NetStable
Level 2 AC.L2-3.1.17

Protect wireless access using authentication and encryption

📖 What This Means

This control requires organizations to secure their wireless networks by ensuring that only authorized users can access them and that all data transmitted over the network is encrypted. Think of it like locking the doors to your house and ensuring that conversations inside can't be overheard. Without these protections, unauthorized individuals could easily connect to the network and intercept sensitive information. For example, an employee accessing company email over an unsecured Wi-Fi network could expose login credentials to hackers. Similarly, a contractor using an unprotected wireless printer might accidentally leak confidential documents. By implementing strong authentication and encryption, organizations can prevent these risks and safeguard their data.

🎯 Why It Matters

Unprotected wireless networks are a prime target for attackers, as they provide an easy entry point into an organization's systems. A breach through an insecure Wi-Fi network can lead to data theft, unauthorized access, and even ransomware attacks. For instance, in 2017, hackers exploited a weak wireless network at a major retailer to steal millions of customer credit card details. The financial and reputational damage from such incidents can be devastating. From the DoD/CMMC perspective, protecting wireless access is critical because Controlled Unclassified Information (CUI) often traverses these networks. Failure to secure wireless access can compromise national security and result in non-compliance penalties.

How to Implement

  1. Use cloud-native wireless security services, such as AWS WAF or Azure Firewall, to enforce authentication and encryption policies.
  2. Configure cloud-managed wireless access points (e.g., Meraki or Aruba) to require WPA3 encryption and 802.1X authentication.
  3. Integrate wireless access with cloud-based Identity and Access Management (IAM) solutions like Okta or Azure AD.
  4. Enable logging and monitoring for wireless access via cloud services like AWS CloudTrail or Azure Monitor.
  5. Regularly audit wireless configurations using cloud-native tools like AWS Config or Azure Security Center.
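A configuration audit of the kind step 5 calls for, as an added example that is not part of this page or any vendor's tooling: it walks a constructed SSID export (the field names are assumptions, not a real controller's schema) and reports every SSID that is not WPA3 with 802.1X authentication, which is also what the evidence screenshots and self-assessment questions 1 and 2 look for.

```python
"""Audit wireless SSID settings for AC.L2-3.1.17 (WPA3 + 802.1X).

Constructed input: SSID records modelled loosely on a cloud-managed AP
controller export. The field names are assumptions for this example,
not any vendor's real API schema.
"""
import json

# Values an auditor flags as legacy (see "Common Mistakes" #1); anything other
# than WPA3 is a finding either way.
LEGACY = {"open", "wep", "wpa", "wpa2"}

CONSTRUCTED_EXPORT = json.dumps([
    {"ssid": "CORP-CUI",   "encryption": "wpa3", "auth": "802.1x", "pmf": "required"},
    {"ssid": "PRINTERS",   "encryption": "wpa2", "auth": "psk",    "pmf": "optional"},
    {"ssid": "GUEST",      "encryption": "open", "auth": "none",   "pmf": "disabled"},
    {"ssid": "LEGACY-IOT", "encryption": "wep",  "auth": "psk",    "pmf": "disabled"},
])

def audit_ssid(rec):
    """Return a list of finding strings for one SSID record (empty list = compliant)."""
    findings = []
    enc = rec.get("encryption", "").lower()
    if enc != "wpa3":
        label = "legacy protocol" if enc in LEGACY else "unrecognised value"
        findings.append(f"encryption is {enc or 'unset'} ({label}), WPA3 required")
    if rec.get("auth", "").lower() != "802.1x":
        findings.append(f"authentication is {rec.get('auth', 'unset')}, 802.1X required")
    # WPA3 mandates Protected Management Frames; anything weaker than "required"
    # means the deployment is not actually running in WPA3 mode.
    if rec.get("pmf", "").lower() != "required":
        findings.append("protected management frames not set to required")
    return findings

def audit_export(export_json):
    """Map each non-compliant SSID name to its findings; compliant SSIDs are omitted."""
    report = {}
    for rec in json.loads(export_json):
        findings = audit_ssid(rec)
        if findings:
            report[rec["ssid"]] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit_export(CONSTRUCTED_EXPORT).items():
        print(f"[GAP] {ssid}:")
        for finding in findings:
            print(f"    - {finding}")
```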
⏱️ Estimated Effort
Implementation typically takes 2-3 days for small environments. Requires intermediate networking and security skills.

📋 Evidence Examples

Wireless Security Policy

Format: PDF or Word
Frequency: Annual review and updates.
Contents: Detailed requirements for authentication and encryption on wireless networks.
Collection: Export from policy management system.

Wireless Configuration Screenshots

Format: PNG or JPEG
Frequency: After initial setup and major changes.
Contents: Settings showing WPA3 encryption and 802.1X authentication enabled.
Collection: Capture from wireless access point admin interface.

Access Logs

Format: CSV or TXT
Frequency: Monthly.
Contents: Records of wireless network connections.
Collection: Export from RADIUS server or access point logs.

Penetration Test Report

Format: PDF
Frequency: Annual or after major changes.
Contents: Results of wireless security testing.
Collection: Obtain from third-party tester.

Training Records

Format: Excel or PDF
Frequency: Annual.
Contents: Documentation of staff training on wireless security.
Collection: Export from Learning Management System (LMS).

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.17 ("Protect wireless access using authentication and encryption"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.17 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to protect wireless access using authentication and encryption. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.17 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to protect wireless access using authentication and encryption. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.17 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where wireless access protected by authentication and encryption applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.17
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Is WPA3 encryption enabled on all wireless access points?

✅ YES → Proceed to Q2.
❌ NO → GAP: Enable WPA3 encryption immediately. Timeline: 1 week.
Remediation:
Upgrade firmware and configure WPA3 settings.

Question 2: Is 802.1X authentication implemented for wireless access?

✅ YES → Proceed to Q3.
❌ NO → GAP: Set up RADIUS server and configure 802.1X. Timeline: 2 weeks.
Remediation:
Deploy FreeRADIUS or Microsoft NPS.

Question 3: Are wireless networks segmented from critical systems?

✅ YES → Proceed to Q4.
❌ NO → GAP: Implement VLANs and firewall rules. Timeline: 1 week.
Remediation:
Consult network administrator.

Question 4: Are wireless access logs regularly reviewed?

✅ YES → Proceed to Q5.
❌ NO → GAP: Enable logging and schedule monthly reviews. Timeline: 1 month.
Remediation:
Configure RADIUS server logging.
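The monthly log review this question asks for, as an added example that is not part of this page: it parses a constructed set of authentication log lines (modelled on FreeRADIUS "Auth:" entries; the exact layout and the failure threshold are assumptions for this example) and produces the counts a reviewer would record, flagging any client MAC whose failed 802.1X attempts exceed the threshold.

```python
"""Summarise wireless 802.1X authentication logs for the monthly review.

Constructed sample: lines modelled on FreeRADIUS radius.log "Auth:" entries.
The threshold and the field layout are assumptions for this example.
"""
import re
from collections import Counter

CONSTRUCTED_LOG = """\
Mon Jun  3 08:01:10 2024 : Auth: (1) Login OK: [alice] (from client ap-floor1 port 0 cli 00-11-22-33-44-55)
Mon Jun  3 08:02:31 2024 : Auth: (2) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client ap-floor1 port 0 cli AA-BB-CC-DD-EE-FF)
Mon Jun  3 08:02:45 2024 : Auth: (3) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client ap-floor1 port 0 cli AA-BB-CC-DD-EE-FF)
Mon Jun  3 08:03:02 2024 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [admin] (from client ap-floor1 port 0 cli AA-BB-CC-DD-EE-FF)
Mon Jun  3 08:05:17 2024 : Auth: (5) Login OK: [carol] (from client ap-floor2 port 0 cli 66-77-88-99-AA-BB)
Mon Jun  3 08:09:58 2024 : Auth: (6) Login incorrect (eap_peap: constructed failure reason): [carol] (from client ap-floor2 port 0 cli 66-77-88-99-AA-BB)
"""

# One regex for both outcomes; the optional group swallows the failure reason.
AUTH_RE = re.compile(
    r"Auth: \(\d+\) Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\)"
)
FAIL_THRESHOLD = 3  # assumed review threshold for failures from one client MAC

def parse_auth_lines(text):
    """Yield (result, user, nas, mac) for each line matching the auth format."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m["result"], m["user"], m["nas"], m["mac"].upper()

def review(text, threshold=FAIL_THRESHOLD):
    """Return successes per access point, failures per client MAC, and flagged MACs."""
    ok_by_nas, fail_by_mac, users_by_mac = Counter(), Counter(), {}
    for result, user, nas, mac in parse_auth_lines(text):
        if result == "OK":
            ok_by_nas[nas] += 1
        else:
            fail_by_mac[mac] += 1
            users_by_mac.setdefault(mac, set()).add(user)
    # A single client cycling through several usernames is the pattern worth a ticket.
    flagged = {mac: sorted(users_by_mac[mac]) for mac, n in fail_by_mac.items() if n >= threshold}
    return {"ok_by_nas": dict(ok_by_nas), "fail_by_mac": dict(fail_by_mac), "flagged": flagged}

if __name__ == "__main__":
    for key, value in review(CONSTRUCTED_LOG).items():
        print(f"{key}: {value}")
```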

Question 5: Has wireless security been tested in the last year?

✅ YES → Compliance confirmed.
❌ NO → GAP: Conduct a penetration test. Timeline: 1 month.
Remediation:
Engage a third-party tester.

⚠️ Common Mistakes (What Auditors Flag)

1. Using outdated encryption protocols like WEP.

Why this happens: Legacy devices or lack of awareness.
How to avoid: Upgrade to WPA3 and disable older protocols.

2. Failing to implement 802.1X authentication.

Why this happens: Complexity of RADIUS server setup.
How to avoid: Use managed solutions like Cisco ISE or FreeRADIUS.

3. Not reviewing wireless access logs.

Why this happens: Lack of monitoring processes.
How to avoid: Enable logging and schedule regular reviews.

4. Skipping penetration testing.

Why this happens: Cost or resource constraints.
How to avoid: Include testing in annual security budget.

5. Failing to document wireless security policies.

Why this happens: Focus on technical implementation over documentation.
How to avoid: Develop and maintain a Wireless Security Policy.

📚 Parent Policy

This practice is governed by the Access Control Policy


📚 Related Controls