NIST 800-53 r5 · Controls catalogue · Family SC
SC-19 Voice Over Internet Protocol
Technology-specific; addressed as any other technology or protocol.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Authorizing and controlling VoIP use directly enforces access control decisions over a distinct communication technology. |
| CWE-287 | Improper Authentication | 4,730 | Implementation guidance and monitoring requirements force proper authentication mechanisms for VoIP endpoints and sessions. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Requiring authorization before VoIP deployment prevents critical VoIP functions (registration, call setup) from lacking authentication. |
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | Usage restrictions and technology-specific guidance routinely mandate encryption (SRTP, TLS) for voice streams that carry sensitive information. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Explicit control of VoIP traffic forces organizations to restrict communication channels to only intended endpoints and protocols. |
| CWE-300 | Channel Accessible by Non-Endpoint | 53 | Restrictions and channel controls reduce the chance that VoIP media or signaling streams remain accessible to non-participants. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |