Requirement text: IA.3.084: Employ replay-resistant authentication mechanisms for network access to
privileged and non-privileged accounts.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Authentication processes resist replay attacks if it is impractical to successfully authenticate
by recording or replaying previous authentication messages. Replay-resistant techniques
include protocols that use nonces or challenges such as time synchronous or
challenge-response one-time authenticators.
CMMC CLARIFICATION
When insecure protocols are used for access to computing resources, there is the potential
for an adversary to perform a man-in-the-middle attack and capture the information that
permitted a staff member to log in. As part of a defense-in-depth strategy it is important to
use mechanisms that are resilient to the adversary reusing the captured information and
gaining access to the computing resources.
Example
To protect your IT organization, you understand that the methods for authentication must
not be easily copied and re-sent to your systems by an adversary. You conduct research and
determine that certain protocols have replay resistance inherently designed into them. Your first
step is to ensure Transport Layer Security (TLS) is enabled for access to relevant IT services.
Coupled with the use of a secure protocol, you evaluate the use of multifactor authentication
using public key infrastructure (PKI) or one-time password tokens (OTP) to protect staff
logins. Based on your requirements you select OTP tokens as the way to provide a
time-bound challenge for user authentication to your IT services.
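The following is an added illustration of the nonce/challenge-response principle described in the NIST discussion and the time-bound challenge chosen in the example; it is not part of the CMMC or NIST text. It contrasts a static credential, which a recorded login reuses successfully, with a server that issues a fresh single-use nonce, expires it after a short window, and checks an HMAC response keyed by a shared secret (all keys, clock values and names are constructed for the demo).

```python
import hashlib, hmac, secrets

def static_verify(stored_secret: bytes, presented: bytes) -> bool:
    """Replay-vulnerable baseline: a captured static credential works every time."""
    return hmac.compare_digest(stored_secret, presented)

class ChallengeServer:
    """Verifier that issues a fresh random nonce per login attempt, accepts each
    nonce at most once, and expires nonces after `ttl` seconds (the time bound)."""

    def __init__(self, shared_key: bytes, ttl: float = 30.0):
        self.key = shared_key
        self.ttl = ttl
        self.outstanding = {}  # nonce -> time it was issued

    def challenge(self, now: float) -> bytes:
        nonce = secrets.token_bytes(16)  # 128 random bits: guessing/collision impractical
        self.outstanding[nonce] = now
        return nonce

    def verify(self, nonce: bytes, response: bytes, now: float) -> bool:
        issued = self.outstanding.pop(nonce, None)  # single use: consumed on first check
        if issued is None or now - issued > self.ttl:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_respond(shared_key: bytes, nonce: bytes) -> bytes:
    """Client proves possession of the key; the key itself never crosses the wire."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()

def demo() -> tuple:
    """Returns (legitimate, replayed, cross_replayed, stale) verification results."""
    key = secrets.token_bytes(32)   # constructed shared secret
    srv = ChallengeServer(key)
    t = 1_700_000_000.0             # constructed clock value
    n1 = srv.challenge(t)
    r1 = client_respond(key, n1)
    legitimate = srv.verify(n1, r1, t + 1)      # genuine login succeeds
    replayed = srv.verify(n1, r1, t + 2)        # recorded (n1, r1) resent: nonce already consumed
    n2 = srv.challenge(t + 3)
    cross_replayed = srv.verify(n2, r1, t + 4)  # old response against a new nonce
    n3 = srv.challenge(t + 5)
    r3 = client_respond(key, n3)
    stale = srv.verify(n3, r3, t + 100)         # correct response, but outside the time bound
    return legitimate, replayed, cross_replayed, stale
```

Only the first, fresh response is accepted; a recorded response is rejected whether it is resent as-is, paired with a new challenge, or presented after the window has closed.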
References
• NIST SP 800-171 Rev 1 3.5.4
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• NIST SP 800-53 Rev 4 IA-2(8), IA-2(9)