SC.L2-3.13.14 Voice over Internet Protocol
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Source: NIST SP 800-171 Rev 2 3.13.14
Discussion: VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems.
Assessment Objectives:
Determine if:
- [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
- [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; VoIP implementation guidance; security plan; system design documentation; system configuration settings and associated documentation; system monitoring records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing VoIP].
Test: [SELECT FROM: Organizational process for authorizing, monitoring, and controlling VoIP; mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].
SPRS Score: 1
POA&M Allowed: Yes