Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access.


CONTROL ID: 01648
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. (CC ID: 01646)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Has the Wired Equivalent Privacy been encrypted or moved from the default windows registry folder? (App Table 802.11 Row 3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Those networks able to implement WPA completely - and without any WEP compatibility - are candidates for greater trust. Higher-level protocol protections (such as SSL, HTTPS, or VPN) should be used for wireless nodes that access any trusted resources. (§ 3-2, MasterCard Wireless LANs - Security Risks and Guidelines, December 2004)
  • The use of WEP as a security control is prohibited after June 30, 2010. (4.4.3.E, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Wi-Fi Protected Access and Wired Equivalent Privacy cryptographic algorithms do not meet the Federal Information Processing Standards 140-2 requirements and require additional security controls if they are being used. (§ 5.5.7.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) cryptographic algorithms, used by all pre-802.11i protocols, do not meet the requirements for FIPS 140-2 and shall not be used. (§ 5.13.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)