Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies
TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.
If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.
Why Option D is Correct
When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.
No assessment procedures are neededsince there is no VoIP system to evaluate.
Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.
Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.
Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.
Official CMMC Documentation References
CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14
NIST SP 800-171, Security Requirement 3.13.14
CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices
Final Verification
IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.
