FIPS validated WiFi for CMMC

I wonder if there are any DoD contractors here working through the CMMC requirements. If so, I am wondering if and how you are dealing with FIPS validated WiFi to transmit CUI. We have plant-wide WiFi, and all shop employees have Surface tablets to access Epicor, technical drawings, and our file server, all of which store CUI, requiring the APs to be approved for FIPS.

We purchased a new SonicWall firewall and WiFi last year, and I’ve been working with SonicWall tech support to get this set up correctly for over a year now without any luck. As I research other options, I realize the SonicWall APs are not listed on the NIST CMVP. If I stick with the SonicWall solution, it appears my only options are forcing every wireless connection to use the SonicWall SSL NetExtender or RDP. Neither of these seems end-user-friendly…

Not that anyone was following this thread, but I thought I would update it in case someone was searching in the future and found it.

After two years of researching, testing, failing, researching again, and crazy lead time, we finally have a solution in place that is 100% FIPS compliant. It only took about 60 hours last week to configure and implement!

For future reference, here’s what we ended up with.

  • 2 Palo Alto PA-440s in an HA pair, running in FIPS mode
  • 1 HP Aruba 5406r zl2 switch, running in FIPS mode
  • 8 Aruba Access Points (AP-515), running in FIPS mode
  • WiFi auth is via RADIUS to Active Directory
  • VPN auth is LDAP, with Duo MFA

FYI - FIPS mode makes everything more complicated. So much so that during the many tech support calls to Palo Alto & Aruba, they continuously said, “Oh, you are running in FIPS mode. Are you sure you want to do that?” I told the one tech that we were a government contractor, and he replied, “Oh, that makes sense because no one would choose FIPS on their own!”

This summarizes the whole journey.
[GIF: fail, fun and games]