The Unified Mail system and/or server must implement applicable SRG and/or STIG guidance.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8254	VVoIP 1045	SV-8740r2_rule		Medium

Description
Unified Mail services are subject to the guidance and requirements in the Voice VIdeo STIGs. Older voice mail systems/servers commonly use proprietary Oss, while newer ones often run on Windows or Linux. The Defense Switched Network (DSN) STIG has been sunsetted. It is available on IASE in the Sunset Products page for telecommunications to be used for reference (https://iase.disa.mil/stigs/sunset/telecomm/Pages/index.aspx). The Voice Video Services Policy STIG, VVoIP STIG, Voice Video Endpoint SRG, and Voice Video Session Mgmt SRG contain the current guidance the DSN STIG covered. Additionally, the underlying OS, any attached database, and any applications providing ancillary functions must be assessed using the most appropriate guidance SRGs/STIGs.

Description

Unified Mail services are subject to the guidance and requirements in the Voice VIdeo STIGs. Older voice mail systems/servers commonly use proprietary Oss, while newer ones often run on Windows or Linux. The Defense Switched Network (DSN) STIG has been sunsetted. It is available on IASE in the Sunset Products page for telecommunications to be used for reference (https://iase.disa.mil/stigs/sunset/telecomm/Pages/index.aspx). The Voice Video Services Policy STIG, VVoIP STIG, Voice Video Endpoint SRG, and Voice Video Session Mgmt SRG contain the current guidance the DSN STIG covered. Additionally, the underlying OS, any attached database, and any applications providing ancillary functions must be assessed using the most appropriate guidance SRGs/STIGs.

STIG	Date
Voice Video Services Policy Security Technical Implementation Guide	2019-09-27

Details

Check Text ( C-23621r2_chk )
Review the site documentation to confirm all Unified Mail systems and servers implement the appropriate SRGs and STIGs. The server OS must be assessed using the Windows, Linux, or other appropriate STIG. The application and supporting services must be assessed using the appropriate (e.g., application, web server, database) SRGs and STIGs. If the Unified Mail systems and servers are not assessed using the appropriate SRGs and STIGs, this is a finding.

Check Text ( C-23621r2_chk )

Review the site documentation to confirm all Unified Mail systems and servers implement the appropriate SRGs and STIGs. The server OS must be assessed using the Windows, Linux, or other appropriate STIG. The application and supporting services must be assessed using the appropriate (e.g., application, web server, database) SRGs and STIGs.

If the Unified Mail systems and servers are not assessed using the appropriate SRGs and STIGs, this is a finding.

Fix Text (F-20136r2_fix)
Ensure Unified Mail systems and servers are secured using the appropriate (e.g., application, web server, database, OS) SRGs and STIGs.