Wireless Access Authorization
Authorize wireless access prior to allowing such connections.
What an assessor scores, the objectives
AC.L2-3.1.16 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a. wireless access points are identified
- b. wireless access is authorized prior to allowing such connections
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.16, an assessor uses these:
- Examine: Access control policy; configuration management plan; procedures addressing wireless access implementation and usage (including restrictions); system security plan; system design documentation; system configuration settings and associated documentation; wireless access authorizations; system audit logs and records; other relevant documents or records
- Interview: Personnel with responsibilities for managing wireless access connections; personnel with information security responsibilities
- Test: Wireless access management capability for the system
What it means, in context
Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication.
Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following:
- types of devices, such as corporate or privately owned equipment;
- configuration requirements of the devices; and
- authorization requirements before granting such connections.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.
Example
Your company is implementing a wireless network at its headquarters. CUI may be transmitted on this network. You work with management to draft a policy about the use of the wireless network. The policy states that only company-approved devices that contain verified security configuration settings are allowed to connect. The policy also includes usage restrictions that must be followed for anyone who wants to use the wireless network. Authorization is required before devices are allowed to connect to the wireless network [b].
Potential Assessment Considerations
- Is an updated list of approved network devices providing wireless access to the system maintained [a]?
- Are network devices providing wireless access configured to require users or devices be authorized prior to permitting a wireless connection [b]?
- Is wireless access to the system authorized and managed [b]?
What passing evidence looks like
The authorized wireless list (each SSID, who approved it) and proof rogue or personal hotspots are not part of the CUI network.
Common ways contractors fail AC.L2-3.1.16
- The guest Wi-Fi must be documented as out of the CUI path or properly separated; an undocumented guest network on the same LAN fails the boundary story too.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
AC.L2-3.1.16 questions, answered
How many points is CMMC requirement AC.L2-3.1.16 worth?
AC.L2-3.1.16 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.
Can AC.L2-3.1.16 be placed on a POA&M?
No. AC.L2-3.1.16 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does AC.L2-3.1.16 belong to?
AC.L2-3.1.16 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.1.16