| V-243208 | | The WLAN inactive/idle session timeout must be set for 30 minutes or less. | A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.... |
| V-243209 | | WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3. | Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.... |
| V-243210 | | WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode. | If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certifi... |
| V-243212 | | The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security. | The Wi-Fi Alliance's WPA2/WPA3 certification provides assurance that the device has adequate security functionality and can implement the IEEE 802.11i... |
| V-243213 | | DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network. | The purpose of the Guest WLAN network is to provide WLAN services to authorized site guests. Guests, by definition, are not authorized access to the e... |
| V-243214 | | The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface... |
| V-243215 | | The network device must not be configured to have any feature enabled that calls home to the vendor. | Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troub... |
| V-243207 | | WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc. | An SSID identifying the unit, site, or purpose of the WLAN or that is set to the manufacturer default may cause an OPSEC vulnerability.... |
| V-243211 | | WLAN signals must not be intercepted outside areas authorized for WLAN access. | Most commercially available WLAN equipment is preconfigured for signal power appropriate to most applications of the WLAN equipment. In some cases, th... |