IA
Identification And Authentication
3
3.5.4
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
When insecure protocols are used for access to computing resources, there is the potential for an adversary to perform a man-in-the-middle attack and capture the information that permitted a staff member to log in. As part of a defense-in-depth strategy, it is important to use mechanisms that are resilient to the adversary reusing the captured information and gaining access to the computing resources.

Example
To protect your IT organization, you understand that the methods for authentication must not be easily copied and re-sent to your systems by an adversary. You conduct research and determine that certain protocols have replay resistance inherently designed into them. Your first step is to ensure Transport Layer Security (TLS) is enabled for access to relevant IT services. Coupled with the use of a secure protocol, you evaluate the use of multifactor authentication using public key infrastructure (PKI) or one-time password (OTP) tokens to protect staff logins. Based on your requirements, you select OTP tokens as the way to provide a time-bound challenge for user authentication to your IT services.
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
DISCUSSION
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time-synchronous or challenge-response one-time authenticators. [SP 800-63-3] provides guidance on digital identities.
N/A
NIST SP 800-53 Rev 4 IA-2(8), IA-2(9)
NIST SP 800-171 Rev 1 3.5.4
NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
IA.3.084.[a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.