This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.
NIST 800-53 (r4) Supplemental Guidance:
Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4.
References: NIST Special Publications 800-48, 800-94, 800-97.
NIST 800-53 (r5) Discussion:
Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.
38North Guidance:
Meets Minimum Requirement:
If any wireless technologies are used within the information system's authorization boundary, they must be defined and documented with specifics on the technology used, its configuration settings, and its connection requirements (devices permitted to access, required device condition, and ability to support secure wireless). Policies and procedures addressing the authorization of personnel connections to wireless technologies within the information system must also be in place.
Best Practice:
Wireless technologies are usually not implemented by CSPs whose CSO is fully reliant on an IaaS provider such as AWS, Azure, or GCP, as any such technologies are inherited from the IaaS provider.
In the event that an on-premises or hybrid implementation is used to support the information system, the CSP should ensure that any and all wireless technologies used to support the information system within the authorization boundary are thoroughly documented and accounted for within the policies and procedures associated with the information system. This documentation should include each type of wireless technology utilized, the configuration settings for each, the connection requirements, and any other specific requirements defined and enforced for personnel requesting to connect to wireless technologies within the information system.
The context of this control depends on what the information system boundary is. For an SSP detailing the physical infrastructure of the data centers, this control requires detail on how wireless access points are authorized and managed (if permitted). If the SSP and system boundary focus on the cloud environment with no physical infrastructure, then this control is inherited from the physical layer detailed in the infrastructure SSP. AC-18 DOES NOT include wireless access used by the user prior to authenticating into the information system boundary: everything beyond the VPN connection is out of boundary and out of scope.
Unofficial FedRAMP Guidance: Ensure that any and all wireless technologies used to support an information system are accounted for and do not creep outside of the authorization boundary.
Assessment Evidence:
Screenshots of the configuration settings of any and all wireless technologies and the security requirements for permitting personnel to connect.
Supporting policies and procedures covering the configuration and connection requirements both for engineers deploying wireless technologies and for personnel connecting to wireless technologies within the information system.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD