NSA Router Security Recommendations: What They Actually Say
The NSA and CISA publish specific router security guidance for home and small business users. Here's a plain-English breakdown of their actual recommendations - not a summary, but exactly what to do.
Last reviewed: March 2026 · ismyroutersafe.com
Where does the official guidance come from?
The primary NSA/CISA router security documents for home users are the NSA Cybersecurity Information Sheet "Best Practices for Securing Your Home Network" (2023) and CISA's "Securing Network Infrastructure Devices" guidelines. These are unclassified, publicly available documents.
1. Change default router credentials immediately
Every router ships with a default admin username and password. NSA guidance: change both immediately after setup. Default credentials are published in online databases - attackers know them. Use a password manager to generate and store a unique, strong password (20+ characters) for your router admin panel.
2. Disable remote management unless required
Remote management allows someone to log into your router from outside your home network. NSA guidance: disable this feature unless you have a specific, documented need. It is usually found under Administration → Remote Management → Disable. This closes a major attack vector.
3. Keep firmware updated
NSA guidance explicitly requires keeping router firmware current. Enable automatic updates where available. Check for manual updates every 2–3 months. If your router is end-of-life and cannot be updated, replace it.
4. Disable WPS (Wi-Fi Protected Setup)
WPS is a convenience feature that allows devices to join your Wi-Fi via a PIN or button press. NSA guidance: disable WPS. The PIN method has a known vulnerability (it can be brute-forced in hours). WPS is found in your router's wireless settings.
5. Use WPA3 or WPA2-AES encryption
NSA guidance: never use WEP or WPA (TKIP). Use WPA3-Personal if all your devices support it. Use WPA2-AES (not WPA2-TKIP) as a fallback for older devices. WPA2 with TKIP is nearly as weak as WEP.
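To verify recommendations 4 and 5 from a Linux client instead of trusting the admin panel, this added example (not from the NSA/CISA documents or this site) parses scan text in the layout printed by `iw dev <iface> scan` and flags networks that advertise WPS, offer TKIP, are WPA-only, or use WEP. The sample scan, SSIDs and BSSIDs are constructed, and the field layout is an assumption about `iw`'s output.

```python
import re

# Constructed sample in the layout printed by Linux `iw dev <iface> scan`
# (assumed format; SSIDs and BSSIDs are made up for this example).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: home-main
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: SAE
BSS 02:00:00:00:00:02(on wlan0)
	capability: ESS Privacy (0x0011)
	SSID: home-iot
	WPA:	 * Version: 1
		 * Group cipher: TKIP
		 * Pairwise ciphers: TKIP
		 * Authentication suites: PSK
	WPS:	 * Version: 1.0
BSS 02:00:00:00:00:03(on wlan0)
	capability: ESS Privacy (0x0011)
	SSID: old-printer
"""

def audit_scan(text):
    """Return {ssid: [findings]} for each network in the scan text."""
    results = {}
    for block in re.split(r"(?m)^(?=BSS )", text):  # one block per "BSS <mac>"
        m = re.search(r"(?m)^\s+SSID: (.*)$", block)
        if not m:
            continue
        findings = []
        has_rsn = re.search(r"(?m)^\s+RSN:", block)    # WPA2/WPA3 element
        has_wpa1 = re.search(r"(?m)^\s+WPA:", block)   # original WPA element
        privacy = re.search(r"capability:.*\bPrivacy\b", block)
        if re.search(r"(?m)^\s+WPS:", block):
            findings.append("WPS advertised")
        if re.search(r"ciphers?: .*\bTKIP\b", block):
            findings.append("TKIP cipher offered")
        if has_wpa1 and not has_rsn:
            findings.append("WPA (v1) only")
        if privacy and not (has_rsn or has_wpa1):
            findings.append("WEP")  # encrypted, but no WPA/RSN element present
        results[m.group(1).strip()] = findings
    return results

if __name__ == "__main__":
    print(audit_scan(SAMPLE_SCAN))
```

An empty findings list means the network advertised none of the settings items 4 and 5 tell you to avoid; re-run the scan after changing router settings to confirm the change took effect.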
6. Segment your network with separate SSIDs
NSA recommends separating IoT devices (smart TVs, cameras, thermostats) from computers and phones on separate network segments (VLANs or separate SSIDs). If an IoT device is compromised, network segmentation prevents it from reaching your other devices.
7. Avoid Chinese-owned networking equipment
NSA and CISA's Volt Typhoon advisory explicitly named Chinese-owned networking equipment - particularly TP-Link - as vectors for state-sponsored attacks. The joint advisory states: "The People's Republic of China (PRC) state-sponsored cyber actor... has exploited vulnerabilities in Cisco and NETGEAR routers... and has infiltrated US critical infrastructure using TP-Link routers as attack nodes." See our Volt Typhoon explainer for the full advisory breakdown.
Frequently Asked Questions
Yes. The NSA publishes unclassified cybersecurity information sheets for home and small business users. "Best Practices for Securing Your Home Network" is available free at nsa.gov. It covers router security, network segmentation, firmware updates, and more.
The NSA and CISA do not endorse specific router brands. Their guidance focuses on security practices (strong passwords, firmware updates, network segmentation) that apply across brands. The CISA advisory on Volt Typhoon specifically identified TP-Link as a risk vector. For specific recommendations based on security analysis, see our Top 10 Secure Routers.
Log into your router admin panel (typically 192.168.1.1 or 192.168.0.1). Go to Wireless Settings or Advanced Wireless. Find WPS (Wi-Fi Protected Setup) settings and disable it. The exact location varies by router manufacturer - check your router's manual if you can't find it.
Network segmentation separates devices into isolated groups so they can't communicate with each other. The simplest approach: enable your router's Guest Network for IoT devices, keeping them separate from your main computers and phones. More advanced: create VLANs if your router supports them (Ubiquiti and Asus are strongest for this). Devices on a guest network cannot reach devices on the main network.