SC.3.189

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.14

CMMC Description

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

CMMC Clarification

Controlling VoIP technologies starts with establishing guidelines and enforcing users’ proper and appropriate usage of VoIP technologies that are described in an organization’s policies. Monitoring should include the users’ activity for anything other than what is permitted and authorized and detection of insecure or unauthorized use of the VoIP technology. Security concerns for VoIP include eavesdropping on calls and using ID spoofing to impersonate trusted individuals. Example 1 The organization has established an Acceptable Use Policy for using the VoIP technology. You are an IT administrator at the organization responsible for the VoIP system. You verify that the VoIP solution is setup and configured correctly with all required security settings in compliance with the company’s policies and security standards. You also verify all softphone software installed for users is kept up to date and patched to address any security issues. Example 2 You are an IT administrator at your organization. Your organization has established a policy stating that VoIP technology may not be used without permission. You do not allow users to install VoIP applications on their devices and monitor for the unapproved use of VoIP on your network.

800-171 Description

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

800-171 Discussion

VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-19

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.14

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

SC.3.189.[a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and

Assessment Sub-Criteria 2

SC.3.189.[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15