NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.16 Wireless Access

Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system. Authorize each type of wireless access to the system prior to establishing such connections. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment. Protect wireless access to the system using authentication and encryption.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • each type of wireless access to the system is defined.
  • usage restrictions are established for each type of wireless access to the system.
  • configuration requirements are established for each type of wireless access to the system.
  • connection requirements are established for each type of wireless access to the system.
  • each type of wireless access to the system is authorized prior to establishing such connections.
  • wireless networking capabilities not intended for use are disabled prior to issuance and deployment.
  • wireless access to the system is protected using authentication.
  • wireless access to the system is protected using encryption.

Practitioner Notes

Wi-Fi is convenient, but it is also a major attack surface. You need to control who connects and how they authenticate, and make sure the wireless signal itself is encrypted. If a device has Wi-Fi but doesn't need it, turn it off before you hand it to the user.

Example 1: On your wireless access points (e.g., Cisco Meraki, Aruba), configure WPA3-Enterprise with RADIUS authentication tied to Active Directory. In the Meraki dashboard, go to Wireless → Configure → Access Control, set Security to "WPA3 Enterprise" and RADIUS server to your NPS server. Create a separate SSID for guests with no access to internal resources.

Example 2: For devices issued to users who don't need Wi-Fi (e.g., desktop workstations on a wired network), disable the wireless adapter via GPO at Computer Configuration → Administrative Templates → Network → Network Connections → "Prohibit connection to non-domain networks when connected to domain authenticated network" = Enabled. For laptops, document in your Wireless Access Policy which SSIDs are authorized and the encryption requirements.
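The following PowerShell script is an added example (not part of the control text or any vendor's tooling) that checks a Windows endpoint against the objectives above: it disables 802.11 adapters on builds that are not authorized for Wi-Fi, and audits saved WLAN profiles against an SSID allowlist and the required authentication type. The SSID 'CORP-WIFI' and the allowed authentication list are assumed placeholders for values from your Wireless Access Policy.

```powershell
# Added example: audit/enforce 3.1.16 on a Windows endpoint.
# $AuthorizedSsids and $AllowedAuth are assumed values; take them from your policy.
param(
    [string[]]$AuthorizedSsids = @('CORP-WIFI'),                    # assumed
    [string[]]$AllowedAuth     = @('WPA2-Enterprise','WPA3-Enterprise'),
    [switch]$DisableWifi                                             # wired-only builds
)

$findings = @()

# 1. Wireless capability: enumerate physical 802.11 adapters and, for devices not
#    authorized for wireless, disable them before issuance.
$wifiAdapters = Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
foreach ($a in $wifiAdapters) {
    if ($DisableWifi -and $a.Status -ne 'Disabled') {
        Disable-NetAdapter -Name $a.Name -Confirm:$false
        $findings += "Disabled wireless adapter '$($a.Name)' ($($a.InterfaceDescription))"
    } else {
        $findings += "Wireless adapter '$($a.Name)' present, status $($a.Status)"
    }
}

# 2. Saved WLAN profiles: flag SSIDs outside the policy and any profile whose
#    authentication type is weaker than the policy requires (Open, WEP, WPA-Personal).
$profiles = netsh wlan show profiles |
    Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

foreach ($ssid in $profiles) {
    $detail = netsh wlan show profile name="$ssid"
    $authLine = $detail | Select-String -Pattern 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
    $auth = if ($authLine) { $authLine.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' }

    if ($AuthorizedSsids -notcontains $ssid) {
        $findings += "NONCOMPLIANT: profile '$ssid' is not an authorized SSID"
    } elseif ($AllowedAuth -notcontains $auth) {
        $findings += "NONCOMPLIANT: profile '$ssid' uses '$auth' (policy requires $($AllowedAuth -join '/'))"
    } else {
        $findings += "OK: profile '$ssid' uses $auth"
    }
}

$findings
```

Run it as an administrator (adapter changes need elevation), with -DisableWifi only on images that your policy designates as wired-only; the output lines can be attached to the assessment evidence for the objectives on disabling unused wireless capability and on authentication.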