GRCWatch
Sign inStart free trial

SC.L2-3.13.15: Communications Authenticity

Communications authenticity is a critical security control that ensures the integrity and legitimacy of your organization's communications sessions. Under CMMC Level 2, SC.L2-3.13.15 requires you to implement mechanisms that verify and protect the authenticity of all communications—preventing unauthorized access, man-in-the-middle attacks, and session hijacking that could compromise sensitive data.

What this means

This control mandates that your organization establish and enforce technical and procedural measures to authenticate all communications sessions. This includes verifying the identity of parties communicating, protecting session integrity throughout the exchange, and preventing impersonation or unauthorized session takeover. The goal is to ensure that when two systems or users communicate, both parties can confirm they are who they claim to be and that the communication hasn't been intercepted or altered.

How to comply

  1. 1.Implement authentication protocols (e.g., TLS/SSL, mutual authentication) for all remote and network communications
  2. 2.Deploy digital certificates and establish a certificate management process for encryption and identity verification
  3. 3.Configure session management controls to detect and prevent unauthorized session resumption or hijacking
  4. 4.Use cryptographic mechanisms to establish authenticated channels between systems and users
  5. 5.Document all communication authentication methods in your security plan and procedures
  6. 6.Train staff on secure communication practices and the importance of verifying communication authenticity
  7. 7.Regularly audit and monitor communications for signs of compromise or unauthorized access
  8. 8.Test authentication mechanisms during security assessments and penetration testing

Evidence auditors look for

  • Logs showing successful authentication and failed authentication attempts for all communications sessions
  • Certificate management documentation including issuance, renewal, and revocation records
  • Network configuration files demonstrating TLS/SSL enforcement on all external communications
  • System documentation detailing authentication protocols and session management controls in use
  • Penetration test reports validating the effectiveness of communications authenticity controls
  • Incident response logs showing detection and response to unauthorized session attempts
  • Security policy documentation on communication authentication requirements and standards
  • Configuration snapshots showing mutual authentication settings on critical communication channels

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the continuous monitoring and logging of communications authentication across your infrastructure, generating audit-ready evidence of session authenticity controls without manual log collection or certificate tracking.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SC.L2-3.13.1 (Session Control)SC.L2-3.13.11 (Cryptographic Protection)SI.L2-3.14.1 (System Monitoring)AC.L2-3.1.2 (Authorized Access Control)