IA.L3-3.5.1E Bidirectional Authentication

CMMC Requirement IA.L3-3.5.1E – Bidirectional Authentication: Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.


Discussion [NIST SP 800-171 R2]
Cryptographically-based and replay-resistant authentication between systems, components, and devices addresses the risk of unauthorized access from spoofing (i.e., claiming a false identity). The requirement applies to client-server authentication, server-server authentication, and device authentication (including mobile devices). The cryptographic key for authentication transactions is stored in suitably secure storage available to the authenticator application (e.g., keychain storage, Trusted Platform Module [TPM], Trusted Execution Environment [TEE], or secure element). Mandating authentication requirements at every connection point may not be practical, and therefore, such requirements may only be applied periodically or at the initial point of network connection.
[NIST SP 800-63-3] provides guidance on identity and authenticator management.

Further Discussion
The intent of this practice is to prevent unauthorized devices from connecting to one another. One example satisfying this requirement is a web server configured with transport layer security (TLS) using mutual authentication. At a lower level in the OSI stack, IPsec provides application-transparent mutual authentication. Another example is implementing 802.1X to enforce port-based network access control (NAC): 802.1X is enabled on the switches, wireless access points, and VPN connections of a given network. 802.1X defines the authentication controls for devices trying to access that network, while NAC controls authorization and policy management. For this to satisfy the practice, bidirectional authentication must be turned on via 802.1X; once a device is successfully authenticated, it may communicate on the network. A final example, at the application-server level, is the use of Kerberos to control 1) which files a client can access and 2) the transmission of sensitive data from the client to the server.
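The following added example (not part of the CMMC text or any of the products named above) models the three properties the practice asks for with a pre-shared key and HMAC: each side challenges the other (bidirectional), the answer is a keyed MAC (cryptographically based), and a fresh nonce per exchange makes a captured answer useless later (replay resistant). The peer names, key, and the message layout are constructed for the illustration; production systems obtain these properties from TLS mutual authentication, IPsec, 802.1X, or Kerberos rather than from a hand-rolled exchange like this one.

```python
import hashlib
import hmac
import secrets

# Constructed model of a mutual challenge-response exchange. It is an
# illustration of the properties required by IA.L3-3.5.1E, not a protocol
# to deploy; TLS mutual auth, IPsec, 802.1X and Kerberos provide them in practice.


class Peer:
    """One end of the exchange; holds its name and the pre-shared key (assumed)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key

    def challenge(self) -> bytes:
        # A fresh random nonce makes every exchange unique, so a response
        # captured from one exchange does not verify against a later challenge.
        return secrets.token_bytes(16)

    def _mac(self, nonce: bytes, responder: str, challenger: str) -> bytes:
        # Bind the MAC to the direction (responder -> challenger) so a value the
        # challenger itself computed cannot be reflected back as an answer.
        msg = nonce + responder.encode() + b"->" + challenger.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def respond(self, nonce: bytes, challenger: str) -> bytes:
        return self._mac(nonce, self.name, challenger)

    def verify(self, nonce: bytes, responder: str, response: bytes) -> bool:
        expected = self._mac(nonce, responder, self.name)
        return hmac.compare_digest(expected, response)


def mutual_authenticate(client: Peer, server: Peer) -> tuple:
    """Run the exchange both ways; return (server_accepts_client, client_accepts_server)."""
    s_nonce = server.challenge()                        # 1. server -> client: challenge
    c_response = client.respond(s_nonce, server.name)   # 2. client -> server: response
    c_nonce = client.challenge()                        #    plus the client's own challenge
    s_response = server.respond(c_nonce, client.name)   # 3. server -> client: response
    server_ok = server.verify(s_nonce, client.name, c_response)
    client_ok = client.verify(c_nonce, server.name, s_response)
    return server_ok, client_ok
```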