Wireless access to systems transmitting, processing, or storing CUI must be protected with FIPS 140-validated cryptography and access must be limited to authenticated users. This ensures confidentiality and integrity of CUI while preventing unauthorized wireless access.

Exact Extracts (official CMMC Assessor/Study documents):

SC.L2-3.13.13: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”

AC.L2-3.1.1 / 3.1.2: “Limit system access to authorized users… and authenticate the identities of those users.”

SC.L2-3.13.17: “Protect wireless access to the system using authentication and encryption.”

Assessment Guide clarifies: “Wireless access must use FIPS 140 validated cryptographic modules and must be restricted to authenticated users.”

Why other options are not correct:

A: Only requires encryption; does not address authenticated access, which is mandatory.

B: Vetting and access lists may be useful, but they are not sufficient substitutes for cryptographic and authentication requirements.

D: Identifying users in diagrams is good documentation practice but not a CMMC requirement for wireless protection.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.13 and SC.L2-3.13.17 (pp. 134–136).

NIST SP 800-171A, Assessment Objectives for wireless access and cryptographic requirements.