3.13.14 — Secure Your VoIP

The One-Liner

If your phone system runs over the network and you haven’t secured it like data traffic, you have an unprotected path into your environment.

What It Says

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

What It Actually Means

VoIP carries voice conversations over your network — conversations that might include CUI discussions. If you use VoIP (Teams, Zoom, Cisco Unified Communications, etc.), it needs the same security controls as data:

• Network segmentation — VoIP on a separate VLAN from data traffic
• Encryption — voice traffic encrypted (SRTP for media, TLS for signaling)
• Monitoring — call logs retained, traffic monitored
• Access control — only authorized users can make calls

If you don’t use VoIP: Document it in your SSP. If all your phones are traditional PSTN landlines with no network connection, this requirement may be N/A.

If you use Teams/Zoom: The cloud provider handles much of the encryption and security. Document the CSP’s controls and your configuration in the SSP. Ensure your local network carrying VoIP traffic is appropriately segmented.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are VoIP technologies identified and controlled?	VoIP systems documented with security controls applied
2	Are VoIP communications monitored?	Call logs retained, traffic monitored for anomalies

---

What to Have Ready on Assessment Day

Documents they’ll review: System and communications protection policy; system security plan; VoIP system configuration; network diagrams showing VoIP segmentation; call log retention settings

People they’ll talk to: System or network administrators; personnel with information security responsibilities; telecommunications staff

Live demos they’ll ask for: VoIP security configuration; encryption verification; network segmentation for voice traffic

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Do you use VoIP? What platform?”
• “Is VoIP traffic on a separate VLAN from data?”
• “Is voice traffic encrypted? Show me the configuration.”
• “Are call logs retained? For how long?”
• “If you use Teams/Zoom, what security settings are configured?”
• “If no VoIP, is that documented in your SSP?”

Real-World Example

A contractor uses Microsoft Teams for all voice communications. Teams is configured with: end-to-end encryption for 1:1 calls, meeting lobby controls, recording policies requiring consent, call quality dashboard monitored weekly. The local network doesn’t carry raw VoIP traffic (Teams handles it in the cloud), but the traffic between endpoints and the Teams service is encrypted via TLS. The SSP documents: ‘VoIP services provided by Microsoft Teams. Encryption, access control, and monitoring are CSP-managed per the Microsoft 365 security documentation. Local network carries encrypted Teams traffic only.’ No separate VoIP VLAN needed because there’s no on-premise VoIP infrastructure.

---

Where Companies Trip Up

VoIP on the same VLAN as data. On-premise VoIP systems sharing network segment with CUI data. Separate VLANs for voice and data.

Unencrypted voice traffic. SIP without TLS, RTP without SRTP. Enable encrypted protocols.

No call logging. No record of who called whom. Enable and retain call logs.

N/A not documented. No VoIP but you forgot to document it in the SSP. The assessor needs to see the explicit N/A.

---

How to Talk About This

To a CEO or Board

Our VoIP system is secured with the same standards as our data network — encryption, access controls, and monitoring.

To an Engineering Team

Teams: E2E encryption for 1:1, TLS for all traffic, meeting controls enabled. On-prem VoIP (if any): separate VLAN, SRTP/TLS, call logs retained 90 days. Documented in SSP. If no VoIP, explicitly N/A in SSP.

---

Connected Requirements

Requirement	Why it matters here
3.13.1 — Guard the Boundaries	VoIP VLAN is an internal boundary to protect
3.13.8 — Encrypt in Transit	Voice traffic is data in transit that must be encrypted

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: SC.L2-3.13.14 | SPRS Weight: 1 point | POA&M Eligible: Yes