System and Communications Protection 3.13.14

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.


What Is This CMMC Control?

This control requires organizations to actively manage and oversee Voice over Internet Protocol (VoIP) systems used within their environment. VoIP systems convert voice communications into digital data transmitted over IP networks, creating unique security risks compared to traditional phone systems. Organizations must implement technical controls to monitor VoIP traffic, restrict unauthorized usage, and protect against threats like eavesdropping, toll fraud, denial of service attacks, and unauthorized access. This includes configuring VoIP systems securely, segmenting VoIP traffic from other network traffic where appropriate, monitoring for anomalous activity, and establishing usage policies that address the specific vulnerabilities inherent in IP-based voice communications.

Control Intent

To ensure that Voice over Internet Protocol systems are configured, monitored, and used in a manner that prevents unauthorized access, protects the confidentiality and integrity of voice communications, and mitigates risks unique to IP-based telephony that could compromise CUI or organizational operations.

Who This Control Applies To

  • Organizations that use VoIP systems for any business communications, including softphones, IP desk phones, and unified communications platforms.
  • Environments where VoIP systems are used by personnel who handle, discuss, or have access to CUI.
  • VoIP infrastructure including IP-PBX systems, session border controllers, VoIP gateways, and SIP trunks.
  • Unified communications platforms that integrate VoIP with other collaboration tools.
  • Remote workers using VoIP applications or softphones to access organizational voice systems.

Not Applicable When

  • The organization uses exclusively traditional POTS (Plain Old Telephone Service) with no IP-based voice components.
  • VoIP systems exist but are completely isolated from any networks or systems that process, store, or transmit CUI, with documented network segmentation and no possibility of CUI discussion over VoIP.
  • The organization has no telephone or voice communication systems of any kind.

Key Objectives

  1. Prevent unauthorized use of VoIP systems that could lead to data exfiltration or toll fraud.
  2. Protect the confidentiality and integrity of voice communications containing or relating to CUI.
  3. Monitor VoIP traffic and usage patterns to detect and respond to security incidents.
  4. Implement technical controls that address VoIP-specific vulnerabilities such as eavesdropping, call interception, and denial of service attacks.

Sample Self-Assessment Questions (Partial)

Does your organization use any Voice over Internet Protocol (VoIP) phone systems, including desk phones, softphones, or unified communications platforms?

Are your VoIP systems connected to the same network as systems that handle CUI?

Implementation Approaches (High-Level)

Network Segmentation with Encrypted VoIP

VoIP traffic is isolated on dedicated VLANs or network segments with encryption enforced for all voice communications, combined with centralized monitoring and access controls.

Cloud-Hosted VoIP with Endpoint Controls

Cloud-based VoIP service with security controls enforced through endpoint configuration, network access policies, and cloud provider security features.

Session Border Controller with Centralized Monitoring

Deployment of session border controllers (SBCs) at network boundaries to control, secure, and monitor all VoIP traffic entering or leaving the organization.

Per-System VoIP Security with Endpoint Hardening

Security controls implemented individually on each VoIP system component, including IP phones, softphones, and VoIP servers, with emphasis on endpoint hardening and local monitoring.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If VoIP systems are deployed but not monitored, prioritize implementation of call detail record (CDR) logging and integration with security monitoring tools. Target completion: 90 days.
  • If VoIP traffic is not encrypted, implement SRTP for media streams and TLS for signaling. For cloud VoIP, verify that encryption is enabled in the provider configuration. Target completion: 60 days.
  • If VoIP traffic is not segmented from data networks, implement VLAN segmentation with appropriate access controls. Target completion: 120 days for complex environments, 60 days for simple environments.
  • If VoIP endpoints use default credentials, implement a credential change project, prioritizing administrative interfaces. Target completion: 30 days.
  • If no usage restrictions or acceptable use policies exist for VoIP, document the policies and communicate them to users. Target completion: 30 days.
  • If VoIP systems are not included in patch management, add VoIP components to the asset inventory and establish a firmware update schedule. Target completion: 60 days.
  • If session border controllers or equivalent security controls are not deployed for internet-facing VoIP, evaluate SBC solutions or cloud provider security features. Target completion: 90-180 days depending on complexity.
  • For organizations with minimal VoIP usage, consider whether VoIP is necessary for CUI environments or whether alternative communication methods can be used. Document the decision and implement compensating controls if VoIP is retained.

Frequently Asked Questions

Does this control apply if we only use VoIP for internal calls and never discuss CUI over the phone?

Yes, this control applies to all VoIP systems within the assessment boundary, regardless of whether CUI is discussed. VoIP systems connected to networks that process CUI create potential attack vectors for data exfiltration, lateral movement, or denial of service. Additionally, it is difficult to enforce and verify that CUI is never discussed over VoIP without technical controls and monitoring in place.

What is the difference between controlling and monitoring VoIP as required by this control?

Controlling VoIP means implementing technical restrictions and security configurations that limit how VoIP systems can be used and who can access them (e.g., authentication, encryption, network segmentation, usage policies). Monitoring VoIP means collecting and reviewing logs, call detail records, and security events to detect unauthorized usage, security incidents, or policy violations. Both controlling and monitoring are required to satisfy this control.

Can we satisfy this control by using a cloud-hosted VoIP service like Microsoft Teams or Zoom Phone?

Cloud-hosted VoIP services can satisfy this control if you implement appropriate organizational controls including endpoint security, conditional access policies, usage monitoring through cloud provider logs, and integration with your security monitoring systems. You cannot rely solely on the cloud provider's security; you must demonstrate that you are actively controlling and monitoring VoIP usage within your environment.

What specific VoIP threats does this control address?

This control addresses VoIP-specific threats including eavesdropping on voice communications, toll fraud and unauthorized calling, denial of service attacks against VoIP infrastructure, call interception and man-in-the-middle attacks, unauthorized access to VoIP systems, and use of VoIP as a vector for data exfiltration. These threats are unique to IP-based voice systems and require controls beyond those applied to traditional telephone systems.

Do we need to encrypt all VoIP traffic to satisfy this control?

While encryption is not explicitly required by the control text, it is a fundamental control mechanism for protecting VoIP communications and is expected in most CMMC assessments. At minimum, VoIP signaling (SIP) should be encrypted with TLS and media streams (RTP) should be encrypted with SRTP. If encryption is not implemented, you must demonstrate alternative controls that adequately address eavesdropping and interception risks, which is difficult to justify for systems handling or discussing CUI.
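The minimum described above (TLS for SIP signaling, SRTP for RTP media) is a configuration state an assessor can check against the PBX itself. The script below is an added example, not from the original page or from the Asterisk project: it audits an Asterisk-style pjsip.conf and reports every transport or endpoint that would carry signaling or media in the clear. It assumes Asterisk's section layout and its real options `protocol=`, `method=`, `transport=` and `media_encryption=`; the sample configuration is constructed and shows the weak endpoint (1001 on UDP with no SRTP) beside the corrected one (1002 on a TLS transport with SDES SRTP).

```python
"""Flag SIP endpoints whose signaling or media would travel unencrypted.

Added example, not from the original page or from the Asterisk project.
It assumes Asterisk's pjsip.conf layout ([name] sections with type=transport
or type=endpoint) and the real pjsip options protocol=, method=, transport=
and media_encryption=; the sample configuration below is constructed.
"""

# Constructed sample: a UDP transport with a plain endpoint (1001) beside the
# corrected form, a TLS transport with an SRTP-enabled endpoint (1002).
SAMPLE_PJSIP_CONF = """
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt   ; placeholder paths
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1_2

[1001]
type=endpoint
transport=transport-udp
media_encryption=no
context=internal

[1002]
type=endpoint
transport=transport-tls
media_encryption=sdes
context=internal
"""

# Legacy values Asterisk still accepts for method=; none belongs on a CUI network.
WEAK_TLS_METHODS = {"sslv2", "sslv3", "sslv23", "tlsv1", "tlsv1_1"}
SRTP_MODES = {"sdes", "dtls"}


def parse_pjsip(text):
    """Return a list of (section_name, options) pairs.

    A minimal parser is used instead of configparser because pjsip.conf
    legitimately repeats section names (endpoint, auth and aor for one phone).
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return sections


def audit_pjsip(text):
    """Return (section, finding) pairs for cleartext signaling or media."""
    sections = parse_pjsip(text)
    transports = {name: opts for name, opts in sections
                  if opts.get("type") == "transport"}
    findings = []
    for name, opts in transports.items():
        proto = opts.get("protocol", "udp").lower()   # Asterisk defaults to udp
        if proto != "tls":
            findings.append((name, f"protocol={proto}: SIP signaling is sent in the clear"))
        elif opts.get("method", "").lower() in WEAK_TLS_METHODS:
            findings.append((name, f"method={opts['method']} is an obsolete TLS version"))
    for name, opts in sections:
        if opts.get("type") != "endpoint":
            continue
        transport = opts.get("transport")
        if transport is None:
            findings.append((name, "no transport pinned: endpoint may register over UDP"))
        elif transports.get(transport, {}).get("protocol", "udp").lower() != "tls":
            findings.append((name, f"transport={transport} is not TLS"))
        if opts.get("media_encryption", "no").lower() not in SRTP_MODES:
            findings.append((name, "media_encryption is off: RTP media is not SRTP"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_pjsip(SAMPLE_PJSIP_CONF):
        print(f"[{section}] {finding}")
```

Run against the constructed sample it reports the UDP transport and both defects on endpoint 1001 and nothing for 1002; the printed findings are the kind of configuration record an assessor expects as evidence, and an empty report after remediation documents the corrected state. Cloud-hosted services expose the equivalent settings in their admin portals rather than a file, so there the check is a screenshot or API export of the encryption setting.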

How often do we need to review VoIP usage logs and call detail records?

The control does not specify a review frequency, but best practice and assessor expectations typically require at least monthly review of VoIP usage logs and call detail records. More frequent review (weekly or real-time monitoring) is appropriate for high-risk environments or where VoIP systems have experienced security incidents. Reviews should be documented with evidence of follow-up on identified anomalies or policy violations.
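A monthly CDR review (and the POA&M item on CDR logging above) is only useful if the reviewer knows what to look for. The following is an added example, not from the original page or from any PBX vendor: it reads a CSV export of call detail records and raises two of the patterns the control's threat list names, international calls placed outside business hours and a burst of calls from a single extension, which together are the usual signature of toll fraud through a compromised extension. The CDR rows are constructed, and the column layout, the home-country prefix and the thresholds are assumptions to be adapted to the site's own PBX export.

```python
"""Review call detail records (CDRs) for patterns that warrant follow-up.

Added example, not from the original page or from any VoIP vendor. The CDR
rows are constructed; the column layout (start, src, dst, duration,
disposition), the home-country prefix and the thresholds are assumptions
to adapt to the site's own PBX export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY_PREFIX = "+1"       # assumption: a NANP deployment
BUSINESS_HOURS = (7, 19)         # 07:00-18:59 local counts as business hours
BURST_WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 4              # calls per extension per window

# Constructed sample: normal daytime traffic, plus extension 1003 placing a
# run of long international calls in the middle of the night (2024-03-05 is
# a Tuesday). +999 is an unassigned country code used here as a placeholder.
SAMPLE_CDR = """\
start,src,dst,duration,disposition
2024-03-04T09:12:07,1001,+15551230100,212,ANSWERED
2024-03-04T09:40:55,1002,+15551230188,45,ANSWERED
2024-03-04T14:05:31,1001,+15551230144,600,ANSWERED
2024-03-05T02:14:09,1003,+9990000001,1200,ANSWERED
2024-03-05T02:31:44,1003,+9990000002,1150,ANSWERED
2024-03-05T02:47:02,1003,+9990000003,1300,ANSWERED
2024-03-05T03:05:19,1003,+9990000004,990,ANSWERED
2024-03-05T10:00:00,1004,+15551230150,30,NO ANSWER
"""


def parse_cdr(text):
    """Parse CSV CDR text into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": row["src"],
            "dst": row["dst"],
            "duration": int(row["duration"]),
            "disposition": row["disposition"],
        })
    return rows


def is_off_hours(ts):
    """Weekend, or outside the configured business-hour window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def is_international(dst):
    """Anything not carrying the home-country prefix is treated as international."""
    return not dst.startswith(HOME_COUNTRY_PREFIX)


def review_cdr(text):
    """Return a list of findings, each {'rule', 'src', 'detail'}."""
    rows = parse_cdr(text)
    findings = []

    # Rule 1: international calls placed outside business hours.
    for r in rows:
        if is_international(r["dst"]) and is_off_hours(r["start"]):
            findings.append({"rule": "intl-off-hours", "src": r["src"],
                             "detail": f"{r['start'].isoformat()} -> {r['dst']} ({r['duration']}s)"})

    # Rule 2: a burst of calls from one extension within BURST_WINDOW
    # (sliding window over sorted start times; one finding per extension).
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r["start"])
    for src, starts in by_src.items():
        starts.sort()
        lo = 0
        for hi, ts in enumerate(starts):
            while ts - starts[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_THRESHOLD:
                findings.append({"rule": "call-burst", "src": src,
                                 "detail": f"{hi - lo + 1} calls in the hour ending {ts.isoformat()}"})
                break
    return findings


if __name__ == "__main__":
    for f in review_cdr(SAMPLE_CDR):
        print(f"{f['rule']:15} ext {f['src']}: {f['detail']}")
```

On the constructed sample every finding points at extension 1003, which is the record a reviewer would attach to the monthly review along with the follow-up taken (credential reset, dial-plan restriction, or a documented business justification). The thresholds are deliberately simple; a site with legitimate after-hours international traffic would add an allow-list of extensions or destinations rather than raise the threshold and lose the signal.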

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.