GRCWatch
Sign inStart free trial

SC.L2-3.13.14: Control and Monitor VoIP Technologies

Voice over Internet Protocol (VoIP) introduces unique security risks to your network infrastructure. SC.L2-3.13.14 requires organizations to establish controls and continuous monitoring of VoIP systems to prevent unauthorized access, eavesdropping, and system compromise. Proper VoIP governance is essential for maintaining CMMC Level 2 compliance.

What this means

This control requires you to implement technical and administrative controls over VoIP technologies in your environment. You must identify all VoIP systems, document their usage policies, establish access controls, enable logging and monitoring, and regularly audit VoIP traffic and configurations. The goal is to prevent unauthorized use, detect anomalies, and maintain visibility into voice communications that may contain sensitive or controlled unclassified information (CUI).

How to comply

  1. 1.Identify and inventory all VoIP systems, devices, and applications within your infrastructure
  2. 2.Establish a documented VoIP usage policy defining authorized users, devices, and communication purposes
  3. 3.Implement authentication controls requiring strong credentials for VoIP system access
  4. 4.Enable encryption for VoIP traffic in transit using protocols like SRTP or TLS
  5. 5.Configure logging and monitoring of all VoIP activities including call records, login attempts, and configuration changes
  6. 6.Establish firewall rules and network segmentation to isolate VoIP traffic from general network traffic
  7. 7.Conduct regular audits of VoIP systems for unauthorized devices, configurations, or usage patterns
  8. 8.Document and restrict VoIP access to authorized personnel only
  9. 9.Review and update VoIP controls at least annually or when significant system changes occur

Evidence auditors look for

  • VoIP inventory documentation listing all systems, endpoints, and authorized users
  • VoIP usage and security policy signed by management
  • Configuration screenshots showing encryption settings and authentication requirements
  • Firewall and network access control lists restricting VoIP traffic
  • VoIP system logs and monitoring dashboards showing call records and access attempts
  • Audit reports documenting VoIP compliance reviews and findings
  • Network diagrams showing VoIP system segmentation and architecture
  • User access lists with approval documentation for VoIP system access

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates VoIP control mapping to your infrastructure, tracks encryption and access control configurations, and centralizes audit evidence—eliminating manual monitoring tasks and reducing compliance preparation time by up to 60%.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SC.L2-3.13.1 — Boundary ProtectionSC.L2-3.13.11 — Appliance MonitoringSC.L2-3.4.1 — Identification & AuthenticationSC.L2-3.13.5 — Transmission Confidentiality & Integrity