NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to DFARS 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.

3.1.16 Authorize wireless access prior to allowing such connections.

Control Family: Access Control

Control Type: Derived

SPRS Value: 5

SPRS Supplemental Guidance:

Do not subtract points if wireless access is not permitted.

CMMC Level(s): AC.L2-3.1.14

Top Ten Failed Requirement: No

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

  • AC-18

NIST Supplemental Guidance:

[SP 800-97]

Discussion:

Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. [SP 800-97] provides guidance on secure wireless networks.

Upon assessment, assessors must determine if:

3.1.16[a] wireless access points are identified.
3.1.16[b] wireless access is authorized prior to allowing such connections.

Assessors are instructed to:

Examine: [SELECT FROM: Access control policy; configuration management plan; procedures addressing wireless access implementation and usage (including restrictions); system security plan; system design documentation; system configuration settings and associated documentation; wireless access authorizations; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for managing wireless access connections; personnel with information security responsibilities].

Test: [SELECT FROM: Wireless access management capability for the system].

FURTHER DISCUSSION

Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following:

  • types of devices, such as corporate or privately owned equipment;

  • configuration requirements of the devices;

  • authorization requirements before granting such connections.

AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.

Example

Your company is implementing a wireless network at its headquarters. CUI may be transmitted on this network. You work with management to draft a policy about the use of the wireless network. The policy states that only company-approved devices that contain verified security configuration settings are allowed to connect. The policy also includes usage restrictions that must be followed for anyone who wants to use the wireless network. Authorization is required before devices are allowed to connect to the wireless network [b].

Potential Assessment Considerations

  • Is an updated list of approved network devices providing wireless access to the system maintained [a]?

  • Are network devices providing wireless access configured to require users or devices be authorized prior to permitting a wireless connection [b]?

  • Is wireless access to the system authorized and managed [b]?
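The two assessment objectives above, [a] (wireless access points are identified) and [b] (access is authorized before a connection is allowed), can be checked mechanically against an access-point inventory and the authentication records the wireless infrastructure produces. The script below is an added illustration, not part of NIST SP 800-171 or any CMMC assessment guide; the inventory, the device allowlist, the log line format (a RADIUS-accounting-like `key=value` layout) and every MAC address and access-point name in it are constructed for the example.

```python
"""Added example: evaluate wireless connection records against the two
3.1.16 assessment objectives. All inputs below are constructed samples;
the log format is hypothetical and would be adapted to the real
controller or RADIUS server in use."""
import re
from collections import Counter
from dataclasses import dataclass

# [a] Constructed inventory: the access points the organization has identified.
APPROVED_ACCESS_POINTS = {"ap-hq-01", "ap-hq-02", "ap-hq-03"}

# [b] Constructed allowlist: client devices authorized to connect, keyed by MAC.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "laptop-finance-12",
    "aa:bb:cc:00:00:02": "laptop-eng-07",
}

# Constructed sample of authentication records (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T08:01:12Z ap=ap-hq-01 client=aa:bb:cc:00:00:01 auth=EAP-TLS result=accept
2024-05-01T08:02:40Z ap=ap-hq-02 client=aa:bb:cc:00:00:02 auth=EAP-TLS result=accept
2024-05-01T08:03:05Z ap=ap-hq-02 client=aa:bb:cc:00:00:09 auth=EAP-TLS result=accept
2024-05-01T08:04:51Z ap=ap-guest-99 client=aa:bb:cc:00:00:01 auth=OPEN result=accept
2024-05-01T08:05:30Z ap=ap-hq-03 client=aa:bb:cc:00:00:10 auth=EAP-TLS result=reject
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) client=(?P<client>\S+) "
    r"auth=(?P<auth>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    objective: str  # "3.1.16[a]" or "3.1.16[b]"
    timestamp: str
    detail: str


def parse_line(line: str):
    """Return the record fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(log_text: str, approved_aps: set, authorized_devices: dict) -> list:
    """Produce one Finding per gap against objective [a] or [b]."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped; a real job would count them
        # [a]: a connection through an access point missing from the inventory
        # means the inventory of identified access points is incomplete.
        if rec["ap"] not in approved_aps:
            findings.append(Finding("3.1.16[a]", rec["ts"],
                                    f"connection via unidentified access point {rec['ap']}"))
        if rec["result"] != "accept":
            continue  # a rejected attempt was not allowed; nothing to flag for [b]
        # [b]: an accepted connection from a device not on the allowlist.
        if rec["client"] not in authorized_devices:
            findings.append(Finding("3.1.16[b]", rec["ts"],
                                    f"unauthorized device {rec['client']} admitted by {rec['ap']}"))
        # [b]: an accepted connection with no authentication at all.
        if rec["auth"].upper() == "OPEN":
            findings.append(Finding("3.1.16[b]", rec["ts"],
                                    f"connection admitted without authentication on {rec['ap']}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per assessment objective."""
    return dict(Counter(f.objective for f in findings))


if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG, APPROVED_ACCESS_POINTS, AUTHORIZED_DEVICES)
    for f in results:
        print(f"{f.objective} {f.timestamp} {f.detail}")
    print(summarize(results))
```

Run as a script, the check reports one [a] finding (the `ap-guest-99` access point is not in the inventory) and two [b] findings (an unlisted device admitted on `ap-hq-02`, and an open-authentication connection accepted on the unidentified access point); the rejected attempt on `ap-hq-03` produces nothing because the connection was never allowed. In practice the allowlist and inventory would be pulled from the configuration management system rather than hard-coded, so the comparison stays tied to the "updated list of approved network devices" the first consideration asks about.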
