CMMC Practice SC.L2-3.13.15 – Communications Authenticity: Protect the authenticity of communications sessions.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This blog post is for developers and manufacturers working with private-trust client or device certificates, such as those used in a software application or IoT device.
This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive but unclassified digitized information during transmission and while in storage.
This Special Publication provides guidance on the selection and configuration of TLS protocol implementations while making effective use of Approved cryptographic schemes and algorithms.
This Special Publication from NIST provides an overview of session authenticity.
This SANS whitepaper discusses the use of Public Key Infrastructure (PKI) to meet business, regulatory, and compliance requirements.
This whitepaper from SANS gives an overview of how Public Key Infrastructure (PKI) can be distilled into two critical parts: a public and a private key.
Discussion [NIST SP 800-171 R2]
Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.
NIST SP 800-77, NIST SP 800-95, and NIST SP 800-113 provide guidance on secure communications sessions.
Further Discussion
The intent of this practice is to ensure that a trust relationship is established between both ends of a communications session, so that each end can be assured the other end is who it claims to be. This is often implemented with a mutual authentication handshake when the session is established, especially between devices. Session authenticity is usually provided by a security protocol enforced for the duration of the communications session; choosing such a protocol and enforcing its use provides authenticity throughout the session.
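As an added example (not part of the CMMC guidance or of any publication referenced above), the following Go program demonstrates the mutual authentication handshake described in this practice: a constructed in-memory CA issues a server certificate and a device certificate, each end of a TLS 1.3 session trusts only that CA, the server requires and verifies the client's certificate, and a client that presents no certificate is rejected before any application data is exchanged. The names "server.example", "device-0001" and "Example Root CA" are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue builds a certificate in memory (constructed for this example, not a real PKI): with parent == nil
// a self-signed CA, otherwise a leaf signed by parent that is valid for both server and client authentication.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn},
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // root: allowed to sign certificates, no EKU restriction on what it may issue
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, nil, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// session runs one TLS 1.3 handshake over an in-memory pipe. Each end trusts only the constructed CA and the
// server requires a client certificate, so data flows only after both parties have proven their identity.
// It returns the server's greeting as received by the client, or the error that ended the session.
func session(ca *x509.Certificate, srv, cli tls.Certificate, sendClientCert bool) (string, error) {
	pool := x509.NewCertPool(); pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "server.example", MinVersion: tls.VersionTLS13}
	if sendClientCert { cliCfg.Certificates = []tls.Certificate{cli} }
	a, b := net.Pipe()
	defer b.Close()
	go func() {
		s := tls.Server(a, srvCfg); defer s.Close()
		if s.Handshake() == nil { // peer verified: its identity is now available to the application
			s.Write([]byte("hello " + s.ConnectionState().PeerCertificates[0].Subject.CommonName))
		}
	}()
	c := tls.Client(b, cliCfg); c.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 64)
	n, err := c.Read(buf) // Read completes the handshake first, then returns application data
	if err != nil { return "", err }
	return string(buf[:n]), nil
}
```

Calling session with sendClientCert set to false returns a TLS alert error from the server, which is the point at which an assessor can confirm that unauthenticated sessions are refused rather than silently allowed.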