AC.L2-3.1.17: Wireless Access Protection

Protect wireless access using authentication and encryption, and demonstrate that your wireless network actually requires both.

This is the technical enforcement side of wireless control. You authorized the devices in AC.L2-3.1.16. Now you need to protect them. The assessor wants to see that connections are authenticated and encrypted through active configuration, not merely as an available option in the settings.

Family: Access Control
Practice: AC.L2-3.1.17
Difficulty: Moderate
Key evidence: Wireless AP configuration showing WPA2/WPA3 plus the authentication method

What the assessor is actually evaluating

The NIST language says you must “protect wireless access by using authentication and encryption.” In the assessment room, the assessor is checking:

Is WPA2 or WPA3 enabled? The assessor wants to see that WEP is disabled and that you’re using a modern encryption standard. WPA3 is better than WPA2, but WPA2 meets the requirement. You should be able to show the wireless access point configuration.

How are devices authenticated? This is the critical piece. There are multiple acceptable approaches, but you need one. A pre-shared key (PSK) is the simplest and is acceptable for general access. 802.1X with certificates or RADIUS is stronger and is what you need for enterprise-grade authentication. The assessor will ask which you’re using and why.

Is this actually enforced? The assessor wants to see that weak security modes are completely disabled. If you’re running WPA2 but left WEP or open networks as fallback options, that’s a finding.

What a realistic SSP definition looks like

Example SSP Language: AC.L2-3.1.17

[Organization Name] protects all wireless networks using WPA2 or WPA3 encryption with a minimum encryption standard of AES-128. All wireless access points are configured to require authentication prior to connection.

The primary corporate wireless network uses WPA2-PSK (pre-shared key) with a strong, unique network password that is [rotated annually / rotated upon contractor role change / managed through the wireless controller]. The password meets [organization password policy] and is not shared in plain text.

Older wireless security standards (WEP, WPA without AES, open networks) are disabled and not available. Administrative access to wireless access points is protected with strong authentication and is restricted to authorized IT staff.

Guest wireless networks operate on a separate SSID and are segmented from the corporate network so that guest devices cannot reach CUI systems.

The key parts here: specific encryption standard (WPA2 or WPA3), specific authentication method (PSK or 802.1X), frequency of PSK rotation (if using PSK), and disabled weaker standards.

How to present your evidence

Evidence checklist
  • Wireless access point configuration showing WPA2/WPA3 encryption enabled
  • Proof that WEP and other weak standards are disabled
  • Authentication method documentation (PSK rotation schedule, or 802.1X certificate details)
  • Wireless security policy covering encryption and authentication requirements
  • Network diagram showing guest vs. corporate SSID separation

Access point configuration. Log into your wireless controller and show the settings for encryption (WPA2/WPA3 enabled, AES encryption, minimum standards set). Show that WEP and legacy standards are disabled.

Authentication settings. Show either your PSK settings (including rotation frequency if you rotate it) or your 802.1X/RADIUS configuration if you’re using certificates. The assessor wants to understand exactly how devices are authenticated.

Policy documentation. Your wireless security policy that states encryption and authentication requirements. This should reference the specific standards and explain why you chose them.

Network segmentation documentation. How you’ve separated authorized corporate access from guest access. This could be a network diagram or a wireless access point configuration showing separate SSIDs with different security and network restrictions.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "What encryption are you using for your wireless networks?"
"WPA2 with AES. [Pull up the access point configuration] Here are the SSID settings. Encryption is WPA2, cipher is AES, and WEP is disabled."
Assessor: "How do devices authenticate to the wireless network?"
"Pre-shared key. [Pull up the PSK rotation log] We rotate it annually and it meets our password policy. That's the main corporate network. [Pull up the guest network settings] Guest network is separate and has different access restrictions."
Assessor: "What prevents someone from connecting with WEP or an open connection?"
"[Pull up the access point security settings] WEP is disabled. Open networks are disabled. Only WPA2 is enabled. We've also disabled any fallback to weaker standards."
Assessor: "How often do you rotate your wireless network password?"
"Annually, or whenever someone with access leaves. [Pull up rotation records] Last rotation was [date]. It's part of our security policy review."

Common failures

What gets flagged

WPA2 enabled but WEP still available. If both are active, the assessor will flag it. Weak standards must be completely removed from the configuration, not merely deprioritized.

No documented authentication method. You're using a pre-shared key but you haven't documented how often it's rotated or which password policy it meets. That vagueness is a finding.

Same PSK for all users indefinitely. Pre-shared key is acceptable, but if you never rotate it or if multiple users share the key with no accountability, expect push-back. At minimum, rotate it annually or when staff changes.

Open guest network on the same segment as CUI systems. If your guest network can reach corporate systems, you've created a bypass around your wireless controls. Guest and corporate networks need separation.

What makes assessors move on satisfied

WPA2 or WPA3 enabled with AES encryption. Weak standards disabled. Clear authentication method (PSK with documented rotation, or 802.1X with certificate details). Guest network separated from corporate network. That's a passing answer.
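The checks described under "What the assessor is actually evaluating" and "Common failures" can be expressed as a script that reads access point configuration and reports findings. The following is an added example, not code from this page or from any wireless vendor. It assumes hostapd-style key=value configuration (keys such as wpa, wpa_key_mgmt, rsn_pairwise, wep_key0, ieee8021x, auth_server_addr, bridge and ap_isolate follow hostapd.conf conventions); the four configurations, the passphrases, the RADIUS address and the rotation dates are all constructed samples. It shows the weak configuration (WPA1 and WEP still allowed beside WPA2) next to the hardened PSK and 802.1X versions, checks that the guest SSID is on a separate segment, and evaluates a PSK rotation record against the "annually or when staff with access leave" rule.

```python
"""Added example: audit hostapd-style AP configs against the AC.L2-3.1.17
checks (WPA2/WPA3 with AES, no WEP/TKIP/WPA1 fallback, a defined
authentication method, guest SSID segmented). All samples are constructed."""
from datetime import date

# Constructed sample: the "WPA2 enabled but WEP still available" failure.
WEAK_CORP_AP = """
interface=wlan0
ssid=CorpWiFi
bridge=br-corp
# wpa=3 allows both WPA (1) and WPA2 (2)
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=constructed-sample-passphrase
# legacy WEP key left in place as a fallback
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: the same SSID hardened to WPA2-PSK with AES (CCMP) only.
HARDENED_CORP_AP = """
interface=wlan0
ssid=CorpWiFi
bridge=br-corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=constructed-sample-passphrase
"""

# Constructed sample: WPA2-Enterprise, 802.1X against a RADIUS server.
ENTERPRISE_AP = """
interface=wlan0
ssid=CorpWiFi-8021X
bridge=br-corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=constructed-radius-secret
"""

# Constructed sample: guest SSID on its own bridge with client isolation.
GUEST_AP = """
interface=wlan0
ssid=Guest
bridge=br-guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-guest-passphrase
"""


def parse_hostapd(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def audit_ap(text):
    """Return the findings an assessor would flag; an empty list means clean."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = int(cfg.get("wpa", "0"))
    if wpa == 0:
        findings.append("open or WEP-only network: no WPA2/WPA3 enabled")
    elif wpa & 1:
        findings.append("WPA (pre-RSN) still allowed alongside WPA2: set wpa=2")
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys still configured: remove all wep_* settings")
    ciphers = set((cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP cipher enabled: allow AES (CCMP) only")
    if wpa and not ciphers & {"CCMP", "GCMP"}:
        findings.append("AES (CCMP) not enabled")
    mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if "WPA-EAP" in mgmt and "auth_server_addr" not in cfg:
        findings.append("802.1X selected but no RADIUS server configured")
    if mgmt & {"WPA-PSK", "SAE"} and not (cfg.get("wpa_passphrase") or cfg.get("wpa_psk")):
        findings.append("PSK/SAE selected but no passphrase set")
    if wpa and not mgmt & {"WPA-PSK", "SAE", "WPA-EAP"}:
        findings.append("no recognised authentication method in wpa_key_mgmt")
    return findings


def auth_method(text):
    """Name the authentication method for the SSP: '802.1X', 'SAE', 'PSK' or 'none'."""
    mgmt = set(parse_hostapd(text).get("wpa_key_mgmt", "").split())
    for key, name in (("WPA-EAP", "802.1X"), ("SAE", "SAE"), ("WPA-PSK", "PSK")):
        if key in mgmt:
            return name
    return "none"


def guest_separated(corp_text, guest_text):
    """Guest SSID must sit on a different bridge and isolate its own clients."""
    corp, guest = parse_hostapd(corp_text), parse_hostapd(guest_text)
    return (guest.get("bridge") is not None
            and guest.get("bridge") != corp.get("bridge")
            and guest.get("ap_isolate") == "1")


def psk_rotation_status(rotation_dates, departure_dates, today, max_age_days=365):
    """'ok' if the PSK was rotated within max_age_days and after the most recent
    departure of someone who knew it; otherwise a string naming the gap."""
    last = max(rotation_dates)
    if (today - last).days > max_age_days:
        return f"overdue: last rotation {last} exceeds {max_age_days} days"
    stale = [d for d in departure_dates if d > last]
    if stale:
        return f"overdue: departure on {max(stale)} after last rotation {last}"
    return "ok"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CORP_AP), ("hardened", HARDENED_CORP_AP),
                      ("enterprise", ENTERPRISE_AP), ("guest", GUEST_AP)):
        print(name, auth_method(cfg), audit_ap(cfg) or "clean")
    print("guest separated:", guest_separated(HARDENED_CORP_AP, GUEST_AP))
    print(psk_rotation_status([date(2025, 1, 15)], [date(2025, 6, 1)], date(2025, 12, 1)))
```

Run against the weak sample it reports three findings (WPA1 allowed, WEP keys present, TKIP enabled), which is exactly the "WPA2 enabled but WEP still available" case; the hardened, enterprise and guest samples come back clean. The rotation check treats a departure after the last rotation as a gap even when the annual window has not expired, matching the "annually or whenever someone with access leaves" answer in the assessment-room script above.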

If you use an MSP/MSSP

If your MSP manages your wireless infrastructure, they should own the configuration and be able to explain it in the assessment.

What’s typically on you:

  • Approving the wireless security standards (which encryption method, PSK rotation policy, etc.)
  • Reviewing PSK rotation schedules
  • Approving guest network policies

What’s typically on the MSP:

  • Configuring the access points to enforce those standards
  • Managing PSK rotation or certificate management if using 802.1X
  • Providing you with configuration reviews and compliance evidence
  • Monitoring for any access points that don’t meet the standard

The assessor may ask your IT person or representative to walk through the access point configuration. Make sure whoever sits in the room can log into a wireless controller and show the settings. If your MSP does this, they should be in the room for this part of the assessment.

From the assessment room

Assessors check wireless security by looking at the access point configuration: WPA2/3 with AES encryption, no legacy standards, and a documented authentication method. If you're using a pre-shared key, the assessor expects rotation documented in your SSP. Know your encryption standard, your authentication method, and your key rotation schedule. Have your wireless controller settings ready to show live.

A note on wireless in smaller shops

Small contractors sometimes have a simple wireless access point with a shared password. That's fine. Document the password, rotate it annually, disable weak standards, and you're compliant. More sophisticated environments using 802.1X or RADIUS are better from a trust perspective, but they're not required. The assessor cares that you've made a deliberate security choice and enforced it.


This page covers AC.L2-3.1.17 from NIST SP 800-171 Rev 2 (3.1.17). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.