AC-18(5): Antennas and Transmission Power Levels
AC-18(5) requires you to choose Wi‑Fi (and other wireless) antennas and set transmission power so signals are unlikely to be received outside spaces you control. Operationally, you need a documented RF boundary objective, standardized AP configuration (antenna type/gain and TX power), and repeatable validation (site survey or equivalent) with evidence that settings are enforced and reviewed.
Key takeaways:
- Reduce wireless signal spillover by controlling antenna selection and transmit power, not by policy statements alone.
- Make it auditable: define boundaries, baseline configs, validate with measurements, and retain artifacts.
- Assign ownership to Network Engineering with GRC oversight, and tie changes to change management and periodic revalidation.
The AC-18(5) requirement (antennas and transmission power levels) is one of those controls that fails in audits for a simple reason: teams assume “we use WPA2/WPA3” or “our SSIDs are internal” is enough. AC-18(5) is different. It is about radio physics: preventing your wireless access points from broadcasting usable signal into areas you do not control, such as public hallways, shared lobbies, adjacent tenant space, parking lots, or outdoor perimeters.
For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalizing AC-18(5) is to treat it like an engineering standard with measurable acceptance criteria and recurring validation. You are not trying to prove that no signal ever leaves the building. You are trying to prove a defensible process: you select antennas intentionally, you calibrate power intentionally, you verify performance against defined boundaries, and you keep the evidence.
This page gives you requirement-level guidance you can hand to Network Engineering, Facilities, and Security Operations, then validate through change management artifacts and periodic checks aligned to your assessment cycle.
Regulatory text
Requirement (AC-18(5)): “Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.” 1
Operator meaning: You must (1) choose antenna characteristics (type, placement, gain, directionality) and (2) set transmit power so your wireless coverage meets business needs inside controlled areas while limiting signal propagation beyond your controlled perimeter. Document the decision, enforce it through configuration standards, and validate it through measurement or another defensible method. 2
Plain-English interpretation (what auditors expect you to mean)
AC-18(5) is a “reduce likelihood” control. You pass it by demonstrating:
- You have defined what “organization-controlled boundaries” are for each site (or site type).
- You have a standard approach to antenna selection and AP power settings that targets those boundaries.
- You verify the result (before go-live and after material changes).
- You can show evidence that settings are controlled and not left to ad hoc installer defaults.
Auditors and assessors typically look for a closed loop: design standard → implementation → validation → ongoing change control.
Who it applies to (entity + operational context)
Entities
- Federal information systems and contractors handling federal data where NIST SP 800-53 is in scope 2.
Operational contexts
- Corporate offices, data centers, call centers, warehouses, retail sites, labs, and any facility where you operate wireless infrastructure.
- Multi-tenant buildings and shared campuses where “outside organization-controlled boundaries” can include adjacent suites, common areas, loading docks, and public spaces.
- High-risk wireless use cases: guest networks, IoT/OT wireless, temporary event networks, and wireless bridges.
Systems/technology
- Wi‑Fi access points (controller-based or cloud-managed), mesh nodes, point-to-point radios, and any wireless infrastructure you manage.
- Unmanaged access points (bring-your-own or rogue APs) are relevant because their transmit power and antenna behavior are outside your control; address them through rogue detection and response, even though AC-18(5) itself focuses on the access points you manage.
What you actually need to do (step-by-step)
Use this as an implementation runbook. Keep each step tied to an artifact so you can prove operation.
1) Define “organization-controlled boundaries” per site
Create a boundary definition that Network Engineering can implement against. Examples:
- “Inside the leased suite; not receivable in common hallway.”
- “Inside fenced perimeter; not receivable beyond fence line.”
- “Inside secure lab rooms; minimized leakage into adjacent offices.”
Deliverable: Boundary map or written boundary statement per site (can be a floorplan annotated with boundary lines).
2) Establish an RF design standard (antenna + power)
Create a standard that answers, at minimum:
- Approved antenna types (integrated, external omni, patch, directional) and when each is allowed.
- Rules for antenna gain selection and mounting placement to avoid overshooting boundaries.
- Default transmit power ranges and when to deviate.
- Minimum (mandatory) data rate guidance where it affects effective cell size, and band steering where it moves clients off the farther-reaching 2.4 GHz band (document the intent; keep it tied to spillover risk).
- Prohibited configurations (for example, high-gain directional antennas pointing toward uncontrolled space unless justified).
Deliverable: “Wireless RF Standard” (or add a section to your Wireless Security Standard) with configuration baselines.
3) Build enforceable configuration baselines in your Wi‑Fi platform
Translate the standard into templates/profiles in your controller or cloud console:
- AP group profiles by site type (office, warehouse, lab).
- SSID profiles separated by risk level (corp, guest, IoT).
- Transmit power settings per radio (2.4/5/6 GHz if applicable), including an explicit maximum cap where the platform uses automatic power control so that “auto” cannot exceed the standard, with clear variance handling.
- Lock down who can change RF profiles and power settings (role-based access control, change approvals).
Deliverables: Exported config templates, screenshots, or configuration-as-code snippets showing baseline settings and admin roles.
4) Validate with a pre-deployment and post-change check
Pick a validation method you can repeat:
- RF site survey reports (predictive and/or active).
- Walk test readings at boundary points (defined test locations).
- Controller telemetry plus boundary checks (acceptable if you show how it demonstrates boundary objectives).
What matters is that you can show you checked likely egress points: exterior walls, shared hallways, stairwells, parking edges, and loading docks.
Deliverables: Survey report, boundary walk-test worksheet, and remediation notes for any adjustments made.
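The calibration and validation described in steps 2 through 4, as an added example in Python that is not from the original page or from NIST. It solves a free-space link budget for the highest transmit power that keeps the predicted boundary RSSI at or below an acceptance limit, flags the case where lowering power alone cannot meet the boundary objective (the antenna or placement has to change), evaluates constructed walk-test readings against the same limit, and checks exported AP records for drift from a site-type baseline. The -80 dBm limit, the 2 to 20 dBm settable power range, the obstruction losses, the free-space path loss model, the baseline values, the AP records and the walk-test readings are all assumptions made for illustration; the function and key names are this example's own.

```python
"""
Added example (not from the original page): a self-contained model of the
AC-18(5) loop in steps 2-4. Every number here is an assumption chosen for
illustration, not a vendor or NIST figure.
"""
import math

# Assumed acceptance criterion from a hypothetical Wireless RF Standard: a
# reading at or below this level at a boundary test point is treated as
# "unlikely to be usably received". Pick and document your own value.
BOUNDARY_RSSI_LIMIT_DBM = -80.0

# Assumed settable transmit-power range of the AP platform, in dBm.
MIN_TX_DBM, MAX_TX_DBM = 2, 20


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss: 20*log10(d[m]) + 20*log10(f[MHz]) - 27.55.
    Indoors this is optimistic (walls, floors, furniture add loss), so the
    prediction is a design aid; the walk test below is the evidence."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def predicted_rssi_dbm(tx_dbm, ant_gain_dbi, distance_m, freq_mhz, obstruction_db):
    """Link budget at the boundary, assuming a 0 dBi client antenna."""
    return tx_dbm + ant_gain_dbi - fspl_db(distance_m, freq_mhz) - obstruction_db


def max_tx_power_dbm(ant_gain_dbi, distance_m, freq_mhz, obstruction_db,
                     limit_dbm=BOUNDARY_RSSI_LIMIT_DBM) -> int:
    """Largest whole-dBm transmit power that keeps the predicted boundary RSSI
    at or below the limit: solve the link budget for tx and round down."""
    exact = limit_dbm - ant_gain_dbi + fspl_db(distance_m, freq_mhz) + obstruction_db
    return math.floor(exact)


def plan_power(ant_gain_dbi, distance_m, freq_mhz, obstruction_db):
    """Turn the calculation into a decision the RF standard can record. If the
    required power is below what the platform can set, power reduction alone
    cannot meet the boundary objective: change antenna gain or placement."""
    needed = max_tx_power_dbm(ant_gain_dbi, distance_m, freq_mhz, obstruction_db)
    if needed < MIN_TX_DBM:
        return {"tx_dbm": None, "achievable": False,
                "action": "reduce antenna gain, use a directional antenna, or move the AP"}
    return {"tx_dbm": min(needed, MAX_TX_DBM), "achievable": True, "action": "set power cap"}


def evaluate_walk_test(readings, limit_dbm=BOUNDARY_RSSI_LIMIT_DBM):
    """Return the boundary test points whose measured RSSI exceeds the limit.
    readings: iterable of (point_id, rssi_dbm)."""
    return [point for point, rssi in readings if rssi > limit_dbm]


def check_ap_against_baseline(ap, baseline):
    """Drift check for step 3 evidence: compare an exported AP record with the
    site-type baseline and return findings (an empty list means compliant)."""
    findings = []
    for band, cfg in ap["radios"].items():
        cap = baseline["max_tx_dbm"][band]
        if cfg["tx_dbm"] > cap:
            findings.append(f"{ap['name']} {band}: tx {cfg['tx_dbm']} dBm exceeds cap {cap} dBm")
    if ap["antenna"] not in baseline["allowed_antennas"]:
        findings.append(f"{ap['name']}: antenna '{ap['antenna']}' not in approved list")
    if (ap["antenna"] == "directional" and ap.get("faces_uncontrolled_space")
            and not ap.get("exception_id")):
        findings.append(f"{ap['name']}: directional antenna toward uncontrolled space without exception")
    return findings


# Constructed sample data (not from any real site or controller export).
OFFICE_BASELINE = {"max_tx_dbm": {"2.4GHz": 8, "5GHz": 14},
                   "allowed_antennas": {"integrated", "patch", "directional"}}
SAMPLE_APS = [
    {"name": "ap-01", "antenna": "integrated", "faces_uncontrolled_space": False,
     "radios": {"2.4GHz": {"tx_dbm": 8}, "5GHz": {"tx_dbm": 14}}},
    {"name": "ap-02", "antenna": "directional", "faces_uncontrolled_space": True,
     "radios": {"2.4GHz": {"tx_dbm": 8}, "5GHz": {"tx_dbm": 20}}},  # raised by an installer
]
SAMPLE_WALK_TEST = [("hallway-north-door", -84.0), ("loading-dock", -71.0),
                    ("stairwell-2", -79.5), ("parking-edge", -88.0)]

if __name__ == "__main__":
    # Assumed: 30 m to the suite wall, 5180 MHz, 4 dBi antenna, 25 dB wall loss.
    print(plan_power(4, 30, 5180, 25))            # tx_dbm 17, achievable True
    print(evaluate_walk_test(SAMPLE_WALK_TEST))    # ['loading-dock', 'stairwell-2']
    for ap in SAMPLE_APS:
        for finding in check_ap_against_baseline(ap, OFFICE_BASELINE):
            print("FINDING:", finding)
```

Two design points worth keeping when you adapt this: the link budget only tells you where to start, because free-space loss understates real indoor attenuation and overstates it through open doorways and windows, so the walk-test readings at the defined egress points are what go in the evidence folder; and the drift check is what answers the auditor's question about installers raising power to “fix” coverage, because it turns the RF standard into something you can run against every configuration export rather than a document you hope was followed.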
5) Integrate into change management
Hard requirement for audit readiness: prove the control is sustained, not just implemented once.
- Require AC-18(5) review on: new AP installs, AP relocations, antenna swaps, renovations, controller firmware changes that affect RF, and coverage expansions.
- Define approval gates: Network Engineering proposes; Security/GRC reviews exceptions; Facilities confirms boundaries if construction changed.
Deliverables: Change tickets with RF impact assessment fields, approval logs, and back-out plans.
6) Define exceptions and compensating controls
Some environments need coverage beyond boundaries (outdoor Wi‑Fi, campus networks). Handle this by documenting:
- Business justification.
- Additional safeguards (strong authentication, segmentation, monitoring, rogue AP detection).
- A time-bound exception review cadence.
Deliverables: Exception register entries, approvals, and periodic review evidence.
7) Make ownership explicit and evidence recurring
Assign:
- Control owner: Head of Network Engineering (or equivalent).
- Control oversight: GRC lead / Information Security.
- Operators: Wireless engineers, managed service provider if applicable.
Daydream can help you map AC-18(5) to a control owner, a written procedure, and a recurring evidence set so audits do not degrade into screenshot scavenger hunts.
Required evidence and artifacts to retain
Keep evidence in a single control folder (by site, if needed). Minimum set:
- Wireless RF Standard covering antenna selection and TX power calibration.
- Boundary definitions (annotated floorplans or written boundary statements).
- Baseline configurations (templates/profiles) showing transmit power settings and antenna assumptions.
- Validation artifacts: site survey reports or boundary test results, including remediation actions taken.
- Change management records: tickets for AP additions/changes that show review and approval.
- Exception register for sites where spillover is accepted, with approvals and compensating controls.
- Access control evidence: who can modify RF settings (role list, admin groups).
Common exam/audit questions and hangups
Expect these questions, and pre-answer them in your evidence:
- “How do you define organization-controlled boundaries for each location?”
- “Show me how you set or limit transmit power. Is it standardized or per engineer preference?”
- “What antenna types are deployed, and how do you ensure high-gain antennas are justified?”
- “How do you validate that signals are unlikely to be received outside controlled space?”
- “What triggers revalidation: remodels, AP moves, density changes, new neighboring tenants?”
- “How do you prevent a local admin or third party installer from increasing power to ‘fix’ coverage?”
Hangup to avoid: treating this as a one-time project. Assessors look for ongoing governance through change control.
Frequent implementation mistakes (and how to avoid them)
- No boundary definition. Fix: require a boundary statement per site before rollout; attach it to the site’s Wi‑Fi design packet.
- Relying on encryption as the “control”. Fix: keep security controls (auth, encryption) separate; AC-18(5) is about RF exposure reduction, per the control text. 1
- Ad hoc transmit power changes to solve coverage tickets. Fix: route power changes through a standard RF profile and change management; document the boundary impact check.
- No evidence of calibration. Fix: retain the “before/after” survey or boundary test record showing the adjustment and the result.
- Ignoring third party installers. Fix: bake RF standards into third party statements of work, require as-built documentation, and verify settings post-install.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so you should frame risk in assessment terms, not penalty terms.
Risk to communicate internally:
- Confidentiality exposure: signal spillover lets an attacker capture traffic and attempt association from outside your physical access controls, increasing the attack surface for interception and unauthorized association attempts.
- Physical adjacency risk: shared buildings and public perimeters reduce the “effort” required for a nearby attacker.
- Audit exposure: the most common failure mode is missing or inconsistent evidence that antenna selection and transmit power are intentionally controlled.
Practical 30/60/90-day execution plan
Use these phases as a delivery plan. Adjust scope based on how many sites you operate.
First 30 days (Immediate)
- Assign control owner and approvers (Network + GRC).
- Inventory managed wireless infrastructure (AP models, antenna types, controller/cloud platform).
- Define boundary templates by site type; pilot on one representative site.
- Draft the Wireless RF Standard section for antenna selection and TX power calibration.
- Configure role restrictions for who can change RF power settings.
Days 31–60 (Near-term)
- Convert standards into enforceable RF profiles/templates in the Wi‑Fi platform.
- Perform validation on priority locations: HQ, data center, high-traffic sites, multi-tenant offices.
- Create the change management RF impact checklist and embed it in ticket workflows.
- Stand up the exception register and route known outliers through it.
Days 61–90 (Operationalize)
- Expand validation across remaining sites on a risk basis.
- Train service desk and field techs: “no TX power changes without RF review.”
- Add periodic revalidation triggers (renovations, AP moves, density increases, neighboring tenant changes).
- Put evidence collection on a recurring calendar so AC-18(5) stays audit-ready.
Frequently Asked Questions
Do we have to prove zero Wi‑Fi signal outside our building?
No. AC-18(5) calls for reducing the probability of receivable signals outside boundaries, not eliminating RF propagation. Your goal is a documented boundary objective plus evidence of antenna selection and power calibration aligned to that objective. 1
What counts as “organization-controlled boundaries” in a multi-tenant building?
Treat boundaries as the spaces you lease or otherwise control, plus any secured areas you manage (for example, badge-controlled labs). Document them on a floorplan and use that as the acceptance reference for surveys and boundary walk tests.
Is a predictive site survey enough, or do we need an active survey?
Either can work if it is defensible and repeatable. The key is showing that you checked likely egress points and adjusted antennas/power based on results, consistent with the requirement’s intent. 2
How do we handle outdoor Wi‑Fi or campus coverage where spillover is unavoidable?
Use an exception with business justification, then add compensating controls (segmentation, strong authentication, monitoring, and tight admin change control). Keep the exception time-bound and reviewed, and retain the approval trail.
Who should own AC-18(5): Security or Network Engineering?
Network Engineering should own implementation because it is configuration and RF design work. Security/GRC should own oversight: standards approval, exception governance, and evidence checks before audits.
What evidence is easiest to produce for auditors?
A small package per site: boundary definition, current RF profile export (showing TX power settings), and a recent survey or boundary walk test with any remediation notes. Pair it with change tickets that show you control modifications over time.
Footnotes
1. NIST SP 800-53 Rev. 5, control AC-18(5), Antennas and Transmission Power Levels (OSCAL JSON catalog).
2. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.