This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.
38North Guidance:
Meets Minimum Requirement:
Implements replay-resistant authentication mechanisms for network access to privileged accounts.
Best Practice:
Require safeguards, such as TLS 1.2 or higher, to be in place to protect the authenticator during network (remote) access to privileged accounts, including the following types of accounts:
Administrators
Security Accounts
Implement MFA hardware or software tokens that are FIPS 140-2 or FIPS 140-3 validated and that use a one-time password (OTP) mechanism (a PIN that changes every 60 seconds). Examples include RSA, Gemalto tokens, or Google Authenticator.
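As an added illustration of the time-synchronous OTP mechanism described above (example code, not from 38North or NIST): an RFC 4226/6238-style TOTP generator paired with a verifier that refuses any code for a time step at or before the last accepted one, which is the property that makes the authenticator replay-resistant. The seed is the RFC 6238 SHA-1 test seed; the page's 60-second interval is a constructor parameter, and the RFC's 30-second default is used so the codes match the published vectors.

```python
# Added example (not from the 38North page or NIST): an RFC 4226/6238-style
# one-time-password verifier that rejects reuse of an already-accepted code.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over a 64-bit counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class ReplayResistantVerifier:
    """Accepts a given TOTP once: any code belonging to a time step at or before
    the last accepted step is rejected, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1  # highest time step that has authenticated

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        # Tolerate clock drift of +/- window steps, checking the newest step first.
        for step in range(current + self.window, current - self.window - 1, -1):
            if step <= self.last_accepted_step:
                continue  # already used, or older than a used code: treat as replay
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


# Constructed demo input: the RFC 6238 SHA-1 test seed (not a production secret).
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    verifier = ReplayResistantVerifier(RFC_SEED, step=30, digits=8)
    code = totp(RFC_SEED, 59, digits=8)           # RFC 6238 vector: 94287082
    print(code, verifier.verify(code, 59))        # True: first presentation
    print(code, verifier.verify(code, 70))        # False: same code replayed
```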
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Evidence that MFA hardware or software tokens are FIPS 140-2 or FIPS 140-3 validated, so that strong cryptography is used, and that TLS 1.2 or higher encryption protects network access to privileged accounts.
Hardware or software tokens should have unique serial numbers so they are replay-resistant.
Require a memorized secret as well as the unique MFA token.
CSP Implementation Tips: TBD