03.01.16: Wireless Access

Control Family: Access Control

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-94 [29]

  • SP 800-97 [30]

  • SP 800-124 [28]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.01.16

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • AC-18

  • AC-18(01)

  • AC-18(03)

a. Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system.

b. Authorize each type of wireless access to the system prior to establishing such connections.

c. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment.

d. Protect wireless access to the system using authentication and encryption.

Discussion:

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, tablets, smart watches). Wireless networking capabilities that are embedded within system components represent a potential vulnerability that can be exploited by adversaries. Strong authentication of users and devices, strong encryption, and disabling wireless capabilities that are not needed for essential mission or business functions can reduce susceptibility to threats by adversaries involving wireless technologies.

Assessment Methods and Objectives

Examine [SELECT FROM: access control policy and procedures; procedures for wireless system access; wireless system access configuration and connection requirements; configuration management plan; system configuration settings; wireless access authorizations; system audit records; system design documentation; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with responsibilities for managing wireless access connections; personnel with information security responsibilities; system developers; system administrators]

Test [SELECT FROM: wireless access management capability for the system; mechanisms for implementing wireless access protections to the system; mechanisms for managing the disabling of wireless networking capabilities]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.01.16.a[01]: each type of wireless access to the system is defined.

A.03.01.16.a[02]: usage restrictions are established for each type of wireless access to the system.

A.03.01.16.a[03]: configuration requirements are established for each type of wireless access to the system.

A.03.01.16.a[04]: connection requirements are established for each type of wireless access to the system.

A.03.01.16.b: each type of wireless access to the system is authorized prior to establishing such connections.

A.03.01.16.c: wireless networking capabilities not intended for use are disabled prior to issuance and deployment.

A.03.01.16.d[01]: wireless access to the system is protected using authentication.

A.03.01.16.d[02]: wireless access to the system is protected using encryption.