Who governs Wi-Fi?

Writes the MAC and PHY specification. Every 802.11 frame - its format, field offsets, IE structure, state machine - comes from this document. Wi-Fi 4 through Wi-Fi 7 are amendments that roll back into the base standard each revision cycle.

Port-based Network Access Control. Defines how EAPOL frames are carried over 802.11 - the 4-way handshake wrapper, key derivation sequence, and controlled port state machine that blocks data traffic until authentication succeeds.

Owns the Wi-Fi brand and certification programs. WFA decides what "WPA3-certified" means in practice - which AKMs are mandatory, whether PMF is required, how transition mode works. IEEE writes the protocol; WFA writes the certification rules.

Owns EAP (RFC 3748), EAP-TLS 1.3 (RFC 9190), RADIUS (RFC 2865), OWE (RFC 8110), DHCP (RFC 2131), and ARP (RFC 826). When enterprise Wi-Fi authenticates against RADIUS, that entire exchange is governed by IETF RFCs - not IEEE.

Regulate radio emissions and unlicensed band rules. FCC ss.15.407 mandates DFS and TPC on U-NII-2 channels in the US. ETSI EN 301 893 sets EU equivalents. Their rules appear directly in 802.11 frames - CSA IE, Quiet IE, country code element.

Maintains the CVE database and CVSS severity scores. Every known Wi-Fi attack - KRACK, Dragonblood, FragAttacks - has a CVE. When you identify an attack pattern in a PCAP, MITRE/NVD is the authoritative source for severity and proof-of-concept.

Defines X.509 v3 certificate format and ASN.1/DER encoding used in EAP-TLS PKI chains. When WPA2/3-Enterprise authenticates via certificate, the certificate format itself is governed by ITU-T X.509 - not IEEE or IETF.

Publishes WLAN security guidelines (SP 800-153) and cryptographic standards - FIPS 197 for AES-CCMP and FIPS 186-5 for the elliptic curves used in WPA3-SAE (Dragonfly). Every WPA2/3 deployment references NIST crypto, whether or not engineers realise it.

Runs OpenRoaming federation and WRIX interoperability for carrier Wi-Fi. When a device roams between operators or connects via Passpoint, the federation agreement is a WBA standard. IEEE 802.11k/v/r is the mechanism; WBA defines the carrier deployment rules.

Governs EAP-AKA and EAP-SIM - authentication methods that use a SIM card to authenticate to Wi-Fi. On carrier networks and eduroam, you may see EAP-AKA exchanges. 3GPP also defines how 5G and Wi-Fi interwork in non-3GPP access scenarios.

Sets wireless security requirements for cardholder data environments. PCI DSS Req 2.3 mandates strong wireless crypto. Req 4.2.1 requires WPA2-AES or WPA3 minimum. Req 11.2.x mandates quarterly rogue AP scans. Relevant whenever Wi-Fi is in scope for a PCI audit.

Decide which frequencies you can use and under what power limits. Their rules appear in DFS events, CSA IEs, and country code elements.

Every bit in every 802.11 frame. IE format, state machines, MAC rules, PHY modulation. The root document for all Wi-Fi protocol analysis.

How the device proves identity. 802.1X carries EAP (IETF) inside EAPOL frames. Certificates use X.509 (ITU-T). RADIUS is RFC 2865.

What "good enough" means in practice. WFA for interop, NIST for crypto, WBA for carrier roaming, 3GPP for SIM auth, PCI for payments.

Why this matters for diagnosis: When a client fails to associate, the frame that tells you why is IEEE 802.11 (status code in the Association Response). The cipher it rejected is governed by WFA certification rules. The EAP exchange that preceded it is IETF. The certificate that expired mid-session is ITU-T X.509. Each body owns a different layer of the failure. Knowing which body owns which layer tells you which specification to open.