CMMC Practice AC.L2-3.1.17 – Wireless Access Protection: Protect wireless access using authentication and encryption.
Links to Publicly Available Resources
This webpage provides the reader a basic understanding of the various wireless encryption types. This article provides an overview of how to test wireless security for an enterprise, providing an understanding of wireless and the risks and vulnerabilities involved with its use. The intended purpose of this document is to provide guidelines for proper planning, preparation, and identification of the key items to check through the analysis of a survey report. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. Follow these 10 steps today to make your network and business information safer. This infosheet gives National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) users the best practices for securing devices when conducting business in public settings. I This webpage provides the reader a basic understanding of 802.1x authentication for wireless networks. This NIST Special Publication provides organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks. This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage. This NIST Special Publication covers IEEE 802.11i-based wireless LANs only. This sample policy from Rutgers is an example of how an organization can define the requirements associated with access to, and usage of, wireless networks. This policy from SANS provides an example of the conditions that wireless infrastructure devices must satisfy to connect to a company network. This is a sample wireless communication standard for enterprise customization and implementation. This SANS whitepaper discusses how to deploy secure Enterprise wireless networks. This SANS whitepaper is a step by step guide for users to be able to secure their wireless networks at home. This example policy from UCSF describes their organized approach in deploying wireless technologies on the enterprise network. In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss how organizations authenticate individuals and devices to help protect wireless access to the system with special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. Let's talk about NIST 800-171 Control 3.1.17 -- Protect wireless access using authentication and encryption. This provides an outline to wireless security, including: Wireless Threats, Security Methods, Encryption, & Authentication.
Discussion [NIST SP 800-171 R2]
Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems.
Further Discussion
Use a combination of authentication and encryption methods to protect the access to wireless networks. Authenticating users to a wireless access point can be achieved in multiple ways. The most common authentication and encryption methods used include:
- WPA2-PSK (WiFi Protected Access-Pre-shared Key) – This method uses a password or passphrase known by the wireless access point and the client (user device). It is common in small companies that have little turnover because the key must be changed each time an employee leaves in order to prevent the terminated employee from connecting to the network without authorization. WPA2 is typically configured to use Advanced Encryption Standard (AES) encryption.
- WPA2 Enterprise – This method may be better for larger companies and enterprise networks because authentication is based on the identity of the individual user or device rather than a shared password or passphrase. It typically requires a Remote Authentication Dial-in User Service (RADIUS) server for authentication and can provide higher security than WPA2-PSK.
Open authentication must not be used because it authenticates any user and lacks security capabilities.
When CMMC requires cryptography, it is to protect the confidentiality of CUI. Federal Information Processing Standard (FIPS)-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary practices in that they all establish requirements to control the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.