This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
NIST 800-53 (r4) Supplemental Guidance:
Related controls: SC-8, SC-13.
NIST 800-53 (r5) Discussion:
Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.
38North Guidance:
Meets Minimum Requirement:
Ensure that all wireless access is authenticated and encrypted with WPA2 (or WPA3) using 802.1X/EAP (WPA2-Enterprise). WEP must NOT be used for authentication or encryption, and the legacy WPA (TKIP) cipher should likewise be disabled.
Ensure that policies and procedures are kept current to provide guidelines and requirements for personnel when configuring wireless technologies.
For any authentication and encryption functions provided by wireless devices, ensure that FIPS 140-2 validated cryptographic modules and FIPS-approved cipher suites (for example AES-CCMP) are used.
Ensure that non-repudiation mechanisms are in place so that every wireless connection can be traced to an individual person or device: unique IDs and individual login credentials must be used, and a shared pre-shared key (PSK) for the whole SSID does not satisfy this.
Ensure that wireless technologies are configured to log all activity and forward those logs to a centralized logging solution such as a SIEM, within the authorization boundary.
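The minimum requirements above can be checked mechanically against an access point's configuration. The following Python audit is an added example, not 38North's or any vendor's code; it assumes a hostapd-style key=value configuration file (the two sample configs are constructed for illustration, and the RADIUS address and secret are placeholders) and flags WEP keys, WPA1/TKIP, non-802.1X key management, and disabled syslog forwarding, with the weak configuration shown beside the corrected one.

```python
"""Audit a hostapd-style AP configuration against the AC-18(1) minimums:
no WEP, no WPA1/TKIP, 802.1X/EAP key management, AES-CCMP, syslog enabled.
Added example; both sample configurations below are constructed."""

# Constructed example of a non-compliant configuration.
WEAK_HOSTAPD = """\
interface=wlan0
ssid=corp-legacy
wep_default_key=0
wep_key0=0123456789
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=sharedsecret
wpa_pairwise=TKIP
logger_syslog=0
"""

# Constructed example of the corrected configuration (WPA2-Enterprise, CCMP,
# RADIUS back end; address and secret are placeholders, not real values).
HARDENED_HOSTAPD = """\
interface=wlan0
ssid=corp-secure
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-radius-secret
logger_syslog=-1
logger_syslog_level=2
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    # Any wep_* option means WEP keys are configured.
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys configured; WEP is prohibited")

    # hostapd 'wpa' is a bitfield: 1 = WPA (TKIP era), 2 = WPA2/RSN.
    wpa = int(cfg.get("wpa", "0") or "0")
    if wpa == 0:
        findings.append("wpa=0: no WPA2/RSN protection on this SSID")
    elif wpa & 1:
        findings.append("wpa allows WPA1 (bit 1 set); require wpa=2")

    # TKIP is not a FIPS-approved cipher; only CCMP (AES) is acceptable here.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key} permits TKIP; use CCMP only")

    # Shared PSK cannot identify individual users; require 802.1X/EAP.
    mgmt = cfg.get("wpa_key_mgmt", "").split()
    if not any(m.startswith("WPA-EAP") for m in mgmt):
        findings.append("wpa_key_mgmt is not WPA-EAP; 802.1X required for "
                        "per-user accountability")
    if cfg.get("ieee8021x") != "1":
        findings.append("ieee8021x is not enabled")

    # logger_syslog is a module bitmask; 0 disables syslog output entirely.
    if cfg.get("logger_syslog", "0") == "0":
        findings.append("logger_syslog=0: events will not reach the SIEM")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HOSTAPD), ("hardened", HARDENED_HOSTAPD)):
        result = audit_wireless(parse_hostapd(text))
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for f in result:
            print("  -", f)
```

The check is deliberately conservative: it treats `wpa=3` (WPA and WPA2 both enabled) as a finding, because a mixed-mode SSID still lets a client negotiate TKIP. Run it against each AP's exported configuration and attach the output alongside the screenshots listed under Assessment Evidence.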
Best Practice:
If possible, configure wireless technologies to provide unique login credentials for all personnel wishing to connect.
Ensure that passwords used to authenticate users follow NIST guidelines for strong password authentication. Passwords should be rotated at least every 90 days (every 60 days for High systems), and at least the 24 previous passwords must not be reused.
Ensure that any encryption keys for device authentication are accounted for, securely stored, and rotated at least annually.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Screenshots of the configuration settings for the required wireless encryption.
Screenshots of the configuration settings for the required user authentication.
Screenshots showing unique IDs and logging activity.
Tickets showing device configuration changes and password/key rotation activities and any wireless account management activity.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD