CMMC Practice Requirement:

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

CMMC Requirement Explanation:

Voice Over Internet Protocol (VoIP) enables people to use the internet as the transmission pathway for telephone calls. VoIP works with internet protocols (IP) instead of using traditional public switched telephone network (PSTN). Listening in on VoIP is easier than traditional telephone conversations because you do not need a physical wire tap. This is why VoIP carries additional risks and needs to be secured just as you secure your other IT systems. Below are a few generic vulnerabilities associated with VoIP technologies. Their mitigations have also been provided.: Vulnerability: Default passwords on VoIP switches. Mitigation: Change the default password. Vulnerability: Physical wiretapping. Mitigation: Restricting physical access to your VoIP equipment. Vulnerability: Insecure web portal access. Mitigations: Use https for access to VoIP login pages. Vulnerability: Insecure default settings. Mitigation: Use DISA STIGs to securely configuring your VoIP systems.

Example CMMC Implementation:

Create a policy outlining the acceptable use of VoIP. This includes who may use it, how they can access VoIP services (e.g., desk phone, soft phone, mobile phone app), and what they can discuss over VoIP (e.g., prohibiting the discussion of “Controlled Unclassified Information” (CUI)). Securely configure your VoIP equipment (e.g., VoIP switches). Install the latest security updates for your VoIP equipment. If you use soft phones (VoIP app on a PC) make sure that they are updated. If possible, encrypt VoIP communications. If you use cloud based VoIP services, review the security settings and set them to be the most restrictive. Regularly review your VoIP logs and phone number assignment to ensure that only authorized persons are using your VoIP systems.


- Scenario 1:

Your company uses VoIP for voice communication. Your VoIP infrastructure is all on premise. Your system admin make sure to securely configure the VoIP equipment in accordance with DISA STIGs. They also maintain the equipment as they would maintain other servers and systems. You have a VoIP policy restricting the use of VoIP to your employees. The policy also specifies that they may only use desk phones for communicating and restricting soft phones to only remote employees.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance