SC-23: Session Authenticity

Control Family:

System And Communications Protection

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.PT-4

PF v1.0 References:

PR.PT-P3

Threats Addressed:

Baselines:

Low
N/A
Moderate
- SC-23
High
- SC-23

Next Version:

NIST Special Publication 800-53 Revision 5:
SC-23: Session Authenticity

Control Statement

The information system protects the authenticity of communications sessions.

Supplemental Guidance

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Control Enhancements

SC-23(1): Invalidate Session Identifiers At Logout

Baseline(s):

(Not part of any baseline)

The information system invalidates session identifiers upon user logout or other session termination.

SC-23(3): Unique Session Identifiers With Randomization

Baseline(s):

(Not part of any baseline)

The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.

SC-23(5): Allowed Certificate Authorities

Baseline(s):

(Not part of any baseline)

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Control Statement

Supplemental Guidance

Control Enhancements

Related Controls

NIST Special Publication 800-53 Revision 4

Cloud Controls Matrix v3.0.1

Critical Security Controls Version 8