Level 5 CMMC - CMMC Practices

SC.3.190  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Protect the authenticity of communications sessions.

CMMC Clarification:
The authentication of a session refers to a user entering login credentials to identify themselves to establish communication to the system. As the communication is established a unique session id is generated to identify the user session as authenticated. Organizations need to develop and implement the necessary controls to validate the identification and protect the session id from attacks such as hijacking.

Example
You are an IT administrator at your organization. You ensure that the two-factor user authentication mechanism for the servers is setup and configured correctly. You maintain the digital certificate your company purchased and replace it with a new one before the old on expires. You ensure the TLS configuration settings on the web servers, VPN solution, and other components that use TLS are correct, using secure settings that address risks against attacks on the encrypted sessions.

3.13.15

Protect the authenticity of communications sessions.

Discussion:
Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.

[SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions.

Source: NIST Special Publication 800-171 Rev. 2

SC-23

SESSION AUTHENTICITY

Description:
The information system protects the authenticity of communications sessions.

Supplemental Guidance:
This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02