
Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide

Version: V1R2
Release Date: Dec 30, 2025
SCAP Benchmark ID: EVVM_Session_Management_SRG
Total Checks: 60
Tags: other
CAT I: 10, CAT II: 50, CAT III: 0

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (60)

V-259987 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must automatically disable user accounts after a 35-day period of account inactivity.
V-259988 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints.
V-259989 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.
V-259990 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints.
V-259991 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system.
V-259992 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions.
V-259993 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen for management sessions until admins acknowledge the usage conditions and take explicit actions to log on for further access.
V-259994 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must limit the number of concurrent management sessions to an organizationally defined limit.
V-259995 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.
V-259996 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the type of session connection.
V-259997 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing timestamps (date and time) for all session connections.
V-259998 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing where (location) the connection originated.
V-259999 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the initiator of the call.
V-260000 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the outcome (status) of the connection.
V-260001 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.
V-260002 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure.
V-260003 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized read access.
V-260004 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized modification.
V-260005 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized deletion.
V-260006 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.
V-260007 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to disable nonessential capabilities.
V-260008 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
V-260009 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-260010 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system.
V-260011 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.
V-260012 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify each Voice Video Endpoint device before registration.
V-260013 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to terminate all network connections associated with a communications session at the end of the session.
V-260014 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.
V-260015 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
V-260016 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.
V-260017 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-260018 | MEDIUM | In the event of a system failure, Enterprise Voice, Video, and Messaging Session Managers must be configured to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-260019 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.
V-260020 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to restrict Enterprise Voice, Video, and Messaging Session Manager access outside of operational hours.
V-260021 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint user access.
V-260022 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint device access.
V-260024 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must be configured to offload session (call) records to a central log server.
V-260025 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to require Voice Video Endpoints to re-register at least every three hours.
V-260026 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to require Voice Video peers to re-register (reauthenticate) at least every hour.
V-260027 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video Endpoint device before registration.
V-260028 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video peer (trunk) before registration.
V-260029 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to provide an indication of current participants in all calls, meetings, and conferences.
V-260030 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
V-260031 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must only allow the use of DOD-approved PKI certificate authorities when using PKI.
V-260032 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organizationally defined security safeguards.
V-260033 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to limit and reserve bandwidth based on priority of the traffic type.
V-260034 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams.
V-260035 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager, when using locally stored user accounts, must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
V-260036 | MEDIUM | For accounts using password authentication, the Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
V-260037 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must generate session (call) records when concurrent logons from multiple endpoints occur.
V-260038 | MEDIUM | When using locally stored user accounts, the Enterprise Voice, Video, and Messaging Session Manager must generate audit records for all account creations, modifications, disabling, and termination events.
V-260039 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must implement NIST FIPS-validated cryptography for communications sessions.
V-260040 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use the organization authoritative time source (NTP) to maintain system time.
V-260041 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-260042 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager requiring user access authentication must provide a logout capability for user-initiated communications sessions.
V-260043 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
V-260044 | MEDIUM | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use a voice or video VLAN, separate from all other VLANs.
V-260045 | MEDIUM | When using locally stored user accounts, the Enterprise Voice, Video, and Messaging Session Manager must store only cryptographic representations of passwords.
V-260046 | HIGH | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use only TLS 1.2 or greater for all TLS and SSL communications.
V-260047 | MEDIUM | When using PKI, the Enterprise Voice, Video, and Messaging Session Manager must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.