CMMC Level 2 Practice 3.1.17: Protect wireless access using authentication and encryption

9 min readLast verified: February 2026By

CMMC Level 2 Practice 3.1.17 requires you to secure every wireless path that can reach CUI systems by enforcing strong authentication and strong encryption, then proving it with configuration evidence. Operationally, that means approved wireless standards, hardened WLAN configs, controlled key management, and a repeatable evidence package for assessments. 1

Key takeaways:

  • Treat wireless as a controlled access method: restrict who can connect and how they authenticate. 1
  • Encrypt wireless traffic with modern, validated configurations and disable legacy/insecure protocols. 1
  • Keep assessor-ready evidence: diagrams, configs, logs, and a written standard mapped to 3.1.17. 2

Wireless is one of the fastest ways for an attacker, a curious employee, or a poorly configured device to bypass perimeter assumptions and touch systems that process Controlled Unclassified Information (CUI). CMMC Level 2 Practice 3.1.17 focuses on a narrow, testable expectation: if you allow wireless access that could reach CUI environments (directly or indirectly), you must protect that access with authentication and encryption, and you must be able to show it consistently during assessment. 1

For many defense contractors, the real work is less about buying new gear and more about making wireless “boring”: limited coverage, known SSIDs, modern security modes, documented exceptions, and continuous confirmation that configs have not drifted. Assessors will usually look for two things: (1) is wireless technically protected, and (2) can your team explain and prove how it stays protected over time. 2

This page is requirement-level implementation guidance for a Compliance Officer, CCO, or GRC lead. It is written to help you translate 3.1.17 into concrete control statements, engineering tasks, and an evidence package you can hand to an assessor.

Regulatory text

Requirement (framework-mapped): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.1.17 (Protect wireless access using authentication and encryption).” 1

What the operator must do:
You must ensure that any wireless access mechanism that connects to your information system environment is protected by (a) authentication (only approved identities/devices can join) and (b) encryption (wireless traffic is cryptographically protected). Your implementation needs to be consistent and testable, and you should be prepared to demonstrate it under the CMMC program expectations. 1 2 3

Plain-English interpretation (what 3.1.17 really asks)

If a device can join your network over Wi‑Fi (or any wireless path you manage) and that connection could reach systems that store, process, or transmit CUI, the wireless connection must:

  1. require strong authentication before the device joins, and
  2. encrypt the wireless traffic so it cannot be read or trivially altered in transit.

This is not satisfied by “we have Wi‑Fi passwords” in the casual sense. Assessors expect documented standards (what is allowed), enforced configurations (what is actually set), and evidence that the control operates (proof you monitor and keep it set). 2

Who it applies to (entity and operational context)

Applies to:

  • Defense contractors and subcontractors pursuing CMMC Level 2 certification where CUI is in scope. 3 2
  • Any environment boundary that can reach CUI assets: corporate WLANs that route to CUI enclaves, plant/OT Wi‑Fi that bridges to engineering networks, guest networks misconfigured to access internal segments, and “temporary” APs used for projects. 1

Wireless scenarios that typically fall in scope:

  • Internal Wi‑Fi used by employees to access CUI systems.
  • Wi‑Fi used by admins for management tasks that touch CUI assets.
  • Wireless bridges/mesh links between buildings where CUI traffic could traverse.
  • Third-party-managed wireless (e.g., MSP-managed WLAN) where you still need assurance and evidence.

What you actually need to do (step-by-step)

Step 1: Define the wireless scope tied to CUI

  1. Inventory all wireless technologies you operate: Wi‑Fi SSIDs, controllers, APs, bridges, and any wireless used in warehouses or labs.
  2. Map each to network segments and identify whether any route exists to CUI assets (even through jump hosts or shared services like DNS/AD).
  3. Document the boundary decision: “Wireless permitted in the CUI enclave” or “Wireless prohibited; enclave is wired-only,” plus how you enforce it. 1

Deliverable: a short Wireless Scope & Boundary Statement referenced in your SSP for CMMC readiness. 2

Step 2: Publish a wireless security standard (the rules of the road)

Create a Wireless Security Standard that states, at minimum:

  • Approved authentication methods (for example, enterprise authentication with unique user/device credentials; avoid shared keys where feasible).
  • Approved encryption modes and minimum configurations.
  • Prohibited protocols and configurations (legacy security modes, open networks for anything but isolated guest use, insecure management interfaces).
  • Requirements for segmentation: corporate/guest/IoT separated, and CUI-relevant traffic controlled.
  • Requirements for logging and monitoring of wireless authentication events.
  • Exception process with risk acceptance and compensating controls. 1

This document is what a CCO/GRC lead can own, while IT/security owns implementation.

Step 3: Enforce strong authentication on every in-scope SSID

Implementation checklist:

  • Require unique identities (user-based or device-based) for internal SSIDs that can reach CUI.
  • Integrate with a central identity system where possible, and ensure termination processes remove access.
  • For device authentication, control onboarding (certificate-based or equivalent) and maintain an allowlist approach for managed endpoints.
  • Disable anonymous or auto-join behaviors for managed clients where practicable. 1

Assessor angle: they will ask whether you can trace a wireless session to an identity and show that a terminated user/device can no longer join.

Step 4: Enforce strong encryption for wireless traffic

Implementation checklist:

  • Configure WLAN security to enforce strong encryption consistently across APs/controllers.
  • Disable legacy/insecure cipher suites and deprecated security modes across the board.
  • Protect management traffic to controllers/APs (admin interfaces) and keep it off guest networks.
  • If you use site-to-site wireless bridges, ensure the link encryption is enabled and keys are managed under controlled processes. 1

Practical control test: attempt to connect using a disallowed security mode; confirm it fails. Capture evidence.

Step 5: Segment and contain wireless so “guest” stays guest

Minimum operational pattern that assessors understand:

  • Guest Wi‑Fi: internet-only, isolated, no routing to internal networks.
  • Corporate Wi‑Fi: authenticated/encrypted, routed only to required enterprise services.
  • CUI enclave access: either prohibited on Wi‑Fi, or limited to a dedicated SSID/VLAN with strict access controls and monitoring. 1

If you allow Wi‑Fi into the enclave, be prepared to justify why, show strict controls, and show monitoring evidence.

Step 6: Continuous configuration assurance (drift kills assessments)

Add operational checks:

  • Centralize configuration management in the WLAN controller and restrict who can change it.
  • Review wireless security settings on a recurring basis and after changes.
  • Monitor authentication failures, rogue AP detection (if available), and newly seen devices. 1

Where Daydream fits naturally: map 3.1.17 to a documented control, assign owners, set evidence reminders, and store configuration exports/screenshots and review logs in one place so you do not rebuild the story before each assessment. 2

Required evidence and artifacts to retain

Keep evidence that proves design, implementation, and operation:

Design (what you intended)

  • Wireless Security Standard (approved, versioned)
  • Network diagrams showing SSIDs/VLANs and separation from CUI segments
  • SSP entries describing wireless boundary decisions and control mapping 2

Implementation (what is configured)

  • WLAN controller/AP configuration exports showing authentication and encryption settings
  • Screenshots of SSID security settings and disabled legacy modes
  • RADIUS/IdP configuration snippets (redact secrets)

Operation (proof it stays that way)

  • Change tickets/approvals for WLAN changes
  • Logs showing wireless authentication events and administrative access
  • Evidence of periodic review (attestations, checklists, or monitoring alerts)

Common exam/audit questions and hangups

Expect questions like:

  • “Show me all SSIDs and which are in scope for CUI access.” 2
  • “How do you know no legacy wireless security is enabled anywhere?” 1
  • “What prevents a guest user from reaching internal/CUI networks?” 1
  • “Who can change wireless configs, and how is that approved and logged?” 1
  • “How do you remove wireless access when an employee leaves or a device is lost?” 1

Hangups that slow teams down:

  • Multiple sites with “snowflake” configs and no central controller exports.
  • MSP-managed wireless where the contractor cannot produce evidence on demand.
  • “Temporary” SSIDs created for testing that never got removed.

Frequent implementation mistakes (and how to avoid them)

  1. Relying on shared passwords for privileged/internal access.
    Fix: move internal SSIDs toward identity-based authentication and document the transition plan if you cannot do it immediately. 1

  2. Allowing guest Wi‑Fi to touch internal DNS, AD, or management networks.
    Fix: enforce internet-only routing and isolate guest clients at the WLAN and firewall layers. 1

  3. Config drift across APs.
    Fix: manage via controller/templates; collect periodic config exports as evidence.

  4. No proof.
    Fix: build an evidence cadence: config export, log sample, and review signoff stored with the control record for 3.1.17. “We do it” without artifacts fails fast in CMMC conversations. 2

Enforcement context and risk implications

CMMC is a DoD program with certification expectations tied to contractual eligibility, and CMMC requirements are implemented through the CMMC Program rule structure. 3 Practice 3.1.17 is a common assessment focal point because wireless misconfigurations create an easy access path into environments that may otherwise be well controlled. 1

Risk outcomes if you miss 3.1.17:

  • Unauthorized access via weak or shared wireless credentials.
  • Interception of sensitive traffic over poorly encrypted wireless.
  • Assessment failure due to inability to demonstrate consistent implementation and operation. 2

Practical 30/60/90-day execution plan

First 30 days (stabilize and scope)

  • Complete wireless inventory across sites (SSIDs, controllers, APs, bridges).
  • Decide and document where wireless can reach CUI (allowed vs prohibited) and update network diagrams.
  • Freeze ad-hoc SSID creation; require change approval.
  • Start evidence capture: current configs, screenshots, and log samples. 2

Days 31–60 (implement and standardize)

  • Publish the Wireless Security Standard and get it approved.
  • Standardize authentication and encryption settings per SSID type (corp/guest/IoT/CUI).
  • Segment guest and non-corporate devices; verify routing boundaries.
  • Restrict administrative access to WLAN management interfaces; verify logging.

Days 61–90 (operationalize and prove)

  • Build recurring review checks (config export review, log review, rogue AP/device review where available).
  • Test control effectiveness: attempt unauthorized joins, attempt to connect with prohibited security settings, confirm failures, and retain results.
  • Package assessor-ready evidence mapped to 3.1.17 inside your GRC system (Daydream or equivalent): control narrative, owner, configs, logs, tickets, and review attestations. 2

Frequently Asked Questions

Does 3.1.17 mean we must allow Wi‑Fi in the CUI enclave?

No. You can prohibit wireless access to the enclave and enforce that boundary, but you still must secure any wireless that could otherwise reach CUI systems. Document the decision and how you enforce it. 1

Are guest networks in scope for 3.1.17?

If guest wireless is truly isolated and cannot reach CUI systems or supporting services, your main obligation is to prove that isolation. If it can route internally, it becomes part of the wireless access path you must protect. 1

What evidence is most persuasive to an assessor?

Controller configuration exports that show authentication and encryption settings, plus diagrams and a written standard mapping to 3.1.17. Add operational proof: change records and log samples. 2

We outsource IT. Who owns the evidence for wireless controls?

You do. A third party can operate the WLAN, but your organization must be able to produce configurations, logs, and change approvals on request and show they meet 3.1.17. 2

Is a single shared Wi‑Fi password ever acceptable?

Shared credentials make it hard to prove individual accountability and timely removal of access. If you cannot move off shared keys immediately, document the exception, add compensating controls, and set a transition plan you can defend in assessment. 1

How do we handle wireless IoT devices (printers, scanners, lab gear) near CUI?

Put them on a dedicated SSID/VLAN with strong authentication where supported, restrict routing tightly, and document which systems they can reach. Treat “can’t do modern auth” as an exception that requires compensating controls and evidence. 1

Footnotes

  1. NIST SP 800-171 Rev. 2

  2. DoD CMMC Program Guidance

  3. 32 CFR Part 170

Frequently Asked Questions

Does 3.1.17 mean we must allow Wi‑Fi in the CUI enclave?

No. You can prohibit wireless access to the enclave and enforce that boundary, but you still must secure any wireless that could otherwise reach CUI systems. Document the decision and how you enforce it. (Source: NIST SP 800-171 Rev. 2)

Are guest networks in scope for 3.1.17?

If guest wireless is truly isolated and cannot reach CUI systems or supporting services, your main obligation is to prove that isolation. If it can route internally, it becomes part of the wireless access path you must protect. (Source: NIST SP 800-171 Rev. 2)

What evidence is most persuasive to an assessor?

Controller configuration exports that show authentication and encryption settings, plus diagrams and a written standard mapping to 3.1.17. Add operational proof: change records and log samples. (Source: DoD CMMC Program Guidance)

We outsource IT. Who owns the evidence for wireless controls?

You do. A third party can operate the WLAN, but your organization must be able to produce configurations, logs, and change approvals on request and show they meet 3.1.17. (Source: DoD CMMC Program Guidance)

Is a single shared Wi‑Fi password ever acceptable?

Shared credentials make it hard to prove individual accountability and timely removal of access. If you cannot move off shared keys immediately, document the exception, add compensating controls, and set a transition plan you can defend in assessment. (Source: NIST SP 800-171 Rev. 2)

How do we handle wireless IoT devices (printers, scanners, lab gear) near CUI?

Put them on a dedicated SSID/VLAN with strong authentication where supported, restrict routing tightly, and document which systems they can reach. Treat “can’t do modern auth” as an exception that requires compensating controls and evidence. (Source: NIST SP 800-171 Rev. 2)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream