This objective requires organizations to clearly define what wireless access restrictions are in place, particularly for systems that store or process Controlled Unclassified Information (CUI). These restrictions should be based on your risk profile and documented in policy or procedural guidance.