CMMC 1.0 Practice SC.3.189 Requirement:

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

CMMC 1.0 SC.3.189 Requirement Explanation:

Voice Over Internet Protocol (VoIP) enables people to use the internet as the transmission pathway for telephone calls. VoIP works with internet protocols (IP) instead of using traditional public switched telephone network (PSTN). Listening in on VoIP is easier than traditional telephone conversations because you do not need a physical wire tap. This is why VoIP carries additional risks and needs to be secured just as you secure your other IT systems. Below are a few generic vulnerabilities associated with VoIP technologies. Their mitigations have also been provided.: Vulnerability: Default passwords on VoIP switches. Mitigation: Change the default password. Vulnerability: Physical wiretapping. Mitigation: Restricting physical access to your VoIP equipment. Vulnerability: Insecure web portal access. Mitigations: Use https for access to VoIP login pages. Vulnerability: Insecure default settings. Mitigation: Use DISA STIGs to securely configuring your VoIP systems.

Example CMMC 1.0 SC.3.189 Implementation:

Create a policy outlining the acceptable use of VoIP. This includes who may use it, how they can access VoIP services (e.g., desk phone, soft phone, mobile phone app), and what they can discuss over VoIP (e.g., prohibiting the discussion of “Controlled Unclassified Information” (CUI)). Securely configure your VoIP equipment (e.g., VoIP switches). Install the latest security updates for your VoIP equipment. If you use soft phones (VoIP app on a PC) make sure that they are updated. If possible, encrypt VoIP communications. If you use cloud based VoIP services, review the security settings and set them to be the most restrictive. Regularly review your VoIP logs and phone number assignment to ensure that only authorized persons are using your VoIP systems.

CMMC 1.0 SC.3.189 Scenario(s):

- Scenario 1:

Your company uses VoIP for voice communication. Your VoIP infrastructure is all on premise. Your system admin make sure to securely configure the VoIP equipment in accordance with DISA STIGs. They also maintain the equipment as they would maintain other servers and systems. You have a VoIP policy restricting the use of VoIP to your employees. The policy also specifies that they may only use desk phones for communicating and restricting soft phones to only remote employees.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.