NET-15.1: Authentication & Encryption
Mechanisms exist to secure Wi-Fi (e.g., IEEE 802.11) and prevent unauthorized access by: (1) Authenticating devices trying to connect; and (2) Encrypting transmitted data.
Control Question: Does the organization secure Wi-Fi (e.g., IEEE 802.11) and prevent unauthorized access by: (1) Authenticating devices trying to connect; and (2) Encrypting transmitted data?
General (25)
| Framework | Mapping Values |
|---|---|
| GovRAMP Moderate | AC-18(01) |
| GovRAMP High | AC-18(01) |
| IEC 62443-4-2 2019 | NDR 1.6 (15.2.3(1)) |
| NIST 800-53 R4 | AC-18(1) |
| NIST 800-53 R4 (moderate) | AC-18(1) |
| NIST 800-53 R4 (high) | AC-18(1) |
| NIST 800-53 R5 (source) | AC-18(1) |
| NIST 800-53B R5 (moderate) (source) | AC-18(1) |
| NIST 800-53B R5 (high) (source) | AC-18(1) |
| NIST 800-82 R3 MODERATE OT Overlay | AC-18(1) |
| NIST 800-82 R3 HIGH OT Overlay | AC-18(1) |
| NIST 800-171 R2 (source) | 3.1.17 |
| NIST 800-171A (source) | 3.1.17[a] 3.1.17[b] |
| NIST 800-171 R3 (source) | 03.01.16.a 03.01.16.b 03.01.16.d |
| NIST 800-171A R3 (source) | A.03.01.16.d[01] A.03.01.16.d[02] |
| PCI DSS 4.0.1 (source) | 1.3 2.3.1 2.3.2 4.2.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 4.2.1 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 2.3.1 2.3.2 |
| PCI DSS 4.0.1 SAQ C (source) | 2.3.1 2.3.2 4.2.1 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 2.3.1 2.3.2 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 2.3.1 2.3.2 4.2.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 2.3.1 2.3.2 4.2.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | NET-15.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | NET-15.1 |
| SCF CORE ESP Level 3 Advanced Threats | NET-15.1 |
US (12)
| Framework | Mapping Values |
|---|---|
| US CJIS Security Policy 5.9.3 (source) | AC-18(1) 5.10.1.2 |
| US CMMC 2.0 Level 2 (source) | AC.L2-3.1.17 |
| US CMMC 2.0 Level 3 (source) | AC.L2-3.1.17 |
| US CMS MARS-E 2.0 | AC-18(1) |
| US FedRAMP R4 | AC-18(1) |
| US FedRAMP R4 (moderate) | AC-18(1) |
| US FedRAMP R4 (high) | AC-18(1) |
| US FedRAMP R5 (source) | AC-18(1) |
| US FedRAMP R5 (moderate) (source) | AC-18(1) |
| US FedRAMP R5 (high) (source) | AC-18(1) |
| US IRS 1075 | AC-18(1) |
| US - TX TX-RAMP Level 2 | AC-18(1) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA EU NIS2 Annex | 11.4.2(c) |
| EMEA Israel CDMO 1.0 | 12.14 |
| EMEA UK DEFSTAN 05-138 | 2304 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC New Zealand NZISM 3.6 | 18.2.10.C.01 18.2.10.C.02 18.2.11.C.01 18.2.11.C.02 18.2.11.C.03 18.2.11.C.04 18.2.11.C.05 18.2.12.C.01 18.2.12.C.02 18.2.13.C.01 18.2.14.C.01 18.2.15.C.01 18.2.16.C.01 18.2.17.C.01 18.2.18.C.01 18.2.19.C.01 18.2.20.C.01 18.2.20.C.02 18.2.20.C.03 18.2.21.C.01 18.2.22.C.01 18.2.23.C.01 18.2.23.C.02 18.2.24.C.01 18.2.25.C.01 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.01.16.A 03.01.16.B 03.01.16.D |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to protect wireless access through authentication and strong encryption.
Level 1 — Performed Informally
Network Security (NET) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT personnel use an informal process to design, build and maintain secure networks for test, development, staging and production environments, including the implementation of appropriate cybersecurity and data protection controls.
- Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Network monitoring is primarily reactive in nature.
Level 2 — Planned & Tracked
Network Security (NET) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Network security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for network security management.
- IT personnel define secure networking practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets, data and network(s).
- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
Level 3 — Well Defined
Network Security (NET) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Technology Infrastructure team, or similar function, defines centrally-managed network security controls for implementation across the enterprise.
- Secure engineering principles are used to design and implement network security controls (e.g., industry-recognized secure practices) to enforce the concepts of least privilege and least functionality at the network level.
- IT/cybersecurity architects work with the Technology Infrastructure team to implement a “layered defense” network architecture that provides a defense-in-depth approach for redundancy and risk reduction for network-based security controls, including wired and wireless networking.
- Administrative processes and technologies configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Technologies automate the Access Control Lists (ACLs) and similar rulesets review process to identify security issues and/ or misconfigurations.
- Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to protect wireless access through authentication and strong encryption.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect wireless access through authentication and strong encryption.
Assessment Objectives
- NET-15.1_A01 wireless access to the system is protected using authentication.
- NET-15.1_A02 wireless access to the system is protected using encryption.
- NET-15.1_A03 information is/are maintained during preparation for transmission.
- NET-15.1_A04 information is/are maintained during reception.
Technology Recommendations
Micro/Small
- Secure Baseline Configurations (SBC)
Small
- Secure Baseline Configurations (SBC)
Medium
- Secure Baseline Configurations (SBC)
Large
- Secure Baseline Configurations (SBC)
Enterprise
- Secure Baseline Configurations (SBC)