Nowadays, most companies in the Defense Industrial Base (DIB) are keenly aware of their cybersecurity requirements under NIST SP 800-171. The framework introduces baseline security standards required to protect Controlled Unclassified Information (CUI) from unauthorized access. The controls listed in that document must be applied to any information systems that process, store, or transmit CUI. However, does 800-171 allow for Voice over IP (VoIP) and if so, do the CUI protection measures apply? The short answer is yes… but the more accurate answer is “it depends”.
Applying 800-171 protections to VoIP
Put simply, NIST SP 800-171 treats VoIP as an information system the same as any other. To pass an assessment, you’ll need to apply tailored security controls to the parts of your VoIP deployment (e.g., logging servers, call managers, etc.) that enable CUI discussions. However, there are differences in how the controls should be implemented for VoIP compared to other information systems.
For example, 800-171 control AC 3.1.2 demands that organizations “limit system access to the types of transactions and functions that authorized users are permitted to execute”. For a regular computer workstation, the limitations would be focused on which files a particular user needs to access in order to perform their duties. Access control for a VoIP system, on the other hand, may instead limit capabilities like international calls to certain users. In some cases, the ability to make calls altogether could be restricted to regular business hours.
AU 3.3.2 requires the ability to “ensure that the actions of individual system users can be uniquely traced to those users”. This enables accountability, which is essential for investigating potential security incidents… or simply to help an organization pinpoint the employee making expensive personal phone calls on the company’s dime.
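As an added illustration of the two controls above (not code from the original article or from Totem Tech), the following Python sketch shows how a call manager's authorization hook might enforce AC 3.1.2 style limits (international dialing and business-hours calling granted per user) while emitting an AU 3.3.2 style audit record tied to the authenticated user rather than just the extension. The USER_POLICY table, business-hours window, and home country code are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed per-user VoIP privileges; assumes the call manager can be
# configured with permission sets like these per authenticated user.
USER_POLICY = {
    "alice": {"international": True,  "after_hours": True},
    "bob":   {"international": False, "after_hours": False},
}
BUSINESS_HOURS = (8, 18)   # 08:00-18:00 local time, Monday to Friday
HOME_COUNTRY_CODE = "+1"   # assumption: North American deployment

@dataclass
class CallRequest:
    user: str        # authenticated identity behind the extension (AU 3.3.2)
    extension: str
    dialed: str      # E.164-style number, e.g. "+442071234567"
    when: datetime

def is_international(dialed: str) -> bool:
    return dialed.startswith("+") and not dialed.startswith(HOME_COUNTRY_CODE)

def in_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.hour < end

def authorize_call(req: CallRequest) -> tuple:
    """Apply AC 3.1.2 style restrictions; return (allowed, reason)."""
    policy = USER_POLICY.get(req.user)
    if policy is None:
        return False, "unknown user"          # unauthenticated callers are denied
    if is_international(req.dialed) and not policy["international"]:
        return False, "international calling not permitted"
    if not in_business_hours(req.when) and not policy["after_hours"]:
        return False, "calling outside business hours not permitted"
    return True, "ok"

def check_call(user: str, extension: str, dialed: str, iso_ts: str) -> dict:
    """Authorize a call attempt and return the audit record for it.

    Every attempt, allowed or denied, is recorded against the user so the
    action can be uniquely traced to that person later (AU 3.3.2).
    """
    req = CallRequest(user, extension, dialed, datetime.fromisoformat(iso_ts))
    allowed, reason = authorize_call(req)
    return {"ts": req.when.isoformat(), "user": req.user, "ext": req.extension,
            "dialed": req.dialed, "allowed": allowed, "reason": reason}
```

Feeding the resulting records into your SIEM gives you the per-user call history that both incident investigations and billing disputes depend on.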
The importance of properly tailoring your security controls is illustrated by the policy’s only VoIP-specific control, SC 3.13.14. This control calls on organizations to “control and monitor the use of VoIP technologies”. Full compliance means restricting the use and access of VoIP resources in a way designed to mitigate the risk of malicious use. In practical terms, you will need documented guidelines, technical controls, and robust monitoring to ensure compliance.
Once you’ve integrated VoIP into your security program, you may want to validate the efficacy of your controls through a Self-Assessment. NIST SP 800-171A walks you through the process of verifying your organization’s compliance with the 800-171 requirements. Totem Tech teaches you how to perform self-assessments in our Workshops. We also offer one-on-one gap assessment engagements. Get in touch with us for more information.
The Exception to the Rule
There are some situations where 800-171 requirements may not apply to your VoIP solution. For example, if you have a large company with both private sector and government customers, the department working with CUI could be relatively small. In those cases, the best approach could be to create a logically and/or physically isolated security domain specifically for government contract work. With that division in place, most of your company’s infrastructure (including VoIP, in many cases) would be exempt from 800-171 requirements. How would employees working in the CUI security domain make phone calls? One common solution is to use lightweight, secure voice solutions such as ‘softphones’ that can be installed on a small number of workstations.
Keep in mind that even if creating a separate CUI-specific security domain allows your VoIP platform to avoid 800-171 requirements, it’s still a good idea to provide robust security for your voice systems. After all, a security breach doesn’t have to result in the unauthorized access of CUI data to inflict reputational harm on your company. Regardless of how VoIP is deployed in your organization, calling upon NIST cybersecurity guidance will help you dial in on the biggest threats and resolve them in a structured, organized manner.
How we can help with VoIP
As we mentioned above, we cover this topic and many more in our NIST/CMMC . If you are interested in exploring the NIST/CMMC requirements a little more, take our Totem™ Cybersecurity Compliance Management software for a test spin. Or just ask us a question. We love talking about this stuff!