3.1.16 — Wi-Fi Approval First

The One-Liner

Know every wireless access point in your building. Only approved devices connect. Everything else is blocked.

What It Says

Authorize wireless access prior to allowing such connections.

What It Actually Means

Before any device connects to your wireless network:

1. The device must be approved — registered with IT, meeting your security requirements
2. The user must be authorized — on the approved wireless access list
3. Your access points must be inventoried — you know every AP in your environment, including rogue ones

Draft a policy covering which devices are allowed (corporate vs personal), what configuration they need, and what usage restrictions apply. Then enforce it on the access points.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are wireless access points identified?	Complete inventory of every AP in your environment
2	Is wireless access authorized before connection?	Devices must be approved before connecting

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, wireless access procedures, configuration management plan, system security plan, system config, wireless access authorizations, audit logs

People they’ll talk to: Wireless access managers, information security staff

Live demos they’ll ask for: “Show me your AP inventory. Try to connect an unauthorized device — show me it’s blocked.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Do you maintain a list of approved wireless devices?”
• “Are access points configured to require authorization before connecting?”
• “Is wireless access authorized and managed?”
• “What happens when someone tries to connect an unauthorized device?”

Real-World Example

A contractor uses 802.1X with RADIUS for wireless authentication. Only devices with a valid certificate issued through Intune can connect. The AP inventory is maintained in a network management tool. Quarterly, the IT team runs a rogue AP scan. Personal devices are directed to a guest network that’s fully segmented from the CUI environment.

---

Where Companies Trip Up

Guest network shares infrastructure. Guest Wi-Fi on the same hardware as CUI network without proper segmentation.

Shared password that never changes. WPA2-PSK password known by everyone including former employees.

No AP inventory. You don’t know how many access points you have or if there are rogue ones.

Rogue access points. Unauthorized APs plugged into the network by employees wanting better coverage.

---

How to Talk About This

To a CEO or Board

Only pre-approved devices connect to our wireless network. Unauthorized devices are blocked. We maintain an inventory of every access point and scan for rogue ones quarterly.

To an Engineering Team

802.1X with RADIUS/NPS. Certificate-based device auth via Intune. Guest network on separate VLAN with no CUI access. Quarterly rogue AP scanning.

---

Connected Requirements

Requirement	Why it matters here
3.1.17 — Lock Down the Wi-Fi	Protecting wireless with authentication and encryption
3.1.18 — Mobile Device Control	Controlling which mobile devices connect

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.16 | SPRS Weight: 5 points | POA&M Eligible: No