CMMC SC.3.189 - Control and Monitor use of VOIP Technologies

Requirement text: SC.3.189: Control and monitor the use of Voice over Internet Protocol (VoIP)
technologies.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
VoIP has different requirements, features, functionality, availability, and service limitations
when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone
service). In contrast, other telephone services are based on high-speed, digital
communications lines, such as Integrated Services Digital Network (ISDN) and Fiber
Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS
services are speed and bandwidth. To address the threats associated with VoIP, usage
restrictions and implementation guidelines are based on the potential for the VoIP
technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar
to those inherent with any Internet-based application.

CMMC CLARIFICATION
Controlling VoIP technologies starts with establishing guidelines and enforcing users’ proper
and appropriate usage of VoIP technologies that are described in an organization’s policies.
Monitoring should include the users’ activity for anything other than what is permitted and
authorized and detection of insecure or unauthorized use of the VoIP technology. Security
concerns for VoIP include eavesdropping on calls and using ID spoofing to impersonate
trusted individuals.

Example 1
The organization has established an Acceptable Use Policy for using the VoIP technology.
You are an IT administrator at the organization responsible for the VoIP system. You verify
that the VoIP solution is set up and configured correctly with all required security settings in
compliance with the company’s policies and security standards. You also verify that all softphone
software installed for users is kept up to date and patched to address any security issues.

Example 2
You are an IT administrator at your organization. Your organization has established a policy
stating that VoIP technology may not be used without permission. You do not allow users to
install VoIP applications on their devices and monitor for the unapproved use of VoIP on
your network.
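The monitoring described in the clarification and in Example 2 (detecting unapproved or insecure use of VoIP on the network) can be illustrated with a small script. The following is an added example, not part of the CMMC or NIST source text: it reads constructed flow records of the form src_ip,dst_ip,proto,dst_port,bytes and flags SIP signaling that comes from a host not approved for VoIP, goes to a provider not on the approved list, or uses cleartext SIP on port 5060 instead of SIP over TLS on port 5061. The approved-host and approved-provider sets stand in for an organization's own policy data and are assumptions.

```python
"""Added example: spot unapproved or cleartext VoIP signaling in flow records.

Each line of the (constructed) flow log is: src_ip,dst_ip,proto,dst_port,bytes
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = """\
10.0.1.20,203.0.113.5,tcp,5061,8421
10.0.1.21,203.0.113.5,udp,5060,1200
10.0.2.99,198.51.100.77,udp,5060,3100
10.0.1.20,203.0.113.5,udp,30010,512000
10.0.2.40,198.51.100.10,tcp,443,20000
"""

# Hypothetical policy data: hosts permitted to run softphones and the
# provider they are permitted to signal to. Replace with the organization's own lists.
APPROVED_VOIP_HOSTS = {"10.0.1.20", "10.0.1.21"}
APPROVED_PROVIDERS = {"203.0.113.5"}

SIP_CLEARTEXT_PORT = 5060   # SIP over UDP/TCP: signaling is readable on the wire
SIP_TLS_PORT = 5061         # SIP over TLS (SIPS): signaling is encrypted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow lines into Flow records, skipping blank lines."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        src, dst, proto, dport, nbytes = row
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def is_sip_signaling(flow: Flow) -> bool:
    """True when the destination port is one of the standard SIP ports."""
    return flow.dport in (SIP_CLEARTEXT_PORT, SIP_TLS_PORT)


def evaluate(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) pairs for SIP flows that violate the policy.

    RTP media ports are negotiated per call, so this check keys on the
    signaling channel rather than trying to recognise media streams.
    """
    findings = []
    for f in flows:
        if not is_sip_signaling(f):
            continue
        if f.src not in APPROVED_VOIP_HOSTS:
            findings.append((f, "SIP signaling from host not approved for VoIP"))
        elif f.dst not in APPROVED_PROVIDERS:
            findings.append((f, "SIP signaling to provider not on approved list"))
        elif f.dport == SIP_CLEARTEXT_PORT:
            findings.append((f, "cleartext SIP (port 5060); signaling can be eavesdropped"))
    return findings


def main():
    for flow, reason in evaluate(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")


if __name__ == "__main__":
    main()
```

On the sample data the script reports two findings: the approved host 10.0.1.21 signaling in cleartext on port 5060, and the unapproved host 10.0.2.99 signaling at all. The RTP-looking flow on a high UDP port and the HTTPS flow are ignored, which is the deliberate trade-off of keying on SIP signaling rather than media.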

References
• NIST SP 800-171 Rev 1 3.13.14
• NIST SP 800-53 Rev 4 SC-19