AC-18(4): Restrict Configurations by Users

10 min readLast verified: February 2026By

To meet the ac-18(4): restrict configurations by users requirement, you must identify which users can independently configure wireless networking and explicitly authorize only those users, then enforce that restriction through role-based access, technical controls, and recurring access reviews. Treat “wireless configuration” as privileged administration and document who, why, and how access is controlled. 1

Key takeaways:

  • Maintain an explicit, approved list of users (or roles) allowed to configure wireless networking. 1
  • Enforce the restriction technically (RBAC/least privilege) and operationally (change control, access review, logging). 1
  • Keep assessor-ready evidence: authorization records, role mappings, configuration management records, and review results. 1

AC-18(4) is a narrow control enhancement with a predictable failure mode: too many people can change wireless settings, and nobody can prove who is allowed to do it. The requirement is straightforward: identify and explicitly authorize users allowed to independently configure wireless networking capabilities. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path is to translate that sentence into three operational decisions: (1) what counts as “wireless networking capabilities” in your environment (Wi‑Fi infrastructure, SSIDs, WPA/802.1X settings, guest networks, cellular hotspots, BLE, ad hoc), (2) what counts as “independently configure” (ability to make changes without peer approval or a separate privileged workflow), and (3) what “explicitly authorize” means in your governance (named individuals, roles, or groups with documented approval and periodic validation). 1

This page gives requirement-level implementation guidance you can hand to IT/network leadership, identity administrators, and internal audit, then collect evidence that stands up in an assessment against NIST SP 800-53. 2

Regulatory text

Requirement (verbatim): “Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.” 1

What the operator must do:

  • Identify all user populations that can change wireless configuration (people and service accounts). 1
  • Explicitly authorize a constrained subset (named users or clearly defined roles/groups) to perform independent wireless configuration. 1
  • Implement restrictions so anyone not explicitly authorized cannot make those changes through the normal admin interfaces, APIs, or management tooling. 1

Plain-English interpretation (what AC-18(4) is really asking)

AC-18(4) treats wireless configuration as a privileged action. You need a clean, defensible answer to:

  • “Who can change wireless settings without needing someone else to approve or execute the change?”
  • “Where is that authorization recorded?”
  • “What prevents everyone else from doing it anyway?”

Assessors commonly look for a mismatch between documented authorization (policy or access request approvals) and the actual access granted in wireless controllers, cloud Wi‑Fi consoles, MDM/UEM, or network management platforms. Your goal is alignment: the tool permissions match the explicit authorizations you can show. 1

Who it applies to (entity and operational context)

Entities:

  • Federal information systems and organizations implementing NIST SP 800-53 controls. 2
  • Contractors and other organizations operating systems that handle federal data under security requirements aligned to NIST SP 800-53. 2

Operational context (where the control shows up):

  • Enterprise wireless LAN (WLAN) infrastructure: wireless controllers, access points, management planes.
  • Cloud-managed wireless platforms.
  • Identity and access administration tied to wireless changes (SSO/IAM groups, local accounts, break-glass accounts).
  • Endpoint management features that can configure wireless profiles at scale (because profile pushes can change authentication and routing behavior).

What you actually need to do (step-by-step)

Step 1: Define the “wireless configuration” scope you will control

Create a short scope statement that lists the systems and actions that count as wireless configuration in your environment, for example:

  • Creating/modifying SSIDs, security modes, certificates, RADIUS/802.1X settings
  • Changing segmentation/VLAN assignment, firewall rules attached to SSIDs
  • Enabling/disabling radios, mesh/backhaul settings
  • Changing management access, admin accounts, API keys, or integration settings

Write it down. This becomes your control boundary for evidence and audits.

Step 2: Inventory who can currently configure wireless

Pull an export (or screenshots if exports are not possible) from each wireless management plane showing:

  • Admin users
  • Roles/permission sets
  • Group mappings (SSO groups, directory groups)
  • API/service accounts that can change configuration

Practical tip: include “legacy” paths such as local admin accounts on controllers/APs, emergency accounts, and third-party managed service access.

Step 3: Establish explicit authorization criteria and approvers

Define the authorization standard in operational language:

  • Eligible roles (e.g., Network Engineering, Security Engineering)
  • Required training/knowledge (if your org uses it)
  • Approval chain (control owner + IT owner)
  • Separation expectations (e.g., change approval required for production SSID/security changes even if admin permissions exist)

“Explicitly authorize” means you can show a record that a person (or role membership) was approved to have this capability. AC-18(4) does not prescribe the mechanism, but assessors will expect it to be consistent and retrievable. 1

Step 4: Implement access restrictions in the tools (technical enforcement)

Do not stop at policy. Make the platforms enforce the restriction:

  • RBAC: Create roles that can view vs. change vs. administer wireless configs.
  • Group-based assignment: Tie privileged roles to directory groups with controlled membership.
  • Privileged access workflows (if available): Time-bound elevation for wireless admin tasks, tied to ticket/change records.
  • Disable shared accounts: If you must keep break-glass access, restrict it, monitor it, and document it.

Minimum outcome: only explicitly authorized users have the permissions that allow independent configuration changes. 1

Step 5: Add change control and logging that proves “independent configuration” is governed

AC-18(4) focuses on who can configure, but in practice you need supporting process controls to prove safe operation:

  • Require changes through a ticketing workflow for production wireless changes.
  • Turn on audit logging in wireless management platforms and forward logs to your central logging/SIEM if you have one.
  • Define what “config change events” you review (e.g., SSID security, auth backends, admin role changes).

This reduces the risk that an authorized admin can make untracked changes, and it gives you evidence if an assessor asks how you detect and respond to unauthorized or unexpected changes.

Step 6: Run recurring access reviews and reconcile to the explicit authorization list

Set a review cadence that matches your risk and staffing reality, then document it as “recurring.” The review should:

  • Reconcile actual admin access vs. the authorized list
  • Validate need-to-have access for each person
  • Remove access promptly when roles change or employment ends
  • Capture approvals and remediation actions

Step 7: Operationalize for third parties (managed Wi‑Fi, integrators, MSPs)

If a third party can configure your wireless, they are “users” for purposes of AC-18(4). Treat them the same way:

  • Explicitly authorize the third party individuals or named roles
  • Ensure contracts/SOWs and access requests align
  • Restrict access (least privilege, time-bound if feasible)
  • Collect evidence that access was reviewed and removed when no longer needed

Required evidence and artifacts to retain

Keep artifacts that prove authorization, enforcement, and ongoing operation:

  1. Authorization records
  • Access request tickets showing approval for wireless admin rights
  • Approved role/group membership lists for wireless admin groups
  • A maintained “Authorized Wireless Configurators” register (people/roles, approver, date)
  1. Access control configuration evidence
  • Wireless platform role definitions (screenshots or exports)
  • Directory/IAM group mappings that grant wireless admin roles
  • List of current admins/service accounts with permissions
  1. Operational evidence
  • Access review records (review results, changes made, sign-off)
  • Change control samples for wireless configuration changes
  • Audit log samples showing configuration changes and admin role changes
  1. Governance mapping
  • Control narrative (owner, scope, systems, enforcement points, review procedure)
  • RACI (who approves, who implements, who reviews)

Daydream note: many teams keep these artifacts scattered across ITSM, IAM, and network tooling. Daydream can act as the system of record for the control narrative, owners, and recurring evidence requests, so you can produce the same packet every assessment cycle without rebuilding it.

Common exam/audit questions and hangups

Expect these questions from auditors and assessors:

  • “Show me the list of users who can configure wireless, and where each was explicitly authorized.” 1
  • “How do you prevent an unapproved admin from being added to the wireless console?” 1
  • “Do any shared accounts exist? Who knows the credentials? How is use approved and logged?”
  • “Do third parties have access? Where is that approved and time-bounded?”
  • “Do API keys or automation accounts have configuration rights? Who owns them?”

Hangups:

  • Teams can show “who has access,” but cannot show “who was authorized.”
  • The “wireless” scope is incomplete (guest Wi‑Fi managed by facilities, retail Wi‑Fi, lab environments, MDM wireless profiles).
  • SSO group nesting creates indirect privilege that nobody reviews.

Frequent implementation mistakes (and how to avoid them)

Mistake Why it fails AC-18(4) Fix
Policy says “only network team can change Wi‑Fi,” but tool access is broader No technical restriction; authorization not enforced Tighten RBAC and group membership; reconcile users to approvals.
Authorizing teams instead of people, with no role definition “Explicitly authorize” becomes ambiguous Define specific roles/groups; document approvers and criteria. 1
Leaving default/local admin accounts enabled Bypasses your authorization workflow Disable or vault; monitor and require ticket-based release.
Forgetting third-party access External admins can still change configs Treat third parties as users; approve, restrict, review, and offboard.
No evidence packet Control may be operating, but you cannot prove it Standardize artifacts and collection; track in Daydream for recurring readiness.

Enforcement context and risk implications

No public enforcement cases were provided in the source material for this specific enhancement, so treat enforcement context as assessment and incident risk rather than a cited penalty story.

Operational risk is concrete:

  • Unauthorized wireless configuration changes can weaken authentication, open rogue SSIDs, bypass segmentation, or expose sensitive traffic.
  • Excess admin access increases insider risk and expands the blast radius of compromised credentials.
  • Weak evidence trails turn a manageable technical issue into an audit finding because you cannot demonstrate “explicit authorization.” 1

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Name the control owner (network/security) and the compliance owner (GRC).
  • Define scope: systems, consoles, and configuration actions considered “wireless networking capabilities.”
  • Export current admin users/roles from each wireless management plane.
  • Draft the explicit authorization standard: eligible roles, approvers, and access request workflow.
  • Identify quick wins: remove obvious stale accounts; eliminate shared accounts where possible.

Days 31–60 (enforce and document)

  • Implement RBAC and directory group control for wireless admin permissions.
  • Create an “Authorized Wireless Configurators” register and link each entry to approval evidence.
  • Turn on audit logging for config changes and admin role changes; confirm logs are retained per your organization’s logging standard.
  • Align third-party access to the same workflow and document it.

Days 61–90 (operate and prove)

  • Run the first formal access review and record outcomes (adds/removals, exceptions, approvals).
  • Test the control: attempt to grant wireless admin outside the workflow and confirm it gets detected or blocked.
  • Build the assessor packet: narrative, scope, admin exports, approvals, access review, and log samples.
  • If you use Daydream, schedule recurring evidence tasks (access reviews, admin exports, third-party access attestations) so the control stays audit-ready.

Frequently Asked Questions

Does AC-18(4) require named individuals, or can I authorize a role/group?

The text requires you to “identify and explicitly authorize users.” Many organizations satisfy this by authorizing access via controlled roles/groups, then showing who is in those groups and the approvals that allowed membership. 1

What counts as “independently configure” wireless?

Treat it as the ability to change wireless configuration without a separate privileged workflow or peer approval step. If someone can log into the console and push config changes on their own, they are in scope. 1

Our managed service provider administers Wi‑Fi. Are they “users” under AC-18(4)?

Yes for practical purposes: if they can configure wireless, you must explicitly authorize that access and restrict it to approved individuals/roles. Keep evidence of approvals, scope, and offboarding. 1

Do service accounts and API keys count?

If they can change wireless configuration, include them in the inventory and authorization list, assign an accountable owner, and restrict permissions to the minimum needed. Document why the account exists and how it is reviewed. 1

What evidence is fastest to produce for an assessor?

A current admin/role export from the wireless platform, the IAM group mapping that grants admin rights, and the access requests showing explicit approval for each admin. Add the latest access review record to show ongoing operation. 1

How do we handle break-glass wireless admin access without failing the control?

Keep break-glass accounts limited, explicitly authorized, and monitored. Document who can access the credentials, under what approval, and retain logs showing when the account was used and why. 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5

Frequently Asked Questions

Does AC-18(4) require named individuals, or can I authorize a role/group?

The text requires you to “identify and explicitly authorize users.” Many organizations satisfy this by authorizing access via controlled roles/groups, then showing who is in those groups and the approvals that allowed membership. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

What counts as “independently configure” wireless?

Treat it as the ability to change wireless configuration without a separate privileged workflow or peer approval step. If someone can log into the console and push config changes on their own, they are in scope. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Our managed service provider administers Wi‑Fi. Are they “users” under AC-18(4)?

Yes for practical purposes: if they can configure wireless, you must explicitly authorize that access and restrict it to approved individuals/roles. Keep evidence of approvals, scope, and offboarding. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Do service accounts and API keys count?

If they can change wireless configuration, include them in the inventory and authorization list, assign an accountable owner, and restrict permissions to the minimum needed. Document why the account exists and how it is reviewed. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

What evidence is fastest to produce for an assessor?

A current admin/role export from the wireless platform, the IAM group mapping that grants admin rights, and the access requests showing explicit approval for each admin. Add the latest access review record to show ongoing operation. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

How do we handle break-glass wireless admin access without failing the control?

Keep break-glass accounts limited, explicitly authorized, and monitored. Document who can access the credentials, under what approval, and retain logs showing when the account was used and why. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream