AC.L2-3.1.17: Wireless Access Protection
Unsecured wireless networks are a direct entry point for attackers targeting your organization's sensitive data. CMMC AC.L2-3.1.17 requires you to implement authentication and encryption controls on all wireless access points. This control ensures that only authorized users can connect to your network and that data transmitted wirelessly remains protected.
What this means
This control mandates that all wireless access points in your environment use strong authentication mechanisms (such as WPA2/WPA3) and encryption protocols to prevent unauthorized access and eavesdropping. It applies to every wireless network—guest networks, employee devices, and IoT systems—to eliminate weak wireless security as a compliance gap.
How to comply
- 1.Inventory all wireless access points (WAPs) across your organization including corporate networks, guest networks, and portable devices
- 2.Disable legacy protocols (WEP, WPA) and implement WPA2 or WPA3 encryption as your minimum standard
- 3.Enforce strong pre-shared keys (PSKs) or certificate-based authentication using 802.1X
- 4.Configure access points to hide SSID broadcasts and disable WPS (Wi-Fi Protected Setup)
- 5.Establish separate VLANs for guest networks to isolate them from production systems
- 6.Document wireless access policies including password rotation, device registration, and access reviews
- 7.Conduct quarterly wireless security audits using network scanning tools to identify rogue access points
Evidence auditors look for
- WAP configuration reports showing WPA2/WPA3 enabled with strong encryption settings
- 802.1X authentication server logs demonstrating certificate-based access control
- Wireless policy documentation outlining encryption standards and authentication requirements
- Network scanning results showing no rogue or unencrypted access points detected
- Access point inventory with deployment dates, firmware versions, and encryption status
- Guest network configuration showing VLAN isolation from production systems
- Quarterly wireless security audit reports with remediation records
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and monitors all wireless access points in your environment, validates encryption settings against CMMC standards, and flags configuration drift—eliminating manual audits and reducing the time spent on AC.L2-3.1.17 compliance.
See how GRCWatch handles this control automatically
Start free trial