NIST 800-171 Control 3.13.15: Protect Communication Authenticity
Communication authenticity ensures that the parties involved in a session are genuinely who they claim to be, preventing unauthorized access and message tampering. This NIST 800-171 control is essential for protecting sensitive conversations and transactions in systems handling controlled unclassified information (CUI). Implementing robust authentication mechanisms prevents impersonation and session hijacking attacks.
What this means
Control 3.13.15 requires organizations to establish and maintain mechanisms that verify the identity of all parties in a communication session and confirm that messages have not been altered in transit. This includes implementing cryptographic authentication, session-level controls, and monitoring for unauthorized session activities. The goal is to ensure that communications involving CUI remain authentic and tamper-proof throughout their lifecycle.
How to comply
- 1.Deploy digital certificates and public key infrastructure (PKI) for sender authentication and encryption
- 2.Implement multi-factor authentication (MFA) for all user sessions initiating or receiving sensitive communications
- 3.Use TLS/SSL protocols with strong cipher suites for all network communications
- 4.Enable message signing and verification using cryptographic hash functions to detect tampering
- 5.Establish session management controls including timeouts, re-authentication triggers, and anomaly detection
- 6.Monitor and log all authentication events and session activities for forensic review
- 7.Conduct regular reviews of authentication logs to identify unauthorized session attempts or anomalies
- 8.Train users on recognizing phishing and social engineering attacks targeting session credentials
Evidence auditors look for
- TLS/SSL configuration documentation showing cipher suite strength and certificate validity
- Multi-factor authentication (MFA) implementation records for user accounts with CUI access
- Public Key Infrastructure (PKI) certificate inventory and lifecycle management logs
- Session management policies documenting timeout intervals and re-authentication requirements
- Authentication and access logs showing successful and failed login attempts with timestamps
- Cryptographic key management procedures and audit trails for digital signature verification
- Security awareness training records covering authentication best practices and phishing awareness
- Vulnerability scan reports demonstrating SSL/TLS compliance and cipher strength validation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the collection and validation of TLS/SSL configurations, MFA deployment status, and session logs across your infrastructure, eliminating manual audits for 3.13.15 evidence and flagging authentication misconfigurations in real time.
See how GRCWatch handles this control automatically
Start free trial