Reference: CMMC 2.11
Family: SC
Level Introduced: 2
Title: Voice over Internet Protocol
Practice:
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
CMMC Clarification:
Controlling VoIP technologies starts with establishing guidelines and enforcing users' proper and appropriate usage of VoIP technologies that are described in an organization's policies. Monitoring should include the users' activity for anything other than what is permitted and authorized and detection of insecure or unauthorized use of the VoIP technology. Security concerns for VoIP include eavesdropping on calls and using ID spoofing to impersonate trusted individuals.
Example 1
The organization has established an Acceptable Use Policy for using the VoIP technology. You are an IT administrator at the organization responsible for the VoIP system. You verify that the VoIP solution is setup and configured correctly with all required security settings in compliance with the company's policies and security standards. You also verify all softphone software installed for users is kept up to date and patched to address any security issues.
Example 2
You are an IT administrator at your organization. Your organization has established a policy stating that VoIP technology may not be used without permission. You do not allow users to install VoIP applications on their devices and monitor for the unapproved use of VoIP on your network.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.