AC.L2-3.1.17 · NIST SP 800-171 3.1.17

Wireless Access Protection

Protect wireless access using authentication and encryption.

  • 5 points if not met
  • Must be fully met, cannot POA&M
  • 2 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.17 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. wireless access to the system is protected using authentication
  • b. wireless access to the system is protected using encryption

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.17, an assessor uses these:

Examine

Access control policy; system design documentation; procedures addressing wireless implementation and usage (including restrictions); system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities; system developers

Test

Mechanisms implementing wireless access protections to the system

What it means, in context

Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems.

Use a combination of authentication and encryption methods to protect access to wireless networks. Authenticating users to a wireless access point can be achieved in multiple ways. The most common authentication and encryption methods used include:

  • WPA2-PSK (WiFi Protected Access - Pre-shared Key) – This method uses a password or passphrase known by the wireless access point and the client (user device). It is common in small companies that have little turnover because the key must be changed each time an employee leaves in order to prevent the terminated employee from connecting to the network without authorization. WPA2 is typically configured to use Advanced Encryption Standard (AES) encryption.
  • WPA2 Enterprise – This method may be better for larger companies and enterprise networks because authentication is based on the identity of the individual user or device rather than a shared password or passphrase. It typically requires a Remote Authentication Dial-in User Service (RADIUS) server for authentication and can provide higher security than WPA2-PSK.

Open authentication must not be used because it authenticates any user and lacks security capabilities. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.

Example 1

You manage the wireless network at a small company and are installing a new wireless solution that may transmit CUI. You start by selecting a product that employs encryption validated against the FIPS 140 standard. You configure the wireless solution to use WPA2, requiring users to enter a pre-shared key to connect to the wireless network [a,b].

Example 2

You manage the wireless network at a large company and are installing a new wireless solution that may transmit CUI. You start by selecting a product that employs encryption that is validated against the FIPS 140 standard. Because of the size of your workforce, you configure the wireless system to authenticate users with a RADIUS server. Users must provide the wireless system with their domain usernames and passwords to be able to connect, and the RADIUS server verifies those credentials. Users unable to authenticate are denied access [a,b].

Potential Assessment Considerations

  • Is wireless access limited only to authenticated and authorized users (e.g., required to supply a username and password) [a]?
  • If the organization is securing its wireless network with a pre-shared key, is access to that key restricted to only authorized users [a]?
  • Is wireless access encrypted using FIPS-validated cryptography? Note that simply using an approved algorithm is not sufficient; the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140 [b].

What passing evidence looks like

The wireless security configuration: WPA2 or WPA3 with a strong secret or 802.1x authentication, captured from the access point admin page.

Common ways contractors fail AC.L2-3.1.17

  • WEP or open SSIDs anywhere on the CUI network are an instant NOT MET. Also rotate the pre-shared key when someone leaves; an assessor may ask when it last changed.
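As an added example (not code from this page or from the Level 2 Accelerator), here is a small Python check that scores an SSID inventory against the two objectives above: [a] fails on open or WEP authentication, on an enterprise SSID with no RADIUS server, or on a pre-shared key that has not been rotated since the last personnel departure; [b] fails on a non-AES cipher or on a module without FIPS 140 validation. The inventory schema, the SSID names, addresses and dates are constructed assumptions, as is the choice to treat an un-rotated PSK after a departure as a failure rather than a warning.

```python
"""Score a wireless SSID inventory against AC.L2-3.1.17 objectives [a] and [b].

The Ssid record schema is an assumption for this example: it is the shape you
would normalize a controller or access point export into, not a vendor format.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Modes that authenticate a user or device for objective [a]; open and WEP never do.
AUTHENTICATED_MODES = {"wpa2-psk", "wpa2-enterprise", "wpa3-sae", "wpa3-enterprise"}
ENTERPRISE_MODES = {"wpa2-enterprise", "wpa3-enterprise"}
# AES-based pairwise ciphers acceptable for objective [b]; TKIP and WEP are not.
AES_CIPHERS = {"ccmp", "ccmp-256", "gcmp", "gcmp-256"}


@dataclass
class Ssid:
    name: str
    in_cui_scope: bool            # only SSIDs reachable from the CUI environment are scored
    auth_mode: str                # open | wep | wpa2-psk | wpa2-enterprise | wpa3-sae | wpa3-enterprise
    cipher: str                   # wep | tkip | ccmp | gcmp | none
    fips_validated_module: bool   # the AP/controller crypto module holds a FIPS 140 certificate
    radius_server: Optional[str] = None
    psk_last_rotated: Optional[date] = None
    last_personnel_departure: Optional[date] = None


@dataclass
class Result:
    ssid: str
    objective_a: bool = True
    objective_b: bool = True
    findings: List[str] = field(default_factory=list)


def evaluate_ssid(s: Ssid) -> Result:
    """Return per-objective status and human-readable findings for one SSID."""
    r = Result(ssid=s.name)
    mode, cipher = s.auth_mode.lower(), s.cipher.lower()

    # [a] authentication
    if mode not in AUTHENTICATED_MODES:
        r.objective_a = False
        r.findings.append(f"auth mode '{mode}' does not authenticate users or devices [a]")
    if mode in ENTERPRISE_MODES and not s.radius_server:
        r.objective_a = False
        r.findings.append("enterprise mode configured but no RADIUS server set [a]")
    if mode == "wpa2-psk":
        if s.psk_last_rotated is None:
            # Warning only: the assessor will ask when the key last changed.
            r.findings.append("no record of PSK rotation [a]")
        elif s.last_personnel_departure and s.last_personnel_departure > s.psk_last_rotated:
            # Example's interpretation: departed staff may still hold the key.
            r.objective_a = False
            r.findings.append("PSK not rotated since last personnel departure [a]")

    # [b] encryption: AES cipher on a FIPS 140 validated module
    if cipher not in AES_CIPHERS:
        r.objective_b = False
        r.findings.append(f"cipher '{cipher}' is not AES-based [b]")
    if not s.fips_validated_module:
        r.objective_b = False
        r.findings.append("crypto module not FIPS 140 validated; the algorithm alone is not sufficient [b]")
    return r


def evaluate_inventory(ssids: List[Ssid]) -> Tuple[str, List[Result]]:
    """Score in-scope SSIDs; a single failed objective makes the requirement NOT MET."""
    results = [evaluate_ssid(s) for s in ssids if s.in_cui_scope]
    met = all(r.objective_a and r.objective_b for r in results)
    return ("MET" if met else "NOT MET"), results


# Constructed sample inventory, not taken from any real network.
SAMPLE_INVENTORY = [
    Ssid("CORP-CUI", True, "wpa2-enterprise", "ccmp", True, radius_server="10.0.0.5"),
    Ssid("CORP-IOT", True, "wpa2-psk", "ccmp", True,
         psk_last_rotated=date(2024, 1, 15), last_personnel_departure=date(2024, 6, 3)),
    Ssid("GUEST", True, "open", "none", True),
    Ssid("LOBBY-DISPLAY", False, "wep", "wep", False),  # out of scope, not scored
]

if __name__ == "__main__":
    status, results = evaluate_inventory(SAMPLE_INVENTORY)
    print(f"AC.L2-3.1.17: {status}")
    for r in results:
        print(f"  {r.ssid}: a={r.objective_a} b={r.objective_b}")
        for f in r.findings:
            print(f"    - {f}")
```

Feed it the normalized export of every SSID broadcast by access points inside the CUI boundary; the per-SSID findings map directly onto the evidence an assessor will want to see for each objective.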

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.17, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.17 questions, answered

How many points is CMMC requirement AC.L2-3.1.17 worth?

AC.L2-3.1.17 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AC.L2-3.1.17 be placed on a POA&M?

No. AC.L2-3.1.17 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AC.L2-3.1.17 belong to?

AC.L2-3.1.17 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.17