SC-23: Session Authenticity

Control Family:

System and Communications Protection

CSF v1.1 References:

PR.PT-4

PF v1.0 References:

PR.PT-P3

Threats Addressed:

Baselines:

Low
N/A
Moderate
- SC-23
High
- SC-23
Privacy
N/A

Previous Version:

NIST Special Publication 800-53 Revision 4:
SC-23: Session Authenticity

Control Statement

Protect the authenticity of communications sessions.

Supplemental Guidance

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against "man-in-the-middle" attacks, session hijacking, and the insertion of false information into sessions.

Control Enhancements

SC-23(1): Invalidate Session Identifiers at Logout

Baseline(s):

(Not part of any baseline)

Invalidate session identifiers upon user logout or other session termination.

SC-23(3): Unique System-generated Session Identifiers

Baseline(s):

(Not part of any baseline)

Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.

SC-23(5): Allowed Certificate Authorities

Baseline(s):

(Not part of any baseline)

Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Control Statement

Supplemental Guidance

Control Enhancements

Related Controls

NIST Special Publication 800-53 Revision 5

Cloud Controls Matrix v3.0.1

Critical Security Controls Version 8