Limit PMK Caching Duration on Wireless Networks
Ensure that stored authentication data for networks isn't kept for more than a day.
Plain language
This control is about making sure that when a device connects to your Wi-Fi network, the information that proves it is allowed to connect isn't stored for more than 24 hours. This matters because if an unauthorised person gets hold of this information, they could easily access your wireless network and misuse your data or resources.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Wireless networks
Official control statement
The PMK caching period is not set to greater than 1440 minutes (24 hours).
Why it matters
If PMK caching exceeds 24 hours, compromised credentials can keep working longer, enabling unauthorised WLAN access and raising breach risk.
Operational notes
Check WLC/AP PMK caching is set to 1440 minutes (24 hours) or less, and review after firmware changes or template updates.
Implementation tips
- The IT team should configure the wireless network settings to limit how long keys from previous authentications are cached. This can be done by accessing the wireless controller or access point settings and setting the PMK cache duration to a maximum of 1440 minutes.
- Business owners should ask their IT provider to regularly review these settings to ensure compliance with security guidelines. During these checks, adjustments can be made to maintain the 24-hour limit if software updates have altered settings.
- Office managers should ensure that policy documentation reflects this requirement and that team members understand why it's important to restrict the duration of stored network access data.
- IT support staff should train anyone managing wireless networks on how to implement and verify the PMK caching settings so there is no accidental deviation from the policy.
- Authorised personnel responsible for network security should receive alerts for any changes to the PMK caching duration settings to ensure prompt action can be taken to rectify any deviations.
Audit / evidence tips
- Ask: the network configuration report. Request the report that shows the current PMK caching settings.
  Good: setup shows PMK caching set to no more than 1440 minutes.
- Ask: the company's wireless security policy document. Check if the policy clearly states PMK caching should not exceed 24 hours.
  Good: document is one that is clear and easy to follow, with specific times outlined.
- Ask: evidence of the most recent network review.
  Good: includes regular reviews with actions taken to correct any discrepancies.
- Ask: security logs that show when changes to network settings were made.
  Good: should show consistent settings with responsible change management documentation.
- Ask: staff training records. Request evidence of training or instructions provided to personnel on handling authentication data securely.
Cross-framework mappings
How ISM-1330 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.5 | ISM-1330 mandates a concrete control on wireless authentication by limiting PMK caching to 24 hours to constrain reuse of derived keying ... | |
| Annex A 8.20 | ISM-1330 requires organisations to limit the Pairwise Master Key (PMK) caching duration on wireless networks to no more than 1440 minutes... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.