Ensure Secure Authenticator Communication for Wireless FT
802.11r is disabled unless secured by approved cryptographic protocol.
Plain language
This control ensures that when your wireless network uses a feature called 'Fast Transition', which helps devices switch quickly between different Wi-Fi access points, the communications between access points are secure. Without secure communication, someone with bad intentions could potentially intercept sensitive information when devices switch between Wi-Fi hotspots, putting your data and network at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingSection
Wireless networksOfficial control statement
The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD-Approved Cryptographic Protocol.
Why it matters
If 802.11r FT is enabled without secured authenticator-to-authenticator links, attackers could spoof or intercept roaming exchanges, leading to unauthorised access.
Operational notes
Confirm 802.11r FT is disabled, or secure authenticator-to-authenticator traffic with an ASD-Approved Cryptographic Protocol; periodically validate WLAN settings and protocol approval status.
Implementation tips
- The IT team should review the network settings to check if the Fast Transition feature, known as 802.11r, is enabled. If it is, they should ensure that this feature is only used if the communication between access points is secured by an approved cryptographic protocol that meets the standards set by the Australian Signals Directorate (ASD).
- The network administrator should document and list all Wi-Fi access points used in the organisation and verify they support secure 802.11r communication. This involves checking the device specifications or consulting with the vendor for detailed information on security protocols implemented.
- IT staff should regularly update the firmware on all Wi-Fi equipment to the latest version, as updates often include security enhancements. They should schedule these updates out of business hours to minimise disruptions.
- Managers should organise regular security training for staff, focusing on the importance of secure network transitions, and ensure that staff are aware of the potential risks of unsecured wireless communications.
- The IT team should periodically test the Wi-Fi network for vulnerabilities, including the secure implementation of Fast Transition. They may use tools for vulnerability scanning or engage a professional service for a scheduled security audit.
Audit / evidence tips
- AskA network configuration report: Request detailed documentation of the wireless network settings GoodIs when the report clearly demonstrates adherence to security protocols
- AskStaff training records: Request evidence of recent security training sessions held for staff. Examine attendance records and session content to ensure they include information about secure wireless network practices GoodIncludes a detailed agenda and sign-in sheet for relevant sessions
- AskTo see firmware update logs: Request the update logs for all Wi-Fi access points GoodIs logs showing regular updates to the latest versions
- AskVendor communications or documentation: Request any correspondence with vendors about the security capabilities of the access points GoodIs written confirmation from the vendor
- AskTest results from any network vulnerability scans: Request the most recent vulnerability scan reports of the wireless network GoodIncludes resolved issues and evidence of ongoing monitoring
Cross-framework mappings
How ISM-1712 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1712 requires organisations to disable 802.11r Fast Transition unless authenticator-to-authenticator communications are secured using... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.