NIST 800-53 REV 5 • ACCESS CONTROL

AC-18(4) Restrict Configurations by Users

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems.

Practitioner Notes

Unless they have been explicitly authorized, users should not be able to independently configure wireless settings on their devices. Managed configurations prevent users from connecting to unauthorized networks.

Example 1: Via GPO, restrict wireless profile management at Computer Configuration → Administrative Templates → Network → Windows Connection Manager → "Prohibit connection to non-domain networks when connected to domain authenticated network" set to Enabled. This prevents users from connecting to personal hotspots while on the corporate network.

Example 2: In Intune, deploy Wi-Fi profiles to managed devices and enable "Connect automatically when in range" for corporate SSIDs. Add a device restriction profile that blocks users from manually adding new Wi-Fi networks, so that they can use only IT-approved connections.
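
The PowerShell audit below is an added example, not part of the original page: it checks on one endpoint that the policy from Example 1 is in effect and lists saved wireless profiles that are not on an approved list. The SSID list is a constructed placeholder, fBlockNonDomain is the registry value this policy is documented to set, and the parsing assumes English-language netsh output.

```powershell
# Added audit example (not from the original page). Run on a Windows endpoint.
# Assumption: $ApprovedSsids is a constructed placeholder; use your own list.
$ApprovedSsids = @('CORP-WIFI-EXAMPLE')

# 1. Policy from Example 1: when enabled, the GPO sets fBlockNonDomain = 1 here.
$wcmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
$policy = Get-ItemProperty -Path $wcmKey -Name 'fBlockNonDomain' -ErrorAction SilentlyContinue
$blockNonDomain = ($null -ne $policy) -and ($policy.fBlockNonDomain -eq 1)

# 2. Parse "netsh wlan show profiles" into objects tagged with the section
#    they were listed under (Group Policy profiles or User profiles).
function Get-WlanProfileInventory {
    param([string[]]$NetshOutput)
    $section = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Profiles on interface') { $section = $null;         continue }
        if ($line -match '^Group policy profiles') { $section = 'GroupPolicy'; continue }
        if ($line -match '^User profiles')         { $section = 'User';        continue }
        $text = $line.Trim()
        if (-not $section -or -not $text -or $text -match '^-+$' -or $text -eq '<None>') { continue }
        # User entries read "All User Profile     : NAME"; policy entries are the bare name.
        $name = if ($section -eq 'User' -and $text -match '^(All|Current) User Profile\s*:\s?(.*)$') {
            $Matches[2]
        } else {
            $text
        }
        [pscustomobject]@{ Source = $section; Name = $name.Trim() }
    }
}

# 3. Compare saved profiles with the approved list. Profile names normally match
#    the SSID but are not guaranteed to, so treat a mismatch as a lead to review.
#    Profiles delivered by other management channels can be listed under
#    "User profiles", so the approved-list comparison is the deciding check.
$inventory  = @(Get-WlanProfileInventory -NetshOutput (netsh wlan show profiles))
$unapproved = @($inventory | Where-Object { $_.Name -notin $ApprovedSsids })

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    BlockNonDomainEnforced = $blockNonDomain
    SavedProfiles          = $inventory.Count
    UnapprovedProfiles     = ($unapproved | ForEach-Object { "$($_.Name) [$($_.Source)]" }) -join ', '
}
```

A non-empty UnapprovedProfiles value, or BlockNonDomainEnforced reporting False, marks an endpoint where wireless settings were changed outside the managed configuration or where the policy did not apply.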