.
  • V-259904 (LOW): Customers of the DISN VoSIP service must use address blocks assigned by the DRSN/VoSIP PMO.
  • V-259905 (MEDIUM): Voice networks must not be bridged via a Unified Capability (UC) soft client accessory.
  • V-259906 (MEDIUM): When soft-phones are implemented as the primary voice endpoint in the user's workspace, a policy must be defined to supplement with physical hardware-based phones near all such workspaces.
  • V-259907 (MEDIUM): Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have authorizing official (AO) approval.
  • V-259908 (MEDIUM): Deploying Unified Capabilities (UC) soft clients on DOD networks must have authorizing official (AO) approval.
  • V-259909 (MEDIUM): A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary.
  • V-259910 (MEDIUM): The local Enterprise Voice, Video, and Messaging system must have the capability to place intrasite and local phone calls when network connectivity is severed from the remote centrally located session controller.
  • V-259911 (MEDIUM): The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications.
  • V-259912 (MEDIUM): The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications.
  • V-259913 (MEDIUM): The site's enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks.
  • V-259914 (MEDIUM): Local commercial phone service must be provided in support of continuity of operations (COOP) and Fire and Emergency Services (FES) communications.
  • V-259915 (MEDIUM): The enclave must be dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
  • V-259916 (MEDIUM): The dual homed DISN core access circuits must be implemented so that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
  • V-259917 (MEDIUM): The required dual homed DISN Core or NIPRNet access circuits must follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs.
  • V-259918 (LOW): Critical network equipment must be redundant and in geographically diverse locations for a site supporting command and control (C2) users.
  • V-259919 (MEDIUM): Enclaves with commercial VoIP connections must be approved by the DODIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
  • V-259920 (MEDIUM): The Fire and Emergency Services (FES) communications over a site's telephone system must be configured to support the Department of Defense Instruction (DODI) 6055.06 telecommunication capabilities.
  • V-259921 (MEDIUM): The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
  • V-259922 (MEDIUM): The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide a direct callback telephone number and physical location of an F&ES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
  • V-259923 (MEDIUM): The Fire and Emergency Services (F&ES) communications over a site's private telephone system must route emergency calls as a priority call in a nonblocking manner.
  • V-259924 (MEDIUM): Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Special-C2 users.
  • V-259925 (MEDIUM): Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users.
  • V-259926 (LOW): Sufficient backup power must be provided for LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-command and control (C2) user accessible endpoints for emergency life safety and security calls.
  • V-259927 (MEDIUM): The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multifunction Soft Switch (MFSS).
  • V-259928 (MEDIUM): The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams.
  • V-259929 (MEDIUM): The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network.
  • V-259930 (MEDIUM): The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.
  • V-259931 (LOW): The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents.
  • V-259932 (MEDIUM): The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.
  • V-259933 (MEDIUM): The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages.
  • V-259934 (HIGH): The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets.
  • V-259935 (HIGH): The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.
  • V-259936 (MEDIUM): The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
  • V-259937 (MEDIUM): The Enterprise Voice, Video, and Messaging system connecting with a DISN IPVS must be configured to signal with a backup Multifunction Soft Switch (MFSS) (or SS) if the primary cannot be reached.
  • V-259938 (MEDIUM): The Multifunction Soft Switch (MFSS) must be configured to synchronize with at minimum a paired MFSS and/or others so that each may serve as a backup for the other when signaling with its assigned Local Session Controller (LSC), thus improving the reliability and survivability of the DISN IPVS network.
  • V-259939 (MEDIUM): A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system.
  • V-274463 (MEDIUM): A site utilizing a commercial VoIP/SIP provider must use a provider compliant with FCC STIR/SHAKEN protocol rules.