CMMC SC.3.190 - Protect Authenticity of Communications Sessions

Requirement text: SC.3.190: Protect the authenticity of communications sessions.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Authenticity protection includes protecting against man-in-the-middle attacks, session
hijacking, and the insertion of false information into communications sessions. This
requirement addresses communications protection at the session versus packet level (e.g.,
sessions in service-oriented architectures providing web-based services) and establishes
grounds for confidence at both ends of communications sessions in ongoing identities of
other parties and in the validity of information transmitted.

CMMC CLARIFICATION
Session authentication begins with a user entering login credentials to identify themselves
and establish communication with the system. When the communication is established, a
unique session ID is generated to mark the user's session as authenticated. Organizations
need to develop and implement the controls necessary to validate that identification and to
protect the session ID from attacks such as hijacking.

Example
You are an IT administrator at your organization. You ensure that the two-factor user
authentication mechanism for the servers is set up and configured correctly. You maintain
the digital certificate your company purchased and replace it with a new one before the old
one expires. You ensure the TLS configuration settings on the web servers, VPN solution, and
other components that use TLS are correct, using secure settings that address the risks of
attacks on the encrypted sessions.

References
• NIST SP 800-171 Rev 1 3.13.15
• NIST SP 800-53 Rev 4 SC-23