NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-23 Session Authenticity

Protect the authenticity of communications sessions.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against "man-in-the-middle" attacks, session hijacking, and the insertion of false information into sessions.

Practitioner Notes

Protect the authenticity of communication sessions — make sure the session between a user and a system is genuine and has not been hijacked.

Example 1: Configure your web applications to use secure session cookies: set the Secure flag (HTTPS only), HttpOnly flag (no JavaScript access), SameSite attribute (prevent cross-site request forgery), and a reasonable expiration time.
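A worked check for Example 1, added here and not part of the NIST text: it builds a session cookie carrying the attributes listed above and audits any Set-Cookie header value for them. The cookie name, sample values and the 8-hour lifetime policy are constructed assumptions.

```python
"""Build and audit Set-Cookie headers for session authenticity (SC-23).

Added example, not from the NIST page. The cookie name "sid", the sample
values and the 8-hour lifetime policy below are constructed assumptions.
"""
from http.cookies import SimpleCookie

MAX_LIFETIME_SECONDS = 8 * 3600  # assumed organisational policy: 8 hours


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly, SameSite and Max-Age."""
    if max_age <= 0 or max_age > MAX_LIFETIME_SECONDS:
        raise ValueError("session lifetime outside policy")
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True          # sent over HTTPS only
    jar[name]["httponly"] = True        # not readable from JavaScript
    jar[name]["samesite"] = "Strict"    # not attached to cross-site requests
    jar[name]["max-age"] = max_age      # bounded lifetime, server-enforced
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header: str) -> list[str]:
    """Return SC-23 findings for one Set-Cookie header value; [] means it passes."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value; the rest are attributes
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite absent or None: no CSRF protection from the cookie")
    if "max-age" in attrs:
        age = attrs["max-age"]
        if not age.isdigit() or int(age) > MAX_LIFETIME_SECONDS:
            findings.append("Max-Age malformed or above policy lifetime")
    elif "expires" not in attrs:
        findings.append("no Max-Age/Expires: lifetime is not bounded by the server")
    return findings


if __name__ == "__main__":
    good = build_session_cookie("sid", "abc123")
    print(good, audit_set_cookie(good))
    print(audit_set_cookie("sid=abc123; Path=/"))  # weak cookie: four findings
```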

Example 2: Enable Kerberos authentication for internal applications rather than NTLM. Kerberos provides mutual authentication (both client and server verify each other) and protects against session replay attacks with time-stamped tickets.