Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.14 – Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Understanding the Requirement
This control (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires that an organization both restricts who can use VoIP and how VoIP is used, and actively monitors VoIP systems for misuse or compromise. Practically, that means defining acceptable use (what can and cannot be discussed, which devices and apps are allowed), securing and configuring VoIP equipment and services, and collecting and reviewing logs and assignment records so unauthorized access or eavesdropping can be detected and addressed.
Technical Implementation
- Establish an access and device policy for VoIP: publish a short policy that specifies who may use VoIP, approved clients (desk phones, company-managed softphones, mobile apps), restrictions on discussing Controlled Unclassified Information (CUI) over VoIP, and procedures for requesting a phone line or softphone license. Require manager approval for new VoIP accounts.
- Harden and segment VoIP infrastructure: place VoIP devices and servers on a separate VLAN or network segment with strict ACLs. Limit management interfaces to an administrative VLAN or VPN, change default credentials, and disable unused services (e.g., unused protocols or telnet). For hosted services, restrict admin portal access by IP or MFA where possible.
- Encrypt VoIP signaling and media where feasible: enable TLS for SIP signaling and SRTP for media streams on phones, softphones, and Session Border Controllers (SBCs). If full encryption isn’t possible for all devices, document where it’s used and mitigate higher-risk endpoints with additional controls (e.g., physical security, restricted locations).
- Keep firmware and clients updated and configured securely: institute a patch schedule for IP phones, PBX/SBC appliances, and softphone apps. Subscribe to vendor security advisories and apply critical updates promptly. For softphones on PCs, manage updates via your endpoint management tool and enforce company-approved client versions.
- Enable logging and monitoring: collect call logs, registration/authentication events, admin access logs, and configuration changes centrally (SIEM or log server). Configure alerts for unusual events such as many failed authentications, registrations from unexpected IPs, or unknown phone number assignments. Retain logs for a period that supports forensic review (e.g., 90 days or per your compliance needs).
- Periodic review and user controls: review phone number assignments and active accounts quarterly, revoke unused accounts, and require periodic reauthorization for users who handle sensitive information. Train users on VoIP risks (e.g., don’t discuss CUI on personal apps) and require reporting for suspicious calls or quality anomalies that could indicate interception.
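As an added illustration (not part of this guide or any vendor's product), the three alert conditions from the logging and monitoring item above, run over constructed SIP registration events; the key=value log layout, the 10.50.1.0/24 VoIP VLAN, the extension-to-device table and the failure threshold are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample events in a key=value layout (hypothetical; real PBX/SBC formats vary).
SAMPLE_LOGS = """\
ts=2024-05-01T09:00:01Z event=register result=ok user=1001 src=10.50.1.21 mac=AA:BB:CC:00:00:01
ts=2024-05-01T09:00:05Z event=register result=ok user=1002 src=10.50.1.22 mac=AA:BB:CC:00:00:02
ts=2024-05-01T09:01:10Z event=register result=fail user=1003 src=203.0.113.9 mac=00:00:00:00:00:00
ts=2024-05-01T09:01:11Z event=register result=fail user=1003 src=203.0.113.9 mac=00:00:00:00:00:00
ts=2024-05-01T09:01:12Z event=register result=fail user=1003 src=203.0.113.9 mac=00:00:00:00:00:00
ts=2024-05-01T09:01:13Z event=register result=fail user=1003 src=203.0.113.9 mac=00:00:00:00:00:00
ts=2024-05-01T09:01:14Z event=register result=fail user=1003 src=203.0.113.9 mac=00:00:00:00:00:00
ts=2024-05-01T09:02:00Z event=register result=ok user=1002 src=198.51.100.7 mac=AA:BB:CC:00:00:02
ts=2024-05-01T09:03:00Z event=register result=ok user=1001 src=10.50.1.30 mac=DE:AD:BE:EF:00:01
ts=2024-05-01T09:03:30Z event=config_change user=admin src=10.50.9.5 change=trunk_password
"""

# Assumed baseline: the VoIP VLAN and the current phone-number-to-device assignment record.
APPROVED_VOIP_NETS = [ipaddress.ip_network("10.50.1.0/24")]
KNOWN_DEVICES = {"1001": "AA:BB:CC:00:00:01", "1002": "AA:BB:CC:00:00:02"}
FAILED_THRESHOLD = 5  # failures per (account, source IP) in one log batch

def parse_line(line):
    """Split 'k=v k=v ...' into a dict; values never contain spaces in this layout."""
    return dict(field.split("=", 1) for field in line.split())

def analyze(log_text, nets=APPROVED_VOIP_NETS, known=KNOWN_DEVICES, threshold=FAILED_THRESHOLD):
    """Return (alert_type, account, detail...) tuples for the three conditions in the guide."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("event") != "register":
            continue  # admin and config-change events are reviewed separately
        if ev["result"] != "ok":
            failures[(ev["user"], ev["src"])] += 1
            continue
        if not any(ipaddress.ip_address(ev["src"]) in net for net in nets):
            alerts.append(("unexpected_source", ev["user"], ev["src"]))
        if known.get(ev["user"]) != ev["mac"]:
            alerts.append(("unknown_device", ev["user"], ev["mac"]))
    for (user, src), count in failures.items():
        if count >= threshold:
            alerts.append(("failed_registration_spike", user, src, count))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(*alert)
```

In a SIEM the failure count would be evaluated over a sliding time window rather than a whole batch, and the device table would be pulled from the phone-number assignment record reviewed quarterly.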
Example in a Small or Medium Business
Acme Engineering runs a cloud-managed VoIP phone system for 45 employees. IT created a concise VoIP policy that limits softphone installs to company-issued laptops and prohibits discussing CUI on personal mobile apps. The network team put all VoIP devices on a dedicated VLAN with firewall rules that only allow SIP/TLS and SRTP to the VoIP vendor and block peer-to-peer media. The admin console for the cloud provider is restricted by IP and protected with multi-factor authentication; default admin accounts were disabled, and new admin access requires manager approval. IT subscribes to the vendor's security advisories and applies updates to on-premises SBCs within one week for critical fixes. Call detail records and registration logs are forwarded to a lightweight SIEM where alerts are configured for failed registration spikes and new device registrations; when an alert fires, the system administrator investigates and disables suspect accounts. Quarterly reviews ensure phone numbers and softphone licenses are still needed, and the HR manager ensures departing employees’ VoIP access is deactivated before their account is closed. Employees receive brief annual training that covers what cannot be discussed on company VoIP and how to report suspected eavesdropping, completing a simple, documented compliance loop.
Summary
Combining a clear, enforceable VoIP use policy with technical controls—network segmentation, secure configuration and patching, encryption where possible, centralized logging, and periodic reviews—meets SC.L2-3.13.14’s goals of controlling and monitoring VoIP. For SMBs, focus on a small set of high-impact actions: limit who can use VoIP, isolate and harden VoIP systems, enable available encryption, collect and review logs, and remove unused accounts. These measures reduce the risk of eavesdropping and unauthorized use while providing audit evidence that the organization is actively controlling and monitoring its VoIP environment.