CMMC Practice Number: AC.L2-3.1.17
CMMC Level: 2 CMMC Domain: Access Control (AC)
Practice Summary:
Protect wireless access using authentication and encryption.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] wireless access to the system is protected using authentication; and
[b] wireless access to the system is protected using encryption.
Practice Clarification (DOD, CMU)
Use a combination of authentication and encryption methods to protect the access to wireless networks [a,b]. Authenticating users to a wireless access point can be achieved in multiple ways. The most common authentication and encryption methods used include:
• WPA2-PSK (WiFi Protected Access-Pre-shared Key) – This method uses a password or passphrase known by the wireless access point and the client (user device). It is common in small companies that have little turnover because the key must be changed each time an employee leaves in order to prevent the terminated employee from connecting to the network without authorization. WPA2 is typically configured to use Advanced Encryption Standard (AES) encryption.
• WPA2 Enterprise – This method may be better for larger companies and enterprise networks because authentication is based on the identity of the individual user or device rather than a shared password or passphrase. It typically requires a Remote Authentication Dial-in User Service (RADIUS) server for authentication and can provide higher security than WPA2-PSK.
Open authentication must not be used because it authenticates any user and lacks security capabilities.
When CMMC requires cryptography, it is to protect the confidentiality of CUI. Federal Information Processing Standard (FIPS)-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary practices in that they all establish requirements to control the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.
Example 1
You manage the wireless network at a small company and are installing a new wireless solution. You start by selecting a product that employs encryption validated against the Federal Information Processing Standard (FIPS) 140 standard. You configure the wireless solution to use WPA2, requiring users to enter a pre-shared key to connect to the wireless network [a,b].
Example 2
You manage the wireless network at a large company and are installing a new wireless solution. You start by selecting a product that employs encryption that is validated against the FIPS 140 standard. Because of the size of your workforce, you configure the wireless system to authenticate users with a RADIUS server. Users must provide the wireless system with their domain usernames and passwords to be able to connect, and the RADIUS server verifies those credentials. Users unable to authenticate are denied access [a,b].
Potential Assessment Considerations
• Is wireless access limited only to authenticated and authorized users (e.g., required to supply a username and password) [a]?
• If the organization is securing its wireless network with a pre-shared key, is access to that key restricted to only authorized users [a]?
• Is wireless access encrypted using FIPS validated cryptography? Note that simply using an approved algorithm is not sufficient; the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140 [b].
Where To Look
- Access control policy;
- system design documentation;
- procedures addressing wireless implementation and usage (including restrictions);
- system security plan;
- system configuration settings and associated documentation;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- System or network administrators;
- personnel with information security responsibilities;
- system developers.
Perform Test On
- Mechanisms implementing wireless access protections to the system.
Additional Information
The NIST SP 800-171 requirements for cryptography used to protect the confidentiality of CUI must use FIPS-validated cryptography, which means the cryptographic module has been tested and validated to meet FIPS 140 requirements. Simply using an approved algorithm (e.g., FIPS 197 for AES) is not sufficient – the module (software and/ or hardware) used to implement the algorithm must be separately validated under FIPS 140. When an application or device allows a choice (by selecting FIPS-mode or not), then the FIPS-mode has been validated under FIPS 140-2, but the other options (non-FIPS) allow certain operations that would not meet the FIPS requirements. More information is available at
http://csrc.nist.gov/groups/STM/cmvp/
When NIST SP 800-171 requires cryptography, it is to protect the confidentiality of CUI. Accordingly, FIPS-validated cryptography is required to protect CUI, typically when transmitted or stored outside the protected environment of the company’s information system (including wireless/remote access) if not separately protected (e.g., by a protected distribution system). FIPS-validated cryptography is required whenever the encryption is required to protect covered defense information in accordance with NIST SP 800-171 or by another DFARS contract provision.
Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. Note that any separate contract requirement (not currently in NIST SP 800-171) to encrypt data at rest (e.g., PII) within the information system would require use of FIPS-validated cryptography.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems.
CMMC References:
· NIST SP 800-171 Rev 1 3.1.17
· CIS Controls v7.1 15.7, 15.8
· NIST CSF v1.1 PR.PT-4
· CERT RMM v1.2 KIM:SG4.SP1
· NIST SP 800-53 Rev 4 AC-18(1)