SC-101—Unclassified Telecommunications Systems In Secure Facilities
Secret (P1)
Technical
>Control Description
(A) Unclassified telecommunications systems in Secure Facilities must not pass or transmit sensitive audio from the surrounding area while they are idle (on-hook) and not in use. These systems must also be configured to prevent external control or activation. The "on-hook" audio protection concepts set out in the Committee on National Security Systems Instructions CNSSI 5002 and CNSSI 5006 must be incorporated into Secure Facility telecommunications systems.
(B) Unclassified telephone systems and services must be configured to prevent technical exploitation or penetration. In addition, these systems must incorporate physical and software access controls to prevent disclosure or manipulation of system programming and stored data.
(C) The organization must ensure that the following specific requirements are applied to unclassified telecommunications systems:
(a) Provide on-hook audio protection through the use of CNSSI 5006 equipment, CNSSI 5006-approved disconnect devices, or an equivalent CNSSI 5002 system configuration.
(b) Provide isolation through the use of a computerized telephone system (CTS) with software and hardware configuration control and with control of audit reports (such as station message detail reporting and call detail reporting). System programming must not include the ability to place, or keep, a handset off-hook. The system configuration must ensure that all on-hook and off-hook vulnerabilities are identified and mitigated.
(c) Ensure that equipment used to administer telephone systems is installed inside an area where access is limited to authorized personnel. When local administration terminals for a CTS are not, or cannot be, contained within the controlled area and safeguarded against unauthorized manipulation, CNSSI 5006-approved telephone equipment must be used regardless of the CTS configuration.
(d) Ensure that remote maintenance from outside the Secure Facility is not used.
(e) Ensure that speakerphones and audio conferencing systems are not used on unclassified telecommunications systems in Secure Facilities. CSE may approve exceptions to this requirement when these systems have sufficient audio isolation from the other classified discussion areas in the Secure Facility and procedures are established to prevent inadvertent transmission of classified information.
(f) Ensure that voice mail and unified messaging features are configured to prevent unauthorized access to remote diagnostic ports or to internal dial tone.
(g) Ensure that telephone answering devices (TAD) and facsimile machines do not contain features that introduce security vulnerabilities, e.g., remote room monitoring, remote programming, or other similar features that may permit off-premise access to room audio. Prior CSE approval is required before installation or use.
(D) All unclassified telecommunications systems and their associated infrastructure must be electrically and physically isolated from any classified information or telecommunications system, in accordance with Committee on National Security Systems requirements or any other separation standard applied to the classified information system on site.
(E) The security requirements and installation guidelines in Committee on National Security Systems publication CNSSI 5000 shall be followed for Voice over Internet Protocol (VoIP) systems installed in any physical security zone processing classified information.
>Supplemental Guidance
A Secure Facility is any physical security zone processing classified information. A Secure Facility may be a Sensitive Compartmented Information Facility (SCIF) at the Top Secret level, or any Secure Facility of a lower level (e.g. Secret, Confidential).
>Tailoring Guidance
This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all environments. Consequently, inclusion in a departmental profile is made on a case-by-case basis.