Network WLAN AP-IG Platform Security Technical Implementation Guide

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Network WLAN AP-IG Platform Security Technical Implementation Guide

Overview

Version	Date	Finding Count (9)			Downloads
7	2021-04-16 2022-02-03 2022-02-03 2022-02-03 2023-02-13 2023-02-13 2023-02-13 2023-02-13 2023-02-13 2023-02-13	CAT I (High): 0	CAT II (Med): 7	CAT III (Low): 2	Excel	JSON	XML

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-243215	Medium	The network device must not be configured to have any feature enabled that calls home to the vendor.	Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission...
V-243214	Medium	The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.	The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the...
V-243213	Medium	DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network.	The purpose of the Guest WLAN network is to provide WLAN services to authorized site guests. Guests, by definition, are not authorized access to the enterprise network. If the guest WLAN is not...
V-243212	Medium	The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security.	The Wi-Fi Alliance's WPA2/WPA3 certification provides assurance that the device has adequate security functionality and can implement the IEEE 802.11i standard for robust security networks. The...
V-243208	Medium	The WLAN inactive session timeout must be set for 30 minutes or less.	A WLAN session that never terminates due to inactivity may allow an opening for an adversary to highjack the session to obtain access to the network.
V-243209	Medium	WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.	Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.
V-243210	Medium	WLAN components must be FIPS 140-2 or FIPS 140-3 certified.	If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect...
V-243211	Low	WLAN signals must not be intercepted outside areas authorized for WLAN access.	Most commercially available WLAN equipment is preconfigured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the signals to be received...
V-243207	Low	WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.	An SSID identifying the unit, site, or purpose of the WLAN or that is set to the manufacturer default may cause an OPSEC vulnerability.