STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019

An uninterruptible power system (UPS) has not been designed or implemented to provide sufficient continuous backup power for the LAN Infrastructure, WAN boundary Infrastructure, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls.

DISA Rule

SV-21597r1_rule

Vulnerability Number

V-19535

Group Title

Deficient COOP design: VVOIP System Backup Power

Rule Version

VVoIP 1220 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure an uninterruptible power supply (battery at a minimum; plus optional generator) is provided for all parts of the VVoIP infrastructure (Core LSC/MFSS, adjunct systems providing critical services, EBC, CER, LAN NEs, and endpoints) as follows:
> All devices including voice endpoints and portions of the LAN that directly support any single special-C2 user are minimally provided 8 hours UPS.
> All devices including voice endpoints and portions of the LAN that directly support any single C2 user are minimally provided 2 hours UPS.
> All devices including voice endpoints and portions of the LAN that support C2R and non-C2/admin users (that is, the balance of the VVoIP system) are provided some reasonable level of UPS in support of emergency life-safety and security communications.
> UPS systems supplying power to infrastructure that supports special-C2 and C2 users must also support environmental power (for example, cooling power) such that equipment failures are prevented. This support may not need to be continuous but must be commensurate with the users supported (8 or 2 hours as appropriate).
NOTE: UPS in support of C2R and non-C2/admin users' endpoints is best provided using PoE, particularly if supporting the general population (probably more cost effective than a battery under every desk). While support of all such endpoints and infrastructure is desirable since this provides greater availability, the cost could become a negating factor. In this case, a portion of the regular endpoints or emergency use endpoints could be provided at strategic locations within the facility to fulfill the requirement to support emergency life-safety and security communications.

Install, upgrade, and maintain UPS systems as needed to meet the backup power requirements.

Check Contents

Inspect the UPS capabilities provided to the core VVoIP infrastructure, EBC, and CER. Inspect the UPS capabilities in, at minimum, a random sampling of LAN infrastructure locations. Perform UPS input power failure tests and timed outage tests to determine if the provided backup is functional and of the correct capacity for the users supported. NOTE: These tests may need to be performed during non-duty hours.

In no case should a UPS immediately, or within a short time, drop power to the supported equipment. This would indicate an undersized or defective UPS unit.

This finding carries a severity of Cat II if the requirements supporting a Special-C2 or C2 user are deficient. This finding carries a severity of Cat III if the requirements supporting C2R or Non-C2/admin users are deficient.

NOTE: Such tests should be performed on a regular basis as part of routine maintenance, but at a minimum annually as part of the annual C&A inspection reviews.

Documentable

False

Severity Override Guidance

Inspect the UPS capabilities provided to the core VVoIP infrastructure, EBC, and CER. Inspect the UPS capabilities in, at minimum, a random sampling of LAN infrastructure locations. Perform UPS input power failure tests and timed outage tests to determine if the provided backup is functional and of the correct capacity for the users supported. NOTE: These tests may need to be performed during non-duty hours.

In no case should a UPS immediately, or within a short time, drop power to the supported equipment. This would indicate an undersized or defective UPS unit.

This finding carries a severity of Cat II if the requirements supporting a Special-C2 or C2 user are deficient. This finding carries a severity of Cat III if the requirements supporting C2R or Non-C2/admin users are deficient.

NOTE: Such tests should be performed on a regular basis as part of routine maintenance, but at a minimum annually as part of the annual C&A inspection reviews.

Check Content Reference

M

Potential Impact

Reduced or no availability and denial-of-service. A high priority command and control or emergency life-safety/security call may not be able to be completed in a timely fashion or at all.

Responsibility

Information Assurance Officer

Target Key

594

Comments