
DoD network users authorized to remotely connect to a DoD network from a residential WLAN must do so using an access point that is WPA2 certified.


Overview

Finding ID: V-18631
Version: WIR0930
Rule ID: SV-20191r5_rule
IA Controls: ECWN-1
Severity: Medium
Description
The Wi-Fi Alliance WPA2 certification means that the WLAN equipment can support DoD requirements, most notably AES-CCMP. If the equipment has not been WPA Enterprise certified, then the equipment may not have the required security functionality to protect DoD networks and information.
STIG: WLAN Client Security Technical Implementation Guide
Date: 2011-10-07

Details

Check Text (C-22320r4_chk)
Detailed Policy Requirements:

- The residential WLAN used for DoD work (DoD Residential WLAN) must use an access point that is WPA2 certified.
Nearly all residential access points with a WPA2 certification will have the WPA2-Personal certification, although it is possible that some users will use WPA2-Enterprise certified equipment. Both are acceptable.

NOTE: It is recommended that the enclave resource manager furnish DoD users with managed DoD residential WLAN equipment at sites that allow teleworking using home WLANs. This would allow them to configure the system to comply with security requirements before issuing a device to a user and then monitor the configuration over time once it is in the user's possession.

Check Procedures:

Interview the IAO to determine that a procedure has been implemented to verify compliance with the WPA2 requirement.
It is recommended that the IAO require residential WLAN users to provide a screenshot of the management screen of the DoD Residential WLAN as evidence of the make and model of the access point, as well as its security configuration settings. The IAO should validate that the access point is WPA2 certified using product documentation or by searching for the certification on the Wi-Fi Alliance web site.
Fix Text (F-19296r2_fix)
Procure a WPA2 certified access point for access to DoD networks from a home WLAN.