NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
3.1.17 Protect wireless access using authentication and encryption.
Control Family: Access Control
Control Type: Derived
SPRS Value: 5
SPRS Supplemental Guidance:
Do not subtract points if wireless access not permitted
CMMC Level(s): AC.L2-3.1.14
Top Ten Failed Requirement: No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-18(1)
NIST Supplemental Guidance:
[NIST CRYPTO]
Discussion:
Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. See [NIST CRYPTO].
Upon assessment, assessors must determine if-
3.1.17[a] wireless access to the system is protected using authentication.
3.1.17[b] wireless access to the system is protected using encryption.
Assessors are instructed to-
Examine: [SELECT FROM: Access control policy; system design documentation; procedures addressing wireless implementation and usage (including restrictions); system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing wireless access protections to the system].
FURTHER DISCUSSION
Use a combination of authentication and encryption methods to protect the access to wireless networks. Authenticating users to a wireless access point can be achieved in multiple ways. The most common authentication and encryption methods used include:
WPA2-PSK (WiFi Protected Access-Pre-shared Key) – This method uses a password or passphrase known by the wireless access point and the client (user device). It is common in small companies that have little turnover because the key must be changed each time an employee leaves in order to prevent the terminated employee from connecting to the network without authorization. WPA2 is typically configured to use Advanced Encryption Standard (AES) encryption.
WPA2 Enterprise – This method may be better for larger companies and enterprise networks because authentication is based on the identity of the individual user or device rather than a shared password or passphrase. It typically requires a Remote Authentication Dial-in User Service (RADIUS) server for authentication and can provide higher security than WPA2-PSK.
Open authentication must not be used because it authenticates any user and lacks security capabilities. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.
Example 1
You manage the wireless network at a small company and are installing a new wireless solution that may transmit CUI. You start by selecting a product that employs encryption validated against the FIPS 140 standard. You configure the wireless solution to use WPA2, requiring users to enter a pre-shared key to connect to the wireless network [a,b].
Example 2
You manage the wireless network at a large company and are installing a new wireless solution that may transmit CUI. You start by selecting a product that employs encryption that is validated against the FIPS 140 standard. Because of the size of your workforce, you configure the wireless system to authenticate users with a RADIUS server. Users must provide the wireless system with their domain usernames and passwords to be able to connect, and the RADIUS server verifies those credentials. Users unable to authenticate are denied access [a,b].
Potential Assessment Considerations
Is wireless access limited only to authenticated and authorized users (e.g., required to supply a username and password) [a]?
If the organization is securing its wireless network with a pre-shared key, is access to that key restricted to only authorized users [a]?
Is wireless access encrypted using FIPS-validated cryptography? Note that simply using an approved algorithm is not sufficient; the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140 [b].
Frameworks & Controls
3.1.3: Control the flow of CUI in accordance with approved authorizations
3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions
3.1.9: Provide privacy and security notices consistent with applicable CUI rules
3.1.11: Terminate (automatically) a user session after a defined condition
3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
3.1.14: Route remote access via managed access control points
3.1.16: Authorize wireless access prior to allowing such connections
3.1.17: Protect wireless access using authentication and encryption
3.1.19: Encrypt CUI on mobile devices and mobile computing platforms
3.1.20: Verify and control/limit connections to and use of external systems
3.1.21: Limit use of portable storage devices on external systems
3.1.22: Control CUI posted or processed on publicly accessible systems