CMMC Practice Number: AC.L2-3.1.16
CMMC Level: 2
CMMC Domain: Access Control (AC)
Practice Summary:
Authorize wireless access prior to allowing such connections.
Contents:
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] wireless access points are identified; and
[b] wireless access is authorized prior to allowing such connections.
Practice Clarification (DOD, CMU)
Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following:
• types of devices, such as corporate or privately-owned equipment,
• configuration requirements of the devices, and
• authorization requirements before granting such connections [b].
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary practices in that they all establish requirements to control the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.
Example
Your company is implementing a wireless network at its headquarters. You work with management to draft a policy about the use of the wireless network. The policy states that only company-approved devices that contain verified security configuration settings are allowed to connect. The policy also includes usage restrictions that must be followed for anyone who wants to use the wireless network. Authorization is required before devices are allowed to connect to the wireless network [b].
Potential Assessment Considerations
• Is an updated list of approved network devices providing wireless access to the system maintained [a]?
• Are network devices providing wireless access configured to require that users or devices be authorized prior to permitting a wireless connection [b]?
• Is wireless access to the system authorized and managed [b]?
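The two assessment objectives above ([a] an identified, maintained list of wireless access points and [b] authorization before a connection is permitted) can be checked mechanically against association records. The following script is an added example and is not part of the CMMC or NIST source; the approved-AP inventory, the device authorization records and the log lines are constructed sample data, and the log format (`ASSOC bssid=... ssid=... client=...`) is an assumption rather than any vendor's real format. It flags associations to access points missing from the inventory (objective [a]) and client connections with no prior authorization, including the case where authorization was recorded only after the device had already connected (objective [b]).

```python
"""Audit wireless associations against an approved-AP inventory and
device authorization records (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime

# [a] Approved wireless access points the organization maintains (constructed).
APPROVED_APS = {
    "ap-hq-01": {"bssid": "00:11:22:33:44:01", "ssid": "CORP-WIFI"},
    "ap-hq-02": {"bssid": "00:11:22:33:44:02", "ssid": "CORP-WIFI"},
}

# [b] Device authorizations: client MAC -> time the authorization was granted
# (constructed). The third device was authorized only after it connected.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": datetime(2024, 3, 1, 9, 0),
    "aa:bb:cc:00:00:02": datetime(2024, 3, 1, 9, 0),
    "aa:bb:cc:00:00:03": datetime(2024, 3, 2, 10, 0),
}

# Constructed association log: timestamp, event, then key=value fields.
# The format is an assumption for this example, not a real vendor format.
SAMPLE_LOG = """\
2024-03-02T08:15:00 ASSOC bssid=00:11:22:33:44:01 ssid=CORP-WIFI client=aa:bb:cc:00:00:01
2024-03-02T08:16:10 ASSOC bssid=00:11:22:33:44:02 ssid=CORP-WIFI client=aa:bb:cc:00:00:09
2024-03-02T08:17:30 ASSOC bssid=de:ad:be:ef:00:01 ssid=CORP-WIFI client=aa:bb:cc:00:00:02
2024-03-02T08:18:00 ASSOC bssid=00:11:22:33:44:01 ssid=CORP-WIFI client=aa:bb:cc:00:00:03
"""


@dataclass
class Finding:
    objective: str  # "a": AP not in inventory, "b": connection not authorized first
    line: str
    reason: str


def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, _event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), fields


def audit(log_text, approved_aps=APPROVED_APS, authorized=AUTHORIZED_DEVICES):
    """Return one Finding per objective violation found in the log."""
    known_bssids = {ap["bssid"] for ap in approved_aps.values()}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        # [a]: every AP clients associate with must be in the approved inventory.
        if f["bssid"] not in known_bssids:
            findings.append(Finding(
                "a", line,
                f"AP {f['bssid']} broadcasting {f['ssid']} is not in the approved inventory"))
        # [b]: authorization must exist and predate the connection.
        granted = authorized.get(f["client"])
        if granted is None:
            findings.append(Finding(
                "b", line, f"client {f['client']} connected without any authorization"))
        elif granted > ts:
            findings.append(Finding(
                "b", line,
                f"client {f['client']} connected at {ts.isoformat()} but was only "
                f"authorized at {granted.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per assessment objective, e.g. {'a': 1, 'b': 2}."""
    counts = {}
    for fnd in findings:
        counts[fnd.objective] = counts.get(fnd.objective, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for fnd in results:
        print(f"[{fnd.objective}] {fnd.reason}")
    print("summary:", summarize(results))
```

The authorization timestamp comparison is the part worth keeping: an assessor asks whether authorization happened before the connection, so a record that merely shows the device is authorized today does not satisfy [b] for a connection that predates the authorization.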
Where To Look
- Access control policy;
- configuration management plan;
- procedures addressing wireless access implementation and usage (including restrictions);
- system security plan;
- system design documentation;
- system configuration settings and associated documentation;
- wireless access authorizations;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- Personnel with responsibilities for managing wireless access connections;
- personnel with information security responsibilities.
Perform Test On
- Wireless access management capability for the system.
Additional Information
The use of wireless devices on company systems should be based on management approved guidelines. Access to the wireless network should be monitored and controlled by the company.
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols which provide credential protection and mutual authentication.
CMMC References:
· NIST SP 800-171 Rev 1 3.1.16
· CIS Controls v7.1 15.1, 15.10
· NIST CSF v1.1 PR.PT-4
· CERT RMM v1.2 TM:SG2.SP2
· NIST SP 800-53 Rev 4 AC-18