CMMC AC.3.012 - Protect Wireless Access

Requirement text: AC.3.012: Protect wireless access using authentication and encryption.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations authenticate individuals and devices to help protect wireless access to the
system. Special attention is given to the wide variety of devices that are part of the Internet
of Things with potential wireless access to organizational systems.

CMMC CLARIFICATION
Use a combination of authentication and encryption methods to protect the access to
wireless networks. Authenticating users to a Wireless Access Point can be done in numerous
ways. One approach uses shared key authentication based on a Pre-Shared Key. Another
possibility uses Network Extensible Authentication Protocol (EAP) based on an
authentication server (such as a Remote Authentication Dial-In User Service (RADIUS)
server) and a mechanism to enforce port-based network access control. Open authentication
should not be used because it authenticates any user, and at best, logs the MAC address,
which is easily spoofed.

Example
You are responsible for protecting the data in your organization by configuring the Wireless
Access Point to enforce authentication. Before users gain access to your network, they must
authenticate by demonstrating possession of a pre-shared key (typically used in smaller
companies) before crypto keys can be installed; or by passing credentials to a RADIUS server
(typically used in larger organizations) before the access port is opened.
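The two approaches above, and the open-authentication case the clarification warns against, can be checked mechanically. The following is an added example, not part of the CMMC text: it assumes the access point is configured with hostapd-style key=value settings (the page names no product), and the sample configurations and address are constructed.

```python
# Added example, not from the page: classify hostapd-style access point
# settings and list what AC.3.012 would find missing. hostapd itself is an
# assumption (the page names no product); sample configs are constructed.

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (mode, findings). Empty findings: authentication and
    encryption are both enforced before access is granted."""
    c = parse_conf(text)
    findings = []
    if int(c.get("wpa", "0")) == 0:
        if any(k.startswith("wep_key") for k in c):
            return "wep", ["WEP only: obsolete, keys recoverable from traffic"]
        # No WPA/WPA2 and no WEP: any station may associate, in the clear.
        findings.append("open authentication: no credential required")
        findings.append("no encryption on the wireless link")
        if c.get("macaddr_acl", "0") != "0":
            findings.append("MAC filtering is not authentication (spoofable)")
        return "open", findings
    key_mgmt = c.get("wpa_key_mgmt", "WPA-PSK").split()
    if "WPA-EAP" in key_mgmt:
        mode = "eap"
        if c.get("ieee8021x") != "1":
            findings.append("ieee8021x=1 missing: port-based access control off")
        if "auth_server_addr" not in c:
            findings.append("no RADIUS authentication server configured")
    else:
        mode = "psk"
        if not any(k in c for k in ("wpa_passphrase", "wpa_psk", "wpa_psk_file")):
            findings.append("WPA-PSK selected but no pre-shared key set")
    return mode, findings

# Constructed sample configurations (192.0.2.10 is a documentation address).
OPEN = "ssid=guest\nmacaddr_acl=1\n"
PSK = "ssid=office\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\nwpa_passphrase=constructed-sample-key\n"
EAP = "ssid=corp\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\nieee8021x=1\nauth_server_addr=192.0.2.10\n"

if __name__ == "__main__":
    for name, conf in (("open", OPEN), ("psk", PSK), ("eap", EAP)):
        print(name, audit(conf))
```
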

References
• NIST SP 800-171 Rev 1 3.1.17
• CIS Controls v7.1 15.7, 15.8
• NIST CSF v1.1 PR.PT-4
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-18(1)