Level 5 CMMC - CMMC Practices

IA.3.084  

Reference: CMMC 1.02

Family: IA

Level Introduced: 3

Practice:
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

CMMC Clarification:
When insecure protocols are used for access to computing resources, there is the potential for an adversary to perform a man-in-the-middle attack and capture the information that permitted a staff member to log in. As part of a defense-in-depth strategy, it is important to use mechanisms that are resilient to the adversary reusing the captured information and gaining access to the computing resources.

Example:
To protect your IT organization, you understand that the methods for authentication must not be easily copied and re-sent to your systems by an adversary. You conduct research and determine that certain protocols have replay resistance inherently designed into them. Your first step is to ensure Transport Layer Security (TLS) is enabled for access to relevant IT services. Coupled with the use of a secure protocol, you evaluate the use of multifactor authentication using public key infrastructure (PKI) or one-time password (OTP) tokens to protect staff logins. Based on your requirements, you select OTP tokens as the way to provide a time-bound challenge for user authentication to your IT services.

3.5.4

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Discussion:
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.
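The nonce-based challenge-response technique the discussion refers to, shown as an added example that is not part of the CMMC or NIST text: the server issues a fresh random challenge for each login, accepts each challenge only once and only within a short lifetime, and therefore rejects a captured (challenge, response) pair when it is re-sent. The user name, shared secret and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

def compute_response(key, nonce):
    # Client side: prove possession of the shared key over this nonce only.
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeResponseServer:
    """Server side of a nonce-based challenge-response authenticator: each
    challenge is random, accepted once, and expires after ttl_seconds."""

    def __init__(self, shared_keys, ttl_seconds=30):
        self._keys = shared_keys    # user -> shared secret (constructed)
        self._ttl = ttl_seconds
        self._pending = {}          # nonce -> (user, issued_at)

    def issue_challenge(self, user, now=None):
        nonce = secrets.token_hex(16)   # fresh 128-bit random challenge
        self._pending[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user, nonce, response, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)  # consume: a second use finds nothing
        if entry is None or entry[0] != user:
            return False    # unknown, already used, or issued to another user
        if now - entry[1] > self._ttl:
            return False    # challenge held too long
        expected = compute_response(self._keys[user], nonce)
        return hmac.compare_digest(expected, response)

def demo():
    """One legitimate login, then the captured exchange re-sent three ways."""
    key = b"constructed-shared-secret"
    server = ChallengeResponseServer({"alice": key})
    nonce = server.issue_challenge("alice", now=1000.0)
    response = compute_response(key, nonce)
    results = {"first_login": server.verify("alice", nonce, response, now=1001.0)}
    # Adversary re-sends the captured (nonce, response) pair verbatim.
    results["replay"] = server.verify("alice", nonce, response, now=1002.0)
    # The captured response does not answer a fresh challenge.
    nonce2 = server.issue_challenge("alice", now=1003.0)
    results["old_response_new_nonce"] = server.verify("alice", nonce2, response, now=1004.0)
    # A correct answer to a challenge held past its lifetime is also refused.
    nonce3 = server.issue_challenge("alice", now=1005.0)
    results["stale"] = server.verify("alice", nonce3, compute_response(key, nonce3), now=1100.0)
    return results
```

Calling `demo()` returns a dict in which only `first_login` is `True`; a static password check, by contrast, would accept the re-sent credential every time.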

[SP 800-63-3] provides guidance on digital identities.

Source: NIST Special Publication 800-171 Rev. 2

IA-2 (8)

IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

Description:
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Supplemental Guidance:
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

IA-2 (9)

IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT

Description:
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Supplemental Guidance:
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02