3.1.17 — Lock Down the Wi-Fi

The One-Liner

WPA2-Enterprise minimum. WPA3 preferred. FIPS-validated encryption if the wireless network carries CUI.

What It Says

Protect wireless access using authentication and encryption.

What It Actually Means

Two protections working together:

Authentication — every user proves their identity before connecting. Options from weakest to strongest:

• WPA2-PSK (shared password) — acceptable for small teams but change it when anyone leaves
• WPA2-Enterprise with RADIUS — each user authenticates individually. Preferred.
• WPA3 — strongest option where supported

Encryption — all wireless traffic is encrypted. If your wireless network carries CUI traffic, the encryption must be FIPS 140 validated (not just using an approved algorithm — the actual module must be validated).

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is wireless access protected by authentication?	Users prove identity before connecting
2	Is wireless access protected by encryption?	All wireless traffic is encrypted

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, wireless implementation procedures, system security plan, system config, audit logs

People they’ll talk to: Sysadmins, information security staff, system developers

Live demos they’ll ask for: “Show me the wireless authentication method. Show me the encryption configuration.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Is wireless access limited to authenticated and authorized users?”
• “If using PSK, is access to the key restricted to authorized users only?”
• “Is wireless encryption FIPS-validated? Show me the validation — the module, not just the algorithm.”

Real-World Example

A contractor uses WPA2-Enterprise with RADIUS backed by Entra ID. Each user authenticates with their own credentials plus certificate. The access points use firmware with FIPS 140-2 validated encryption modules. The IT admin has the FIPS certificate on file. No open or PSK networks exist in the CUI environment.

---

Where Companies Trip Up

Shared password that never rotates. WPA2-PSK password known by current and former employees. If you use PSK, change it on every departure.

Right algorithm, unvalidated module. Using AES but the access point firmware isn’t FIPS 140 validated.

Guest and corporate on same SSID. No separation between guest wireless and CUI-carrying traffic.

---

How to Talk About This

To a CEO or Board

Our wireless uses enterprise-grade authentication — every user authenticates individually. The encryption is FIPS-validated. No shared passwords, no open networks.

To an Engineering Team

WPA2-Enterprise, RADIUS/NPS, certificate-based auth via Intune. FIPS 140-2 validated firmware on all APs. Guest SSID on separate VLAN. No PSK networks in CUI scope.

---

Connected Requirements

Requirement	Why it matters here
3.1.16 — Wi-Fi Approval First	Authorization before this control protects
3.13.11 — FIPS or It Doesn’t Count	FIPS validation requirement for encryption

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.17 | SPRS Weight: 5 points | POA&M Eligible: No