Access Control 3.1.16

Authorize wireless access prior to allowing such connections


What Is This CMMC Control?

Organizations must implement a formal authorization process before any device or user is allowed to connect to organizational systems over a wireless connection. Wi-Fi is the usual case, but the requirement is written for wireless access in general, not for one radio technology. Wireless access therefore cannot be open or automatic: there must be documented approval, authentication requirements, and security controls in place before wireless connectivity is granted. The control applies to corporate wireless networks and to any wireless access point that connects to systems processing CUI.

Control Intent

Prevent unauthorized access to organizational systems and CUI through wireless network connections by ensuring only approved devices and users can establish wireless connectivity after meeting defined security requirements.

Who This Control Applies To

  • Organizations that operate wireless networks (Wi-Fi) in facilities processing CUI
  • Any wireless access points that provide connectivity to systems or networks containing CUI
  • Guest wireless networks if they share infrastructure with CUI systems
  • Wireless networks used by employees, contractors, or third parties accessing CUI
  • Mobile devices connecting wirelessly to organizational networks
  • Temporary or event-based wireless networks in CUI environments

Not Applicable When

  • The organization has no wireless networking capability whatsoever and all connections are wired only
  • Wireless capability is physically disabled in hardware and documented as permanently removed
  • The system is completely air-gapped with no wireless radios present
  • Wireless access exists but is on a completely separate network with no logical or physical connection to CUI systems (true network segmentation with documented boundary controls)

Key Objectives

  • Establish and enforce authorization requirements before granting wireless network access
  • Implement authentication mechanisms that verify user and device identity before allowing wireless connections
  • Define and document usage restrictions and security configurations for all wireless access
  • Reduce the attack surface and unauthorized access risk introduced by wireless technologies

Sample Self-Assessment Questions (Partial)

Does your organization use Wi-Fi networks in any location where CUI is accessed or processed?

Are wireless access points present in facilities where employees access CUI systems?

Implementation Approaches (High-Level)

WPA2/WPA3-Enterprise with RADIUS Authentication

Implement enterprise-grade wireless security using 802.1X authentication with a RADIUS server that validates user credentials before granting wireless access. Each user has individual credentials tied to their authorization, so access can be revoked per user and every connection is attributable. Configure client supplicants to validate the RADIUS server's certificate (and to trust only the issuing CA you expect); otherwise a rogue access point broadcasting the corporate SSID can harvest credentials from clients that will authenticate to anything.

Certificate-Based Wireless Authentication

Use digital certificates issued to authorized users and devices as the authentication mechanism for wireless access. Certificate issuance serves as the authorization process.

Network Access Control (NAC) with Wireless Authorization

Implement a Network Access Control system that enforces authorization policies before granting wireless network access, including device posture assessment and compliance checking.

Documented Wireless Access Authorization with WPA2/WPA3-PSK

For small environments, use WPA2/WPA3 with a strong pre-shared key, combined with a documented authorization process for distributing the wireless password only to approved users. Because everyone shares one secret, the key must be rotated whenever an authorized person leaves or a device holding it is lost, and the authorized-user list is the only record of who was granted access.

Managed Wi-Fi Service with Authorization Integration

Use a managed wireless service (cloud-managed Wi-Fi) that integrates with organizational identity systems to enforce authorization before granting wireless access.

MAC Address Authorization with Registration Process

Implement MAC address filtering combined with a documented device registration and authorization process. Note: This should be used in combination with encryption, not as a standalone security measure.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence showing how wireless access is authorized before connection and how that authorization is maintained over time. For this control that typically means: the wireless access policy and approval workflow; the register of authorized users or devices with approver and date; access point or controller configuration showing the security mode (for example WPA2/WPA3-Enterprise with 802.1X and RADIUS, or the documented PSK distribution process); RADIUS authentication and accounting logs that attribute individual connections; records of periodic access reviews and of revocations when users leave; and, where deployed, rogue access point detection output or physical survey results.

Plan of Action & Milestones (POA&M)

  • If currently using open or WEP-secured wireless: immediate remediation required; upgrade to WPA2/WPA3 and implement an authorization process within 30 days.
  • If using WPA2-PSK without authorization tracking: document the authorization process and maintain an authorized user list within 60 days; plan migration to WPA2-Enterprise within 6-12 months.
  • If the wireless authorization process is informal: document a formal policy and approval workflow within 30-60 days.
  • If RADIUS/802.1X infrastructure doesn't exist: implementation may take 3-6 months depending on environment size; an interim compensating control could be documented PSK authorization with frequent password rotation.
  • If guest wireless is not isolated: a network segmentation project may take 2-4 months; the interim control is disabling guest wireless or requiring VPN for CUI access.
  • If wireless access is not revoked when users leave: implement an immediate process improvement and conduct a review of currently authorized users within 30 days.
  • If there is no logging of wireless access: enable logging within 30 days and implement a log review process within 60 days.
  • If rogue AP detection is not implemented: deploy a monitoring solution within 90 days; the interim control is periodic physical surveys.
  • For certificate-based authentication implementation: a 4-6 month timeline is typical for PKI deployment; the interim control is strong WPA2-Enterprise with RADIUS.
  • If MAC filtering is the sole control: add WPA2/WPA3 encryption immediately (within 30 days) and implement proper authentication within 90 days.
  • Acceptable interim controls while implementing the full solution: documented authorization with a strong PSK, frequent password rotation, restricted wireless network access (no CUI access), enhanced monitoring.
  • Risk acceptance is generally not appropriate for this control; wireless access without authorization creates significant unauthorized-access risk to CUI.
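Several of the POA&M items above (keeping an authorized user list, revoking access when users leave, logging wireless access and reviewing the logs) can be checked in one reconciliation step. As an added example that is not part of this page or of any product, the Python below compares RADIUS accounting Start records against an authorization register and reports sessions by users who were never authorized, or who connected before approval or after revocation. The record format (one `key=value` line per accounting event), the register and the five sample records are constructed for the example; a real deployment would feed it the accounting export from its RADIUS server.

```python
"""Reconcile wireless RADIUS accounting records against the authorization register.

Added example for this page, not any product's code. Assumes an accounting feed
exported as one "<ISO timestamp> key=value key=value ..." line per event (the
sample records below are constructed) and a register kept as a dict.
"""
from datetime import datetime, timezone

# Constructed register: user -> approver, approval date, and the first date on
# which access is no longer permitted (None while still authorized).
REGISTER = {
    "jdoe": {"approved_by": "it-mgr", "approved_on": "2023-01-10", "revoked_on": None},
    "asmith": {"approved_by": "it-mgr", "approved_on": "2023-03-01", "revoked_on": "2024-04-30"},
    "contractor7": {"approved_by": "pm-lee", "approved_on": "2024-05-01", "revoked_on": None},
}

# Constructed accounting records; only Start records say who got onto the WLAN.
SAMPLE_LOG = """\
2024-05-02T08:14:03Z Acct-Status-Type=Start User-Name=jdoe Calling-Station-Id=AA-BB-CC-11-22-33 Called-Station-Id=00-11-22-33-44-55:CORP-WIFI
2024-05-02T08:20:41Z Acct-Status-Type=Start User-Name=asmith Calling-Station-Id=AA-BB-CC-44-55-66 Called-Station-Id=00-11-22-33-44-55:CORP-WIFI
2024-05-02T09:02:17Z Acct-Status-Type=Start User-Name=contractor7 Calling-Station-Id=AA-BB-CC-77-88-99 Called-Station-Id=00-11-22-33-44-55:CORP-WIFI
2024-05-02T09:30:00Z Acct-Status-Type=Stop User-Name=jdoe Calling-Station-Id=AA-BB-CC-11-22-33 Acct-Session-Time=4557
2024-05-02T11:45:09Z Acct-Status-Type=Start User-Name=guest_tmp Calling-Station-Id=DE-AD-BE-EF-00-01 Called-Station-Id=00-11-22-33-44-55:CORP-WIFI
"""


def parse_record(line):
    """Split '<timestamp> k=v k=v ...' into (aware datetime, attribute dict)."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    attrs = dict(item.split("=", 1) for item in rest.split() if "=" in item)
    return when, attrs


def _date(s):
    """Register dates are plain days; treat them as midnight UTC."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def check_connection(when, attrs, register):
    """Return None if the session start is covered by a valid authorization,
    otherwise a short reason for the reviewer."""
    user = attrs.get("User-Name")
    entry = register.get(user)
    if entry is None:
        return f"{user!r} is not in the authorization register"
    if when < _date(entry["approved_on"]):
        return f"{user!r} connected before authorization took effect ({entry['approved_on']})"
    revoked = entry["revoked_on"]
    if revoked and when >= _date(revoked):
        return f"{user!r} connected after authorization was revoked ({revoked}); RADIUS account not disabled"
    return None


def reconcile(log_text, register):
    """Return one (timestamp, user, client MAC, reason) per unauthorized session start."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, attrs = parse_record(line)
        if attrs.get("Acct-Status-Type") != "Start":
            continue
        reason = check_connection(when, attrs, register)
        if reason:
            findings.append((when.isoformat(), attrs.get("User-Name"), attrs.get("Calling-Station-Id"), reason))
    return findings


if __name__ == "__main__":
    for when, user, mac, reason in reconcile(SAMPLE_LOG, REGISTER):
        print(f"{when} {user} {mac}: {reason}")
```

Run against the constructed data this reports two sessions: asmith, whose authorization ended on 2024-04-30 but whose RADIUS account evidently still works, and guest_tmp, who has no entry in the register at all. Both are exactly the gaps the "not revoked when users leave" and "no authorized user list" POA&M items describe, and the output is the kind of dated review record an assessor expects to see.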

Frequently Asked Questions

Does every employee need individual approval for wireless access, or can we approve departments or groups?

While group-based authorization is acceptable (such as authorizing all employees in a department), there must still be a documented process showing who approved wireless access for that group and what criteria were used. Individual tracking is preferred for accountability, but group authorization is acceptable if properly documented and periodically reviewed. The key is demonstrating that wireless access is not automatic and requires explicit authorization.

We use a shared Wi-Fi password for our office. Does this satisfy the authorization requirement?

Using a shared password (WPA2-PSK) can satisfy this control only if you have a documented process for who receives the password and maintain records of authorization approvals. However, this is the minimum acceptable implementation and has limitations—you cannot track individual access, easily revoke access for specific users, or audit who connected when. For CMMC Level 2 and higher, individual authentication (WPA2-Enterprise) is strongly preferred and may be required depending on your environment.

Our guest Wi-Fi network is completely separate from our corporate network. Does this control still apply?

If your guest wireless network is truly isolated with no logical or physical connection to systems processing CUI, and you can demonstrate this separation through network architecture documentation, then authorization requirements for the guest network may be reduced. However, you must still control and authorize access to any wireless network that can reach CUI systems. Many assessors will want to verify the isolation is genuine and properly maintained, as misconfigured guest networks are a common security gap.

What happens if our RADIUS server goes down? Can we have a backup that allows access without authorization?

Failover configurations that bypass authorization requirements when the RADIUS server is unavailable typically do not satisfy this control. If you implement a backup authentication method, it must still enforce authorization—for example, failing over to a secondary RADIUS server or requiring VPN access with authorization. Automatically granting wireless access without authorization during outages creates a significant security gap. Your incident response procedures should address RADIUS failures without compromising authorization requirements.
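The implementation approaches listed earlier (802.1X with RADIUS, PSK with a documented authorization process, MAC filtering only as an extra layer) and the RADIUS failover question just above all come down to a handful of settings on the access point. As an added example, not code from this page, from hostapd or from any product, the Python script below audits a hostapd.conf against those points: open or WEP networks, a MAC allow-list as the only control, TKIP, PSK-only networks, 802.1X with no RADIUS server or with only one (the situation that tempts people into a no-authentication fallback), and missing RADIUS accounting. The directive names are real hostapd settings; the three sample configurations, and the addresses and shared secrets in them, are constructed placeholders.

```python
"""Audit a hostapd.conf for settings that defeat "authorize before connecting".

Added example for this page, not code from any product or from hostapd. The directive
names (wpa, wpa_key_mgmt, rsn_pairwise, ieee8021x, auth_server_addr, acct_server_addr,
macaddr_acl, wep_key*) are real hostapd settings; the sample configurations below are
constructed, and their addresses and secrets are placeholders.
"""
from collections import defaultdict

PERSONAL = {"WPA-PSK", "WPA-PSK-SHA256", "SAE"}
ENTERPRISE = {"WPA-EAP", "WPA-EAP-SHA256"}


def parse_hostapd(text):
    """Parse key=value lines; repeated keys (hostapd lists one auth_server_addr
    per RADIUS server) are kept as a list in order of appearance."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()].append(value.strip())
    return conf


def audit_hostapd(text):
    """Return (severity, finding) pairs; an empty list means the checked settings
    are consistent with authenticated, individually authorized, logged access."""
    conf = parse_hostapd(text)
    findings = []
    wpa = conf.get("wpa", ["0"])[-1]
    key_mgmt = set(" ".join(conf.get("wpa_key_mgmt", [])).split())
    ciphers = set(" ".join(conf.get("rsn_pairwise", []) + conf.get("wpa_pairwise", [])).split())

    if any(k == "wep_default_key" or k.startswith("wep_key") for k in conf):
        findings.append(("CRITICAL", "WEP keys configured; WEP is broken, move to WPA2/WPA3"))
    if wpa == "0":
        findings.append(("CRITICAL", "wpa=0: open network, anyone in range can associate"))
        if conf.get("macaddr_acl", ["0"])[-1] == "1":
            findings.append(("CRITICAL", "MAC allow-list is the only access control and MACs are trivially spoofed"))
    else:
        if "TKIP" in ciphers:
            findings.append(("HIGH", "TKIP pairwise cipher enabled; use CCMP only"))
        if key_mgmt & PERSONAL and not key_mgmt & ENTERPRISE:
            findings.append(("MEDIUM", "Pre-shared key only: no per-user identity; record authorization out of band and rotate the PSK on every departure"))
        if key_mgmt & ENTERPRISE:
            if conf.get("ieee8021x", ["0"])[-1] != "1":
                findings.append(("HIGH", "WPA-EAP selected but ieee8021x=1 is missing; 802.1X will not run"))
            servers = conf.get("auth_server_addr", [])
            if not servers:
                findings.append(("HIGH", "No auth_server_addr: no RADIUS server to decide who is authorized"))
            elif len(servers) < 2:
                findings.append(("MEDIUM", "Single RADIUS server: an outage blocks all wireless access; add a secondary server, never a fallback that skips authentication"))
    if not conf.get("acct_server_addr"):
        findings.append(("MEDIUM", "No acct_server_addr: RADIUS accounting is off, so there is no record of who connected when"))
    return findings


# Constructed sample: open SSID "protected" only by a MAC allow-list.
OPEN_MAC_ONLY = """
ssid=CORP-LEGACY
wpa=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Constructed sample: shared passphrase, TKIP still allowed, no accounting.
PSK_ONLY = """
ssid=CORP-WIFI
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Summer2019!
rsn_pairwise=CCMP TKIP
"""

# Constructed sample: 802.1X with primary and secondary RADIUS and accounting on.
ENTERPRISE_CONF = """
ssid=CORP-WIFI
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=replace-me
auth_server_addr=10.0.0.11
auth_server_port=1812
auth_server_shared_secret=replace-me
acct_server_addr=10.0.0.10
acct_server_port=1813
acct_server_shared_secret=replace-me
"""

if __name__ == "__main__":
    for name, conf in (("open+MAC", OPEN_MAC_ONLY), ("PSK", PSK_ONLY), ("802.1X", ENTERPRISE_CONF)):
        print(f"== {name} ==")
        for severity, msg in audit_hostapd(conf) or [("OK", "no findings")]:
            print(f"  [{severity}] {msg}")
```

The enterprise sample shows the failover shape the FAQ answer calls for: hostapd tries the second `auth_server_addr` block when the first stops answering, so an outage degrades to the secondary server rather than to unauthenticated access. The script deliberately has no "allow when RADIUS is down" rule to look for, because no such setting should exist in a conforming configuration.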

Do we need to re-authorize wireless access periodically, or is one-time authorization sufficient?

The control requires authorization prior to allowing wireless connections, but does not explicitly mandate periodic re-authorization. However, best practice and assessor expectations typically include periodic review of authorized users (at least annually) and immediate revocation when authorization should end (termination, role change). Many organizations fold wireless authorization into the account reviews they already perform for account management (NIST SP 800-53 AC-2, which SP 800-171 maps to 3.1.1). One-time authorization without any review process is generally insufficient, especially for long-term employees.

Can we use MAC address filtering as our wireless authorization method?

MAC address filtering alone is not sufficient because MAC addresses can be spoofed and this method does not provide strong authentication. However, MAC filtering can be used as an additional layer of defense in combination with proper authentication (WPA2/WPA3) and a documented authorization process for registering device MAC addresses. If you use MAC filtering, you must still implement encryption and have documented approval for each MAC address added to the authorized list. This approach is most appropriate for IoT devices or specialized equipment rather than user devices.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.