Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review device configuration. 1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. 2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) and is not set to the manufacturer's default value. If the SSID does not meet the requirement listed above, this is a finding.
Change the SSID to a pseudo random word that does not identify the unit, base, or organization.
1. Review the relevant configuration screen of the WLAN controller or access point. 2. Verify the inactive/idle session timeout setting is set for 30 minutes or less. If the inactive/idle session timeout is not set to 30 minutes or less for the entire WLAN, or the WLAN does not have the capability to enable the session timeout feature, this is a finding.
Set the WLAN inactive/idle session timeout to 30 minutes or less.
Review the WLAN equipment specification and verify it is Wi-Fi Alliance certified with either the older WPA2 certification or the newer WPA3 certification. WPA3 is preferred but not required at this time. If the WLAN equipment is not Wi-Fi Alliance certified with WPA2 or WPA3, this is a finding.
Use WLAN equipment that is Wi-Fi Alliance certified with WPA2 or WPA3.
Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials. Verify the component is configured to operate in FIPS mode. If the WLAN equipment is not is FIPS 140-2/3 (CMVP) certified or is not configured to operate in FIPS mode, this is a finding.
Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified. Configure the component to operate in FIPS mode.
Review documentation and inspect access point locations. 1. Review documentation showing signal strength analysis from site survey activities, if available. 2. Use testing equipment or WLAN clients to determine if the signal strength is, in the reviewer's judgment, excessively outside the required area (e.g., strong signal in the parking area, public areas, or uncontrolled spaces). 3. Lower-end access points will not have this setting available. In this case, verify the access points are located away from exterior walls to achieve compliance with this requirement. If any of the following is found, this is a finding: - Visual inspection of equipment shows obvious improper placement of access points where they will emanate into uncontrolled spaces (e.g., next to external walls, windows, or doors; uncontrolled areas; or public areas). - Building walk-through testing shows signals of sufficient quality and strength to allow wireless access to exist in areas not authorized for WLAN access.
Move access points to areas in which signals do not emanate in a way that makes them usable outside the areas authorized for WLAN access. Alternatively, replace omni-directional antennae with directional antennae if this will solve the problem. If these solutions are not effective, adjust the transmission power settings on the access point to reduce the usability of signals in unauthorized areas. If the WLAN equipment does not allow the transmission power to be adjusted, and the access points are placed in a location where the ISSO determines there is significant risk that an adversary could be present where signals may be intercepted, the site should procure WLAN equipment that permits power adjustment.
Verify the access point is configured for either WPA2/WPA3 (Enterprise) or WPA2/WPA3 (Personal) authentication. The procedure for performing this review will vary depending on the AP model. Have the SA show the configuration setting. If the access point is not configured with either WPA2 or WPA3 security, this is finding.
Configure the access point for WPA2 (or WPA3) authentication, confidentiality, and integrity services. In the case of WPA2 (Personal), this action will require the selection of a strong passcode or passphrase. In the case of WPA2 (Enterprise), this action will require the organization to deploy RADIUS or equivalent authentication services on a separate server. In cases in which the access point does not support WPA2/WPA3, the organization will need to procure new equipment.
Have the SA show how the guest WLAN is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings. Verify the equipment is connected via a separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier [SSID] and virtual LAN). Verify the guest WLAN only provides internet access. If a guest WLAN is not set up as a separate WLAN from the DoD network or is not set up as a logical segmentation from the DoD network or DoD WLAN, this is a finding. If the guest WLAN does not provide only internet access, this is a finding.
Reconfigure physical and logical connections as needed so the internet-only guest WLAN infrastructure resides in a dedicated subnet off the perimeter firewall or is installed as a completely separate internet-connection-only WLAN system with no access to the enterprise network.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.