IA-2(9): Network Access To Non-Privileged Accounts – Replay Resistant

CSF v1.1 References:

Threats Addressed:

Baselines:

  • High

Control is withdrawn in the next version of this control set and incorporated into: IA-2(8): Access to Accounts – Replay Resistant.

Control Statement

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Supplemental Guidance

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
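The challenge-response technique named above, as an added example that is not part of the control text: a verifier issues a single-use, time-limited nonce and checks an HMAC over it, so a recorded response fails when replayed. The class and function names, the 30-second window, and the HMAC-SHA-256 construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 30  # assumed validity window for an issued challenge


class ChallengeResponseVerifier:
    """Hypothetical server side: issues single-use nonces, verifies HMAC responses."""

    def __init__(self, user_keys, clock=time.monotonic):
        self._keys = user_keys   # username -> shared secret (bytes)
        self._pending = {}       # nonce -> (username, expiry time)
        self._clock = clock

    def issue_challenge(self, username):
        nonce = secrets.token_bytes(16)  # unpredictable, fixed-length challenge
        self._pending[nonce] = (username, self._clock() + NONCE_TTL_SECONDS)
        return nonce

    def verify(self, username, nonce, response):
        # pop() consumes the nonce on every attempt, so it can never be reused.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False  # unknown or already-consumed nonce
        issued_to, expiry = entry
        key = self._keys.get(username)
        if key is None or issued_to != username or self._clock() > expiry:
            return False
        expected = hmac.new(key, nonce + username.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key, username, nonce):
    """Client side: proves knowledge of the key for this one challenge."""
    return hmac.new(key, nonce + username.encode(), hashlib.sha256).digest()


def demo():
    key = b"constructed-demo-secret"  # constructed sample secret
    server = ChallengeResponseVerifier({"alice": key})
    nonce = server.issue_challenge("alice")
    recorded = client_response(key, "alice", nonce)  # message seen on the wire
    first = server.verify("alice", nonce, recorded)
    same_nonce = server.verify("alice", nonce, recorded)   # nonce already consumed
    fresh = server.issue_challenge("alice")
    new_nonce = server.verify("alice", fresh, recorded)    # bound to the old nonce
    return first, same_nonce, new_nonce
```

The first verification succeeds; both later attempts with the recorded message are rejected, once because the nonce was consumed and once because the response is bound to a different nonce.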