Something I have learned from auditing 911 enterprise UCaaS, MS Teams, Cloud Calling deployments: the gap between what IT thinks is configured and what is actually happening when someone dials 911 is almost always significant.
I'm not saying that to alarm anyone unnecessarily. I say it because I have seen it repeatedly — on well-managed networks, at sophisticated organizations, with vendors who provided detailed deployment guides. The guides were followed, at the beginning. But the E911 compliance gaps were still there.
This is what Kari's Law and RAY BAUM's Act actually require of you, and this is what we find when we audit.
What the Law Actually Requires - Kari's Law, and RAY BAUM's, and...
Kari's Law has been federal law since 2018; in addition there are state-based mandates. Kari's Law requires two things of any multi-line telephone system — and MS Teams, Zoom Phone, RingCentral, and Webex Calling are all multi-line telephone systems under the FCC's definition.
First, any user must be able to dial 911 directly, without a prefix. No 9-for-an-outside-line. No additional steps. Direct. (What does that say about having to press a button on the touch screen to access the dial pad?)
Second, when a 911 call is placed from your system, a notification must be sent to a central location at your organization — somewhere that can actually dispatch help to the caller's location. Not a distribution list. Not a Teams channel that security checks twice a day. A real, monitored notification path that somebody is really going to see or hear.
RAY BAUM's Act adds the "dispatchable location" requirement. When your system routes a 911 call, it must send enough location information for the PSAP to dispatch to the right floor, wing, or room. In a large location, that's more than just the street address of your building.
These are not optional recommendations. They are federal requirements with enforcement teeth, and they are layered on top of whatever state laws apply in every state where you have employees.
What We Find When We Audit
One most common finding — and the one that surprises clients the most — is the Central Notification problem.
MS Teams, for example, can route 911 notifications to a Teams channel or to a specific number. That sounds fine. But in practice, I have seen notifications configured to look like person-to-person chats that were set up during the deployment and never tested once. The notification is technically configured. Nobody will ever receive it in time. And frankly, the wrong person is getting it. You need somebody who can unlock a door for a Paramedic, or rush down the hall to check on a coworker.
The second most common finding involves location accuracy. WiFi-based location is the dominant approach for mobile devices on enterprise networks, and vendors talk about it as though it is solved. It is not. WiFi location works well enough in dense, well-mapped environments, with finely-tuned power management, and floors that don't allow WiFi to pass to the adjacent. Real enterprise buildings have dead zones, roaming gaps, and floors where the access point density was never designed with location accuracy in mind. Real enterprise laptops stick with the old WiFi signal. We test this by walking the building and placing test calls. What we find is frequently not what the system reports.
Here is something specific that most people have not considered: your users aren't using the network links you expected. You've got great WiFi, but they're plugged in on Ethernet. Or they're on WiFi, but using the public network, not the secured enterprise network. Or they're using the wrong network link altogether, but it seems to work.
The location behavior of each scenario is different. The 911 compliance of each client is different. Your compliance posture is weakened by the varieties of endpoint behavior.
The desk phone problem deserves its own paragraph. Many enterprise PBX configurations — even on modern IP phones — require the user to press a button or go off-hook before dialing 911. This doesn't sound compliant with Kari's Law. I find it regularly: modern phones don't have physical keypads.
Why This Matters Right Now
I am not going to speculate about your corporate liability exposure — that is a conversation for your legal counsel. What I will tell you is that the FCC has been actively enforcing these requirements. Legal liability risk is real, like the $8 million settlement related to a misconfigured 911 platform.
The practical question is not whether you are at risk. The practical question is whether you know exactly where your gaps are, and to make a good faith effort to protect the safety of your workplace and the public.
How to Actually Find Out
A real audit is not a vendor self-certification questionnaire. It is not reading your contract with your UCaaS provider. It is testing what actually happens when someone on your network dials 911, from every client type, from every significant location, on every network type you support.
It means scheduling with the local emergency responders to do testing and then following the rules they set. It means using the built-in test capabilities of the system, like 933, and carefully analyzing the results. (Will the calls go to the local emergency responders, or somewhere else?) It means understanding the WiFi and ethernet behavior. That means placing test calls and verifying what location information reaches the PSAP. It means walking the building with devices and mapping where WiFi location fails or undocumented Access Points are installed. It means checking every notification path and confirming that someone who is actually monitoring those paths receives the alert. It means reviewing your configuration against the specific state laws in every state where you operate.
ECG can do this work at a fixed price, with a documented scope. We mix both engineers, and lawyers who can answer your questions and analyze your particular state laws.
We provide a plain-language report that will help you run a safer workplace. It's a report you can hand to your legal team, your risk manager, your cloud comms provider, and your CTO.
If you have deployed a UCaaS platform in the last five years, or you've replaced WiFi equipment, Ethernet switches, or phones -- but you have not yet had an independent 911 compliance audit, you have gaps. The question is how significant they are.