CMMC practice IA.L2-3.5.4, derived from NIST SP 800-171 Rev 2 requirement 3.5.4, mandates that organizations employ authentication mechanisms that are resistant to replay attacks for all network access to both privileged and non-privileged accounts. Replay-resistant authentication ensures that even if an authentication exchange is captured by an adversary, the captured data cannot be replayed to gain subsequent unauthorized access. Techniques such as nonces (random values used once), cryptographic challenges, timestamps, and sequence numbers embedded in authentication protocols fulfill this requirement. Common implementations include Kerberos authentication (which uses timestamps and nonces), protocols with mutual authentication and session tokens, and multi-factor authentication solutions that generate one-time codes. The requirement applies specifically to network access, meaning local console access may be governed separately, but any authentication traversing a network interface must be replay-resistant.
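The nonce-based challenge-response the paragraph describes, shown as an added example (not code from the practice text or from any product it names). It assumes a shared secret between client and server and an HMAC over a server-issued random nonce; the server accepts each nonce once and only within a time window, so a captured (nonce, response) pair cannot be replayed and a stale challenge cannot be answered late. The shared key, protocol label and clock are constructed values for the walkthrough.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample secret; a real deployment derives this from a credential store.
SHARED_KEY = b"example-shared-secret"


def compute_response(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key by MACing the fresh nonce.
    The "auth-v1|" label is an assumed domain separator, not from the page."""
    return hmac.new(key, b"auth-v1|" + nonce, hashlib.sha256).digest()


class ReplayResistantServer:
    """Server side: issue random single-use nonces and verify responses.

    Replay resistance comes from two properties checked in verify():
      * the nonce must be one this server issued and has not yet consumed;
      * the response must arrive within max_age_seconds of issuance.
    """

    def __init__(self, key: bytes, max_age_seconds: float = 30.0, clock=time.monotonic):
        self._key = key
        self._max_age = max_age_seconds
        self._clock = clock          # injectable so expiry can be demonstrated offline
        self._pending = {}           # nonce -> time it was issued

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # 128 bits of randomness, never reused
        self._pending[nonce] = self._clock()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        issued_at = self._pending.pop(nonce, None)  # consume on first sight, success or not
        if issued_at is None:
            return False  # unknown nonce, or one already used: a replay
        if self._clock() - issued_at > self._max_age:
            return False  # challenge answered too late
        expected = compute_response(self._key, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    """Walk through a legitimate login, a replayed capture, a stale challenge
    and a wrong-key attempt, returning the verifier's decision for each."""
    now = [0.0]  # constructed fake clock, advanced manually
    server = ReplayResistantServer(SHARED_KEY, max_age_seconds=30.0, clock=lambda: now[0])

    # 1. Legitimate client answers a fresh challenge.
    nonce = server.issue_challenge()
    captured = compute_response(SHARED_KEY, nonce)  # what an eavesdropper would record
    first = server.verify(nonce, captured)

    # 2. The recorded pair is presented again: the nonce is already consumed.
    replayed = server.verify(nonce, captured)

    # 3. A challenge answered after the window closes is rejected even with the right key.
    stale_nonce = server.issue_challenge()
    now[0] += 31.0
    stale = server.verify(stale_nonce, compute_response(SHARED_KEY, stale_nonce))

    # 4. A fresh challenge answered with the wrong key is rejected.
    fresh = server.issue_challenge()
    wrong_key = server.verify(fresh, compute_response(b"not-the-key", fresh))

    return {"first": first, "replayed": replayed, "stale": stale, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The server consumes the nonce before checking anything else, so a replay fails regardless of whether the original attempt succeeded; the time window bounds how long an unanswered challenge stays valid. This is the same pattern Kerberos and one-time-code MFA rely on (freshness plus single use), shown here in its simplest form for an assessor or engineer to reason about.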
Where it stops · what it isn't
- This practice does not govern physical or local console authentication that does not traverse a network; those controls fall under other physical and access control practices.
- This practice does not mandate a specific authentication protocol or product; it requires that whatever mechanism is used must incorporate replay-resistant properties.
- This practice does not independently require multi-factor authentication (MFA), which is addressed separately under IA.L2-3.5.3, though MFA often satisfies both requirements simultaneously.
- This practice does not address password complexity, length, or rotation policies, which are covered under IA.L2-3.5.7 and IA.L2-3.5.8.
- This practice does not cover device-to-device authentication for non-network system components or internal process-to-process communications that do not traverse an externally routable network path.