GRCWatch
Sign inStart free trial

NIST SP 800-171 Control 3.13.14: VoIP Technologies Control & Monitoring

VoIP technologies introduce specific security and compliance risks that require deliberate control and oversight. Control 3.13.14 requires organizations to establish policies and monitoring mechanisms that govern VoIP usage to protect sensitive communications and maintain regulatory compliance.

What this means

This control requires you to implement measures that actively control and monitor how VoIP (Voice over Internet Protocol) technologies are used within your organization. VoIP systems transmit voice communications over data networks, creating potential vulnerabilities if not properly managed. You must establish clear policies defining approved VoIP solutions, restrict unauthorized VoIP applications, monitor VoIP traffic and usage patterns, and ensure VoIP systems meet your security requirements before deployment.

How to comply

  1. 1.Develop a VoIP technology policy specifying approved platforms, vendors, and use cases within your organization
  2. 2.Inventory all VoIP systems, applications, and endpoints currently in use across your network
  3. 3.Implement network monitoring and logging for VoIP traffic to detect unauthorized or anomalous usage
  4. 4.Establish approval workflows for new VoIP solutions before deployment to production environments
  5. 5.Configure access controls limiting VoIP functionality to authorized personnel and departments
  6. 6.Document encryption standards and secure protocols (e.g., SRTP, TLS) required for VoIP communications
  7. 7.Conduct periodic security assessments of VoIP infrastructure to identify vulnerabilities
  8. 8.Train users on secure VoIP practices and acceptable usage policies

Evidence auditors look for

  • VoIP technology policy document with approved vendors and usage restrictions
  • Current inventory of VoIP systems with security certifications and configuration details
  • Network traffic logs showing VoIP communications and access controls in place
  • Approval records for new VoIP solutions evaluated against security requirements
  • Configuration documentation for VoIP encryption, authentication, and access control settings
  • Security assessment reports identifying VoIP vulnerabilities and remediation actions
  • User training records and acknowledgments of VoIP security policies
  • Incident logs documenting unauthorized VoIP attempts and monitoring alerts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

See how GRCWatch handles this control automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST 800-171 3.1.1 (Access Control)NIST 800-171 3.13.1 (Use Restrictions)NIST 800-171 3.13.2 (Information System Monitoring)NIST 800-171 3.4.1 (Cryptographic Controls)