CMMC Practice SC.3.189

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.


CMMC Version 1.02, pg. 262

Bold Coast Security Guidance

VoIP technology is subject to all the attacks that affect any other TCP/IP-based technology, and more. Some concerns, such as strong password use, are treated as less risky on VoIP systems, but they are not less risky. As much standard-practice build and hardening control as possible must be employed. Level 3 compliance means a clear plan is in place to implement policy requirements in the environment.

Discussion From Source

DRAFT NIST SP 800-171 R2

VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application.