SC.3.190

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.15

CMMC Description

Protect the authenticity of communications sessions.

CMMC Clarification

The authentication of a session refers to a user entering login credentials to identify themselves to establish communication to the system. As the communication is established a unique session id is generated to identify the user session as authenticated. Organizations need to develop and implement the necessary controls to validate the identification and protect the session id from attacks such as hijacking. Example You are an IT administrator at your organization. You ensure that the two-factor user authentication mechanism for the servers is setup and configured correctly. You maintain the digital certificate your company purchased and replace it with a new one before the old on expires. You ensure the TLS configuration settings on the web servers, VPN solution, and other components that use TLS are correct, using secure settings that address risks against attacks on the encrypted sessions.

800-171 Description

Protect the authenticity of communications sessions.

800-171 Discussion

Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-23

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.15

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

SC.3.190.[a] the authenticity of communications sessions is protected.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15