AC.L2-3.1.16: Wireless Access Authorization

Authorize wireless access prior to allowing connections, and explain how you control who gets on your network.

Wireless is a control boundary issue. If you’re not thinking about who gets on your wireless network and how you prevent unauthorized devices from joining, you have a problem. This practice is about the authorization process. AC.L2-3.1.17 covers the technical protection once they’re authorized.

Family: Access Control
Practice: AC.L2-3.1.16
Difficulty: Moderate
Key evidence: Approved device list + authorization process

What the assessor is actually evaluating

The NIST language says you must “authorize wireless access prior to allowing such connections.” The assessor is checking three things:

Do you have a defined authorization process? Not just wireless security. Do you have a documented process that says “a device must be approved before it can connect”? Who approves it? What information do you need to grant approval?

Can you show which devices are authorized? Pull up your approved wireless device list. It should include device type, MAC address if possible, owner, and approval date. If you can’t produce that list quickly, you’re going to get pushed on how you know what’s authorized.

Is authorization actually enforced? The assessor wants to see that unauthorized devices can’t just connect to your wireless network. This is the technical piece that overlaps with AC.L2-3.1.17.

What a realistic SSP definition looks like

Example SSP Language: AC.L2-3.1.16

[Organization Name] maintains a Wireless Device Authorization Policy requiring all wireless devices to be approved prior to connecting to corporate wireless networks. Wireless access for staff devices is requested by the employee, reviewed by the IT Director, and approved based on business justification and device security posture. Personally owned mobile devices intended to connect to wireless (but not CUI systems) are approved through a simplified BYOD process.

Approved devices are maintained in a wireless device registry including device MAC address, device type, owner, and approval date. This registry is reviewed quarterly and compared against active device registrations in the wireless controller. Devices without valid business justification or that have not connected within 90 days are flagged for removal.

Unauthorized devices are prevented from connecting through MAC address filtering and SSID separation. Devices attempting to connect without pre-authorization are blocked at the wireless access point level.

Notice the specifics here. The SSP names who approves (IT Director), defines the registry (what data is tracked), specifies the review frequency (quarterly), and describes the enforcement mechanism (MAC filtering, SSID separation).

How to present your evidence

Evidence checklist
  • Wireless Device Authorization Policy (documented process)
  • Approved wireless device registry with MAC addresses and approval dates
  • Wireless access point configuration showing authorization enforcement
  • Evidence of quarterly device registration reviews
  • SSID configuration showing separation of authorized vs. guest networks

A wireless device registry. This is your strongest evidence. It lists every device that’s supposed to connect to your wireless network, with its MAC address, device type, owner, and approval date. If you’re managing this in a spreadsheet, that’s fine. If you’re pulling it from your wireless controller, that’s better.

Your wireless access point configuration. Log in and show MAC filtering rules, SSID restrictions, and any 802.1X settings if you’re using certificate-based authorization. The assessor wants to see that the device registry actually prevents unauthorized connections.

Authorization process documentation. Your policy that explains how devices get approved. The request workflow doesn’t have to be elaborate. It can be as simple as “manager approves, IT adds to registry, device connects.”

Evidence of reviews. Dated records showing you’ve reviewed the approved device list against current registrations. Quarterly is good. More frequently is fine.
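The quarterly review described above (registry versus what the controller has actually seen, with a 90-day inactivity flag) is easy to produce as a dated record. This is an added example, not part of the original page or any vendor tool; the CSV column names, MAC formats and sample rows are constructed assumptions.

```python
"""Quarterly wireless registry reconciliation (added example).

Compares the approved-device registry against a controller export of
last-seen dates and produces the two lists a reviewer signs off on:
registered devices idle for 90+ days, and connected devices nobody approved.
Column names and sample data are assumptions, not any real controller's format.
"""
import csv
import io
from datetime import date, timedelta

# Constructed registry export: what IT approved (lowercase colon-separated MACs).
REGISTRY_CSV = """mac,device_type,owner,approved_on
aa:bb:cc:00:00:01,laptop,J. Smith,2025-01-10
aa:bb:cc:00:00:02,phone,A. Lee,2025-02-03
aa:bb:cc:00:00:03,tablet,R. Kim,2024-11-20
"""

# Constructed controller export: last association per MAC. Note the
# uppercase MACs; controllers and spreadsheets rarely agree on formatting.
CONTROLLER_CSV = """mac,last_seen
AA:BB:CC:00:00:01,2025-04-01
AA-BB-CC-00-00-02,2024-12-15
aa:bb:cc:00:00:09,2025-03-30
"""


def norm_mac(mac: str) -> str:
    """Normalise MAC spelling so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(registry_csv: str, controller_csv: str, today: date,
              stale_days: int = 90) -> dict:
    """Return the review record: stale registered MACs and unregistered MACs."""
    registry = {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(registry_csv))}
    seen = {norm_mac(r["mac"]): date.fromisoformat(r["last_seen"])
            for r in csv.DictReader(io.StringIO(controller_csv))}
    cutoff = today - timedelta(days=stale_days)
    # Flag for removal: approved but never seen, or not seen since the cutoff.
    stale = sorted(m for m in registry if m not in seen or seen[m] < cutoff)
    # Flag for investigation: connected but never approved (registry gap).
    unregistered = sorted(m for m in seen if m not in registry)
    return {"reviewed_on": today.isoformat(), "stale": stale, "unregistered": unregistered}


if __name__ == "__main__":
    print(reconcile(REGISTRY_CSV, CONTROLLER_CSV, date.today()))
```

Run it on the quarter's exports and keep the printed record with the review date as the dated evidence the assessor asks for.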

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "Walk me through what happens when someone wants to connect a device to your wireless network."
"They submit a request with their device MAC address. [Pull up the request form] IT Director approves it. [Pull up the device registry] It goes into here. Then the wireless controller is updated to allow that MAC address."
Assessor: "How do you know the devices in your registry are still active?"
"We review quarterly. [Pull up last quarter's review] We compare the registry against what's actually connected in the access point logs. Anything that hasn't connected in 90 days gets flagged."
Assessor: "What happens if someone tries to connect a device that's not on the list?"
"[Pull up the wireless controller MAC filter rules] They're blocked at the AP. We also have a separate guest SSID for devices that shouldn't access corporate systems."
Assessor: "Do you allow personal devices to connect?"
"Yes, but only to the guest SSID. If someone wants to connect a personal device to corporate systems, they have to request approval just like a company device. [Pull up the device registry] You can see we have a few approved personal devices here with approval dates."

Common failures

What gets flagged

"We have a wireless network but no authorization process." If there's no documented decision about which devices are allowed, the assessor will flag it. Having WPA2 encryption doesn't count as authorization.

No evidence of approved devices. You have a policy that says devices must be approved, but you can't produce a list of what's actually approved. This is a direct finding.

Wireless controller shows devices that aren't in your registry. If the assessor pulls up your MAC filter or connected devices list and sees things that don't match your approved list, it raises questions about your authorization process.

No separation between authorized and guest networks. Small contractors sometimes have everything on one SSID with shared passwords. That doesn’t meet this requirement. Separate SSIDs for authorized corporate devices and guest access are the baseline.

What makes assessors move on satisfied

A clear registry of approved devices with recent approval dates. Documented authorization process. Wireless controller configuration that enforces the registry. Evidence of regular reviews. When all of that is in place, the assessor checks the box.

If you use an MSP/MSSP

If your MSP manages your wireless infrastructure, the authorization decision needs to be clearly yours. The MSP shouldn’t be unilaterally adding devices to the approved list.

The split usually looks like:

What’s typically on you:

  • Deciding whether a device should be authorized
  • Approving device access requests
  • Reviewing the approved device list

What’s typically on the MSP:

  • Maintaining the device registry
  • Configuring the wireless access points
  • Providing current device connection logs for your reviews
  • Blocking unauthorized devices

The assessor wants to understand who actually makes the authorization call. If your MSP is accepting requests and approving them without your sign-off, you need to fix that. You should be the gatekeeper.

From the assessment room

Assessors want to see a clear list of approved wireless devices. Have your device registry ready showing approval dates and who authorized each one. If the assessor asks "can you show me all the wireless devices you've approved to access your network?" be prepared to produce the list without hesitation. If you don't have a formal authorization process or registry, that's a finding. Establish this control before the assessment.

A note on wireless registry maintenance

The best MSSPs I've worked with maintain the device registry themselves but present it to you quarterly for sign-off. They compare the registry against actual connected devices, flag anything unusual, and hand you a dated review form. If your MSP can do that, ask for it. A well-maintained registry is the strongest evidence for this control.


This page covers AC.L2-3.1.16 from NIST SP 800-171 Rev 2 (3.1.16). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.