SC.L2-3.13.15 Communications Authenticity
Protect the authenticity of communications sessions.
Source: NIST SP 800-171 Rev 2 3.13.15
Discussion: Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions.
Assessment Objectives:
Determine if:
- [a] the authenticity of communications sessions is protected.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting or implementing session authenticity].
SPRS Score: 5
POA&M Allowed: No