How to Meet AC.L2-3.1.17

Practical guide for SMBs to implement AC.L2-3.1.17


Requirement

AC.L2-3.1.17 – Protect wireless access using authentication and encryption.

This control comes from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2.

Understanding the Requirement

This control requires you to protect all wireless access to your systems using strong authentication and encryption. In practice, that means users must prove who they are before connecting (e.g., password, certificates, directory credentials) and all traffic over Wi‑Fi must be encrypted to prevent eavesdropping. Doing so prevents unauthorized people from joining your network, sniffing your wireless traffic, or reaching internal resources.

Policies and Procedures Needed

Define a wireless access policy that specifies approved encryption standards (e.g., WPA3/WPA2), authentication methods (pre-shared key vs. 802.1X Enterprise), network segmentation (corporate vs. guest), and key/credential management (creation, distribution, rotation, and revocation). Include onboarding/offboarding steps for users and devices, BYOD rules, device authorization for company-managed endpoints, and access reviews of who/what can connect. Document AP configuration standards, change control for SSIDs and keys, incident response for suspected rogue access points, and logging/monitoring procedures.

Technical Implementation

  • Select secure Wi‑Fi standards: use WPA3-Enterprise where supported; otherwise use WPA2-Enterprise (AES/CCMP). If Enterprise is not feasible, use WPA3/WPA2 with a strong pre-shared key (PSK). Disable obsolete protocols (WEP, WPA, TKIP) and require AES only.
  • Implement authentication:
    - For 50+ users or where you have a directory, deploy 802.1X with a RADIUS server integrated with your identity provider (e.g., Active Directory). Prefer EAP-TLS (certificate-based) for the strongest security; if using PEAP-MSCHAPv2, enforce strong password policies and MFA where possible.
    - For small environments using PSKs, generate a unique, random passphrase (20+ characters), store it securely, and avoid sharing it beyond those who need it. Consider per-device or per-user PSKs if your gear supports it.
  • Segment wireless networks: create separate SSIDs for corporate and guest/BYOD. Map each SSID to distinct VLANs and apply firewall rules so guest traffic reaches the internet only. Enable client isolation on guest SSIDs to block device-to-device access. Limit management and sensitive apps to the corporate VLAN.
  • Harden access points and controllers: change default admin credentials, disable WPS, restrict management to HTTPS/SSH from an admin subnet, keep firmware up to date, and set appropriate transmit power to reduce bleed-over outside your premises. Enable rogue AP detection and alerts.
  • Manage keys and certificates: rotate PSKs on a defined schedule (e.g., quarterly) or immediately upon staff departure/device loss. For Enterprise Wi‑Fi, automate certificate and Wi‑Fi profile deployment with an MDM/endpoint management tool and revoke certificates during offboarding.
  • Monitor and log: retain RADIUS and controller logs for connection attempts, failures, and policy violations. Set alerts for repeated authentication failures, unexpected SSIDs, or new APs. Maintain an inventory of authorized APs and known wireless clients and review monthly.
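
To show how the standards, WPS, PMF and guest-isolation points in the list above translate into something auditable, here is an added example (not from the original guide) that checks hostapd-style SSID settings against those rules. The key names are hostapd's; the two sample configs are constructed, and the 20-character PSK minimum is the figure given above.

```python
WEAK_GUEST = """
ssid=Company-Guest
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=guest123
wps_state=2
"""  # constructed sample: mixed WPA/WPA2, TKIP allowed, short PSK, WPS on
HARDENED_CORP = """
ssid=Company-Secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.10.5
ieee80211w=2
wps_state=0
"""  # constructed sample: WPA2-Enterprise, 802.1X to RADIUS, PMF required

def parse_conf(text):
    # Parse key=value lines, ignoring blanks and comments.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_ssid(text, guest=False, min_psk_len=20):
    """Return findings against the wireless policy; an empty list means compliant."""
    c = parse_conf(text)
    findings = []
    if c.get("wpa") != "2":
        findings.append("wpa must be 2: RSN/WPA2 only, no WPA1 or mixed mode")
    ciphers = (c.get("rsn_pairwise") or c.get("wpa_pairwise", "")).split()
    if ciphers != ["CCMP"]:
        findings.append("pairwise cipher must be CCMP (AES) only, no TKIP")
    mgmt = set(c.get("wpa_key_mgmt", "").split())
    if "WPA-PSK" in mgmt and len(c.get("wpa_passphrase", "")) < min_psk_len:
        findings.append(f"PSK shorter than {min_psk_len} characters")
    if not mgmt & {"WPA-EAP", "SAE", "WPA-PSK"}:
        findings.append("no approved key management (WPA-EAP, SAE or WPA-PSK)")
    if c.get("wps_state", "0") != "0":  # hostapd's default is WPS disabled
        findings.append("WPS enabled; set wps_state=0")
    if c.get("ieee80211w") != "2":
        findings.append("management frame protection not required; set ieee80211w=2")
    if guest and c.get("ap_isolate") != "1":
        findings.append("guest SSID lacks client isolation; set ap_isolate=1")
    return findings
```

Run audit_ssid(WEAK_GUEST, guest=True) to see the six findings for the weak guest SSID; the hardened corporate SSID returns none.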

Example in a Small or Medium Business

A 60-person professional services firm standardizes on WPA2-Enterprise using 802.1X. The IT team deploys a RADIUS server tied to Active Directory and configures EAP-TLS with user and device certificates distributed through their MDM. They create two SSIDs: “Company-Secure” mapped to the corporate VLAN and “Company-Guest” mapped to an internet-only VLAN with client isolation. Default AP credentials are changed, WPS is disabled, and firmware updates are scheduled quarterly. A wireless access procedure requires HR to trigger IT offboarding so user accounts are disabled and certificates revoked the same day. RADIUS and controller logs are forwarded to the SIEM, and alerts notify IT of repeated authentication failures or the appearance of rogue SSIDs. Quarterly, the network administrator reviews wireless access logs and the inventory of APs and connected devices to confirm only authorized endpoints are present.
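
As an added example (not part of the original guide) of the monitoring described in the list and in the firm's setup above, the following script flags repeated RADIUS authentication failures inside a time window and compares a controller's AP scan against the authorized inventory. The log format, inventory and scan result are constructed and are not any vendor's native format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp event user mac ssid" (not a real server's native format).
RADIUS_LOG = """\
2024-05-06T09:00:01 REJECT jdoe 00:11:22:33:44:55 Company-Secure
2024-05-06T09:00:09 REJECT jdoe 00:11:22:33:44:55 Company-Secure
2024-05-06T09:00:20 REJECT jdoe 00:11:22:33:44:55 Company-Secure
2024-05-06T09:00:31 REJECT jdoe 00:11:22:33:44:55 Company-Secure
2024-05-06T09:00:40 REJECT jdoe 00:11:22:33:44:55 Company-Secure
2024-05-06T09:01:15 ACCEPT asmith aa:bb:cc:dd:ee:01 Company-Secure
2024-05-06T09:45:00 REJECT bkim aa:bb:cc:dd:ee:02 Company-Secure
2024-05-06T10:30:00 REJECT bkim aa:bb:cc:dd:ee:02 Company-Secure
"""

# Constructed inventory of authorized APs (BSSID -> SSID) and a constructed scan result.
AUTHORIZED_APS = {"f0:9f:c2:00:00:01": "Company-Secure", "f0:9f:c2:00:00:02": "Company-Guest"}
SCAN_RESULT = [("f0:9f:c2:00:00:01", "Company-Secure"),
               ("f0:9f:c2:00:00:02", "Company-Guest"),
               ("de:ad:be:ef:00:01", "Company-Secure"),   # unknown BSSID using the corporate SSID
               ("12:34:56:78:9a:bc", "FreeWifi")]        # unknown AP with an unexpected SSID

def repeated_failures(log, threshold=5, window_seconds=300):
    """Return {user: count} for users with >= threshold REJECTs inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    rejects = defaultdict(list)
    for line in log.splitlines():
        ts, event, user, mac, ssid = line.split()
        if event == "REJECT":
            rejects[user].append(datetime.fromisoformat(ts))
    alerts = {}
    for user, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts

def rogue_aps(scan, inventory):
    """Return (bssid, ssid, kind) for scanned APs absent from the inventory."""
    known_ssids = set(inventory.values())
    findings = []
    for bssid, ssid in scan:
        if bssid not in inventory:
            kind = "spoofed-corporate-ssid" if ssid in known_ssids else "unknown-ap"
            findings.append((bssid, ssid, kind))
    return findings
```

In the sample, jdoe's five rejects within 40 seconds trip the default alert while bkim's two rejects 45 minutes apart do not, and two of the four scanned APs are reported as not in the inventory.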

Summary

Meeting AC.L2-3.1.17 means pairing clear rules with solid engineering: require strong authentication to join your Wi‑Fi and ensure all traffic is encrypted, segment corporate and guest access, harden your wireless infrastructure, rotate keys or revoke certificates as people and devices change, and continuously monitor connections. With a concise wireless policy, defined onboarding/offboarding steps, and the technical measures above, an SMB can prevent unauthorized access, block eavesdropping, and maintain trustworthy wireless connectivity.
