CMMC v2.11 Practices

IA.L2-3.5.4  

Reference: CMMC v2.11

Family: IA

Level Introduced: 2

Title: Replay-Resistant Authentication

Practice:
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Further Discussion:
When insecure protocols are used for access to computing resources, an adversary may be able to capture login information and immediately reuse (replay) it for other purposes. It is important to use mechanisms that resist this technique.

Example
To protect your IT infrastructure, you understand that the methods for authentication must not be easily copied and re-sent to your systems by an adversary. You select Kerberos for authentication because of its built-in resistance to replay attacks. As a next step you upgrade all of your web applications to require Transport Layer Security (TLS), which also is replay-resistant. Your use of MFA to protect remote access also confers some replay resistance.

Potential Assessment Considerations
• Are only anti-replay authentication mechanisms used [a]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11