NIST 800-171 Control 3.1.17: Wireless Access Protection
Wireless networks are a critical attack surface for SMBs. Control 3.1.17 requires authentication and encryption to prevent unauthorized access to your systems and sensitive data. Without proper wireless controls, attackers can bypass your perimeter defenses entirely.
What this means
This control mandates that all wireless access points use strong authentication mechanisms (such as WPA2/WPA3 with pre-shared keys or 802.1X) and encryption protocols to protect data in transit. This includes securing administrative access to wireless infrastructure and preventing rogue access points from connecting to your network.
How to comply
- 1.Deploy WPA2 or WPA3 encryption on all wireless networks; disable WEP and WPA1
- 2.Implement strong pre-shared keys (PSKs) or 802.1X enterprise authentication
- 3.Segment wireless networks from sensitive systems using VLANs or network isolation
- 4.Disable broadcast of SSID and implement MAC address filtering where feasible
- 5.Conduct regular wireless network scans to detect rogue access points
- 6.Document all wireless access points, configurations, and authorized users
- 7.Apply firmware updates and security patches to wireless infrastructure
- 8.Monitor wireless traffic and access logs for unauthorized connection attempts
Evidence auditors look for
- Wireless network configuration documentation showing WPA2/WPA3 encryption enabled
- Access control lists defining authorized wireless devices and users
- Change logs from wireless access point administration dashboards
- Network topology diagrams showing wireless segmentation and VLAN configuration
- Wireless security audit reports identifying encryption standards in use
- Authentication logs showing successful and failed wireless connection attempts
- Firmware version records for all wireless infrastructure devices
- Rogue access point detection scan results with timestamps
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates wireless access point discovery, continuous encryption validation, and rogue AP detection—giving you real-time evidence for 3.1.17 compliance without manual network audits.
See how GRCWatch handles this control automatically
Start free trial