AC.L2-3.1.16: Wireless Access Authorization
Wireless networks are a primary attack vector for unauthorized access. CMMC AC.L2-3.1.16 requires you to authorize wireless connections before they're allowed on your network. This control prevents unauthorized devices from connecting to sensitive systems and data.
What this means
This control mandates that your organization establish and enforce a formal authorization process for all wireless access. Before any device—employee laptop, mobile phone, or IoT device—connects to your wireless network, it must be explicitly authorized through your access control system. This includes both initial connection approval and ongoing re-authorization, ensuring only approved users and devices maintain wireless connectivity to systems containing controlled unclassified information (CUI).
How to comply
- 1.Document a wireless access authorization policy that defines who can request access, approval workflows, and authorization criteria
- 2.Implement a centralized wireless authentication system (802.1X, WPA2/WPA3-Enterprise, or similar) requiring credentials for connection
- 3.Establish a device inventory and approval process—maintain a list of authorized devices with owner, asset tag, and approval date
- 4.Configure wireless access points to require pre-approved device credentials or MAC addresses before establishing connections
- 5.Conduct quarterly reviews of authorized wireless devices and revoke access for inactive, transferred, or discontinued equipment
- 6.Log all wireless connection attempts, successful authentications, and rejections for audit purposes
- 7.Train users on the authorization process and require them to request approval before connecting new devices
Evidence auditors look for
- Wireless access authorization policy document with approval workflows and decision criteria
- Wireless device inventory spreadsheet showing device name, owner, device type, MAC address, and authorization date
- Screenshots from wireless authentication system (e.g., Active Directory, FreeRADIUS) showing authorized users/devices
- Wireless access point configuration files showing 802.1X or WPA2-Enterprise settings enabled
- Quarterly wireless device audit logs showing review dates, approvers, and actions taken (revocations, reauthorizations)
- Authentication server logs (last 3 months) showing successful and failed wireless connection attempts
- User training records documenting wireless access authorization procedures and user acknowledgment
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates wireless device inventory tracking and authorization workflows, automatically flags devices requiring re-authorization, and consolidates authentication logs for CMMC audits—eliminating manual spreadsheet management.
See how GRCWatch handles this control automatically
Start free trial