NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Cisco Unified Communications Manager (CUCM) 11.5

Certificate Date:  2018.11.14

Validation Report Number:  CCEVS-VR-VID10900-2018

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
  Extended Package for Enterprise Session Controller (ESC) Version 1.0

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is Cisco Unified Communications Manager running CUCM 11.5 (herein after referred to as CUCM).  The TOE is a hardware and software-based call-processing component of the Cisco Unified Communications family of products.  The TOE extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

The evaluated configuration of the TOE includes the CUCM 11.5 software installed on one of the Cisco Unified Computing System™ (UCS) C220 M4, UCS C240 M4, UCS C220 M5S, UCS C240 M5S Servers.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Unified Communications Manager 11.5 (CUCM) was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  The product, when delivered configured as identified in the Cisco Unified Communications Manager 11.5 Common Criteria AGD, satisfies all of the security functional requirements stated in the Cisco Unified Communications Manager 11.5 Common Criteria Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in November.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Security Audit:

The Cisco CUCM provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions.  The TOE generates an audit record for each auditable event.  Each security relevant audit event has the date, timestamp, event description, and subject identity.  The administrator configures auditable events, performs back-up operations, and manages audit data storage.  The TOE audit event logging is centralized and enabled by default.  Audit logs can be backed up over a secure TLS channel to an external audit server. The TOE also generates log records related to the faults and system health of the UCS platform.  The logs include notices for current IP connections (physical NIC network configured connections), CPU usage, memory usage, disk capacity usage, fan status and if dual power supply is supported, power status when one source fails.  The logs can be viewed via the GUI interface. 

 Cryptographic Support:

The TOE provides cryptography in support of other Cisco CUCM security functionality.  The CUCM software calls the Cisco FIPS Object Module (FOM) v6.0 that has been validated.

The TOE provides cryptography in support of remote administrative management via HTTPS, to secure the connection to an external audit server and the video and voice recording server using TLS.  The TOE uses the X.509v3 certificate for securing TLS connections, including SIP and SRTP connections to ESC peers and endpoints. The TOE also authenticates software updates to the TOE using a published hash. 

Full Residual Information Protection:

The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic.  Residual data is never transmitted from the TOE.

Identification and authentication:

The TOE provides authentication services for administrative users to connect to the TOE’s GUI administrator interface.  The TOE requires Authorized Administrators to be successfully identified and authenticated prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters.  The TOE provides administrator authentication against a local user database using the GUI interface accessed via secure HTTPS connection. 

Security Management:

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure HTTPS session or via a local console connection.  The TOE provides the ability to securely manage:

  • All TOE administrative users;
  • All identification and authentication;
  • All audit functionality of the TOE;
  • All TOE cryptographic functionality;
  • Update to the TOE; and
  • TOE configuration 

The TOE supports the security administrator role.   Only the privileged administrator can perform the above security relevant management functions. Administrators can create configurable login banners to be displayed at time of login. 

Protection of the TSF:

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.  The TOE prevents reading of cryptographic keys and passwords.  Additionally Cisco CUCM is not a general-purpose operating system and access to Cisco CUCM memory space is restricted to only Cisco CUCM functions. The TOE initially synchronizes time with an NTP server and then internally maintains the date and time.  This date and time is used as the timestamp that is applied to audit records generated by the TOE. 

The TOE performs testing to verify correct operation of the system itself and that of the cryptographic module. Finally, the TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software.

TOE Access:

The TOE can terminate inactive sessions after an Authorized Administrator configurable time-period.  Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.  The TOE can also be configured to display an Authorized Administrator specified banner on the GUI management interfaces prior to accessing the TOE.

Trusted path/Channels:

The TOE allows trusted paths to be established to itself from remote administrators over HTTPS and initiates secure TLS connections to transmit audit messages to remote syslog servers and TLS is also used to secure the transmission of VVR to remote servers.  The connection to NTP is secured using NTPv4.  The TOE also allows secure communications between itself and a SIP Client using SRTP and between itself and another ESC Server using TLS.  

Vendor Information

Cisco Systems, Inc.
Terrie Diaz
Site Map              Contact Us              Home