03.01.16 – Wireless Access (NIST 800-171 Rev. 3)

2025-07-03

Welcome to our breakdown of 03.01.16 – Wireless Access, another key control in the Access Control family under NIST SP 800-171 Revision 3.

This control focuses on managing the risks introduced by wireless technologies — like Wi-Fi, Bluetooth, NFC, or embedded radios — especially in systems that process Controlled Unclassified Information (CUI).

03.01.16 – Wireless Access

Wireless access is convenient — but also one of the most exploitable vectors in modern environments. This control requires you to authorize, secure, and restrict wireless capabilities across all systems and devices.

• Define all permitted wireless technologies
• Configure and secure them with strong encryption
• Disable any wireless functions not in active use
• Apply this across laptops, mobile devices, IoT, and embedded components

If you’re not using it — disable it. If you are — lock it down.

03.01.16 – Key Requirements

To comply with this control, organizations must:

• Define every allowed wireless access type
• Set usage restrictions and configuration requirements
• Authorize each wireless connection before use
• Disable wireless features not intended for operation
• Protect wireless access using authentication and encryption

03.01.16 – Implementation Tips

To implement this effectively:

• Maintain a detailed inventory of wireless-capable devices
• Disable unused Wi-Fi, Bluetooth, NFC, or hotspots before deployment
• Use WPA3 or enterprise-grade Wi-Fi encryption
• Require mutual authentication between users and systems
• Block unauthorized wireless networks at the firewall or access point
• Document everything in your access control policy and SSP

📡 Wireless access should never be a default setting — it should be a conscious, secure decision.

03.01.16 – Evidence

Auditors may ask for:

• Wireless access policies and authorization procedures
• Configuration files from wireless access points and controllers
• A list of approved wireless devices and technologies
• Proof that unused wireless features were disabled before use
• Encryption standards and authentication settings
• Wireless audit logs and activity monitoring records
• SSP entries describing your wireless access controls

Include in your SSP

Your System Security Plan should document:

• Which wireless technologies are approved
• How unauthorized wireless access is prevented
• What encryption and authentication methods are in use

Why it matters..

Wireless connections don’t stop at your building’s walls — they reach into parking lots, nearby offices, and public areas. If left unsecured, they can become entry points for attackers.

A single wireless misconfiguration can expose your entire system to threats — without anyone stepping inside.

Up next: 03.01.17 – Withdrawn. We’ll continue with the next applicable control in the Access Control family.