VoIP and CMMC Level 2: What Defense Contractors Need to Know (2026)
CMMC assessments are now written into DoD contracts, and the phone system is one of the most commonly overlooked items in the CUI boundary. Here is when your VoIP platform is in scope, why your commercial edition probably does not qualify, and the three realistic ways to handle it.
If Controlled Unclassified Information (CUI) flows through your phone system in calls, voicemail, SMS, recordings, or fax, the system is in scope for CMMC Level 2 and your VoIP provider must meet the FedRAMP Moderate baseline or equivalent. Standard commercial editions of RingCentral, Zoom Phone, Teams, and the rest do not qualify. Their separate government platforms do. Contractors who cannot justify a government edition for everyone typically carve voice out of the CUI boundary or run a small compliant enclave alongside commercial VoIP.
Why this matters now
CMMC stopped being theoretical in late 2025. The program's final acquisition rule took effect, and DoD began phasing CMMC requirements into new contracts and option years. Through 2026 the requirement expands from self-assessments toward third-party (C3PAO) certification for contractors handling CUI, which is what CMMC Level 2 covers. Level 2 maps to the 110 security requirements of NIST SP 800-171 Revision 2.
Most contractors scope their file shares, email, and endpoints carefully, then treat the phone system as furniture. Assessors do not. NIST SP 800-171 includes a control aimed squarely at voice: 3.13.14, control and monitor the use of VoIP technologies. Your phone system will come up in the assessment whether or not it touches CUI.
Is your phone system in scope?
The scoping question is simple to state and uncomfortable to answer: does CUI get stored, processed, or transmitted by the platform? Walk through where CUI could actually flow:
- Voice calls. Engineers discussing drawings, specs, or program details on a call are transmitting CUI through the platform.
- Voicemail and transcription. A voicemail describing CUI is now CUI at rest in your provider's cloud, and AI transcription copies it into text.
- Business SMS. Texted part numbers, schedules, or technical details put CUI in the provider's message store.
- Call recording. If recording is on and a call touches CUI, you are storing CUI with the provider indefinitely.
- Fax. Cloud fax of technical documents is one of the most common unnoticed CUI flows in smaller defense shops.
- Contact center features. Transcripts, summaries, and AI assist features all create copies of whatever was said.
If the honest answer to any of these is "probably, sometimes," the platform is a CUI asset and lands fully in scope.
The policy-only carve-out rarely survives contact with an assessor. Declaring "we do not discuss CUI on the phone" without training records, technical controls, and consistent practice behind it is one of the most common scoping findings. If you take the carve-out path, you have to actually run it like a control, not a wish.
The FedRAMP requirement
This is the part that surprises buyers. Under DFARS 252.204-7012, any cloud service that stores, processes, or transmits covered defense information on your behalf must meet the FedRAMP Moderate baseline or equivalent. DoD's December 2023 equivalency memo made "equivalent" strict: full control coverage validated by a third-party assessment organization, not a vendor's self-attestation or a roadmap slide.
The practical consequence: the commercial edition of your UCaaS platform almost certainly does not qualify, even when the same vendor holds a FedRAMP authorization. The authorization belongs to a separate government environment with its own infrastructure, personnel screening, and feature set. Buying RingCentral or Zoom commercial and pointing at the vendor's FedRAMP press release will not pass.
The government editions
Every major UCaaS vendor now runs a separate authorized environment. Status changes, so verify the current listing on the FedRAMP Marketplace before signing anything.
| Platform | Government offering | Notes |
|---|---|---|
| Microsoft Teams Phone | GCC High | The default for ITAR and export-controlled work; FedRAMP High environment with US-person support |
| Cisco Webex Calling | Webex for Government | FedRAMP-authorized environment covering meetings, messaging, and calling |
| Zoom Phone | Zoom for Government | Separate authorized cloud; familiar Zoom experience with a reduced feature set |
| RingCentral | RingCentral for Government | FedRAMP-authorized UCaaS; the vendor also cites HIPAA and SOC 2 attestations and positions the offering for CMMC environments (CMMC itself certifies contractors, not products) |
| Dialpad | Dialpad for Government | FedRAMP-authorized; brings its AI transcription stack to the government environment |
Expect three consistent trade-offs on government SKUs: higher per-user pricing than commercial, feature lag because new capabilities clear authorization later, and narrower integration catalogs. Budget accordingly rather than discovering it at proposal time.
What else assessors look for on voice
- FIPS-validated encryption. CUI in transit needs FIPS 140-2/140-3 validated cryptographic modules, and the provider should be able to point to the CMVP certificate behind the claim, not just say "we use TLS."
- A shared responsibility matrix. You need the provider's documentation of which 800-171 controls they cover and which remain yours. If a vendor cannot produce one, that tells you something.
- Audit logging. Call detail records, admin activity, and access logs feeding your monitoring (3.3.x controls).
- Control of the VoIP boundary itself. 3.13.14 expects you to know what VoIP runs in your environment, restrict who can use it, and monitor it, even for systems outside the CUI boundary.
- ITAR overlay. If your CUI includes export-controlled technical data, US data residency and US-person support staff become requirements, which narrows the table above considerably.
Three realistic paths
Keep commercial VoIP, carve it out of the boundary
Keep your commercial platform for general business and make "no CUI on the phone system" a real, enforced control: written policy, annual training with records, SMS and recording restrictions, and a defined compliant channel for the conversations that do need to happen. Cheapest path, and defensible when CUI voice traffic is genuinely rare. It fails when program work actually lives on the phone.
Move everyone to a government edition
If most of your business is defense work, scoping games cost more than they save. Put the whole company on GCC High, Webex for Government, or another authorized platform and let the phone system sit inside the boundary. Simplest assessment story, highest license cost.
Compliant enclave for the CUI team, commercial for everyone else
Run a small government-edition deployment for the program team that actually handles CUI, and keep the rest of the company on commercial licensing. This is the cost-effective middle for mixed commercial and defense businesses, at the price of running two phone environments and policing the seam between them.
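What "know what VoIP runs, restrict who can use it, and monitor it" under 3.13.14 looks like in practice, and how the seam between a CUI enclave and commercial VoIP gets policed, is a question of watching your own network telemetry. The following flow-log audit is an added example and is not from the original article or any vendor. The provider SBC ranges, internal subnets, SIP/RTP port conventions and log lines are constructed placeholders; in a real deployment you would substitute the address and port ranges your platforms publish.

```python
"""Flow-log audit for NIST SP 800-171 3.13.14 (control and monitor VoIP use).

Added example, not from the original article or any vendor. It models the
enclave split from the article: a commercial UCaaS platform for general
business and a government edition for the CUI team. All addresses, subnets
and log lines below are constructed placeholders.
"""
import ipaddress
from collections import Counter

# Hypothetical network model. RFC 5737 documentation ranges stand in for the
# providers' session border controllers (SBCs); RFC 1918 ranges for internal VLANs.
COMMERCIAL_SBC = [ipaddress.ip_network("203.0.113.0/24")]   # commercial edition edge
GOVERNMENT_SBC = [ipaddress.ip_network("198.51.100.0/24")]  # government edition edge
CUI_ENCLAVE = ipaddress.ip_network("10.50.0.0/24")          # program team that handles CUI
PHONE_VLAN = ipaddress.ip_network("10.20.0.0/24")           # general-business phones/softphones

SIP_PORTS = {5060, 5061}          # 5060 = SIP cleartext (UDP/TCP), 5061 = SIP over TLS
RTP_PORTS = range(16384, 32768)   # UDP media range most PBXs and SBCs default to


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def classify_flow(src, dst, dport, proto):
    """Classify one flow. Returns (is_voip, finding); finding is None when sanctioned."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sanctioned_dst = _in_any(dst, COMMERCIAL_SBC) or _in_any(dst, GOVERNMENT_SBC)
    is_sip = dport in SIP_PORTS
    # Port-based RTP detection is noisy, so media only counts as VoIP when it goes
    # to a known SBC. SIP signaling to anywhere is always treated as VoIP.
    is_rtp = proto == "udp" and dport in RTP_PORTS and sanctioned_dst
    if not (is_sip or is_rtp):
        return False, None
    # 1. Shadow VoIP: signaling toward something that is neither sanctioned platform.
    if not sanctioned_dst:
        return True, "unsanctioned-voip-destination"
    # 2. The enclave seam: CUI hosts may only talk to the government edition.
    if src in CUI_ENCLAVE and _in_any(dst, COMMERCIAL_SBC):
        return True, "cui-enclave-to-commercial-platform"
    # 3. Who may use VoIP at all: the phone VLAN and the enclave, nothing else.
    if src not in PHONE_VLAN and src not in CUI_ENCLAVE:
        return True, "voip-from-unauthorized-subnet"
    # 4. Transport: signaling must ride SIP over TLS (5061); cleartext 5060 is a finding.
    if is_sip and dport == 5060:
        return True, "sip-cleartext-signaling"
    return True, None


def audit(flow_log):
    """Parse 'timestamp,src,dst,dport,proto,bytes' lines and summarize VoIP findings."""
    counts, findings, voip_flows = Counter(), [], 0
    for line in flow_log.strip().splitlines():
        ts, src, dst, dport, proto, _bytes = line.split(",")
        is_voip, finding = classify_flow(src, dst, int(dport), proto.lower())
        voip_flows += is_voip
        if finding:
            counts[finding] += 1
            findings.append((ts, src, dst, finding))
    return {"voip_flows": voip_flows, "counts": counts, "findings": findings}


# Constructed flow records: one sanctioned call per platform, then one of each
# finding, plus an HTTPS flow to confirm non-VoIP traffic is ignored.
SAMPLE_FLOW_LOG = """\
2026-03-02T14:01:05Z,10.20.0.15,203.0.113.10,5061,tcp,8820
2026-03-02T14:01:06Z,10.20.0.15,203.0.113.44,20000,udp,412000
2026-03-02T14:02:11Z,10.50.0.7,198.51.100.20,5061,tcp,9104
2026-03-02T14:02:12Z,10.50.0.7,198.51.100.61,24000,udp,380000
2026-03-02T14:03:40Z,10.50.0.9,203.0.113.10,5061,tcp,7712
2026-03-02T14:05:02Z,10.30.0.88,192.0.2.55,5060,udp,1310
2026-03-02T14:05:30Z,10.20.0.21,203.0.113.10,5060,udp,2200
2026-03-02T14:06:00Z,10.20.0.15,192.0.2.80,443,tcp,15500
2026-03-02T14:06:30Z,10.30.0.50,203.0.113.10,5061,tcp,6100
"""

if __name__ == "__main__":
    report = audit(SAMPLE_FLOW_LOG)
    print(f"VoIP flows seen: {report['voip_flows']}")
    for ts, src, dst, finding in report["findings"]:
        print(f"{ts} {src} -> {dst}: {finding}")
```

Run against the constructed log, the audit sees eight VoIP flows and raises four findings: an enclave host calling through the commercial platform (the seam leaking), SIP to an address that is neither platform (shadow VoIP), a cleartext 5060 session to the commercial SBC, and SIP from a subnet that is not supposed to run phones at all. The two checks that matter most for the assessor are the first two; the unauthorized-subnet and cleartext checks are what turns 3.13.14 from "we have a policy" into evidence you can hand over.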
Our view
Most contractors we talk to are overpaying in one of two directions: buying government licensing for an entire company when one program team needed it, or running naked commercial VoIP with CUI flowing through voicemail transcription nobody thought about. The right answer falls out of one honest question: where does CUI actually move in your business? Map that first. Then price the paths.
Wholesale pricing applies to government SKUs the same way it does to commercial. The premium over commercial is real, but you should not be paying list price for either.
Scoping a phone system around CMMC?
We quote both commercial and government editions across every major platform and can price all three paths for your actual headcount, including the enclave split.
Get wholesale pricing