This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects the authenticity of communications sessions.
NIST 800-53 (r4) Supplemental Guidance:
This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11.
NIST 800-53 (r5) Discussion:
Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against “man-in-the-middle” attacks, session hijacking, and the insertion of false information into sessions.
38North Guidance:
Meets Minimum Requirement:
Ensure that each session is authenticated and protected with FIPS 140-2 validated encryption.
Utilize secure communication protocols (e.g., HTTPS, SSH, RDP, etc.).
Utilize a VPN (e.g., IPSec, TLS, SSH, etc.) for remote access.
Best Practice:
Enforce Multi-Factor Authentication (MFA) for session establishment.
Enforce mutual authentication for each communication session. Note that mutual authentication is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
Utilize the current version of secure protocols (e.g., TLS v1.2 or better, SSH v2 or better, etc.).
Utilize digital signatures, digital certificates (e.g., TLS certificates, etc.), and digital time stamps. Obtain TLS certificates from a reputable, approved internal (i.e., CSP-managed) or external (i.e., public) Certificate Authority (CA).
Implement a secure mechanism for tracking and maintaining each session (e.g., unique session IDs, browser cookies, access tokens).
Restrict communication sessions based on certain attributes such as hostname, IP address, user identity, time of access, method of access, and originating location.
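As an added illustration of the mutual authentication, protocol version, session-tracking and attribute-restriction practices above (example code written for this page, not part of the 38North guidance or any CSP's implementation), the following Python builds a server-side TLS context limited to TLS 1.2 or newer with client certificates required, and a session store that issues unguessable session IDs bound to a client attribute and an expiry. The client CA bundle path and the client attribute (an IP address here) are assumed placeholders.

```python
import secrets
import ssl
import time


def hardened_server_context(client_ca_file=None):
    """Server TLS context: TLS 1.2+ only, mutual authentication required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1
    # TLS does not require client certificates by default; turn it on.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca_file is not None:  # assumed path to the CSP-managed CA bundle
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def context_policy(ctx):
    """Evidence-style summary of the negotiated policy (for assessors/tests)."""
    return (ctx.minimum_version.name, ctx.verify_mode.name)


class SessionStore:
    """Unique, unguessable session IDs bound to a client attribute and a TTL."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested offline

    def create(self, user, client_attr):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, client_attr, self._clock() + self._ttl)
        return sid

    def lookup(self, sid, client_attr):
        """Return the user for a live session presented from the bound client."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_attr, expires = entry
        if self._clock() >= expires or bound_attr != client_attr:
            self._sessions.pop(sid, None)  # expired or presented elsewhere: invalidate
            return None
        return user

    @staticmethod
    def cookie_header(sid):
        """Set-Cookie value that keeps the ID off plaintext channels and scripts."""
        return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```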
Unofficial FedRAMP Guidance:
FedRAMP does not maintain a list of approved Certificate Authorities.
Assessment Evidence:
List of FIPS 140-2 validated cryptographic modules (include the Cryptographic Module Validation Program (CMVP) certificate number) used in the environment for encrypting data in transit (e.g., end user access / data flow).
Configuration settings showing the enablement of FIPS mode on system components.
Configuration settings showing usage of secure transport protocols and VPN technologies.
Installed TLS certificates.
Demonstration of session authentication.
Evidence of unique session identifier generation.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD