03.05.04: Replay-Resistant Authentication
Control Family: Identification and Authentication
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-63-3 [27]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.05.04
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
IA-02(08)
Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.
Discussion:
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time synchronous or challenge-response one-time authenticators.
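As an added illustration, not part of the NIST text, of the nonce-based challenge-response technique the discussion describes: a minimal verifier issues a single-use, time-limited challenge, and a captured response presented a second time (or after the challenge expires) fails. The user name, shared key and 30-second lifetime are constructed sample values; the HMAC construction is one common choice, not a requirement of the control.

```python
import hashlib
import hmac
import secrets
import time


class ChallengeResponseVerifier:
    """Server side: issues nonces, accepts each one at most once, within a lifetime."""

    def __init__(self, shared_keys, ttl=30.0, now=time.time):
        self._keys = shared_keys      # user -> shared secret (constructed sample data)
        self._ttl = ttl               # challenge lifetime in seconds
        self._now = now               # clock, injectable so expiry can be tested
        self._pending = {}            # nonce -> (user, issued_at); a nonce lives here once

    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh, unpredictable per attempt
        self._pending[nonce] = (user, self._now())
        return nonce

    def verify(self, user, nonce, response):
        # Consume the nonce before checking anything, so a replay of the same
        # message, valid or not, finds no pending challenge and is rejected.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        owner, issued_at = entry
        if owner != user or self._now() - issued_at > self._ttl:
            return False
        key = self._keys.get(user)
        if key is None:
            return False
        expected = compute_response(key, user, nonce)
        return hmac.compare_digest(expected, response)


def compute_response(key, user, nonce):
    """Client side: bind the proof of the secret to this specific challenge."""
    return hmac.new(key, b"auth:" + user.encode() + b":" + nonce, hashlib.sha256).digest()


def demo():
    """Fresh response succeeds; the identical message replayed is refused."""
    key = b"constructed-sample-shared-key"
    server = ChallengeResponseVerifier({"alice": key})
    nonce = server.issue_challenge("alice")
    response = compute_response(key, "alice", nonce)
    first = server.verify("alice", nonce, response)
    replayed = server.verify("alice", nonce, response)  # recorded and resent
    return first, replayed
```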
Assessment Methods and Objectives
Examine [SELECT FROM: identification and authentication policy and procedures; system design documentation; system audit records; system configuration settings; list of privileged system accounts; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing identification and authentication capabilities; mechanisms for supporting or implementing replay resistance]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.05.04[01]: replay-resistant authentication mechanisms for access to privileged accounts are implemented.
A.03.05.04[02]: replay-resistant authentication mechanisms for access to non-privileged accounts are implemented.