
3.13.14 System and Communications Protection - Derived

Derived Requirement

>Control Description

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

>Discussion

VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth.

To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address the derived System and Communications Protection requirements for CUI systems?
  • Who is accountable for implementing and maintaining the derived System and Communications Protection controls?
  • How frequently are the derived System and Communications Protection requirements reviewed, and what triggers updates?
  • What process ensures that changes to systems maintain compliance with the derived System and Communications Protection requirements?
  • How are exceptions to the derived System and Communications Protection requirements documented and approved?

Technical Implementation:

  • What technical controls enforce the derived System and Communications Protection requirements in your CUI environment?
  • How are the derived System and Communications Protection controls configured and maintained across all CUI systems?
  • What automated mechanisms support compliance with the derived System and Communications Protection requirements?
  • How do you validate that the derived System and Communications Protection implementations achieve their intended security outcome?
  • What compensating controls exist if the primary derived System and Communications Protection controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves that the derived System and Communications Protection requirements are implemented and operating effectively?
  • Can you provide configuration evidence showing how the derived System and Communications Protection requirements are technically enforced?
  • What audit logs or monitoring data demonstrate ongoing compliance with the derived System and Communications Protection requirements?
  • Can you show evidence of a recent review or assessment of the derived System and Communications Protection controls?
  • What artifacts would you provide to a CMMC assessor to demonstrate compliance with the derived System and Communications Protection requirements?
