03.13.15: Session Authenticity
Control Family: System and Communications Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-52 [69]
SP 800-77 [18]
SP 800-95 [72]
SP 800-113 [19]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.13.15
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 SC-23
Protect the authenticity of communications sessions.
Discussion:
Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of the communications sessions in the ongoing identities of other parties and the validity of the transmitted information. Authenticity protection includes protecting against adversary-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.
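The paragraph above distinguishes session-level protection from packet-level protection: each party needs ongoing confidence in who the other end is and that nothing has been altered, replayed or inserted mid-session. The following Python example is added here to illustrate that idea and is not code from NIST or from this page. It assumes a per-session key has already been established by an authenticated key exchange (the role played by the TLS or IPsec handshake in SP 800-52 and SP 800-77; that exchange is what defeats adversary-in-the-middle at setup and is out of scope here). Every message then carries an HMAC that binds a hypothetical session identifier and a monotonically increasing sequence number to the payload, so the receiver can reject tampered, forged, replayed or cross-session frames. All names, the frame layout and the scenario inputs are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

SESSION_ID_LEN = 16                         # constructed frame layout for this example
SEQ_LEN = 8
TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC-SHA256 tag


class SessionEndpoint:
    """One side of an authenticated session.

    The session key is assumed to come from an authenticated key exchange
    that already ran (e.g. TLS or IPsec); this class only adds the per-message
    authenticity and ordering checks that make the *session* trustworthy.
    """

    def __init__(self, session_id: bytes, key: bytes):
        if len(session_id) != SESSION_ID_LEN:
            raise ValueError("session id must be 16 bytes")
        self.session_id = session_id
        self.key = key
        self.send_seq = 0   # next sequence number this side will send
        self.recv_seq = 0   # next sequence number this side expects to receive

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # Binding session id and sequence number into the MAC means a frame
        # cannot be moved to another session or replayed within this one.
        data = self.session_id + struct.pack(">Q", seq) + payload
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def send(self, payload: bytes) -> bytes:
        seq = self.send_seq
        self.send_seq += 1
        return self.session_id + struct.pack(">Q", seq) + payload + self._tag(seq, payload)

    def receive(self, frame: bytes) -> bytes:
        if len(frame) < SESSION_ID_LEN + SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        sid = frame[:SESSION_ID_LEN]
        seq = struct.unpack(">Q", frame[SESSION_ID_LEN:SESSION_ID_LEN + SEQ_LEN])[0]
        payload = frame[SESSION_ID_LEN + SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        if sid != self.session_id:
            raise ValueError("frame belongs to a different session")
        # Constant-time comparison so the check itself reveals nothing about the tag.
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            raise ValueError("authentication tag mismatch (tampered or forged)")
        if seq != self.recv_seq:
            raise ValueError(f"unexpected sequence number {seq} (replay or gap)")
        self.recv_seq += 1
        return payload


def make_pair():
    """Two endpoints sharing a fresh session id and key (assumed pre-established)."""
    sid = os.urandom(SESSION_ID_LEN)
    key = os.urandom(32)
    return SessionEndpoint(sid, key), SessionEndpoint(sid, key)


def _delivers(endpoint: SessionEndpoint, frame: bytes) -> bool:
    try:
        endpoint.receive(frame)
        return True
    except ValueError:
        return False


def run_scenarios() -> dict:
    """Exercise the receiver against the failure modes named in the control discussion."""
    client, server = make_pair()
    results = {}

    good = client.send(b"GET /balance")
    results["genuine"] = _delivers(server, good)              # accepted, seq 0 consumed
    results["replay"] = _delivers(server, good)               # same frame again: rejected

    frame = client.send(b"transfer 10")
    tampered = bytearray(frame)
    tampered[SESSION_ID_LEN + SEQ_LEN + 9] ^= 0x01            # flip a bit inside the payload
    results["tampered"] = _delivers(server, bytes(tampered))  # tag no longer matches
    results["genuine_after_tamper"] = _delivers(server, frame)  # untouched original still accepted

    # Forgery: a party that knows the session id and current sequence number but not the key.
    forger = SessionEndpoint(server.session_id, os.urandom(32))
    forger.send_seq = server.recv_seq
    results["forged"] = _delivers(server, forger.send(b"transfer 1000"))

    # A valid frame from some other session must not be accepted here.
    other_client, _ = make_pair()
    results["cross_session"] = _delivers(server, other_client.send(b"hello"))
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:>20}: {'accepted' if accepted else 'rejected'}")
```

The sequence check is strict equality rather than "greater than the last seen", so a dropped frame surfaces as an error instead of silently opening a gap; a real protocol would handle that with retransmission or a window, but the authenticity decision (reject anything the MAC does not cover) stays the same.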
Assessment Methods and Objectives
Examine [SELECT FROM: system and communications protection policy and procedures; procedures for session authenticity; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with information security responsibilities; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing session authenticity]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.13.15: the authenticity of communications sessions is protected.
The Security Requirements
NIST SP 800-171r3 (USA) & ITSP.10.171 (Canada)
3.5. Identification and Authentication
3.12. Security Assessment and Monitoring
3.13. System and Communications Protection
3.14. System and Information Integrity
3.16. System and Services Acquisition
3.17. Supply Chain Risk Management
CMMC 3.0 - N/A
CPCSC - N/A