CMMC v2.11 Practices

AC.L2-3.1.16  

Reference: CMMC v2.11

Family: AC

Level Introduced: 2

Title: Wireless Access Authorization

Practice:
Authorize wireless access prior to allowing such connections.

Further Discussion:
Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following:
• types of devices, such as corporate or privately owned equipment;
• configuration requirements of the devices; and
• authorization requirements before granting such connections.

AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.

Example
Your company is implementing a wireless network at its headquarters. CUI may be transmitted on this network. You work with management to draft a policy about the use of the wireless network. The policy states that only company-approved devices that contain verified security configuration settings are allowed to connect. The policy also includes usage restrictions that must be followed for anyone who wants to use the wireless network. Authorization is required before devices are allowed to connect to the wireless network [b].

Potential Assessment Considerations
• Is an updated list of approved network devices providing wireless access to the system maintained [a]?
• Are network devices providing wireless access configured to require users or devices be authorized prior to permitting a wireless connection [b]?
• Is wireless access to the system authorized and managed [b]?

Source: CMMC v2.11