GRCWatch
Sign inStart free trial

CIS Controls 12.6: Use of Secure Network Management and Communication Protocols

Network security starts with the protocols you choose. CIS Control 12.6 requires organizations to enforce secure network management and communication protocols—like 802.1X and WPA2 Enterprise—to prevent unauthorized access and data interception. Without proper protocol enforcement, even well-designed networks remain vulnerable to lateral movement and credential compromise.

What this means

This control mandates the deployment of industry-standard secure protocols for all network management and communications. 802.1X provides port-based network access control, authenticating devices before they connect to your network. WPA2 Enterprise (or greater, such as WPA3) encrypts wireless traffic and requires strong authentication, preventing attackers from eavesdropping or injecting malicious traffic. Together, these protocols create a foundational security layer that protects both wired and wireless network segments.

How to comply

  1. 1.Inventory all network management interfaces and wireless access points across your infrastructure
  2. 2.Enable 802.1X authentication on network switches and enforce certificate-based or strong credential authentication
  3. 3.Deploy WPA2 Enterprise (minimum) or WPA3 on all wireless networks, configured with AES encryption
  4. 4.Establish a certificate infrastructure (PKI) or integrate with your directory service to support 802.1X supplicant authentication
  5. 5.Configure network devices to reject non-authenticated connections and log all access attempts
  6. 6.Test protocol enforcement to confirm devices cannot connect without proper credentials or certificates
  7. 7.Document your network protocol baseline and review quarterly for drift or unsupported legacy protocols

Evidence auditors look for

  • Network switch configurations showing 802.1X enabled on all access ports
  • Wireless access point settings displaying WPA2 Enterprise or WPA3 with AES encryption active
  • Authentication server logs (RADIUS or Active Directory) confirming device and user authentication events
  • Certificate inventory or PKI documentation tied to 802.1X deployments
  • Network access denial logs showing rejected non-compliant connection attempts
  • Policy documentation defining required protocols and approved cipher suites
  • Vulnerability scan or penetration test results confirming protocol enforcement

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers and monitors your network protocols, alerts you to WPA2/WPA3 and 802.1X drift, and generates audit evidence from switch and access point logs—eliminating manual protocol audits and reducing compliance reporting time by hours.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 12.1 — Network SegmentationCIS Controls 12.2 — Ensure Network Infrastructure IntegrityCIS Controls 3.3 — Address Unauthorized Software