{
"id": 23,
"benchmarkId": "Network_WLAN_Bridge_Platform_STIG",
"slug": "network_wlan_bridge_platform",
"stigSlug": "network_wlan_bridge_platform",
"versionStatus": "current",
"status": "accepted",
"statusDate": "2023-02-13T00:00:00.000Z",
"title": "Network WLAN Bridge Platform Security Technical Implementation Guide",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"version": "V7R2",
"vendor": null,
"createdAt": "2025-10-21T11:12:35.802Z",
"updatedAt": "2026-04-25T11:40:48.537Z",
"groups": [
{
"id": 1144,
"benchmarkId": 23,
"groupId": "V-243227",
"title": "SRG-NET-000512",
"description": "",
"ruleId": "SV-243227r720136_rule",
"ruleWeight": "10.0",
"ruleSeverity": "low",
"ruleVersion": "WLAN-NW-000200",
"ruleTitle": "WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.",
"ruleVulnDiscussion": "An SSID identifying the unit, site, or purpose of the WLAN or that is set to the manufacturer default may cause an OPSEC vulnerability.",
"ruleFalsePositives": "",
"ruleFalseNegatives": "",
"ruleDocumentable": "false",
"ruleMitigations": "",
"ruleIdent": "CCI-000366",
"ruleFixText": "Change the SSID to a pseudo random word that does not identify the unit, base, or organization.",
"ruleFixId": "F-46459r720135_fix",
"ruleCheckSystem": "C-46502r720134_chk",
"ruleCheckContent": "Review device configuration. \n\n1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software.\n2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) and is not set to the manufacturer's default value.\n\nIf the SSID does not meet the requirement listed above, this is a finding.",
"createdAt": "2025-10-21T11:12:36.096Z",
"updatedAt": "2025-10-21T11:12:36.096Z"
},
{
"id": 1145,
"benchmarkId": 23,
"groupId": "V-243228",
"title": "SRG-NET-000063",
"description": "",
"ruleId": "SV-243228r720139_rule",
"ruleWeight": "10.0",
"ruleSeverity": "medium",
"ruleVersion": "WLAN-NW-000400",
"ruleTitle": "WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.",
"ruleVulnDiscussion": "Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.",
"ruleFalsePositives": "",
"ruleFalseNegatives": "",
"ruleDocumentable": "false",
"ruleMitigations": "",
"ruleIdent": "CCI-001453",
"ruleFixText": "Use WLAN equipment that is Wi-Fi Alliance certified with WPA2 or WPA3.",
"ruleFixId": "F-46460r720138_fix",
"ruleCheckSystem": "C-46503r720137_chk",
"ruleCheckContent": "Review the WLAN equipment specification and verify it is Wi-Fi Alliance certified with either the older WPA2 certification or the newer WPA3 certification. WPA3 is preferred but not required at this time.\n\nIf the WLAN equipment is not Wi-Fi Alliance certified with WPA2 or WPA3, this is a finding.",
"createdAt": "2025-10-21T11:12:36.096Z",
"updatedAt": "2025-10-21T11:12:36.096Z"
},
{
"id": 1146,
"benchmarkId": 23,
"groupId": "V-243229",
"title": "SRG-NET-000151",
"description": "",
"ruleId": "SV-243229r891323_rule",
"ruleWeight": "10.0",
"ruleSeverity": "medium",
"ruleVersion": "WLAN-NW-000600",
"ruleTitle": "WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode.",
"ruleVulnDiscussion": "If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect sensitive unclassified DoD data from compromise during transmission.",
"ruleFalsePositives": "",
"ruleFalseNegatives": "",
"ruleDocumentable": "false",
"ruleMitigations": "",
"ruleIdent": "CCI-001967",
"ruleFixText": "Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified. Configure the component to operate in FIPS mode.",
"ruleFixId": "F-46461r891322_fix",
"ruleCheckSystem": "C-46504r891321_chk",
"ruleCheckContent": "Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials. Verify the component is configured to operate in FIPS mode.\n\nIf the WLAN equipment is not is FIPS 140-2/3 (CMVP) certified or is not configured to operate in FIPS mode, this is a finding.",
"createdAt": "2025-10-21T11:12:36.096Z",
"updatedAt": "2025-10-21T11:12:36.096Z"
},
{
"id": 1147,
"benchmarkId": 23,
"groupId": "V-243230",
"title": "SRG-NET-000512",
"description": "",
"ruleId": "SV-243230r720145_rule",
"ruleWeight": "10.0",
"ruleSeverity": "medium",
"ruleVersion": "WLAN-NW-001100",
"ruleTitle": "Wireless access points and bridges must be placed in dedicated subnets outside the enclave's perimeter.",
"ruleVulnDiscussion": "If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires an additional layer of protection between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.\n\nWireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable.\n\nExamples of acceptable architectures include placing access points or controllers in a screened subnet (e.g., DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN) with ACLs.",
"ruleFalsePositives": "",
"ruleFalseNegatives": "",
"ruleDocumentable": "false",
"ruleMitigations": "",
"ruleIdent": "CCI-000366",
"ruleFixText": "Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.",
"ruleFixId": "F-46462r720144_fix",
"ruleCheckSystem": "C-46505r720143_chk",
"ruleCheckContent": "Review network architecture with the network administrator.\n\n1. Verify compliance by inspecting the site network topology diagrams.\n2. Since many network diagrams are not kept up to date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current.\n\nIf the site's wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.",
"createdAt": "2025-10-21T11:12:36.096Z",
"updatedAt": "2025-10-21T11:12:36.096Z"
},
{
"id": 1148,
"benchmarkId": 23,
"groupId": "V-243231",
"title": "SRG-NET-000205",
"description": "",
"ruleId": "SV-243231r720148_rule",
"ruleWeight": "10.0",
"ruleSeverity": "medium",
"ruleVersion": "WLAN-NW-001200",
"ruleTitle": "The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.",
"ruleVulnDiscussion": "The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. (See SRG-NET-000205-RTR-000012.)\n\nNetwork boundaries, also known as managed interfaces, include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). Methods used for prohibiting interfaces within organizational information systems include, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.",
"ruleFalsePositives": "",
"ruleFalseNegatives": "",
"ruleDocumentable": "false",
"ruleMitigations": "",
"ruleIdent": "CCI-001097",
"ruleFixText": "Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.",
"ruleFixId": "F-46463r720147_fix",
"ruleCheckSystem": "C-46506r720146_chk",
"ruleCheckContent": "Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network.\n\nIf an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.",
"createdAt": "2025-10-21T11:12:36.096Z",
"updatedAt": "2025-10-21T11:12:36.096Z"
},
{
"id": 1149,
"benchmarkId": 23,
"groupId": "V-243232",
"title": "SRG-NET-000131",
"description": "",
"ruleId": "SV-243232r856611_rule",
"ruleWeight": "10.0",
"ruleSeverity": "medium",
"ruleVersion": "WLAN-NW-001300",
"ruleTitle": "The network device must not be configured to have any feature enabled that calls home to the vendor.",
"ruleVulnDiscussion": "Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (See SRG-NET-000131-RTR-000083.)",
"ruleFalsePositives": "",
"ruleFalseNegatives": "",
"ruleDocumentable": "false",
"ruleMitigations": "",
"ruleIdent": "CCI-002403",
"ruleFixText": "Configure the network device to disable the call home service or feature.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.",
"ruleFixId": "F-46464r720150_fix",
"ruleCheckSystem": "C-46507r720149_chk",
"ruleCheckContent": "Review the device configuration to determine if the call home service or feature is disabled on the device. \n\nIf the call home service is enabled on the device, this is a finding.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.",
"createdAt": "2025-10-21T11:12:36.096Z",
"updatedAt": "2025-10-21T11:12:36.096Z"
}
],
"profiles": [
{
"id": 140,
"benchmarkId": 23,
"profileId": "MAC-1_Classified",
"title": "I - Mission Critical Classified",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 141,
"benchmarkId": 23,
"profileId": "MAC-1_Public",
"title": "I - Mission Critical Public",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 142,
"benchmarkId": 23,
"profileId": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 143,
"benchmarkId": 23,
"profileId": "MAC-2_Classified",
"title": "II - Mission Support Classified",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 144,
"benchmarkId": 23,
"profileId": "MAC-2_Public",
"title": "II - Mission Support Public",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 145,
"benchmarkId": 23,
"profileId": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 146,
"benchmarkId": 23,
"profileId": "MAC-3_Classified",
"title": "III - Administrative Classified",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 147,
"benchmarkId": 23,
"profileId": "MAC-3_Public",
"title": "III - Administrative Public",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
},
{
"id": 148,
"benchmarkId": 23,
"profileId": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive",
"description": "",
"createdAt": "2025-10-21T11:12:36.198Z",
"updatedAt": "2025-10-21T11:12:36.198Z"
}
]
}