This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
(b) Authorizes, monitors, and controls the use of VoIP within the information system.
NIST 800-53 (r4) Supplemental Guidance:
Related controls: CM-6, SC-7, SC-15.
NIST 800-53 (r5) Discussion:
None
38North Guidance:
Meets Minimum Requirement:
Establish usage restrictions and implementation guidance for VoIP technologies.
Authorize, monitor, and control the use of VoIP within the information system.
Best Practice:
Run standard anti-malware tools on VoIP servers and softphone hosts, and apply software updates and patches to the VoIP system on a regular schedule.
Implement identification management and authentication to control access to the VoIP system. Enforce a strong password policy and Multi-Factor Authentication (MFA).
Use Session Initiation Protocol (SIP) signaling only over an encrypted channel: SIP over Transport Layer Security (TLS), i.e., SIPS, or SIP carried inside an Internet Protocol Security (IPsec) tunnel.
Utilize Secure Real-time Transport Protocol (SRTP) for encryption, message authentication, and integrity of voice messages over the communication path.
Enable encryption on VoIP telephone instruments and softphones, and ensure that voice traffic traversing the CSP's backbone network is protected by FIPS 140-2 validated encryption. Administrative sessions to the VoIP system must likewise be encrypted end to end; TLS, IPsec, VPN, and Secure Shell (SSH) are the common means of protecting remote access by VoIP administrators.
Only enable VoIP features that meet business or operational requirements.
Implement mechanisms that periodically scan for unauthorized changes to VoIP system configurations.
Logically or physically separate voice and data network segments within the overall network infrastructure (e.g., separate VLANs with distinct firewall rules between them).
VoIP protocols specify the traffic used for voice service. For example, SIP signaling uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port 5060, and SIP over TLS (SIPS) uses TCP port 5061, to reach SIP servers and other SIP endpoints; signaling attempts on any other port should be blocked by firewalls. Note that the RTP/SRTP media streams use dynamically negotiated UDP ports (announced in the SDP body of the SIP exchange), so the firewall must either be SIP-aware or restrict media to the port range configured on the VoIP system.
Implement firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and VoIP-aware network monitoring, logging, and management systems.
Choose a secure VoIP provider that meets applicable industry security requirements (e.g., FedRAMP, HIPAA, PCI DSS, SOC 2, ISO/IEC 27001, etc.).
Restrict calling destinations (e.g., disable international calling unless there is a business need) and block calls from private (caller-ID-withheld) numbers.
Deactivate inactive VoIP accounts.
Require encryption (WPA2 or WPA3) on any Wi-Fi network that carries VoIP traffic.
Require security awareness training for VoIP users.
Establish configuration requirements and baseline configurations for VoIP systems.
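As an added example (not part of 38North's guidance or any vendor's tooling) tying together the SIP-over-TLS, SRTP, authentication, baseline-configuration and unauthorized-change items above: a Python script that audits a constructed, vendor-neutral INI-style SIP configuration against those best practices, shows the weak configuration beside its hardened form, and fingerprints the approved baseline so that later drift can be detected. The section and key names (signaling/transport, media/srtp, auth/allow_guest, and so on) are hypothetical and do not correspond to any specific PBX product's configuration format.

```python
import configparser
import hashlib
from dataclasses import dataclass

# Constructed, vendor-neutral INI-style SIP endpoint configurations.
# Key names are hypothetical for this example and do not map to any real PBX.
WEAK_CONFIG = """\
[signaling]
transport = udp
port = 5060
tls_min_version = none

[media]
srtp = optional

[auth]
allow_guest = yes
min_password_length = 6
mfa_required = no
"""

HARDENED_CONFIG = """\
[signaling]
transport = tls
port = 5061
tls_min_version = 1.2

[media]
srtp = required

[auth]
allow_guest = no
min_password_length = 14
mfa_required = yes
"""


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    actual: str
    expected: str


def audit_sip_config(text: str) -> list[Finding]:
    """Return one Finding per setting that deviates from the best practices above."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # (section, key, predicate on the normalized value, description of the expected value)
    checks = [
        ("signaling", "transport", lambda v: v == "tls", "tls (SIP over TLS / SIPS)"),
        ("signaling", "port", lambda v: v == "5061", "5061 (SIPS port)"),
        ("signaling", "tls_min_version", lambda v: v in ("1.2", "1.3"), "1.2 or 1.3"),
        ("media", "srtp", lambda v: v == "required", "required (SRTP for all media)"),
        ("auth", "allow_guest", lambda v: v == "no", "no (unauthenticated calls rejected)"),
        ("auth", "min_password_length", lambda v: v.isdigit() and int(v) >= 14, ">= 14"),
        ("auth", "mfa_required", lambda v: v == "yes", "yes"),
    ]
    findings = []
    for section, key, ok, expected in checks:
        actual = cfg.get(section, key, fallback="<missing>").strip().lower()
        if actual == "<missing>" or not ok(actual):
            findings.append(Finding(section, key, actual, expected))
    return findings


def config_fingerprint(text: str) -> str:
    """SHA-256 over a canonical key=value listing; record this as the approved baseline.

    Canonicalizing first means whitespace or key-order changes do not raise alerts,
    while any change to an actual setting does.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    canonical = "\n".join(
        f"{s}.{k}={v.strip().lower()}"
        for s in sorted(cfg.sections())
        for k, v in sorted(cfg.items(s))
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline_fingerprint: str, current_text: str) -> bool:
    """True when the live configuration no longer matches the approved baseline."""
    return config_fingerprint(current_text) != baseline_fingerprint


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sip_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.section}] {f.key}={f.actual!r}, expected {f.expected}")
    baseline = config_fingerprint(HARDENED_CONFIG)
    tampered = HARDENED_CONFIG.replace("srtp = required", "srtp = optional")
    print("drift detected after SRTP downgrade:", detect_drift(baseline, tampered))
```

In practice the fingerprint would be stored with the approved baseline (e.g., in the configuration management database) and the audit and drift check run on a schedule, with any non-empty finding list or drift result raising an alert rather than just printing.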
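Also as an added example, not from the original page: a small policy evaluator in Python for the voice/data segmentation and SIP signaling-port rules above, run over constructed flow records of the kind a firewall or flow collector would export. The addresses, VLAN ranges, SIP server address and RTP media port range are hypothetical; a real deployment would load them from the firewall policy and would add the SIP trunk provider's addresses to the allowed SIP server set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network layout constructed for this example.
VOICE_VLAN = ip_network("10.20.0.0/24")           # phones and softphones
DATA_VLAN = ip_network("10.10.0.0/24")            # workstations
SIP_SERVERS = {ip_address("10.20.0.10")}          # call manager / SIP proxy; add trunk provider IPs here
SIP_PORTS = {"tcp": {5060, 5061}, "udp": {5060}}  # 5061 is SIP over TLS, which runs over TCP only
RTP_PORT_RANGE = range(16384, 32768)              # media port range assumed to be configured on the PBX


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify_flow(flow: Flow) -> str:
    """Return 'allow' or a 'block: ...' reason for one flow record."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    proto = flow.proto.lower()
    src_voice, dst_voice = src in VOICE_VLAN, dst in VOICE_VLAN

    # 1. Segmentation: data-segment hosts have no business talking to the voice segment.
    if (src in DATA_VLAN and dst_voice) or (src_voice and dst in DATA_VLAN):
        return "block: cross-segment voice/data traffic"

    # 2. Signaling: SIP ports only from voice endpoints to a registered SIP server.
    if flow.dport in SIP_PORTS.get(proto, set()):
        if src_voice and dst in SIP_SERVERS:
            return "allow"
        return "block: SIP signaling outside the voice-endpoint-to-SIP-server path"

    # 3. Media: RTP/SRTP between voice endpoints, restricted to the configured port range.
    if proto == "udp" and flow.dport in RTP_PORT_RANGE and src_voice and dst_voice:
        return "allow"

    # 4. Anything else touching the voice segment (e.g. SIP on 5062, UDP to 5061) is unexpected.
    if src_voice or dst_voice:
        return "block: unexpected port/protocol on voice segment"

    return "allow"  # not voice traffic; outside this policy's scope


# Constructed flow records (not captured from a real network).
SAMPLE_FLOWS = [
    Flow("10.20.0.25", "10.20.0.10", "tcp", 5061),   # phone registering over SIPS
    Flow("10.20.0.25", "10.20.0.10", "udp", 5060),   # phone using plain SIP (allowed by policy, weak)
    Flow("10.10.0.7", "10.20.0.10", "tcp", 5060),    # workstation probing the call manager
    Flow("10.20.0.25", "10.20.0.99", "udp", 5060),   # phone talking to a rogue registrar
    Flow("10.20.0.25", "10.20.0.10", "udp", 5062),   # signaling on a non-standard port
    Flow("10.20.0.25", "10.20.0.10", "udp", 5061),   # 5061 is TLS/TCP; UDP here is anomalous
    Flow("10.20.0.25", "10.20.0.31", "udp", 20000),  # SRTP media between two phones
    Flow("203.0.113.5", "10.20.0.10", "tcp", 5060),  # Internet SIP scanner hitting the PBX
    Flow("10.10.0.7", "10.10.0.8", "tcp", 443),      # ordinary data traffic, out of scope
]


def evaluate(flows: list[Flow]) -> list[tuple[Flow, str]]:
    return [(f, classify_flow(f)) for f in flows]


def blocked(flows: list[Flow]) -> list[Flow]:
    return [f for f, verdict in evaluate(flows) if verdict != "allow"]


if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{flow.src:>13} -> {flow.dst:>13} {flow.proto}/{flow.dport:<5} {verdict}")
```

The same classification can be expressed as firewall rules between the voice and data VLANs; running it over exported flow logs is the monitoring half of the control, giving a concrete "blocked SIP signaling" signal for the IDS/IPS and logging systems to alert on.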
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
VoIP policy and/or procedure documentation that stipulates usage restrictions and implementation guidance (e.g., Rules of Behavior (RoB), Acceptable Use Policy (AUP), etc.).
Evidence showing that the use of VoIP technologies is authorized, monitored, and controlled.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD