NIST 800-171 is a compliance standard for the protection of Controlled Unclassified Information (CUI). CallTower does not manage or have access to any customer data or CUI. Phone calls do not fall under the classification of CUI, and the PSTN is specified as a conduit for the phone calls.
The latest draft of NIST 800-171 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf) addresses VoIP-related calls and references a separate document, NIST 800-58 (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-58.pdf), that addresses security concerns for VoIP systems. The security concerns addressed have to do with VoIP systems at the customer site and how to address them. PSTN calls outside the organization do not fall under it. PSTN calls cannot be encrypted or secured. Page 3 of NIST 800-58 addresses this: “This publication explains the challenges of VOIP security for agency and commercial users of VOIP, and outlines steps needed to help secure an organization’s VOIP network. VOIP security considerations for the public switched telephone network (PSTN) are largely outside the scope of this document.”
With traditional VoIP systems, the communication from the phone to the PBX was an open protocol. Phones traditionally did not have the ability to encrypt communication with the PBX. For this reason, separate voice VLANs, access lists, firewalls, etc. were incorporated in an organization’s network to secure the communication from the phone to the PBX as much as possible. NIST 800-58 addresses the different ways to secure this type of VoIP environment at the organizational level to meet NIST 800-171 compliance. The connection from the PBX to the PSTN is not covered and is outside of NIST 800-171 compliance.
This is all different with Microsoft Teams, though. Teams is not a traditional VoIP system, and the device used to place calls (Teams phone or Teams PC client) does encrypt the communication between the client and the PBX (Teams server in O365). This encrypted communication travels over a standard data network through the internet to Microsoft. The encryption of the communication between the Teams client and server satisfies the security needed for this service. CallTower is the PSTN provider for Teams and is the PBX-to-PSTN connection in this scenario.
Although NIST 800-171 does not apply to CallTower or similar providers, CallTower still takes security seriously for communications within our control to the carriers. CallTower’s Corporate Security Document explains our internal processes and employee vetting. SOC reports from the data centers where servers reside cover the physical security of the PSTN calls there.