Access Control 3.1.17

Protect wireless access using authentication and encryption


What Is This CMMC Control?

This control requires organizations to secure their wireless networks by implementing both authentication (verifying who or what is connecting) and encryption (protecting data in transit). This applies to all wireless access points, guest networks, and IoT devices that connect wirelessly to systems containing CUI. Both authentication and encryption must be implemented together - one without the other is insufficient.

Control Intent

Prevent unauthorized access to organizational systems and protect CUI from interception by ensuring that only authenticated users and devices can connect to wireless networks, and that all wireless communications are encrypted to prevent eavesdropping or data theft.

Who This Control Applies To

  • All wireless access points providing connectivity to systems processing, storing, or transmitting CUI
  • Guest wireless networks if they can reach CUI systems or provide a pathway to the organizational network
  • Wireless controllers and management systems
  • IoT devices with wireless connectivity that interact with CUI systems
  • Wireless bridges and repeaters extending network coverage
  • Mobile hotspots used for organizational purposes
  • Bluetooth and other short-range wireless technologies accessing CUI systems

Not Applicable When

  • The organization has no wireless networking capability whatsoever
  • All systems processing CUI are physically isolated with no wireless capability and no wireless devices can reach them
  • Wireless networks exist but are completely segregated with no technical ability to reach CUI systems (must be verified through network architecture review)

Key Objectives

  1. Verify the identity of users and devices before granting wireless network access
  2. Protect wireless communications from interception and unauthorized disclosure through encryption
  3. Prevent unauthorized devices from connecting to organizational wireless networks
  4. Ensure IoT and other wireless devices meet authentication and encryption requirements before network access

Sample Self-Assessment Questions (Partial)

Do you have any wireless access points or WiFi networks in your facilities?

Are any wireless networks able to connect to systems that handle CUI?

Implementation Approaches (High-Level)

WPA2-Enterprise or WPA3-Enterprise with 802.1X Authentication

Deploy enterprise-grade wireless security using WPA2-Enterprise or WPA3-Enterprise with 802.1X authentication, backed by a RADIUS server integrated with Active Directory or another identity management system. Each user and device authenticates with unique credentials or certificates.

WPA3-Personal with Strong Pre-Shared Key and Key Rotation

For small organizations without enterprise authentication infrastructure, use WPA3-Personal with a strong, unique pre-shared key that is rotated periodically and managed securely. This is acceptable for small deployments but requires rigorous key management.

WPA2-Enterprise with Certificate-Based Authentication for IoT Devices

Deploy certificate-based authentication specifically for IoT devices that cannot use username/password authentication. Each device receives a unique certificate from an internal certificate authority, enabling strong authentication without shared credentials.

Completely Isolated Guest Network with Separate Internet Connection

Deploy a physically or logically separate guest wireless network that has no connectivity to the organizational network containing CUI. The guest network uses its own internet connection or is isolated by firewall rules that block all access to internal resources.

Network Access Control (NAC) with Wireless Integration

Deploy a Network Access Control solution that integrates with wireless infrastructure to enforce authentication, encryption, and posture assessment before granting network access. NAC provides centralized policy enforcement and can quarantine non-compliant devices.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If currently using WPA2-Personal (PSK), create a POA&M to migrate to WPA2-Enterprise or WPA3-Enterprise with 802.1X authentication within 6-12 months
  • If legacy protocols (WEP, WPA, TKIP) are still enabled, create an immediate POA&M to disable them within 30 days
  • If the guest network is not properly isolated, create a POA&M to implement network segmentation within 90 days
  • If IoT devices use shared credentials, create a POA&M to implement certificate-based authentication within 6 months
  • If no wireless security monitoring exists, create a POA&M to implement monitoring within 90 days
  • If pre-shared keys are not rotated, create a POA&M to implement a key rotation process within 60 days
  • If wireless access points have outdated firmware, create a POA&M to update within 30-60 days depending on criticality
  • For POA&Ms involving infrastructure changes, include budget requirements, vendor selection timeline, and implementation phases
  • Document compensating controls during the POA&M period, such as increased monitoring, network segmentation, or restricted wireless access
  • Include testing and validation activities in POA&M milestones to ensure controls are effective before closure

Frequently Asked Questions

Does this control require WPA3, or is WPA2 acceptable?

Both WPA2-Enterprise and WPA3-Enterprise are acceptable for CMMC Level 2, provided they use strong encryption (AES-CCMP for WPA2, AES-GCMP for WPA3). WPA3 is preferred for new deployments due to enhanced security features, but WPA2-Enterprise with proper configuration remains compliant. WPA2-Personal (PSK) is generally not recommended for enterprise environments but may be acceptable for very small organizations with documented key management processes.
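As an added example (not part of this guidance, and not a ConformatIQ or hostapd tool), the following Python script audits a hostapd-style wireless configuration for the conditions the implementation approaches, the POA&M list and this answer describe: WEP or TKIP-era WPA still enabled, an open SSID, a pre-shared key instead of 802.1X, 802.1X selected without a RADIUS server, and WPA3 without protected management frames. It uses hostapd's real configuration keys (ssid, bss, wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee8021x, auth_server_addr, wep_key*, ieee80211w); the two sample configurations are constructed, and the RADIUS address and shared secret in them are placeholders.

```python
"""Audit a hostapd-style wireless configuration against the authentication and
encryption requirements of CMMC 3.1.17.

Added example for this page; not part of the original guidance, hostapd, or any
vendor tool. The parser understands hostapd.conf's key=value format and its real
keys (ssid, bss, wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee8021x,
auth_server_addr, wep_key*, ieee80211w). Both sample configurations are constructed.
"""
from dataclasses import dataclass, field

AES_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}
ENTERPRISE_KM = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}
PSK_KM = {"WPA-PSK", "WPA-PSK-SHA256"}


@dataclass
class Bss:
    ssid: str = "<unnamed>"
    opts: dict = field(default_factory=dict)


def parse_hostapd(text: str) -> list:
    """Split a hostapd.conf into per-SSID blocks; each `bss=` line starts a new one."""
    blocks = [Bss()]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "bss":
            blocks.append(Bss())
            continue
        if key == "ssid":
            blocks[-1].ssid = value
        blocks[-1].opts[key] = value
    return [b for b in blocks if b.opts]


def audit_bss(bss: Bss) -> list:
    """Return FAIL/NOTE findings for one SSID."""
    o, findings = bss.opts, []

    def fail(msg):
        findings.append(f"FAIL [{bss.ssid}]: {msg}")

    def note(msg):
        findings.append(f"NOTE [{bss.ssid}]: {msg}")

    if "wep_default_key" in o or any(k.startswith("wep_key") for k in o):
        fail("WEP keys configured; WEP must be disabled")
    wpa = int(o.get("wpa", "0"))          # bitmask: 1 = WPA, 2 = WPA2/RSN
    if wpa == 0:
        fail("open network (wpa=0): no authentication and no encryption")
        return findings
    if wpa & 1:
        fail("legacy WPA (TKIP era) enabled by wpa=1 or wpa=3; set wpa=2")
    # hostapd defaults wpa_pairwise to 'TKIP CCMP' and rsn_pairwise to wpa_pairwise,
    # so leaving the cipher list unset silently keeps TKIP available.
    pairwise = set((o.get("rsn_pairwise") or o.get("wpa_pairwise") or "TKIP CCMP").split())
    if "TKIP" in pairwise:
        fail("TKIP permitted in pairwise cipher list; allow only AES (CCMP/GCMP)")
    if not pairwise & AES_CIPHERS:
        fail("no AES-based pairwise cipher configured")

    km = set(o.get("wpa_key_mgmt", "").split())
    enterprise, psk, sae = km & ENTERPRISE_KM, km & PSK_KM, "SAE" in km
    if not km:
        fail("wpa_key_mgmt not set; configure WPA-EAP (802.1X) or SAE explicitly")
    if enterprise:
        if o.get("ieee8021x") != "1":
            fail("WPA-EAP selected but ieee8021x=1 missing; 802.1X is not enforced")
        if "auth_server_addr" not in o:
            fail("802.1X selected but no RADIUS server (auth_server_addr) configured")
    if psk:
        note("pre-shared key in use: acceptable only for very small organizations with a "
             "documented rotation process; plan migration to 802.1X")
    if sae and not enterprise:
        note("WPA3-Personal (SAE) is still a shared secret; document key rotation")
    if (sae or "WPA-EAP-SUITE-B-192" in km) and o.get("ieee80211w") != "2":
        fail("WPA3 requires protected management frames (ieee80211w=2)")
    return findings


def audit_config(text: str) -> list:
    return [f for bss in parse_hostapd(text) for f in audit_bss(bss)]


def is_compliant(text: str) -> bool:
    return not any(f.startswith("FAIL") for f in audit_config(text))


# Constructed sample: the "before" state the POA&M entries describe.
WEAK_CONF = """
interface=wlan0
ssid=CORP-LEGACY
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CompanyWifi2019
# rsn_pairwise left unset, so TKIP stays enabled
bss=wlan0_1
ssid=GUEST-OPEN
wpa=0
"""

# Constructed sample: WPA2-Enterprise for users and WPA3-Enterprise (192-bit) for IoT,
# both authenticating via 802.1X to a RADIUS server (address and secret are placeholders).
HARDENED_CONF = """
interface=wlan0
ssid=CORP-CUI
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-radius-secret
bss=wlan0_1
ssid=CORP-IOT
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_shared_secret=PLACEHOLDER-radius-secret
ieee80211w=2
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: compliant={is_compliant(conf)}")
        for finding in audit_config(conf):
            print("  " + finding)
```

Run against the weak sample it reports three FAIL findings (legacy WPA, TKIP by default, open guest SSID) and one NOTE for the PSK; the hardened sample produces no findings. The TKIP-by-default check is the one most often missed in manual reviews: a configuration that never mentions TKIP can still negotiate it.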

Can we use a shared WiFi password for all employees, or does everyone need unique credentials?

Using a shared pre-shared key (PSK) for all employees is the weakest acceptable implementation and is only appropriate for very small organizations without enterprise authentication infrastructure. Best practice and assessor preference is WPA2-Enterprise or WPA3-Enterprise with 802.1X authentication, where each user has unique credentials. If using PSK, you must have a documented key management process including regular rotation and immediate key changes when employees leave.

Our guest WiFi is on the same network as our main network but behind a firewall - is this acceptable?

This depends on the firewall configuration and testing validation. The guest network must be completely isolated with no ability to reach systems containing CUI. Assessors will require network architecture documentation, firewall rules, and preferably penetration testing results confirming isolation. Best practice is a physically separate internet connection or dedicated VLAN with strict deny-all rules to internal networks. Simply being 'behind a firewall' without verified isolation is insufficient.
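The verification this answer calls for can be rehearsed before an assessor does it. The following Python script is an added example (not part of this guidance or of any firewall product): it models a first-match rule chain, as in iptables or a pf `quick` ruleset, and runs a set of probe flows from a guest client against two constructed policies, one that is merely "behind a firewall" with service allows ordered ahead of the deny, and one that denies every private range first. All subnets, addresses and flows are constructed sample values.

```python
"""Simulate first-match firewall evaluation to verify that a guest wireless VLAN
cannot reach subnets holding CUI.

Added example for this page; not part of the original guidance or of any firewall
product. Rules are a constructed, vendor-neutral model of a first-match chain;
all addresses, subnets and probe flows are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src_ip, dst_ip, dport, default="deny"):
    """First matching rule decides; unmatched traffic falls to the default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


GUEST_NET = "192.168.50.0/24"
CUI_NETS = ["10.10.0.0/16"]   # constructed: subnets where CUI systems live
ANY = "0.0.0.0/0"

# Constructed probe flows, the kind an assessor would test from a guest client.
PROBE_FLOWS = [
    ("192.168.50.23", "10.10.5.40", 445),    # SMB to a CUI file server
    ("192.168.50.23", "10.10.1.10", 3389),   # RDP to a CUI workstation
    ("192.168.50.23", "10.10.0.53", 53),     # internal DNS
    ("192.168.50.23", "10.10.2.20", 443),    # internal HTTPS application
    ("192.168.50.23", "203.0.113.10", 443),  # ordinary internet (TEST-NET-3 address)
]

# "Behind a firewall" but not isolated: the service allows precede the deny,
# so they also match internal destinations.
MISORDERED_RULES = [
    Rule("allow", GUEST_NET, ANY, 443),
    Rule("allow", GUEST_NET, ANY, 53),
    Rule("deny", GUEST_NET, "10.0.0.0/8"),
    Rule("allow", GUEST_NET, ANY),
]

# Deny every private range first, then permit only internet-bound services.
ISOLATED_RULES = [
    Rule("deny", GUEST_NET, "10.0.0.0/8"),
    Rule("deny", GUEST_NET, "172.16.0.0/12"),
    Rule("deny", GUEST_NET, "192.168.0.0/16"),
    Rule("allow", GUEST_NET, ANY, 80),
    Rule("allow", GUEST_NET, ANY, 443),
    Rule("allow", GUEST_NET, ANY, 53),
]


def check_isolation(rules, cui_nets=CUI_NETS, flows=PROBE_FLOWS):
    """Return (flows that reach a CUI subnet, whether internet access still works)."""
    nets = [ipaddress.ip_network(n) for n in cui_nets]
    leaks, internet_ok = [], False
    for src, dst, port in flows:
        allowed = evaluate(rules, src, dst, port) == "allow"
        to_cui = any(ipaddress.ip_address(dst) in n for n in nets)
        if to_cui and allowed:
            leaks.append((src, dst, port))
        if not to_cui and allowed:
            internet_ok = True
    return leaks, internet_ok


if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED_RULES), ("isolated", ISOLATED_RULES)):
        leaks, ok = check_isolation(rules)
        print(f"{name}: {len(leaks)} flow(s) reach CUI, internet_ok={ok}")
        for flow in leaks:
            print("  LEAK", flow)
```

The misordered policy blocks SMB and RDP, which is what a quick manual check tends to confirm, yet still lets guests reach internal DNS and an internal HTTPS application because those allows are evaluated before the deny. The isolated policy passes every probe while keeping ordinary internet access working, which is the evidence (rule export plus test results) the answer says assessors expect.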

Do IoT devices like security cameras and printers need the same wireless security as computers?

Yes, all wireless devices that can access or interact with systems containing CUI must meet the authentication and encryption requirements. IoT devices often cannot use username/password authentication, so certificate-based authentication is commonly used. Each device should have unique credentials (not shared passwords), and IoT devices should be on a segmented network with restricted access to only necessary resources. Devices using default or shared credentials are a common assessment finding.

What happens if we have legacy equipment that cannot support WPA2-Enterprise or strong encryption?

Legacy equipment that cannot support modern wireless security standards creates a compliance gap. Options include: replacing the equipment, isolating it on a separate network with no access to CUI systems, or creating a POA&M with compensating controls and a timeline for replacement. Assessors will not accept legacy equipment with weak security if it can access CUI systems. Document all legacy equipment and its limitations during the assessment.

How often do we need to change our wireless password if we use WPA2-Personal?

If using pre-shared keys (PSK), you must have a documented rotation schedule - at minimum annually, but preferably quarterly. The key must also be changed immediately when any employee with access leaves the organization or if a device with the stored key is lost or stolen. The key management process, rotation schedule, and change history must be documented and available for assessment. Failure to rotate keys or change them when employees leave is a common finding.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.