NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Control Family: Identification and Authentication
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance: N/A
CMMC Level(s): IA.L2-3.5.4
Top Ten Failed Requirement: No
Referenced in: DFARS 252.204-7012
Derived From: NIST SP 800-53r4 IA-2(8), IA-2(9)
NIST Supplemental Guidance: [SP 800-63-3]
Discussion:
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.
[SP 800-63-3] provides guidance on digital identities.
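The nonce-based challenge-response pattern the discussion describes, as an added example (not code from SP 800-171 or its assessment guide); it assumes a pre-shared HMAC key per account and a 30-second challenge lifetime, and shows why a captured authentication message cannot be replayed:

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret; a real deployment provisions one per account.
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"


class ChallengeResponseVerifier:
    """Server side of an HMAC challenge-response authenticator.

    Each login gets a fresh random nonce that is accepted exactly once and
    only within a short window, so a captured (nonce, response) pair is
    useless to anyone who records it.
    """

    def __init__(self, key: bytes, nonce_ttl_seconds: float = 30.0):
        self.key = key
        self.ttl = nonce_ttl_seconds
        self.outstanding: dict[bytes, float] = {}  # nonce -> issue time

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # pop() consumes the nonce: presenting it a second time, even with
        # the correct response, finds nothing outstanding and is rejected.
        issued_at = self.outstanding.pop(nonce, None)
        if issued_at is None or time.monotonic() - issued_at > self.ttl:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key without transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_outcome() -> tuple[bool, bool, bool]:
    """Return (legitimate login, replay of capture, capture vs new challenge)."""
    server = ChallengeResponseVerifier(SHARED_KEY)
    nonce = server.issue_challenge()
    captured = client_response(SHARED_KEY, nonce)  # what a sniffer would record
    first = server.verify(nonce, captured)          # True: fresh nonce, valid MAC
    replay = server.verify(nonce, captured)         # False: nonce already consumed
    reuse = server.verify(server.issue_challenge(), captured)  # False: MAC mismatch
    return first, replay, reuse
```

A static credential sent over a cleartext protocol has no such binding to a per-session value, which is the exposure the control is written against.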
Upon assessment, assessors must determine if:
Determine if replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
Assessors are instructed to:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of privileged system accounts; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identification and authentication capability or replay resistant authentication mechanisms].
FURTHER DISCUSSION
When insecure protocols are used for access to computing resources, an adversary may be able to capture login information and immediately reuse (replay) it for other purposes. It is important to use mechanisms that resist this technique.
Example
To protect your IT infrastructure, you understand that the methods for authentication must not be easily copied and re-sent to your systems by an adversary. You select Kerberos for authentication because of its built-in resistance to replay attacks. As a next step you upgrade all of your web applications to require Transport Layer Security (TLS), which is also replay-resistant. Your use of MFA to protect remote access also confers some replay resistance.
Potential Assessment Considerations
Are only anti-replay authentication mechanisms used [a]?