VoIP systems are part of your infrastructure and must be controlled. SC.L2-3.13.14 requires that you document which VoIP systems are in use, encrypt VoIP traffic, and prevent unauthorized VoIP devices from connecting. The assessor will check your VoIP inventory and security controls. See SC.L2-3.13.8 for encryption of VoIP calls in transit.
What the assessor is actually evaluating
The assessor will examine:
Inventory of VoIP systems: You should be able to list all VoIP systems, phones, and gateways in use.
VoIP security policy: Your policy should address encryption, authentication, and authorization for VoIP systems.
Encryption: VoIP calls and signaling should be encrypted using TLS or similar mechanisms.
Network controls: VoIP traffic should be isolated or controlled by firewalls to prevent unauthorized access.
What a realistic SSP definition looks like
Policy: “The organization uses Cisco Unified Communications as its VoIP platform. VoIP calls are encrypted using SRTP (Secure Real-time Transport Protocol). Call signaling is encrypted using TLS. Authorized VoIP phones are registered on the IP network. Unauthorized VoIP devices are not permitted. VoIP traffic is monitored for unusual activity.”
Supporting details:
- VoIP system: Cisco Call Manager with IP phones across the organization.
- Encryption: SRTP is enabled for all calls. TLS is required for phone registration and signaling.
- Device authorization: Only registered phones can connect. MAC filtering enforces that only phones on the authorized list can register.
- Network segmentation: VoIP traffic is on a dedicated VLAN with firewall rules restricting unauthorized access.
- Monitoring: VoIP system logs are reviewed for authentication failures or unusual device registration attempts.
How to present your evidence
- VoIP policy document: Describes the VoIP system, security requirements, and monitoring.
- VoIP system inventory: A list of all VoIP phones, gateways, and systems with model numbers and registration dates.
- Encryption configuration: Documentation or screenshots showing SRTP and TLS are enabled on the VoIP system.
- Network controls: Firewall rules or VLAN configuration showing VoIP traffic is segmented or controlled.
- Monitoring logs: VoIP system logs showing authentication, device registration, and call activity. Look for any failed authentication attempts or unauthorized devices.
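The log review described under Monitoring and in the evidence item above, as an added example that is not from the original article or from Cisco: it parses constructed, syslog-style registration lines (not Call Manager's real log format), compares registering devices against the phone inventory, and flags cleartext registrations, devices registering from outside the voice VLAN, and repeated authentication failures. The inventory, VLAN prefix and device names are all constructed.

```python
import re
from collections import Counter

# Constructed sample lines in a generic syslog-like shape. This is NOT the
# actual Cisco Call Manager log format, only a stand-in for the exercise.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z cucm REGISTER ok device=SEP001122AABB01 ip=10.20.1.11 transport=TLS model=8841
2024-05-01T08:00:07Z cucm REGISTER ok device=SEP001122AABB02 ip=10.20.1.12 transport=TLS model=8841
2024-05-01T08:01:15Z cucm REGISTER fail device=SEP00DEADBEEF99 ip=10.20.1.77 transport=TCP reason=auth
2024-05-01T08:01:16Z cucm REGISTER fail device=SEP00DEADBEEF99 ip=10.20.1.77 transport=TCP reason=auth
2024-05-01T08:01:17Z cucm REGISTER fail device=SEP00DEADBEEF99 ip=10.20.1.77 transport=TCP reason=auth
2024-05-01T08:02:30Z cucm REGISTER ok device=SEP001122AABB09 ip=10.30.5.5 transport=TCP model=7841
"""

# Constructed phone inventory and voice VLAN subnet (the SSP's "registered phones"
# and "dedicated VLAN"); in practice these come from your own inventory records.
INVENTORY = {"SEP001122AABB01", "SEP001122AABB02"}
VOICE_VLAN_PREFIX = "10.20.1."

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ REGISTER (?P<result>ok|fail) (?P<kv>.*)$")

def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "result": m["result"]}
        ev.update(field.split("=", 1) for field in m["kv"].split())
        events.append(ev)
    return events

def review(events, inventory, voice_prefix, fail_threshold=3):
    """Return the findings an assessor asks about: unknown devices that registered,
    registrations without TLS, sources outside the voice VLAN, repeated auth failures."""
    findings = {"unauthorized": set(), "cleartext": set(), "off_vlan": set()}
    failures = Counter()
    for ev in events:
        dev = ev["device"]
        if ev["result"] == "fail":
            failures[dev] += 1
            continue
        if dev not in inventory:
            findings["unauthorized"].add(dev)
        if ev.get("transport") != "TLS":
            findings["cleartext"].add(dev)
        if not ev["ip"].startswith(voice_prefix):
            findings["off_vlan"].add(dev)
    findings["repeated_failures"] = {d for d, n in failures.items() if n >= fail_threshold}
    return findings
```

A device that appears in `unauthorized` while succeeding registration is the finding that matters most for this practice: it means registration is not actually limited to inventoried phones.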
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “Describe your VoIP system. How many phones do you have, and how are they secured?”
You: “We use Cisco Unified Communications with encrypted SRTP calls. VoIP traffic is on a dedicated VLAN. All calls are encrypted.” [Pull up VoIP policy and phone inventory]
Assessor: “Show me the encryption configuration.”
You: [Open Cisco Call Manager and show SRTP and TLS are enabled]
Assessor: “How do you prevent unauthorized phones from connecting?”
You: “Only registered phones can connect to the system. Device registration requires authentication and a valid phone model. Unauthorized devices are rejected.” [Show monitoring logs with successful registrations and rejected unauthorized devices]
Common failures
No VoIP policy or inventory: The organization uses VoIP but has not documented the system or security requirements.
VoIP calls are not encrypted: Calls are sent in plaintext or with weak encryption.
No device authentication: Any device can connect to the VoIP system and register as a phone.
No network segmentation: VoIP traffic is on the same network as other systems with no separation.
What good looks like
Clear VoIP policy and inventory: All VoIP systems are documented. Encryption (SRTP, TLS) is enabled.
Device authorization: Only registered phones can connect. Unauthorized devices are detected and blocked.
If you use an MSP/MSSP
If your MSP manages VoIP, ensure the service agreement specifies encrypted calls and secure device registration. Request periodic logs showing only authorized devices are registering. You are responsible for VoIP security even if managed externally.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.